e3eaff77005772603d85eb955c338eb29ed0d86f0aa5472f293a613121badb3a

Resubmissions

01/10/2024, 23:53

241001-3xnemswhrn 8

01/10/2024, 23:51

241001-3v5adawhlp 8

Analysis

max time kernel
335s
max time network
336s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
01/10/2024, 23:53

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

image_2024-10-01_165056187.png
Size

60KB
MD5

622a08136cf22380c2502478ecf36447
SHA1

671a0433a39bdf95605d946f1c6c4c2e2ed56380
SHA256

e3eaff77005772603d85eb955c338eb29ed0d86f0aa5472f293a613121badb3a
SHA512

03b48c0ce5b2951b020fd7b842f649779f7221c566c77e6c2a974e8d0b487bc1a767c67f5cccc78642e031b2a43807e87906ea62e9593220c8d66edff5cffc7c
SSDEEP

1536:T5uNItk5QFQmw42Q5mIb5/gRZ4hWbDi92FuQJQCAw8hTmALZ:cNItk5AQV42vw/gRu0XGQlz8nZ

Score

8^/10

bootkit defense_evasion discovery evasion persistence

Malware Config

Signatures

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1512	CoreR.exe
4320	runme.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
42	camo.githubusercontent.com
47	raw.githubusercontent.com
15	camo.githubusercontent.com
41	camo.githubusercontent.com
43	camo.githubusercontent.com
44	camo.githubusercontent.com
45	camo.githubusercontent.com
46	raw.githubusercontent.com
58	raw.githubusercontent.com
14	raw.githubusercontent.com
40	camo.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	runme.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\CoreR.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	runme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoreR.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133723004558932781"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "34"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings	CoreR.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4424	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\CoreR.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2212	chrome.exe
2212	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe
436	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe
Token: SeShutdownPrivilege	2212	chrome.exe
Token: SeCreatePagefilePrivilege	2212	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe
2212	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1512	CoreR.exe
8776	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 4484	2212	chrome.exe	83
PID 2212 wrote to memory of 4484	2212	chrome.exe	83
PID 2212 wrote to memory of 4056	2212	chrome.exe	84
PID 2212 wrote to memory of 4056	2212	chrome.exe	84
PID 2212 wrote to memory of 4056	2212	chrome.exe	84
PID 2212 wrote to memory of 4056	2212	chrome.exe	84
PID 2212 wrote to memory of 4056	2212	chrome.exe	84
PID 2212 wrote to memory of 4056	2212	chrome.exe	84
PID 2212 wrote to memory of 4056	2212	chrome.exe	84
PID 2212 wrote to memory of 4056	2212	chrome.exe	84
PID 2212 wrote to memory of 4056	2212	chrome.exe	84
PID 2212 wrote to memory of 4056	2212	chrome.exe	84
PID 2212 wrote to memory of 4056	2212	chrome.exe	84
PID 2212 wrote to memory of 4056	2212	chrome.exe	84
PID 2212 wrote to memory of 4056	2212	chrome.exe	84
PID 2212 wrote to memory of 4056	2212	chrome.exe	84
PID 2212 wrote to memory of 4056	2212	chrome.exe	84
PID 2212 wrote to memory of 4056	2212	chrome.exe	84
PID 2212 wrote to memory of 4056	2212	chrome.exe	84
PID 2212 wrote to memory of 4056	2212	chrome.exe	84
PID 2212 wrote to memory of 4056	2212	chrome.exe	84
PID 2212 wrote to memory of 4056	2212	chrome.exe	84
PID 2212 wrote to memory of 4056	2212	chrome.exe	84
PID 2212 wrote to memory of 4056	2212	chrome.exe	84
PID 2212 wrote to memory of 4056	2212	chrome.exe	84
PID 2212 wrote to memory of 4056	2212	chrome.exe	84
PID 2212 wrote to memory of 4056	2212	chrome.exe	84
PID 2212 wrote to memory of 4056	2212	chrome.exe	84
PID 2212 wrote to memory of 4056	2212	chrome.exe	84
PID 2212 wrote to memory of 4056	2212	chrome.exe	84
PID 2212 wrote to memory of 4056	2212	chrome.exe	84
PID 2212 wrote to memory of 4056	2212	chrome.exe	84
PID 2212 wrote to memory of 1216	2212	chrome.exe	85
PID 2212 wrote to memory of 1216	2212	chrome.exe	85
PID 2212 wrote to memory of 2256	2212	chrome.exe	86
PID 2212 wrote to memory of 2256	2212	chrome.exe	86
PID 2212 wrote to memory of 2256	2212	chrome.exe	86
PID 2212 wrote to memory of 2256	2212	chrome.exe	86
PID 2212 wrote to memory of 2256	2212	chrome.exe	86
PID 2212 wrote to memory of 2256	2212	chrome.exe	86
PID 2212 wrote to memory of 2256	2212	chrome.exe	86
PID 2212 wrote to memory of 2256	2212	chrome.exe	86
PID 2212 wrote to memory of 2256	2212	chrome.exe	86
PID 2212 wrote to memory of 2256	2212	chrome.exe	86
PID 2212 wrote to memory of 2256	2212	chrome.exe	86
PID 2212 wrote to memory of 2256	2212	chrome.exe	86
PID 2212 wrote to memory of 2256	2212	chrome.exe	86
PID 2212 wrote to memory of 2256	2212	chrome.exe	86
PID 2212 wrote to memory of 2256	2212	chrome.exe	86
PID 2212 wrote to memory of 2256	2212	chrome.exe	86
PID 2212 wrote to memory of 2256	2212	chrome.exe	86
PID 2212 wrote to memory of 2256	2212	chrome.exe	86
PID 2212 wrote to memory of 2256	2212	chrome.exe	86
PID 2212 wrote to memory of 2256	2212	chrome.exe	86
PID 2212 wrote to memory of 2256	2212	chrome.exe	86
PID 2212 wrote to memory of 2256	2212	chrome.exe	86
PID 2212 wrote to memory of 2256	2212	chrome.exe	86
PID 2212 wrote to memory of 2256	2212	chrome.exe	86
PID 2212 wrote to memory of 2256	2212	chrome.exe	86
PID 2212 wrote to memory of 2256	2212	chrome.exe	86
PID 2212 wrote to memory of 2256	2212	chrome.exe	86
PID 2212 wrote to memory of 2256	2212	chrome.exe	86
PID 2212 wrote to memory of 2256	2212	chrome.exe	86
PID 2212 wrote to memory of 2256	2212	chrome.exe	86

