xworm | a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6

Analysis

max time kernel
50s
max time network
803s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01/07/2024, 01:19

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

sv.exe
Size

63KB
MD5

c095a62b525e62244cad230e696028cf
SHA1

67232c186d3efe248b540f1f2fe3382770b5074a
SHA256

a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6
SHA512

5ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0
SSDEEP

1536:unjFXblMp3wgDkbivVSm16KTOKjLIJXc:unrAwgDkbicmbOKj0JM

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

amount-acceptance.gl.at.ply.gg:7420

Attributes

Install_directory
%ProgramData%
install_file
svhost.exe

Signatures

Detect Xworm Payload 8 IoCs

resource	yara_rule
behavioral2/memory/1236-1-0x0000000000E50000-0x0000000000E66000-memory.dmp	family_xworm
behavioral2/files/0x000e00000001226d-145.dat	family_xworm
behavioral2/memory/3068-147-0x0000000001250000-0x0000000001266000-memory.dmp	family_xworm
behavioral2/memory/2684-206-0x0000000001350000-0x0000000001366000-memory.dmp	family_xworm
behavioral2/memory/3048-400-0x0000000000300000-0x0000000000316000-memory.dmp	family_xworm
behavioral2/memory/940-511-0x00000000011F0000-0x0000000001206000-memory.dmp	family_xworm
behavioral2/memory/1572-626-0x0000000000F60000-0x0000000000F76000-memory.dmp	family_xworm
behavioral2/memory/1788-631-0x0000000000220000-0x0000000000236000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2812	powershell.exe
1900	powershell.exe
2560	powershell.exe
1872	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	sv.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	sv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\ProgramData\\svhost.exe"	sv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2724	taskkill.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2064	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2556	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1872	powershell.exe
2812	powershell.exe
1900	powershell.exe
2560	powershell.exe
1032	chrome.exe
1032	chrome.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	1236	sv.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	1236	sv.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1236 wrote to memory of 1872	1236	sv.exe	28
PID 1236 wrote to memory of 1872	1236	sv.exe	28
PID 1236 wrote to memory of 1872	1236	sv.exe	28
PID 1236 wrote to memory of 2812	1236	sv.exe	30
PID 1236 wrote to memory of 2812	1236	sv.exe	30
PID 1236 wrote to memory of 2812	1236	sv.exe	30
PID 1236 wrote to memory of 1900	1236	sv.exe	32
PID 1236 wrote to memory of 1900	1236	sv.exe	32
PID 1236 wrote to memory of 1900	1236	sv.exe	32
PID 1236 wrote to memory of 2560	1236	sv.exe	34
PID 1236 wrote to memory of 2560	1236	sv.exe	34
PID 1236 wrote to memory of 2560	1236	sv.exe	34
PID 1236 wrote to memory of 2556	1236	sv.exe	36
PID 1236 wrote to memory of 2556	1236	sv.exe	36
PID 1236 wrote to memory of 2556	1236	sv.exe	36
PID 1032 wrote to memory of 2420	1032	chrome.exe	40
PID 1032 wrote to memory of 2420	1032	chrome.exe	40
PID 1032 wrote to memory of 2420	1032	chrome.exe	40
PID 1032 wrote to memory of 2864	1032	chrome.exe	41
PID 1032 wrote to memory of 2864	1032	chrome.exe	41
PID 1032 wrote to memory of 2864	1032	chrome.exe	41
PID 1032 wrote to memory of 2864	1032	chrome.exe	41
PID 1032 wrote to memory of 2864	1032	chrome.exe	41
PID 1032 wrote to memory of 2864	1032	chrome.exe	41
PID 1032 wrote to memory of 2864	1032	chrome.exe	41
PID 1032 wrote to memory of 2864	1032	chrome.exe	41
PID 1032 wrote to memory of 2864	1032	chrome.exe	41
PID 1032 wrote to memory of 2864	1032	chrome.exe	41
PID 1032 wrote to memory of 2864	1032	chrome.exe	41
PID 1032 wrote to memory of 2864	1032	chrome.exe	41
PID 1032 wrote to memory of 2864	1032	chrome.exe	41
PID 1032 wrote to memory of 2864	1032	chrome.exe	41
PID 1032 wrote to memory of 2864	1032	chrome.exe	41
PID 1032 wrote to memory of 2864	1032	chrome.exe	41
PID 1032 wrote to memory of 2864	1032	chrome.exe	41
PID 1032 wrote to memory of 2864	1032	chrome.exe	41
PID 1032 wrote to memory of 2864	1032	chrome.exe	41
PID 1032 wrote to memory of 2864	1032	chrome.exe	41
PID 1032 wrote to memory of 2864	1032	chrome.exe	41
PID 1032 wrote to memory of 2864	1032	chrome.exe	41
PID 1032 wrote to memory of 2864	1032	chrome.exe	41
PID 1032 wrote to memory of 2864	1032	chrome.exe	41
PID 1032 wrote to memory of 2864	1032	chrome.exe	41
PID 1032 wrote to memory of 2864	1032	chrome.exe	41
PID 1032 wrote to memory of 2864	1032	chrome.exe	41
PID 1032 wrote to memory of 2864	1032	chrome.exe	41
PID 1032 wrote to memory of 2864	1032	chrome.exe	41
PID 1032 wrote to memory of 2864	1032	chrome.exe	41
PID 1032 wrote to memory of 2864	1032	chrome.exe	41
PID 1032 wrote to memory of 2864	1032	chrome.exe	41
PID 1032 wrote to memory of 2864	1032	chrome.exe	41
PID 1032 wrote to memory of 2864	1032	chrome.exe	41
PID 1032 wrote to memory of 2864	1032	chrome.exe	41
PID 1032 wrote to memory of 2864	1032	chrome.exe	41
PID 1032 wrote to memory of 2864	1032	chrome.exe	41
PID 1032 wrote to memory of 2864	1032	chrome.exe	41
PID 1032 wrote to memory of 2864	1032	chrome.exe	41
PID 1032 wrote to memory of 760	1032	chrome.exe	42
PID 1032 wrote to memory of 760	1032	chrome.exe	42
PID 1032 wrote to memory of 760	1032	chrome.exe	42
PID 1032 wrote to memory of 2340	1032	chrome.exe	43
PID 1032 wrote to memory of 2340	1032	chrome.exe	43
PID 1032 wrote to memory of 2340	1032	chrome.exe	43
PID 1032 wrote to memory of 2340	1032	chrome.exe	43

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\sv.exe
"C:\Users\Admin\AppData\Local\Temp\sv.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2560
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\ProgramData\svhost.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2556
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM explorer.exe
  2⤵
  - Kills process with taskkill
  PID:2724
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:2796
- - C:\Windows\System32\NOTEPAD.EXE
    "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\crash.bat
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:2064
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\crash.bat"
    3⤵
    PID:756
- C:\Windows\system32\shutdown.exe
  shutdown.exe /f /r /t 0
  2⤵
  PID:2372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef1c59758,0x7fef1c59768,0x7fef1c59778
  2⤵
  PID:2420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1168 --field-trial-handle=1220,i,10910035838150310342,11353799772358102098,131072 /prefetch:2
  2⤵
  PID:2864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1500 --field-trial-handle=1220,i,10910035838150310342,11353799772358102098,131072 /prefetch:8
  2⤵
  PID:760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1604 --field-trial-handle=1220,i,10910035838150310342,11353799772358102098,131072 /prefetch:8
  2⤵
  PID:2340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2244 --field-trial-handle=1220,i,10910035838150310342,11353799772358102098,131072 /prefetch:1
  2⤵
  PID:3056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2252 --field-trial-handle=1220,i,10910035838150310342,11353799772358102098,131072 /prefetch:1
  2⤵
  PID:2844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1324 --field-trial-handle=1220,i,10910035838150310342,11353799772358102098,131072 /prefetch:2
  2⤵
  PID:2948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3300 --field-trial-handle=1220,i,10910035838150310342,11353799772358102098,131072 /prefetch:1
  2⤵
  PID:2248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3400 --field-trial-handle=1220,i,10910035838150310342,11353799772358102098,131072 /prefetch:8
  2⤵
  PID:2056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3424 --field-trial-handle=1220,i,10910035838150310342,11353799772358102098,131072 /prefetch:8
  2⤵
  PID:1584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3632 --field-trial-handle=1220,i,10910035838150310342,11353799772358102098,131072 /prefetch:8
  2⤵
  PID:2680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3808 --field-trial-handle=1220,i,10910035838150310342,11353799772358102098,131072 /prefetch:1
  2⤵
  PID:2624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=1900 --field-trial-handle=1220,i,10910035838150310342,11353799772358102098,131072 /prefetch:1
  2⤵
  PID:1596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 --field-trial-handle=1220,i,10910035838150310342,11353799772358102098,131072 /prefetch:8
  2⤵
  PID:1676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2408 --field-trial-handle=1220,i,10910035838150310342,11353799772358102098,131072 /prefetch:1
  2⤵
  PID:2572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1880 --field-trial-handle=1220,i,10910035838150310342,11353799772358102098,131072 /prefetch:8
  2⤵
  PID:2884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=1756 --field-trial-handle=1220,i,10910035838150310342,11353799772358102098,131072 /prefetch:1
  2⤵
  PID:2040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=3316 --field-trial-handle=1220,i,10910035838150310342,11353799772358102098,131072 /prefetch:1
  2⤵
  PID:1728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=3648 --field-trial-handle=1220,i,10910035838150310342,11353799772358102098,131072 /prefetch:1
  2⤵
  PID:2108

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:576

C:\Windows\system32\taskeng.exe
taskeng.exe {E61EC6DF-D6BD-4ECC-868E-5BF267BEF2B9} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]
1⤵
PID:2424
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  PID:3068
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  PID:2684
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  PID:3048
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  PID:940
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  PID:1572
- C:\ProgramData\svhost.exe
  C:\ProgramData\svhost.exe
  2⤵
  PID:1788

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x504
1⤵
PID:1084

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2108

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\svhost.exe

Filesize
63KB

MD5
c095a62b525e62244cad230e696028cf

SHA1
67232c186d3efe248b540f1f2fe3382770b5074a

SHA256
a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6

SHA512
5ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\USERDA~1\CHROME~1.TXT

Filesize
4B

MD5
8a266503932fb1c62e23a1460534e496

SHA1
4c4deb20bce04c894632a73f6194f62d52f06544

SHA256
ee4fd44750a330b3ba386e2b6f0edad2644e737bac668576243f5c1a3e3c862d

SHA512
183de4ffdcc0623d75893e3414f0ec0604b1baa6d1038f8961969623395e2386a09ad46c3921a4dbe1d56c0051b910cd3a7a25d1ef76245180f553f0984f2620

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\USERDA~1\Crashpad\settings.dat

Filesize
40B

MD5
7f23d535acf41edd1f178efb507b52fc

SHA1
bafa8c1158592d660b4e5c55af6d3fac2c190ac4

SHA256
306b4c2895629617525ef6e236a7450db2ba2de671de983804c51fd6bcfb493c

SHA512
b47ce01b9a73eacdad4b818c1a3f6d8ab6e103fb7f589251262e719408c76dd984489353db53b4b1da1ae556df4ab74a9c34ab71b8562e40a1c965039a6e7614

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\USERDA~1\Default\CODECA~1\js\0291FE~1

Filesize
229B

MD5
0b9276ed6275f13faf97400a535c4e29

SHA1
21b82567a255bb50c0de561da11a993b822b90df

SHA256
b3b33d07ba88142bbcf363ed14ddfa787ca51a743b270b509b8d038777d26a40

SHA512
3bc07d2a94be0a42641eb5e956b90cb87fd3d00f139f5e45e38dadd01b5605e7fe8be3e31c4ad4a1c98d413671a023bb5e5b6588dce19b951a19bf5cd9ec117c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\USERDA~1\Default\CODECA~1\js\1B2B85~1

Filesize
19KB

MD5
d8c1bcd0eed00989d9759cdb84500c26

SHA1
af614123f9bceaa54788ea0b8bb0e1f74956279b

SHA256
7abca1fab6d63f8341311227c42e9c23a48fa868cb52087e04b48f71b1432066

SHA512
dedc35b7cfb1361a255a71f0308af70a7d18271233e5adb1a066b2350f716110ff27ba35cd74460f330e9281742c82f0f988e0881a3c7a11bfcb3ca3a8cd1d34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\USERDA~1\Default\CODECA~1\js\20AF64~1

Filesize
229B

MD5
e93d0a353ba899f4c68be25320152c81

SHA1
340b87fca08eecb4b18045c0e3ebb74f2a8f9a21

SHA256
e23d0f8adf84b0feb7f5d5b1f85fc7a03e52a816084e7e324d0026fab8c23248

SHA512
89d12d555e5255841fd065f01b6ee75be6e0dda108b411622a14429655ce1dc99a4092f6695ddf77554203185709ee54c1eb35ba962d921f117a5fe48c4e2cd3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\USERDA~1\Default\CODECA~1\js\24A93F~1

Filesize
229B

MD5
42200afb04a3883127dac21399c173b4

SHA1
18c6ce79b7b300720af5fb55879032364ece4f91

SHA256
4925af96c932410b87bb40df40ca73960845034d5933b16eadc09ff475a448db

SHA512
1879fcb8c56b60888d0e24d2709ba3aeb0c70dd9603bd6e96a95b620787f0699c24628c3ac6fbe847d42df49fea6f57963fe84c33758dfb5d49f351c43a043a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\USERDA~1\Default\CODECA~1\js\28EF72~1

Filesize
233B

MD5
543b0676b933a4cc24b790f8d76c2ed9

SHA1
fc538d7e097ce87c1c1c8a29d4db1a07048c39db

SHA256
13cc798eda5a6547d157ad05327be085c1c6f5df5f75bc18b81eddc993a3bd6a

SHA512
9e64c475e3392f1ea497b632e9a0b8d6211c9a253f40377e611eb27c7ba14d9fd29e1b34ccd2139faf4ab895775e8dd861a9a6bdebef20e52414fe428f5452ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\USERDA~1\Default\CODECA~1\js\2A0B4C~1

Filesize
229B

MD5
4a510bb254a8cb4d099da3abcbc8af4f

SHA1
0006973196fc7aa95c405b6f3a516040f5692273

SHA256
8d013e47a1fb21cc2824c89cc5a6eda2d1b1921486576ec4cc255e4b12a3bfce

SHA512
217cc1e61513013d3044901619f644bdab2437c4397d795c2216c56f43c474664d2e2c5fce0f90332aa19836abacba5d770db28c648ffd5080605795e0057bb8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\USERDA~1\Default\CODECA~1\js\49502B~1

Filesize
229B

MD5
be78d383055a3f9bcbf1255c81dd9c57

SHA1
9651c42b78f789d44259b5a2dc0cb639f85930d7

SHA256
150d8407153544c787f35728844cb5cf2a8703d8de0ad9912b4fcf467f347253

SHA512
f107e405175b249e53ef249464158a32fa412d299a23d172c2ccb4f3ffefea21539594360b348e128cb9fbfceda13906d4e767927e6e42de5e794e0a1b9902a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\USERDA~1\Default\CODECA~1\js\4C939D~1

Filesize
231B

MD5
d5a1f6aa6bacf3351e773fcbe1a5c093

SHA1
23b2f696ee5fd2dcbbe0a48e3079c07f96b39abb

SHA256
acdd28b27b9a0f480fbc7af66bcc29e20464458f2dd7c3f2d01b4c1dfb848d3f

SHA512
4a0a877365cb415e38b067e8a378026d13d65e4e35da04808de4a36644684845b9c552166dde394a7de253d04ba12682ede0a12f0da241dbec0d3b8553bc68d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\USERDA~1\Default\CODECA~1\js\738184~1

Filesize
2KB

MD5
3268d91f35eed30de12046631d37da5c

SHA1
c70b25a8be2cba55830e74db0efc035a65b29a58

SHA256
314a53337d2cbd14746833be9eb177be3e60599bede31c5c1e8403ece4e5fe32

SHA512
f507e5150d02744b667f30b3658ff626ea98bdd56b3f3d759ed7259de06af8b86ee781f62c5b1bf2d95d18e1ec0fe67eb5f8078b0fd54b86412db524bba2e3ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\USERDA~1\Default\CODECA~1\js\749ECF~1

Filesize
229B

MD5
2e4249c85c83d176133e80cf7fe1109c

SHA1
96675e7c56cbae6736163908e42384e5fdaaf866

SHA256
d27cf4a7e8b59de39049653eb6f3c8cee1180bc64ee07f03b6ab8aff83b3585f

SHA512
ff2ee8c780c3d9615c43450f319c5dc8c198988321215965665fb59eebebf245149cff15c537558a66884aa8d4f046dc6cdf990ad8e7bdf13154aae2c04e90f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\USERDA~1\Default\CODECA~1\js\756EA1~1

Filesize
229B

MD5
18bf3e0604ade1804087e53a2470cc11

SHA1
272a2709cc8df5e243586aa34d16832f16824155

SHA256
22dd0f650c64f309418d5effb16a11aaa5efd19ac11b93f40a1d6461b2ae2171

SHA512
eac1055a3c873549dcb5b7dcb94ea982e0fb93206b1ee1b9c4208e013db973c67a873c8c1779f744d26ac2019560300c2479a60b52e198c8ed70a4a71f75f24a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\USERDA~1\Default\CODECA~1\js\81368C~1

Filesize
280B

MD5
3ef377080325726b39a828cb089b1a24

SHA1
2c0f6417a4a7f00a90db0a690239ccbf4cc5e78e

SHA256
15db8254f5185dee99b8e7d0e809ad73eedde773d415f30e10f63eb22a22be14

SHA512
fef9056055683b9baea7372e79f9c4bc53b2133182176547328f6a864f03aec10242fc5e1c86914ff226bf175e19bd26dd42d9379632a5dae72120589b36438a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\USERDA~1\Default\CODECA~1\js\8AC7AE~1

Filesize
229B

MD5
de9d9d80b8117320d613ff293948e204

SHA1
fdb2496b54c1c325a9be5f1f286984b0ec87a4c1

SHA256
ba7d403f7eec05d89361f4482450f0f5d3d9892ec10266dd95877e466223a05f

SHA512
a2593ee920c6f9efe7a4c945f2cf5339221154d7d47e3b5bc3afc8548c97f3dda0a2f10be161f00fec6a74237bef90ef9265ca405587861516e46b5e1bcac511

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\USERDA~1\Default\CODECA~1\js\90613C~1

Filesize
229B

MD5
29db26d2557d20784a31b8bb15d68b84

SHA1
8247214a5d42d466f92c506c9cbbfa0dcb35c0d2

SHA256
1cb7b5272d5471deaf82bc8a7544f464c6d3f0a373f04146d665ff690d12b0db

SHA512
d8c90b3bc7d3de39d93a85302c6007f7c416d615a612b7fea7dee1d08b0a5bf5290224600e5ee200df01bdf21cad286d2a89d32ee2a06bbc013aa3a7713896fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\USERDA~1\Default\Cache\CACHE_~1\data_0

Filesize
44KB

MD5
d3a4edfedcb33e8b41fe182420b4c312

SHA1
a1ce6d957bf12990f66741fe2dcf88e3e39ab5d9

SHA256
166c3e9e42acab0f43a3d59bf12ad84d4b6efc33e7288154e6e8b0a761a47924

SHA512
da79c3503d1d23fb7d24c552dadccae642e30c57901e0f9ce68d0f68b7cadd359675f74691230f1c4ae73695eed6c2824c5d353cad9f4b1a682e7ca033b0bb60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\USERDA~1\Default\Cache\CACHE_~1\data_1

Filesize
264KB

MD5
8b23369c832a4275b5e47e65769c5268

SHA1
37e85e536422f52bd6b8f96265adb93b2aecb53c

SHA256
1f738894c42fcd0a87e5d8b224f9dc21a796f2430b71f1132b8277d68a9f029b

SHA512
6e91dec5689ead746cdea2ef40ed9f0c9a9fcba045c1bd0c24a5adaa8cd4e0bc46a018e8b29f60a165288a1309258aeb2d061066aa2edaeeb661c20acd88975c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\USERDA~1\Default\Cache\CACHE_~1\data_2

Filesize
1.0MB

MD5
605dd853f7cf07b5b4710db169ba465c

SHA1
202dff7ad21f77e95781341de3f80fc95e3d6c8c

SHA256
c3fe6df90cb8c98c016a8d7df000828e8983ab64f0f261d55ba7fdc82d634a86

SHA512
91c88ddd0216fc60089f5673523d56cd47bf8773a339dd9234433804ae13dce1b4234fead9c524cbf4e0baef23ace96a519ab00fea4cf517133a2c26b1c70027

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\USERDA~1\Default\Cache\CACHE_~1\data_3

Filesize
4.0MB

MD5
9b86ea2dfd8d63e4d336d57d1a4d8790

SHA1
feb1fb6652dc82aee7c108b9e088cae1758df642

SHA256
3d5fc14603674b0511a2f049076ebe406d1cc241144822d451b8f969179e389a

SHA512
c636066dd084040b0382e2fe229a57ffc7dafe19c351809aa85a3e65798f1bab95095b7d210b2a17f37025c32ec5bfa4ac22b7ec0f68e9f1111ee5d1a076f5a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\USERDA~1\Default\Cache\CACHE_~1\f_000005

Filesize
35KB

MD5
399ec70f60cdf02c765d14e8f2897c67

SHA1
c4e95749a21e9aa4c6d6327a970aff951e336700

SHA256
eca08e1cf5b3b95ea8caac00c3b368a18097f20aca37ed55cca76b43f5c3d8cd

SHA512
563a208e027bf47d0a0087abb082ffd05ddcc55c222452581e16c1154df8f74f28c4ba1e00ee579e2256b493d8b8dd4f2ff49ef06b17c27c805e8ba27d28b097

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\USERDA~1\Default\Cache\CACHE_~1\f_000006

Filesize
59KB

MD5
1d5f57b36984d3bc13513937212f7c85

SHA1
6962d480bc6216080b90505c9f25c8a3ed4c8df0

SHA256
7c5544c2101aa4a9ab3bd0ed98d6d1126457f802c8073333d2e7fb7be273dc30

SHA512
dcb01342a2eb9ff3ed03a23b7e0914ccb626e1136c2a24dc4e8144cd785c90acdbffc877408a922519055f0a375b4a31172e3120744de656d55dcd83b84a4f4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\USERDA~1\Default\Cache\CACHE_~1\f_000007

Filesize
41KB

MD5
cfd2fdfedddc08d2932df2d665e36745

SHA1
b3ddd2ea3ff672a4f0babe49ed656b33800e79d0

SHA256
576cff014b4dea0ff3a0c7a4044503b758bceb6a30c2678a1177446f456a4536

SHA512
394c2f25b002b77fd5c12a4872fd669a0ef10c663b2803eb66e2cdaee48ca386e1f76fe552200535c30b05b7f21091a472a50271cd9620131dfb2317276dbe6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\USERDA~1\Default\Cache\CACHE_~1\f_00000a

Filesize
34KB

MD5
d951a14a15e1512a683da903f04ff262

SHA1
46200805f2b889b7315a244485842d5de3b87866

SHA256
b7882411081627afcca0b56f2cfd2fcb5c6f319b00dfaf99ed0670a7d1875aa8

SHA512
d03c76b219ae85fbb78c872714d55da4af1d7a9706b6b76890e9f569ff16f9eca24f39c06b905229ccc7a7e7ca9450054ce2e677af162783807da9d8df04eefe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\USERDA~1\Default\Cache\CACHE_~1\f_00000b

Filesize
39KB

MD5
ac889308a6d4e0f347105baad55818f6

SHA1
15d757af700d45f689cb02fbf49d918c9fec330c

SHA256
e5e588f8b53bbc2da9170ce670ba77b5d02e66b04be00ba8002fcbed0c927708

SHA512
b2341fd7c11017d81d117c7577771eae7e3770ec03bf3a13219af0a79f6b6fbc1759e4500f93f3c2bbf006ecb9ed52fbbaf8ef77de5f482c1c0d2d4e2243e384

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\USERDA~1\Default\Cache\CACHE_~1\f_00000c

Filesize
39KB

MD5
994b80a27db473c22af2912a11cde6f5

SHA1
5c41f8de06b03d237ac9265d2d075327b931d1d9

SHA256
81b48b749f501a8aeab03113f8e8d564b4c9cc080a7b444011228b6de05ac163

SHA512
e009c798bb813322cf1faeab903a97e2e19df36abf62124e94ea5baf89edadb66c89a6faba1397199e2ce9ecfc6cf6c2818c140696ac010cf3a4c078dc7fa081

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\USERDA~1\Default\Cache\CACHE_~1\f_00000d

Filesize
45KB

MD5
5a1487118007d0da0818585283ed2d93

SHA1
086d609fc4246fcee5409c9e9fad336079d5619d

SHA256
7fb72ac45d8aedf898ecec401f147eeb4f0ebca9722b5e865fc7941d2f58761a

SHA512
8fc64c5e8381660c9441e0234adcb0502ee572812ab69ffa727f3ae89b61a435389d2e162510ed341358901c991445c8d0da5fe6def754e3a1a2c16b47ac8cf5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\USERDA~1\Default\Cache\CACHE_~1\f_00000e

Filesize
50KB

MD5
8c9680e4968618c29f30de5fb361831f

SHA1
6726582afc676ffce7111dd14ac7e4e6d19d5984

SHA256
24172fd83c9fcbe8a2573008ff8d6a31e7b9a80d403c73f12bd249246ea4d8bc

SHA512
6779a64d5fcb666f21a5ef74047bf11cd0b6973ea3400e3bb755d96768600c5f6e492a682648aa960b433c232fb5f25d6bc137bc400e008249a92e4ab80b14e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\USERDA~1\Default\Cache\CACHE_~1\f_00000f

Filesize
25KB

MD5
9ed5fecc2a82bcee11d5d73da4eb179c

SHA1
ca37b4d59573d33e7df2b0ec51dec9e15a18a99a

SHA256
8471d42248a9c5574b90b20ff84f59d6b17fadf061a81bf399a5d2002bc736d1

SHA512
d201306d3700ff0c050ea242b71280378748fc2da6d8d20abe7837c09925c639a92fe7f6feb7a963ec4b2e57e8f2414d839e356583dc0c93b0bbfbd80608adaf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\843e2ed9-5d2b-41ba-8c51-fbfde0b37aff.tmp

Filesize
293KB

MD5
2adeacfa7370ccf5895381000807c6f0

SHA1
9f0dbca4f4e643d3e5312c2aa68747f5f5a68269

SHA256
1bd03e5c70b21ea53b3528ab448578b704b0a219eecdf184bc13975103097581

SHA512
6138b9e88210c28691c3de4d72e2dca9081871806feb1a0e81b21fef9086a409986827dad0c7fc1f15d65fb033fc0688024e1b474c64648372ce821e43ee5e8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000009

Filesize
24KB

MD5
c594a826934b9505d591d0f7a7df80b7

SHA1
c04b8637e686f71f3fc46a29a86346ba9b04ae18

SHA256
e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610

SHA512
04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\ae8eede0eb6bf6b6_0

Filesize
339KB

MD5
88338927fad776e146902b87f6e18cc0

SHA1
c8959cac8b3817b0551a7ce61def291ae645c0b8

SHA256
fc0e55ff8771bfa0dbaad3e6240f686f44d26481b22713a6796063397a95b9ce

SHA512
d8fcc1131f6bb79801c7e6d1bc18ba8c46534c2cc73a43a5e3c4536ec918318ec2349f690011578d066028c8e8496f221800d17edc6e558c5f8552784ecefb09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\ec5ea768045d5c65_0

Filesize
289B

MD5
7811c6e9ff3e158cc1ed27945166f820

SHA1
d30a50ab0ff4b5b2b5b259e00de206af26248a7b

SHA256
476029be08fbe91f163a560301cb6d895f551350b2fd8297004f218dc1fade55

SHA512
b8a1911cbbd204cfc52f88c0a2b6c4061aa50bb50428dcd078a579b3650181c9cbbff7f4b40a2c5dad956c14bab3800fab5c57a7d8029178361df571c984301c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
648B

MD5
bcee12987cf907aa1d651b4abb9c279d

SHA1
35ee6267a6567d9b7fc46bca97426a5ecae2760c

SHA256
a5bd230bcbbb9e164f306019cea87670a3f20bc384e69793552b6b393e89f1c5

SHA512
34f8dea0cace8e7293be55f4dfbe7681732f9ac96c65fabdab0dde0ae8664146cfc758b3b45b83b12881d669ea834d2e45209ff8389196aea4a13a387e51a677

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
cf8d2883740923718ed045b475427992

SHA1
dbfc7807a95a49a9e11b37ff04aee48e7869c21c

SHA256
35d33cccce8304ec59090a052d5d1be45ad5b011be686bfb57328aa76713fee0

SHA512
b0756b77fa8c671cd44c8209dd6593b5c18e681dcc4ea52d65afb06423a7d00749a1812ae7924c11053c0fbc339f0b6c78412e9b37eadc5b584d56ad162ee671

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
b4f9c5b85e18652857e068fe239b86b3

SHA1
227ac64f2087be275bf6f220fad295a4634a7cea

SHA256
5b5550970fd839e09a932ae7f13d19deb58cf9afe5fd8844ae408252507e5b41

SHA512
fbfac3a04252c5db805ca097a1b90c1187f0a9c1e58d6c5154b985a9e3bb7a12eea65e73dd2101c39879429f9d37a2709dbc61d8d41c5b4268432c9e528f44f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
8c6d41005d99ed3ad7abd97652fcebfa

SHA1
007ecfe83a112e9ed2888813391590c275179411

SHA256
a5e9706dcc9b8fcdedc1142507f15051e5c7b148dd98ee8cc0d64b0abd8530c7

SHA512
144b551b128f759e9ce98e8779d08b84737cd8387cbb436643abb192fba3549b9690b0ef91ba090fd72c722dd508fb8d80e126667157c53524f857c3177a8927

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
27dd482dc461428b4a1e114ef6697eab

SHA1
5e819fb6e80aedb94f74959db4266eb9feeb4417

SHA256
baa3652a5174829021cc5c4b239e7597a215b4c42e0d394b780713245f67475c

SHA512
b39c2916a553fc35131df730d245543d4651b4aa3d044b6933a78cdcaeed137fe211fa97d28a9c4164a83f6173d1e05eb90588855db8d615aaca11fb4694c05e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a96aacce8abcf6357cdb18e58d2bea07

SHA1
b9cc7dc9c2dc66cfe92fb34d465428e9f74b98bf

SHA256
66946442e0fe0896443dfbedc97d17b4d8a36016238af68e87cf43369a93d368

SHA512
66241e6d7ef8b91f51228b3def9e84bb7e0ba17872a978dd561dd7bb69a02807ee0903450f0dfc20e1c646800083285f549b1e3243265d0a724d43b2c898bc6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
2da3024d0eaf70a108626fe4347d7287

SHA1
594f0ccf75d9b4392159612bb9e4d0b519bb13c7

SHA256
05f065b87725801ae508fdc343dd8049ba78f05f6612aba2edc07c24d36c320a

SHA512
1d38d80fb3b6e80c3b7904be201a90501ace324cfcfb84e3e04f85ac08cddbe7a8cb4f81da04c0299aaed845860b8edaf14c459cfd63ed702029544db0d58915

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e132df8a83ce2b6f355055512724c20f

SHA1
90a5126becb717be707cdbaf90d2930fd2bcf34e

SHA256
0c2b15b34c3ebff78522212ef05e54f4d9bb420b9910fad87eb2b0a200f685b2

SHA512
180d6a9e5ca54e354187777023fbbfee4b86459c7dc973140b29f67687938246a1fa18609a3586be5dbf327f94d311d5303fc39be155a2be1dbb9c60c84ca042

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
0df078dd693f07092c213c4fa8317c0a

SHA1
bc9cd7fecdbd6ed433a2c66f523247cb06539b7a

SHA256
4130a8a9e926e2d4e15a2c8cbde604b1c552ce0de9df57984b11592856649520

SHA512
54e9d3716386642daa90c1a178cc398deb2539c6c09a6a6e5ec526f23029e8702fb0a4db86d6130b7cdcbb00c1d5def51c08a19cbb1c3ffa34a69a6ac3c1fa37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
5833a63ede18b5e7780c93c52e0f44e0

SHA1
f663166a67c722aa766510a5f50a1a55371cae4d

SHA256
7efddd0a3014bd648c8123cd29e0b564913cb2932664bde87cb6da0fb893b7b2

SHA512
ef43403a776b6acb3b6078a4483f1a75cce46616680881269c4bb1da95fab41f301d4914c9f2db548eec4aab76f955401c1247f168048a6c289c403faf3fcd41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7e47081156afac2d2d482246e16da932

SHA1
47d50dc47640c7a3386e4152530c890bfcd20634

SHA256
9d22b124ae2cba092b3698cd8f02d528c5793b281c21b1d0a828e795206061d8

SHA512
9a3905f30bec83b37bcb13191ff5bc6e7c9051415e4ac42581bec0371ab7db5760a842a61d493003d26896799fd77a5f0ac40735ee2d79d449b48c5f13838b3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
293KB

MD5
52c19038ceeeec2143c6ea829857f27f

SHA1
7d13b61d7ef8db18d0f0b3874e09eeeee44e8f5c

SHA256
0cf4dd50991fa58c9f741a2b4c10e72a134b120b880a5ae8b08eb0214a7d4cf7

SHA512
f212937843a8cadeb2635c88dcd11684ffb3789f66b6a4d59b34d3f5c57972b9e2bcd07bc1637cc725e975992d6d39371800cdf3173223e8be8ac2f82e530c18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
75KB

MD5
dcfe56a14c5f0261716c65aaf464c8e3

SHA1
4a6e5c8d8dcae77752efa9bdff2e3c15828bff31

SHA256
113cf370b08dbc42aa1a2d58dd49b6c6a04222e607eae021ac7c36c469bc730e

SHA512
c765d057eb184cc715bd32c97b1e66abd0b734ef68e88f05fd956e9fd75b6c0f3d4b3c0bae23dfdcbf49892301a69f1851206c05137c805da58005d2cfa90585

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar883A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OIOVWTW32QGJ5G3M5ZPZ.temp

Filesize
7KB

MD5
3f15aa936f3897f089015f35b38adce6

SHA1
bdf8d53317604d8124d3667ece67fd2c7b8f3baf

SHA256
0f07ae4400f5e00ec7b3519a58b4f532cc82b61df1a770ee8eaf9b92cfb0b1c9

SHA512
187e9a06ac41ccd6b0b147da86201c57e3718cb4703475f8c7509e36e7e917d18831dd5e723152b2f57acdd267aecc3cf68abd4022978405ad697fbfaeb33429

Download Submit
C:\Users\Admin\Desktop\crash.bat

Filesize
12B

MD5
63f7f3de4f2696f40d7d11ceef3466a0

SHA1
95b9f45d0196a99e63dd3a8277e9252a3d5a4603

SHA256
868267cbdf2b92d40f371c546439eae7d808bb95ca3b353f7864e03cf17d0a32

SHA512
71b530f508570de28a19dcbb1f7684a88fd66d62f0555c96f8b347148116e1a505b67b5f7a61824b89a97155f4bf057552a7740ae605f7649ab6bfe2cb052284

Download Submit
memory/940-511-0x00000000011F0000-0x0000000001206000-memory.dmp

Filesize
88KB

Download
memory/1236-0-0x000007FEF56B3000-0x000007FEF56B4000-memory.dmp

Filesize
4KB

Download
memory/1236-32-0x000000001AE70000-0x000000001AEF0000-memory.dmp

Filesize
512KB

Download
memory/1236-1-0x0000000000E50000-0x0000000000E66000-memory.dmp

Filesize
88KB

Download
memory/1236-437-0x0000000000650000-0x000000000065A000-memory.dmp

Filesize
40KB

Download
memory/1236-30-0x000000001AE70000-0x000000001AEF0000-memory.dmp

Filesize
512KB

Download
memory/1236-31-0x000007FEF56B3000-0x000007FEF56B4000-memory.dmp

Filesize
4KB

Download
memory/1572-626-0x0000000000F60000-0x0000000000F76000-memory.dmp

Filesize
88KB

Download
memory/1788-631-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/1872-8-0x0000000001E90000-0x0000000001E98000-memory.dmp

Filesize
32KB

Download
memory/1872-7-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/1872-6-0x0000000002910000-0x0000000002990000-memory.dmp

Filesize
512KB

Download
memory/2684-206-0x0000000001350000-0x0000000001366000-memory.dmp

Filesize
88KB

Download
memory/2796-629-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/2812-15-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download
memory/2812-14-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/3048-400-0x0000000000300000-0x0000000000316000-memory.dmp

Filesize
88KB

Download
memory/3068-147-0x0000000001250000-0x0000000001266000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads