d82d49e9ad153ef84670c1d0bde5f36b540d32fa037cca6127ce9e4e366b7403

max time kernel
708s
max time network
602s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11-07-2024 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AutoIt-Extractor-net40-x64.exe
Size

1.2MB
MD5

205792ce0da5273baffa6aa5b87d3a88
SHA1

50439afe5c2bd328f68206d06d6c31190b3946c6
SHA256

d82d49e9ad153ef84670c1d0bde5f36b540d32fa037cca6127ce9e4e366b7403
SHA512

186f2fac650ee02683c689b0c04867a30330a5475475b106a2aaaedc5e2fa3c9325cf07a2c5321044f5aed1502d729d1d9537ac57bf7733cc228c44ceaba7821
SSDEEP

24576:pcdWeAKpCklFpaQ3vGvW68WxOFxT6YP7KPU48YNL8SsbJDeAKpCZG:QFAcdFpa068WxOFxT6YP7KPU48YNVsbu

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
516	archive_CnMhglzZtP.tmp
1904	miditower.exe

Loads dropped DLL 3 IoCs

pid	Process
516	archive_CnMhglzZtP.tmp
516	archive_CnMhglzZtP.tmp
516	archive_CnMhglzZtP.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 11 IoCs

pid	pid_target	Process	procid_target
2624	1904	WerFault.exe	123
3876	1904	WerFault.exe	123
2332	1904	WerFault.exe	123
2144	1904	WerFault.exe	123
4668	1904	WerFault.exe	123
3676	1904	WerFault.exe	123
3368	1904	WerFault.exe	123
1660	1904	WerFault.exe	123
3416	1904	WerFault.exe	123
4876	1904	WerFault.exe	123
4736	1904	WerFault.exe	123

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133652034399132513"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3376	chrome.exe
3376	chrome.exe
516	archive_CnMhglzZtP.tmp
516	archive_CnMhglzZtP.tmp
1904	miditower.exe
1904	miditower.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe
Token: SeShutdownPrivilege	3376	chrome.exe
Token: SeCreatePagefilePrivilege	3376	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
516	archive_CnMhglzZtP.tmp

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe
3376	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3376 wrote to memory of 3068	3376	chrome.exe	98
PID 3376 wrote to memory of 3068	3376	chrome.exe	98
PID 3376 wrote to memory of 3060	3376	chrome.exe	99
PID 3376 wrote to memory of 3060	3376	chrome.exe	99
PID 3376 wrote to memory of 3060	3376	chrome.exe	99
PID 3376 wrote to memory of 3060	3376	chrome.exe	99
PID 3376 wrote to memory of 3060	3376	chrome.exe	99
PID 3376 wrote to memory of 3060	3376	chrome.exe	99
PID 3376 wrote to memory of 3060	3376	chrome.exe	99
PID 3376 wrote to memory of 3060	3376	chrome.exe	99
PID 3376 wrote to memory of 3060	3376	chrome.exe	99
PID 3376 wrote to memory of 3060	3376	chrome.exe	99
PID 3376 wrote to memory of 3060	3376	chrome.exe	99
PID 3376 wrote to memory of 3060	3376	chrome.exe	99
PID 3376 wrote to memory of 3060	3376	chrome.exe	99
PID 3376 wrote to memory of 3060	3376	chrome.exe	99
PID 3376 wrote to memory of 3060	3376	chrome.exe	99
PID 3376 wrote to memory of 3060	3376	chrome.exe	99
PID 3376 wrote to memory of 3060	3376	chrome.exe	99
PID 3376 wrote to memory of 3060	3376	chrome.exe	99
PID 3376 wrote to memory of 3060	3376	chrome.exe	99
PID 3376 wrote to memory of 3060	3376	chrome.exe	99
PID 3376 wrote to memory of 3060	3376	chrome.exe	99
PID 3376 wrote to memory of 3060	3376	chrome.exe	99
PID 3376 wrote to memory of 3060	3376	chrome.exe	99
PID 3376 wrote to memory of 3060	3376	chrome.exe	99
PID 3376 wrote to memory of 3060	3376	chrome.exe	99
PID 3376 wrote to memory of 3060	3376	chrome.exe	99
PID 3376 wrote to memory of 3060	3376	chrome.exe	99
PID 3376 wrote to memory of 3060	3376	chrome.exe	99
PID 3376 wrote to memory of 3060	3376	chrome.exe	99
PID 3376 wrote to memory of 3060	3376	chrome.exe	99
PID 3376 wrote to memory of 3336	3376	chrome.exe	100
PID 3376 wrote to memory of 3336	3376	chrome.exe	100
PID 3376 wrote to memory of 2076	3376	chrome.exe	101
PID 3376 wrote to memory of 2076	3376	chrome.exe	101
PID 3376 wrote to memory of 2076	3376	chrome.exe	101
PID 3376 wrote to memory of 2076	3376	chrome.exe	101
PID 3376 wrote to memory of 2076	3376	chrome.exe	101
PID 3376 wrote to memory of 2076	3376	chrome.exe	101
PID 3376 wrote to memory of 2076	3376	chrome.exe	101
PID 3376 wrote to memory of 2076	3376	chrome.exe	101
PID 3376 wrote to memory of 2076	3376	chrome.exe	101
PID 3376 wrote to memory of 2076	3376	chrome.exe	101
PID 3376 wrote to memory of 2076	3376	chrome.exe	101
PID 3376 wrote to memory of 2076	3376	chrome.exe	101
PID 3376 wrote to memory of 2076	3376	chrome.exe	101
PID 3376 wrote to memory of 2076	3376	chrome.exe	101
PID 3376 wrote to memory of 2076	3376	chrome.exe	101
PID 3376 wrote to memory of 2076	3376	chrome.exe	101
PID 3376 wrote to memory of 2076	3376	chrome.exe	101
PID 3376 wrote to memory of 2076	3376	chrome.exe	101
PID 3376 wrote to memory of 2076	3376	chrome.exe	101
PID 3376 wrote to memory of 2076	3376	chrome.exe	101
PID 3376 wrote to memory of 2076	3376	chrome.exe	101
PID 3376 wrote to memory of 2076	3376	chrome.exe	101
PID 3376 wrote to memory of 2076	3376	chrome.exe	101
PID 3376 wrote to memory of 2076	3376	chrome.exe	101
PID 3376 wrote to memory of 2076	3376	chrome.exe	101
PID 3376 wrote to memory of 2076	3376	chrome.exe	101
PID 3376 wrote to memory of 2076	3376	chrome.exe	101
PID 3376 wrote to memory of 2076	3376	chrome.exe	101
PID 3376 wrote to memory of 2076	3376	chrome.exe	101
PID 3376 wrote to memory of 2076	3376	chrome.exe	101

C:\Users\Admin\AppData\Local\Temp\AutoIt-Extractor-net40-x64.exe
"C:\Users\Admin\AppData\Local\Temp\AutoIt-Extractor-net40-x64.exe"
1⤵
PID:2912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff9f2d1cc40,0x7ff9f2d1cc4c,0x7ff9f2d1cc58
  2⤵
  PID:3068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1912,i,7484094010437517583,17073403511561997690,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=1904 /prefetch:2
  2⤵
  PID:3060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2184,i,7484094010437517583,17073403511561997690,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  PID:3336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2224,i,7484094010437517583,17073403511561997690,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2432 /prefetch:8
  2⤵
  PID:2076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3192,i,7484094010437517583,17073403511561997690,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:4700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3344,i,7484094010437517583,17073403511561997690,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:2176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4076,i,7484094010437517583,17073403511561997690,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:4892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4836,i,7484094010437517583,17073403511561997690,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4844 /prefetch:8
  2⤵
  PID:1600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5068,i,7484094010437517583,17073403511561997690,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5076 /prefetch:8
  2⤵
  PID:3296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5344,i,7484094010437517583,17073403511561997690,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:4328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4628,i,7484094010437517583,17073403511561997690,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5320 /prefetch:1
  2⤵
  PID:5032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5332,i,7484094010437517583,17073403511561997690,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3508 /prefetch:1
  2⤵
  PID:1660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3180,i,7484094010437517583,17073403511561997690,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3764 /prefetch:8
  2⤵
  PID:2804

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:2200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4440

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3168

C:\Users\Admin\Desktop\test\archive_CnMhglzZtP.exe
"C:\Users\Admin\Desktop\test\archive_CnMhglzZtP.exe"
1⤵
PID:3052
- C:\Users\Admin\AppData\Local\Temp\is-UGRGG.tmp\archive_CnMhglzZtP.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-UGRGG.tmp\archive_CnMhglzZtP.tmp" /SL5="$D01DA,6367722,56832,C:\Users\Admin\Desktop\test\archive_CnMhglzZtP.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:516
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Delete /F /TN "midi_tower_7111"
    3⤵
    PID:3672
- - C:\Users\Admin\AppData\Local\Miditower\miditower.exe
    "C:\Users\Admin\AppData\Local\Miditower\miditower.exe" 4a3e9848af684f6f395529af5e8fd0a7
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1904
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 880
      4⤵
      Program crash
      PID:2624
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 888
      4⤵
      Program crash
      PID:3876
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 956
      4⤵
      Program crash
      PID:2332
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 1080
      4⤵
      Program crash
      PID:2144
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 1100
      4⤵
      Program crash
      PID:4668
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 1100
      4⤵
      Program crash
      PID:3676
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 1088
      4⤵
      Program crash
      PID:3368
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 1080
      4⤵
      Program crash
      PID:1660
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 1148
      4⤵
      Program crash
      PID:3416
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 996
      4⤵
      Program crash
      PID:4876
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 944
      4⤵
      Program crash
      PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1904 -ip 1904
1⤵
PID:1228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1904 -ip 1904
1⤵
PID:2420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1904 -ip 1904
1⤵
PID:4040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1904 -ip 1904
1⤵
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1904 -ip 1904
1⤵
PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1904 -ip 1904
1⤵
PID:3012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1904 -ip 1904
1⤵
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1904 -ip 1904
1⤵
PID:368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1904 -ip 1904
1⤵
PID:4268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1904 -ip 1904
1⤵
PID:2944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1904 -ip 1904
1⤵
PID:5000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
8cd3ce65744c755aa57a29e8081aace7

SHA1
d1912f4fb958f8f3a5f1168368506babc8c7d618

SHA256
7c63fed7710a3d30884a0a298ad1a97f61fb7ee1c6b5123c1188c89b7e853d76

SHA512
b9a30dec1f19f61acdbd5b244ef75729c607e50d41d7c57d8cb0464fe24769244f88e086f281ba390d538fdd5c21b431ef485eae32bfcd5e2652bd022dcc2dc8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
07fde6a2efb34e1bae6f63b29a4ab3d6

SHA1
04008b750c39bb3fc6102a468f23245ffa8311bc

SHA256
3190eb154a14bd5cd5e090228480dea127da528fba22ad8bdf99ed794e77e8fc

SHA512
b094d450cd9e9f69bb0397aa5d2d3966b331e2473c749d371ddf6e274e52702914974c354edc8c15f6ca68fafdf1f7630f2b1d143b55ac46b6d7ba4361700311

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
c215336c1db391a336e48a92967b6052

SHA1
ea3f12149d418bfcf2fa65cdf8a9b121448037b5

SHA256
7b8dedaea194fc793bfa1fd1869fb53f71be2c5a1304d46c9983cd4bcb6bbb48

SHA512
69b14f6b77c3997e4a099b7893515c11f47d732c8c8f08fbd2612bae3d630c54c80953ed05640e934d9a7871342132cadbdfcabb6d987a5830fd9e626f7e9d45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
d57582e50f0273d3cace10acdbeb97e5

SHA1
2603aecff0ede47dcb257a220b9a7c9b8451c52b

SHA256
7c7ca6041d8cafa402b8adf2ee1ff6c1ad412f71b7218c4b854047cc6867ba35

SHA512
4cfccfaf68d858e42f67ee728c94469763b08379e8945699760c6e4b3595aec1d5608f6fea9fd51fbdffe3c5aafd7564c8edb212af91d93041a3b1d02714aa16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
e2c45eb5dafd6b580f13f45f0f71083c

SHA1
bc29523f7d7785dd653ff63db0c8826e6a4fef8a

SHA256
d01a2bb3574ef175fb91528a67e1251ae3f580653402e020a8461281c0742245

SHA512
3734078c8ade454edf0288b4b747929b65665b33c338001a27394e816296220df2e622c285d56dde6f7765a24c24309281d8b64da6ce2d82af835546ad609d23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
59dc37fc63421aa6ca3ee934d987e44d

SHA1
3218a0be87932fc2e07289430ce2d3004a7101e8

SHA256
e39db1da1e1401941cba807b7c70544d7f1fcd710f7c404f0230e6354e534b69

SHA512
27e638d04ce0b18e538f923e363caed20168af02cc193e2ca3cc287a8fa81cda6941e19aa1e1386e07f78e08e60257846559a83f09ef63112a99ff5ba254ab2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
4e3e49f740f3cf6bf6588618e434b74f

SHA1
20ff2165d8c8d80c989e75c1ea8e499996a31b03

SHA256
8418098f37a2f59809a49c9a96c2d64ae0187bc7b3d58175a01fcf060c10bf2b

SHA512
fc5ab2461b5dfc485fd214b0a1592914c4f0e9ebee28d762d20bb369e3ef0bd9a6076850695f29a8a6cc0f8c971ccab640349df5816590134c4e75e675a79f01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
59b8e3a9e57f96547f913c536424040f

SHA1
18c0d040d082c3252ae41e7ec6ae030345c7f388

SHA256
6937333a0d466f7769256031ca338f047477f0b24227f0f94413b76105bb416e

SHA512
26fffd443c50eb8a55b8b72decfdcf5d5cded4ee78d2706c7fd8749efd1d1a462e71b3c962d8ccb723e0f65295d1f055b65059a8262f916c122b1751001f29cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
1927dd940c88fd0f4336af759126d50d

SHA1
f83725a4e30ccabda0ddde2c403266ab594f8b96

SHA256
533d0f38fea7db141b2c434440d792d058d93b26a24eb779503cd2c102fbb56d

SHA512
ca6d27ac812bde88f335c0c138d709fd8ee8b36a598990633a452858b050b8fd705becb8408dc13fd5dd5c48b459c6a6b59ea72e98eee000e6139570847cd2c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
182KB

MD5
81a9282493a2d17cf17bf930991f77b5

SHA1
0340da10c90fc339a4234e1cff1a707ed27c3878

SHA256
4b2429bc286c4b12bb9329de098ae010a7d10aed2d2068b504065c0a56a83b25

SHA512
0ff37e9aa990bdf33aaa831bd2c54845c8a80a4867849c977c9a96fb5c0b9f746b69fa89924cab319af20ebf5f2767de83120677e9ceeee4befb594ef8fd6a4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
182KB

MD5
7a04121c708f72ccc8a3cdff251999ed

SHA1
b0281363d650e48ad30d4e0b036d4753b3ca86b0

SHA256
b47b045f9f28b06c66a30676de28624f0afda3134ce6dba3563a996ec3d56ced

SHA512
01b12597e18a5a458d3c97c899f176fb1eb5927dda36c1a5a7f1b4a48c52a307cf620dd0c01d1bd9b7e4f48ef8e0df1926f24d4be9b6fcee0f21c3c4279760fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
182KB

MD5
550ee24f92de3a09b28ab33215271010

SHA1
ccaf7ce4248cd5c89f7672beffe2beb78220c57d

SHA256
14ff9486704863dcffa076f7039b918969effc5c9cd25e21d00c9ba2a49e40b0

SHA512
e64a860754c9b16fa5e14e325e72d820d248a12208d19029bad9295410ed05034afb443bf7b6fab3db52b4b45fce77962cefa6552ae66ed625161baed3650527

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
8463e4cfd002d8020ad39a79f4b1946a

SHA1
cd08cc50c07016cbefcebeac6084fbc458707e35

SHA256
a184961bcc1300ff6c5596790fa7468a0396581a30c2f4cf076f8190e3cdc67b

SHA512
46e966ea76e00cfd24712b4c2769c54a699f6863a8b75c64670e29c8662e757805ae9de8de63688979655b06739fcd6dcedd068b8f38782eae3bca03c05b18fa

Download Submit
C:\Users\Admin\AppData\Local\Miditower\miditower.exe

Filesize
4.7MB

MD5
b8b6d3163eb35a5db56e0aa080bea67a

SHA1
c1a5d161c33268d10d85284e66f7a4e707f9d6c3

SHA256
8116a7399b1fe06d6a6625843e722a0b32c8e8bd1a8570688eff98dcda430846

SHA512
a0ea32bdad8f4aa2a50eb3ba2b94ee1c02e4e1bc9b79cceca0e31595c438a0fb19da53cf84924f4f34baa28c77b32716182e538ee7a00e7eed17cfd69be630a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-B7NRN.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-B7NRN.tmp\_isetup\_isdecmp.dll

Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UGRGG.tmp\archive_CnMhglzZtP.tmp

Filesize
694KB

MD5
79144d05ea034f28b063a82208282c8f

SHA1
f404e559fac094e7b15f4d6c9770fc514d43b191

SHA256
75326593185391989454f6f03c155b4e82de46d886ff21e671bb2d1e6eb64bc6

SHA512
29aeab5d07a210549b19e5e4f22878fe06f0fae741f88206394d659b2dd5708461916410312d1f877955c5df0ff6fc2b1255c32250d33e8b257f7874c5752f10

Download Submit
C:\Users\Admin\Downloads\archive_CnMhglzZtP.zip.crdownload

Filesize
6.3MB

MD5
6e1fd6d043fc1652fcc4f74c3e31f204

SHA1
2e5392e2a42135bc8e4566039c275caaba1cb94c

SHA256
218287963ed52fa574a692e00a7060d9147c48b852c6e51f627c91293be0dea2

SHA512
4120431912adc504d762b844059772cfc430f260c18ebd7f3240deedc4b0be04856377e336d9945cb8e111dd1fa0047975018e98ea39360123139ac19472571f

Download Submit
memory/516-325-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1904-323-0x0000000000400000-0x0000000000CB4000-memory.dmp

Filesize
8.7MB

Download
memory/1904-322-0x0000000000400000-0x0000000000CB4000-memory.dmp

Filesize
8.7MB

Download
memory/1904-326-0x0000000000400000-0x0000000000CB4000-memory.dmp

Filesize
8.7MB

Download
memory/1904-344-0x0000000000400000-0x0000000000CB4000-memory.dmp

Filesize
8.7MB

Download
memory/2912-1-0x00000000003B0000-0x00000000004EC000-memory.dmp

Filesize
1.2MB

Download
memory/2912-2-0x00007FF9E3F60000-0x00007FF9E4A21000-memory.dmp

Filesize
10.8MB

Download
memory/2912-3-0x00007FF9E3F60000-0x00007FF9E4A21000-memory.dmp

Filesize
10.8MB

Download
memory/2912-0-0x00007FF9E3F63000-0x00007FF9E3F65000-memory.dmp

Filesize
8KB

Download
memory/2912-4-0x00007FF9E3F60000-0x00007FF9E4A21000-memory.dmp

Filesize
10.8MB

Download
memory/3052-247-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3052-324-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download