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\image_2024-10-01_165056187.png
1⤵
PID:1736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffccdfecc40,0x7ffccdfecc4c,0x7ffccdfecc58
  2⤵
  PID:4484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1836,i,379800315620493789,8201567146966877986,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1832 /prefetch:2
  2⤵
  PID:4056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2132,i,379800315620493789,8201567146966877986,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2136 /prefetch:3
  2⤵
  PID:1216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2212,i,379800315620493789,8201567146966877986,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2228 /prefetch:8
  2⤵
  PID:2256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,379800315620493789,8201567146966877986,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:2096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3188,i,379800315620493789,8201567146966877986,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:4860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4436,i,379800315620493789,8201567146966877986,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4480 /prefetch:1
  2⤵
  PID:936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4648,i,379800315620493789,8201567146966877986,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4656 /prefetch:8
  2⤵
  PID:4632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4636,i,379800315620493789,8201567146966877986,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4640 /prefetch:8
  2⤵
  PID:2356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4804,i,379800315620493789,8201567146966877986,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4724 /prefetch:8
  2⤵
  PID:2608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4944,i,379800315620493789,8201567146966877986,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4904 /prefetch:8
  2⤵
  PID:2460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5040,i,379800315620493789,8201567146966877986,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4580 /prefetch:1
  2⤵
  PID:4296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3116,i,379800315620493789,8201567146966877986,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4820 /prefetch:1
  2⤵
  PID:1928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5168,i,379800315620493789,8201567146966877986,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5156 /prefetch:8
  2⤵
  PID:1776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5164,i,379800315620493789,8201567146966877986,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5336 /prefetch:8
  2⤵
  PID:576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5180,i,379800315620493789,8201567146966877986,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5484 /prefetch:8
  2⤵
  PID:3784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5188,i,379800315620493789,8201567146966877986,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5628 /prefetch:8
  2⤵
  PID:660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3352,i,379800315620493789,8201567146966877986,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3592 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:2816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4892,i,379800315620493789,8201567146966877986,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5540 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:436

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1148

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4544

C:\Users\Admin\Downloads\CoreR.exe
"C:\Users\Admin\Downloads\CoreR.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1512
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\1A86\A879.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:3344
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\1A86\A878.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\1A86\cmd.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4104
  - - C:\Windows\SysWOW64\reg.exe
      REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:4424
- - C:\1A86\runme.exe
    "C:\1A86\runme.exe"
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    PID:4320
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c shutdown -r -t 0
      4⤵
      System Location Discovery: System Language Discovery
      PID:8624
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown -r -t 0
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:8720

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004E0
1⤵
PID:1336

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3818055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:8776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\1A86\A878.vbs

Filesize
140B

MD5
8dde08a9b941891a863f52fe9b50c62b

SHA1
5de6eaa6b752ce62fb2d8992a513c35c1b2e7615

SHA256
4b260e128c7564b4098dba3c7318554b9189e8f8a24b2b69e54dcb57cf984f51

SHA512
2f75686e45e5e6c81362244c234b9146ca0580d8ad965c3b7ee339ccedb9220fca7040fd53d541af901022c2fce0bee8660c4f9e93f647af0f35acfe1d335877

Download Submit
C:\1A86\A879.vbs

Filesize
1KB

MD5
57843dbd7c999248396130c7fb8d21aa

SHA1
0bddebef6e719fe1f5f1166b59544d070e8fe3f9

SHA256
a5edfa99158b9e6aa4754ddc970a4636ef29fe8a1e1e79e5e5a5f00fb652f516

SHA512
336980c9dd43cda2c91b9291cc1df10e856cf09a67e493156744c175679e8a3249a252252c98a328e59bc5db1e7f839ac9ced333f5a97c092739f422a8b2cbf9

Download Submit
C:\1A86\cmd.bat

Filesize
109B

MD5
3fc537b642d3756646715325299c6367

SHA1
0a6b4d2012d44fe631dd8bf56da001bfd04b99bb

SHA256
708511c356493e41ca103db51b8df3fb57898ddb2bb7cf4f11560facde9425ed

SHA512
7a290cd5a44ac4ba51d5b8ab6ea7bd2f2c392a1237c8b923267d524b2ab92e532e3c27dd21d96c3e89c5b84060f0e8ee2a4d9e59e21cfc8c3e15322c5334d064

Download Submit
C:\1A86\runme.exe

Filesize
104KB

MD5
37457a9e7a82a5247622050e0c8ec104

SHA1
42c5f303a6cf82be6c40120532a2ea5dfbc31ff0

SHA256
87d71d7df9f3e28a71abb9bb8f6b037a100df45cddb9bdd562137902872ca3b6

SHA512
170645acdf79c2ed4d4088ecb8fc4d519f39fd10a061e524ee2f7c71e21abeef34d98ac47c52c295366f873b5041ea6263d7156ff38c1eca9caf579df2e62d32

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
3e4bcedc113bfd7eb4da659b16735d3f

SHA1
bb57e04eed8030b4aa896ab62591176f14914781

SHA256
10b769d1d2dc23276665c0d1f943d2d705fa77eeb34f32e8e836cab6dee12228

SHA512
57b66c5763303d8fb0a3c2c9934dec63b7961656bb51e1e04e96df587648e8216142dc53291c6d62467f286d40759e3fb945c631295b11f76f3dbaba26278596

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
3KB

MD5
8f137ee983358280841b3332dc755d82

SHA1
7894069827819ec41f82918bccd0c99f11949a92

SHA256
36d4ac23fc478aebe48d6329cb75f033f50438f63ada8b6087837a8108c1441c

SHA512
40a21fbff5b0342c25d941822a9daa098b25f49ecf63c07e0db007ae18b423d2b3e50be8e66c42c49b98b9b2be92227fd0153b3ec4422d3a72c16fec210e21d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
d923e402c9f3fa6a2151cd9810e49be9

SHA1
f93a408e21d4637737f9d448e7044f8ed0a060ce

SHA256
f974c258e4edb22d1c3c7233b0e8e24810f9763b4c374fd95b5aa47f29928e82

SHA512
e524e0fe23b8ce546861e56fd171d8627ef1f0d9a62a80e2aa0d445c0b37475a5090df38daa4604c421842709e9c8969083087ddb25ddd72bd89bb385cd68723

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
5c1918b2f3ab15f6ecbae1e167c4bd6b

SHA1
2bf54cdc27a5740851483e6b6d565e53cda8b426

SHA256
e422b889e86d7d36c420896385696c81c27b6271ba6816c00dfd7e4068847172

SHA512
d77075f65de3f2e88b7674c2f94811bf47c4513dfa134c834894a217f3450ac1333d476f09a6097db7987869806e31d350eb3f0eedb6bf3c0d435495c51337ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c920c33b6051507876b93a1e2e00969b

SHA1
c4102fbcdd0037f462833aa381c4ec011a7efb1b

SHA256
cf297484ef95ac1bd3e23e27c4b2162b8d5cfd14ab37b12c43984020c9680805

SHA512
7a8492419d95d890ef5e39580d60eaa14ea39725b4c0230e087cea30cdd86c23d154d77d10ba0159e48d455761bda92a439009b05ded38d4462c7ba694c2a13f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
22820078cd78c4b503447ea270c9e45e

SHA1
ffc017b11be9e43204d77d2f3669d326f5688b1f

SHA256
c52b170d9c9ac1ed48b0c389680545aa54e8a5ff00a37090fd8afa1c2294772f

SHA512
1bf8d234838ba9df602b9582596ab10b9999c50d65e069bac7096ad87fc81c1d9b08363590104187dee9e9aad89cf0ff7ff60fccd16c4378fade1260f330bab3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
fabbf7e06fef51d75c82530df7dc1a03

SHA1
c95aba482f8d141c38dda66d6de096a22e943a8f

SHA256
c99158789c2487ed48ce42a443718b11e6525cdc93ac962b63473ff8315e009f

SHA512
e58501c40c592d8c7afa8170387a621b9f8c636830f427268590568868998c1a7d13c34e8e96db08668fb03faf96b5ce2c2f38d9cd7a376607ec8e2b66116a8b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
51860c59473f884ac2b6a5a5fe254a40

SHA1
faf0f658b5c36cba47ee056e7fb266448d9313a9

SHA256
0fe3c5f3273f869cda39a2fca693d528208e9fc76c736627dac275c493816568

SHA512
20e865703fd4cbef710c25762499c5ee5685f3a1912d723f44a2d32198c8bd27dbb9c402b52f7ba0fddbc36e145181d05a6b05dba448f3c87df2f24b1af18e6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
08da8d868e0e7cfba2f88e22873a78f2

SHA1
1f76ebab52b3e42a519e5aeced2e21cb18fb6ca6

SHA256
87a48ab1c8c6d8af7f27e70441e74a59042816d5c79e712730c82092e592727f

SHA512
039e1bc72767d6da2c84d268138d5ef3987fa3da84fca73fd5cee25c57853598e3d76863180b4dc7fa345730da7bd7098f46b58e3f1e6bd9dbca426163efa4d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
4523d1c9ff99d1a4b9280b79fc6059eb

SHA1
cedf4edb3d694933b94af8fdf8c1e0e745eb07c3

SHA256
20aa456284822b731184daf9d39a31bbaef2cc867adedf64ce6a8760bc2138da

SHA512
f59d6fd1df404f24632a076fbb297b4b8e39e65ea72bde69c2645dd7ed6bdb61ec730042201dca400b265dd062485b1bbfafee4329a40090c9be83543e75317c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
79f7916b15cd54eaf355d8d443da15fa

SHA1
08c7662a51249711ac9c2e7c0cd90efb3ea8bbe7

SHA256
5a8f8b76b9e7da624587b532190a637924fa6a558d49c2638aab3740efccf71c

SHA512
71cecc18d134c0eafe196818a4100a2b3692fabd2bf03b07e39c2848b347f7880b7e6409eb182676fa550f10147911b651d9177f7b82eff0c950f912475b4289

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ec1842faf109d7f679f15711a1d7ed28

SHA1
bce4a12824b87b20264531c7de57ad7a3421de0c

SHA256
fbdb97e66c3d14fb7463c07e413bfd1ae96993310e66829a52a2ef215e98722b

SHA512
e0c594906b2e317df6706da3112abc9155c171836f17df283f64aca08904e07b6c21857d7df09205e6700ba09e30d12cd960d9f4052039f322405357403bcd2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8fba4647e49a0803442b8b59fb4322a4

SHA1
24005ac04fde64a51da508eebe7d41f443358cc7

SHA256
68204db17951cc264fd0cb1b2945943bcc1ed0490506ed74b512df7009aa9746

SHA512
3cb7f4dc09bc3640abb10d6875369783d7a0dbbef7cc44deccfc6fae8a07ed144026fc3a25c2708741d395f895ed23649de4ba9bf9382b158b401a896d1e0f33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b449f2b24a43e35a4b665c6bebe2419d

SHA1
817fdf35f5e7bb645e17b4ac1ea57fd30b61b60a

SHA256
b3778f158dfd0291da7f50afcd77b15cd0b2af068061883f5c527bd9792d758e

SHA512
d93f80a199ed60f930f2a78f14861b9bf46fcd5232c204c0de1f133359ba6f48a275ad14c851defb693c6e82a372388235c677cce31d38d7dbf9e195665e375e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
081c915357f050b41907d035c0764ab4

SHA1
bbcb87c0009e4c7f1449315f1a4a7ce26a3de0e6

SHA256
aa8b5cb9b91c67bb26941176d66075c1ccb494ce6fe3c396d90777542c7cbeeb

SHA512
45b701c6a118780813094cb536d17b6a366395918643d91a15ff72e8ba03f908aee53cf00ea37841d47af6e7b005bd7994bb75b266da37969c8a9e88896e716f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
448ac8614f5eb5b6ecff9a309f94f658

SHA1
0300652fac301e6b5e51a7159c6da0b4f3ec4ce4

SHA256
b06f8eaac4c122962e32404aac894a6990a74b94135dabf17b5f6e0a59e83860

SHA512
98e53a0553caae66c740519b2430e543fc14af89dad529a7e537ab68bf3f906b2002803e7372369e51bcdfd5dbd01565db2c7fbed6d06d68115edc5452f1926b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4ab40c3ac52181a055acad1ba12bdc58

SHA1
ae7795760d08a291c979b673b460e1534bd4af6e

SHA256
54bad5518c5a2770874191954192db2c84f8d7374ea286c25610bed839509b4d

SHA512
c3bf69816d2fef911ba773339bc60d4f5a38f28abfd6dd2e645a4a5b3dc8d65432ee35195e47ecf94f6b497bf5595e10b1409da341c8063bcf8a60333272355b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5d7492f048898a85e38ecc8804a4313f

SHA1
b0e90108763349d0837820a1f688514fd11a70c3

SHA256
99c6d721af7072de2a031fcbcf49d09dc28637e46b8dbf7042fc6d01ab1d6a04

SHA512
f5132cc0d36bb250b90dc78503507aa2495842836605175ff60dfcbe8c1be466ac25c2116db582efe30e0d744dc385f5c4ce5ed2113267c4ae3f3059fba3fa9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b491a019d9e416867df25e126026b79b

SHA1
5c3f2bfade5d06a7e32b3504745ac58af43fe25c

SHA256
accd45d08e3cf359e510bf68d668e6d151a66a9563f8da426f47fc6d32e7c959

SHA512
8ff18a92a54361d5345a05c70cecc6213be7a692b27a17545f14b3d89d81b5c4a7c999d3886a7c0a6ad465db121e11dac2e52eaa4cc9a0357839303995e16df0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b05f46d6bb17cf7c8e43268962ab4317

SHA1
efd07119fbe17769478efb130ff782ad64612265

SHA256
0f4e268b9b1b60041e9a9e813bdbc91a157b3a5632fae483b45b7e00e4f6178f

SHA512
ac179e0c8855c106e7711f37909c63211f484980319ebe50b3ec719964b68cb36f348f7a8e117c26d268f3e24231d18412b273e62b1b587b535e4c1c857b0e81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1430a9c2f8ee06b10b32a577a793eca2

SHA1
263e821dd72802d4e0a0899ba94634dfdeae7f1c

SHA256
24084885e867c5cc0474a80b1419e574085ffc90e175c200afca82c1bd375508

SHA512
5a7b6db565fd6db561fd5dc7d48c18d67d477ac77579371011c0ff718cb3da3b610f54272873d6114aac0007fec839d03b54dc1ddcde620e8c88cc72eb3ef5b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
dd774d70aee8f1ef76b634074447d827

SHA1
cc321b0551964b140a17ddcecc86a0799cd34c4d

SHA256
db3edb8c88024eb14118b71f9034d146643bcd8cb1e14037d69c82bd9dc2eead

SHA512
f905291da19d914ea0d0c690bba548fa10298128b587376a1a6f1acc7abd3fc327af732364071f82d9a6ffced56699464b0c2a342cfb96566af0199beccb75f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ca3e5b058bb6c66135ae28125d711921

SHA1
c80dd21212f0bba87c48fe6094a77e6a1f77f2ea

SHA256
f5e67fc79bb88ddf75e4384d6fbcc7882f6d8228dfd2a39690f4dec20b68a065

SHA512
2252a3e36d22e699bd3fd4076f88ec24c10dbdb816b648056c705f451e20c186e7ada0e350b397c410d7badd2abe88a32e49bc90fd5ef80770a1230e7d924728

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
dd70e08cc9a4616d80e73627c492c5df

SHA1
6fe6c02493794ba57998d1445daf56f8830320a5

SHA256
9bf3eb8ba5526ccae0e45d3d66a29fcaf489a853657336c6466c255f24500e88

SHA512
edb772e1778a57fa64707504332bd259dbbda01358fd0ef0f41d37f5453a6446df362c710b550ff3130315235344678f94c2d3c679861b32f868ff174d045299

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
661a82e813ceec65b40d9add1e1bcb69

SHA1
7865c44ed37f45805339a6eb5d0de186da70e22a

SHA256
717ee7f1bbb5ceaf9f2e2cf50668bde85ec200bd4ee17c08969da5cacf31b8b8

SHA512
9c6ee654b909aa3bcef701d8751730c9223909a1427acd91530b142a58924ff50615286bf46c49c8bbf7497cf635910f5f158cab6552c54e19784ba3e0e3a980

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
96c0c9279c8cf903b6687f5e6f1636ea

SHA1
f8fc61d2516b80cbea227371c70c439d80906610

SHA256
2ba64ab7a923ee29cf688c7b80bff99aecc52b5ddc28c2a20e800593cf99bd61

SHA512
e08d96fabc07d6b8286f1ec6c214cf471fcaa839a2de647b40ab380c270b444b0dea29995ab26c754d9cc5dc2087c3c4c51822e5cab449dbc5b61037abfd4cd3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
89d9fd757b19469baa822995e0db7767

SHA1
c371c1de6a14cedbe7ef51e6ff3f715dc78f14e1

SHA256
04870970b7736fe205f2eb62b02741620291b594479991b8a562065356a6f8c9

SHA512
545d82631f19f937064242d8e6ed5224d74af70dd0c4e82443d29b816d9aa8ec2fa17719847315ef7d8325e7a68c2b1305f5ee09f4b4c009da584802998e5b2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
bd98c094c06e6245d778105abe947211

SHA1
cca1d5448d5aeb19f8e6794f5c2a5bf7a15ae997

SHA256
e94085944fbb868604d85fbc0800cc4c65eef3c464b0e4068f5126961b698709

SHA512
0a965beb065ffe85821555926423810076cbccf95bc96bebdebea55f45c549680c4260b5347b8ac9f731fb9a0ea71217cf4cd8245196a7f6a0150097e72328f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d39fb3810f8f7ee8481246e40f597cd7

SHA1
ed18097530f55638168c59f1552df19adf40edcc

SHA256
418918e1829fa40ccc38f4d611b7785657a4acf915ff88df410bf309868d1bd2

SHA512
d6e95f926831644cff01707dd2c85fe0864124f95efd2680b97ae9b5676c443d08402b25d797c756d3fd5ec3bfb6db2508e40febc191979931db583ea9e042b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4b69c03c5b7f14c8f874845d3f2c36bc

SHA1
2ec0611c39ac3c4f962845ff2c1bf17286409226

SHA256
f5de40f76ff682bb9d975c476d13d1f48afa0ec54f7fef3b171d71b8c0784697

SHA512
f91bd76b99ca7fe85b27268e31168482bc45e4a7590679b9ea3cff7a5a610bfd037ad4f63561c2f78a6cbdadee0e4b171dfcf1e827e39d19a024f2ec0b9ac67e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
84fdd5170d61ea88785d2bd36490dbd9

SHA1
812bca72791e8a662520cfa0f83e59311916102d

SHA256
940322e4422ad1ea005bc31332a1d8985cb0733359c0c24ee304496fe3639d31

SHA512
818d53033e56ecadb71cb5ec986089467ff0e030951078520b56bef16da2fdaedbef9ac2dd7a133fd4297585454906160b17cc6ab209595ffe28d157e5b76792

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c004370389751a6794bb27026e342cc3

SHA1
da7c0970c180ff793b4270d5c2d5d1820a05a2c8

SHA256
2d3c0a4e414b6959f707b52b02c97da7098e15e80585caccfd0945373a036457

SHA512
08e0fa4f4b7018c7484674df49efd0201a797bfaf60092f0ba2e2b41e87865e2c9aad182c1a018c94f7c7ecff7d303d3a317ba591f8cc992fb994e10119e7f08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8d7729112821eafb4bfc2475b920b605

SHA1
e5861246cd5fd1dc084176ee7f5e23823ad6a09f

SHA256
5958c6b036cd1a719e70cca64f7f895060e5b8eedb2b62da272a2c29b76be0bd

SHA512
c85e68bbcedff5879ed74217554b067fe3b1d0867c933512c479e18af22d7e3729ddcf57e49258b77c609df80b98771436c91492d095d00b87159e4f2d0edd4c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
364db9a011c571c0307f90e77b386267

SHA1
0442288a5488aaad4f8a46fde30ebec84bf08c63

SHA256
6e173f03c0a76b1633524591f72312bb2aac3b08135fdb1246faf12f63cb44ca

SHA512
e06a39b6752a0b566ab0d4bd4ce1908597142b4fc9d2e46bf17097bfdf0c8633ea3fb8034b82798e4a836b8a1fe095ad33e442f98a935c23b5aa0153bd206a04

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
7c997b1687bf250345964daf711b0a5f

SHA1
124291908d1adf2ad47cc32d9e427e4a58eee0bf

SHA256
a078bb794d18e1c010efcebdb1783a57cc36b681673a3163c0910346d5cbb70d

SHA512
ce11ac2b2aae5c33155d799d39b9c53c161e0739472e046dd7bd1fb218cda9e2a498a7af618d4458da5e9a05764bfaa9dee2850bdddf0fde5bfc6f4805997d85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
211KB

MD5
22bd84ec7f69963dc93616a947caf0c3

SHA1
f328b6afecdadc89ea6550ade8915872a94c28b0

SHA256
182cd7ef9010c7ed1ecddb3210f6eac0341ae0c997bdcde4ac32441276aeb24a

SHA512
b32963027b68314259098e9ddd9bc6991131cd5de675ca519bc53dfff6b686fcc9d00c47567235839d7d5599f45ceab612494a9f40494c925e86f8aaf327eba2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
211KB

MD5
1083379f6041eaf38de2156ed4e326f9

SHA1
349e760799f0f6265a6b1ff95846cfa06959ed9d

SHA256
8868a98eeec7fb5b3eb0166ec37f95bb2442463440d466d0d90a79205713a3c1

SHA512
99333b0bcee85d82f6bf68aceb0282ca8544ecdbf7d11e7cf5cf4d8d10ea821c6e40d2f098924f4318d85ea9bcd8954723b9e7374fbdb3ad9cac4e27b978226b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
211KB

MD5
0f0b6b21a18a203cdd4d73a629d4d4fa

SHA1
5239891ab6e80a3c324337d3480a2461539a0bf2

SHA256
92d20efc9ed718fb547eb72e796cad37c8f7320cf51b4c7f86ac83d446cfd6cd

SHA512
a573e752c44b7a32c808df0ecdb1b5ce2b0f45f6b4d1349a562a683dae4f8e60b06861bae7f195230f0c541cf337cda001e4bc541710920b3a41e16a56fa89ab

Download Submit
C:\Users\Admin\Downloads\CoreR.exe

Filesize
320KB

MD5
a1120d3d09c540f8bec107e3eab8130d

SHA1
f18671b862e836f804f073ff83737d49b0a9d506

SHA256
107b73c04c1859fae828da2830b07d7daca15b87c3578cc1536fc4cc90a745df

SHA512
77816b0da5e35e2bb7c448a5f80363f479d4b617b3c672da9aba3ff3ec7d30eab41913fdb7dd9cfcd15a2cd2e89ff0d65ec5ae951899ea58bd3b338bac47e917

Download Submit
C:\Users\Admin\Downloads\CoreR.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads