984dfc64c10f96c5350d6d9216a5d7abfece1658dfc93925f7a6b0c80817c886

Resubmissions

22-10-2024 00:20

241022-amwdaavhka 10

22-10-2024 00:16

22-10-2024 00:12

22-10-2024 00:09

22-10-2024 00:06

Analysis

max time kernel
141s
max time network
142s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
22-10-2024 00:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WaveInstaller.exe
Size

2.3MB
MD5

215d509bc217f7878270c161763b471e
SHA1

bfe0a2580d54cfa28d3ff5ef8dc754fdc73adcd9
SHA256

984dfc64c10f96c5350d6d9216a5d7abfece1658dfc93925f7a6b0c80817c886
SHA512

68e615dfcb1b7770ad64175438a913744c14bdd3af93b339c2b526271bdd0d23334e78d049fdae8ca9fe66672a8cf252ebf891be9ab6c46a3d8f1fb00fa8c83b
SSDEEP

49152:LinbT3qpTDQSmanAmwJAaDMg33U2pLOiniT:LinKpTJmWAmmAMP8in

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
5	raw.githubusercontent.com
53	raw.githubusercontent.com

Drops file in Windows directory 1 IoCs

Processes:

chrome.exe

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

WaveInstaller.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WaveInstaller.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133740292403789969"	chrome.exe

Modifies registry class 4 IoCs

Processes:

BackgroundTransferHost.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid	Process
2924	chrome.exe
2924	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

chrome.exe

pid	Process
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WaveInstaller.exechrome.exe

description	pid	Process
Token: SeDebugPrivilege	2620	WaveInstaller.exe
Token: SeShutdownPrivilege	2924	chrome.exe
Token: SeCreatePagefilePrivilege	2924	chrome.exe
Token: SeShutdownPrivilege	2924	chrome.exe
Token: SeCreatePagefilePrivilege	2924	chrome.exe
Token: SeShutdownPrivilege	2924	chrome.exe
Token: SeCreatePagefilePrivilege	2924	chrome.exe
Token: SeShutdownPrivilege	2924	chrome.exe
Token: SeCreatePagefilePrivilege	2924	chrome.exe
Token: SeShutdownPrivilege	2924	chrome.exe
Token: SeCreatePagefilePrivilege	2924	chrome.exe
Token: SeShutdownPrivilege	2924	chrome.exe
Token: SeCreatePagefilePrivilege	2924	chrome.exe
Token: SeShutdownPrivilege	2924	chrome.exe
Token: SeCreatePagefilePrivilege	2924	chrome.exe
Token: SeShutdownPrivilege	2924	chrome.exe
Token: SeCreatePagefilePrivilege	2924	chrome.exe
Token: SeShutdownPrivilege	2924	chrome.exe
Token: SeCreatePagefilePrivilege	2924	chrome.exe
Token: SeShutdownPrivilege	2924	chrome.exe
Token: SeCreatePagefilePrivilege	2924	chrome.exe
Token: SeShutdownPrivilege	2924	chrome.exe
Token: SeCreatePagefilePrivilege	2924	chrome.exe
Token: SeShutdownPrivilege	2924	chrome.exe
Token: SeCreatePagefilePrivilege	2924	chrome.exe
Token: SeShutdownPrivilege	2924	chrome.exe
Token: SeCreatePagefilePrivilege	2924	chrome.exe
Token: SeShutdownPrivilege	2924	chrome.exe
Token: SeCreatePagefilePrivilege	2924	chrome.exe
Token: SeShutdownPrivilege	2924	chrome.exe
Token: SeCreatePagefilePrivilege	2924	chrome.exe
Token: SeShutdownPrivilege	2924	chrome.exe
Token: SeCreatePagefilePrivilege	2924	chrome.exe
Token: SeShutdownPrivilege	2924	chrome.exe
Token: SeCreatePagefilePrivilege	2924	chrome.exe
Token: SeShutdownPrivilege	2924	chrome.exe
Token: SeCreatePagefilePrivilege	2924	chrome.exe
Token: SeShutdownPrivilege	2924	chrome.exe
Token: SeCreatePagefilePrivilege	2924	chrome.exe
Token: SeShutdownPrivilege	2924	chrome.exe
Token: SeCreatePagefilePrivilege	2924	chrome.exe
Token: SeShutdownPrivilege	2924	chrome.exe
Token: SeCreatePagefilePrivilege	2924	chrome.exe
Token: SeShutdownPrivilege	2924	chrome.exe
Token: SeCreatePagefilePrivilege	2924	chrome.exe
Token: SeShutdownPrivilege	2924	chrome.exe
Token: SeCreatePagefilePrivilege	2924	chrome.exe
Token: SeShutdownPrivilege	2924	chrome.exe
Token: SeCreatePagefilePrivilege	2924	chrome.exe
Token: SeShutdownPrivilege	2924	chrome.exe
Token: SeCreatePagefilePrivilege	2924	chrome.exe
Token: SeShutdownPrivilege	2924	chrome.exe
Token: SeCreatePagefilePrivilege	2924	chrome.exe
Token: SeShutdownPrivilege	2924	chrome.exe
Token: SeCreatePagefilePrivilege	2924	chrome.exe
Token: SeShutdownPrivilege	2924	chrome.exe
Token: SeCreatePagefilePrivilege	2924	chrome.exe
Token: SeShutdownPrivilege	2924	chrome.exe
Token: SeCreatePagefilePrivilege	2924	chrome.exe
Token: SeShutdownPrivilege	2924	chrome.exe
Token: SeCreatePagefilePrivilege	2924	chrome.exe
Token: SeShutdownPrivilege	2924	chrome.exe
Token: SeCreatePagefilePrivilege	2924	chrome.exe
Token: SeShutdownPrivilege	2924	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	Process
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe

Suspicious use of SendNotifyMessage 16 IoCs

Processes:

chrome.exe

pid	Process
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe
2924	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	Process	procid_target
PID 2924 wrote to memory of 2960	2924	chrome.exe	84
PID 2924 wrote to memory of 2960	2924	chrome.exe	84
PID 2924 wrote to memory of 3508	2924	chrome.exe	85
PID 2924 wrote to memory of 3508	2924	chrome.exe	85
PID 2924 wrote to memory of 3508	2924	chrome.exe	85
PID 2924 wrote to memory of 3508	2924	chrome.exe	85
PID 2924 wrote to memory of 3508	2924	chrome.exe	85
PID 2924 wrote to memory of 3508	2924	chrome.exe	85
PID 2924 wrote to memory of 3508	2924	chrome.exe	85
PID 2924 wrote to memory of 3508	2924	chrome.exe	85
PID 2924 wrote to memory of 3508	2924	chrome.exe	85
PID 2924 wrote to memory of 3508	2924	chrome.exe	85
PID 2924 wrote to memory of 3508	2924	chrome.exe	85
PID 2924 wrote to memory of 3508	2924	chrome.exe	85
PID 2924 wrote to memory of 3508	2924	chrome.exe	85
PID 2924 wrote to memory of 3508	2924	chrome.exe	85
PID 2924 wrote to memory of 3508	2924	chrome.exe	85
PID 2924 wrote to memory of 3508	2924	chrome.exe	85
PID 2924 wrote to memory of 3508	2924	chrome.exe	85
PID 2924 wrote to memory of 3508	2924	chrome.exe	85
PID 2924 wrote to memory of 3508	2924	chrome.exe	85
PID 2924 wrote to memory of 3508	2924	chrome.exe	85
PID 2924 wrote to memory of 3508	2924	chrome.exe	85
PID 2924 wrote to memory of 3508	2924	chrome.exe	85
PID 2924 wrote to memory of 3508	2924	chrome.exe	85
PID 2924 wrote to memory of 3508	2924	chrome.exe	85
PID 2924 wrote to memory of 3508	2924	chrome.exe	85
PID 2924 wrote to memory of 3508	2924	chrome.exe	85
PID 2924 wrote to memory of 3508	2924	chrome.exe	85
PID 2924 wrote to memory of 3508	2924	chrome.exe	85
PID 2924 wrote to memory of 3508	2924	chrome.exe	85
PID 2924 wrote to memory of 3508	2924	chrome.exe	85
PID 2924 wrote to memory of 1936	2924	chrome.exe	86
PID 2924 wrote to memory of 1936	2924	chrome.exe	86
PID 2924 wrote to memory of 540	2924	chrome.exe	87
PID 2924 wrote to memory of 540	2924	chrome.exe	87
PID 2924 wrote to memory of 540	2924	chrome.exe	87
PID 2924 wrote to memory of 540	2924	chrome.exe	87
PID 2924 wrote to memory of 540	2924	chrome.exe	87
PID 2924 wrote to memory of 540	2924	chrome.exe	87
PID 2924 wrote to memory of 540	2924	chrome.exe	87
PID 2924 wrote to memory of 540	2924	chrome.exe	87
PID 2924 wrote to memory of 540	2924	chrome.exe	87
PID 2924 wrote to memory of 540	2924	chrome.exe	87
PID 2924 wrote to memory of 540	2924	chrome.exe	87
PID 2924 wrote to memory of 540	2924	chrome.exe	87
PID 2924 wrote to memory of 540	2924	chrome.exe	87
PID 2924 wrote to memory of 540	2924	chrome.exe	87
PID 2924 wrote to memory of 540	2924	chrome.exe	87
PID 2924 wrote to memory of 540	2924	chrome.exe	87
PID 2924 wrote to memory of 540	2924	chrome.exe	87
PID 2924 wrote to memory of 540	2924	chrome.exe	87
PID 2924 wrote to memory of 540	2924	chrome.exe	87
PID 2924 wrote to memory of 540	2924	chrome.exe	87
PID 2924 wrote to memory of 540	2924	chrome.exe	87
PID 2924 wrote to memory of 540	2924	chrome.exe	87
PID 2924 wrote to memory of 540	2924	chrome.exe	87
PID 2924 wrote to memory of 540	2924	chrome.exe	87
PID 2924 wrote to memory of 540	2924	chrome.exe	87
PID 2924 wrote to memory of 540	2924	chrome.exe	87
PID 2924 wrote to memory of 540	2924	chrome.exe	87
PID 2924 wrote to memory of 540	2924	chrome.exe	87
PID 2924 wrote to memory of 540	2924	chrome.exe	87
PID 2924 wrote to memory of 540	2924	chrome.exe	87

C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\WaveInstaller.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff5e03cc40,0x7fff5e03cc4c,0x7fff5e03cc58
  2⤵
  PID:2960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1832,i,14297559874523169466,16717551529714262531,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1816 /prefetch:2
  2⤵
  PID:3508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2024,i,14297559874523169466,16717551529714262531,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2096 /prefetch:3
  2⤵
  PID:1936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2148,i,14297559874523169466,16717551529714262531,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2184 /prefetch:8
  2⤵
  PID:540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,14297559874523169466,16717551529714262531,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3148 /prefetch:1
  2⤵
  PID:4924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,14297559874523169466,16717551529714262531,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:4824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3552,i,14297559874523169466,16717551529714262531,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4496 /prefetch:1
  2⤵
  PID:4744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4620,i,14297559874523169466,16717551529714262531,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4648 /prefetch:8
  2⤵
  PID:4020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4656,i,14297559874523169466,16717551529714262531,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4596 /prefetch:8
  2⤵
  PID:3192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4968,i,14297559874523169466,16717551529714262531,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4648 /prefetch:1
  2⤵
  PID:4504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3212,i,14297559874523169466,16717551529714262531,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3216 /prefetch:8
  2⤵
  PID:1760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4724,i,14297559874523169466,16717551529714262531,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4800 /prefetch:8
  2⤵
  PID:1304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3432,i,14297559874523169466,16717551529714262531,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:712

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2984

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:4568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
486764c2023fb7b62fff08e61b8b17fc

SHA1
854076a7e168d648bfcdcaffa1deedca701e5881

SHA256
b962b364d9f4382dfe6ddf110c48c1409ce2851132869835ed699a8d36b1bbed

SHA512
70bfb7d70814b16bb8c4a15bf8de77071909c3044f45959f5c8c7507b07180ea474608a30ec36e0a85a3a04264471bdcef9d75e31db7fdccbb836a0384b27e6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000012

Filesize
100KB

MD5
753120c8f7dc4a467572536bff4b550e

SHA1
025fde20eb6e0fd4240b1ae16b62d39b22154d93

SHA256
0b472d4a984c25e53fe68cbe128efa723121c072f062062d8971eedb3e5ceb53

SHA512
16301ae9dd66107b9095a0c1a21aeed787cab1e8fa82c6e3a8f83250f2914b19a882810a4511f863692c3c0801a398bed69020604fb19b8c9d844a6901ee7dc5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000015

Filesize
215KB

MD5
0e3d96124ecfd1e2818dfd4d5f21352a

SHA1
098b1aa4b26d3c77d24dc2ffd335d2f3a7aeb5d7

SHA256
eef545efdb498b725fbabeedd5b80cec3c60357df9bc2943cfd7c8d5ae061dcc

SHA512
c02d65d901e26d0ed28600fa739f1aa42184e00b4e9919f1e4e9623fe9d07a2e2c35b0215d4f101afc1e32fc101a200ca4244eb1d9ca846065d387144451331c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
720B

MD5
6bdeb200f425b7ff1cfac2706f458c57

SHA1
ae4b6069f30c074b2f336685efcd1628c431a5f6

SHA256
4d7244d744980d1adf888b3073d33a2906cbbe5015083e430f393d35d0a545c9

SHA512
debb2fdcc7570a71ef1d475d8737995cb69f83941b5196a2404455cc155c21969bac0436d9b4124be5a32003532ee6ec4322c8ee594cc11b8a64574679c6ec06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
f9af6c6da9e7aa1dca4dbc997254501f

SHA1
3c748065b3c693486aee6868f1ab4d4edb5c74ce

SHA256
4f696b20e57b006ba1838c5016a391c38bb34cfc88950c9a3e195e78505ec571

SHA512
f88be0ed328f83fe06c095f05f05f1547d7dac94f44285b9221746a7079afeb4fe727ee94717d607ec9093ad82529e8ece021faa78301171c7cd52fc63e89f2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
789769720207a03817ccc4612dda5702

SHA1
d30805266b6e304d26e6062ca92c3768a01e411a

SHA256
1b30a71707b4f113702865b59dbacce950ee86b929120484b7b5824005442b52

SHA512
58a39e8bec728d034237e95f54e84db3075dae60e8ee6a2314f7f5ceb8cd264e0107dbab20cb7f8deb27a94f4052480b9629bf9a0ec7b1363dc106958d5abdd4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
722e1ccd1d87d1d8a2c67bbfecd2ec27

SHA1
a4d559278194e308408c683cc198385f6493cca4

SHA256
053162c8ab975c43584faf01093cb2d2a01bf951da371e16d12353b5b9514b25

SHA512
fd611743d329825ad9a71094b945cccb363da3948d9790787eee6a1ae7618fc816cadda861e0ac30c93feb254369febb56d8200e047dd96927c886821ebac45d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
5c86ec82f13412b633604c93876afc84

SHA1
d6ba567bda7b089820ee04dbe58a5582a42044dd

SHA256
b47c5c5b0d3dc68b2bcf4e32849c0fe05c5cd9a56a9f1b0d9fedfec06bc8c8c5

SHA512
b3d7e221e29bc5ddf17e49e436aed216e0390eb316ac451fc0a62d8e8917269100ff077ca3b2f2663197f7001f54361f16794044e99eb99739fb2d4d72e82eac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
55239894430de8355c7f8b0a0bff9f2a

SHA1
86ecdc1eb0a59c78178a50f575e5e3d606922816

SHA256
934376dec55dc12290edd3156d3bd2b1e3b3bdeb340d92709a269b0f535486ec

SHA512
00d0c895a13deb3ce8a85a34eb4d93bb5dbe82c68a5b28523315eb1979e08af36101f986627870a0db66e25afde8ef761e41a8b0877e986c77cb67e580b281f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
21bc756359a75577f9e742d21e020c7c

SHA1
f8456f9b7eb9b7ff7b7932d7ee47b2777f65dcc9

SHA256
8109e7d4a835b9ae9db92a53cb1e73a2b7c7e8ee40d56f32df7c4bff09a65a11

SHA512
fc0ce3d7031de5a623e3a59cc9097195d2acd438bfc0e14e60d3e65b2f3a7845b7be0ac988ad8a48a600341c13ac5b2a4e689b494230bdd8aa9bd28a93bbd1d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
64e2486bc965707fde570101d8a4b9cd

SHA1
024e59d17ccfc5c3fd97cdff6692962c8131ce89

SHA256
96638cff1e311f60bc69647f43b97c86cd3ff0f5977e7f0eb8b59e0137346574

SHA512
07f72bbeb3c87bc081d9a6d30ba4ae7031b5120f982b30776e1d39a3d41b99a34ed92ca811afbd25936ead52dc25bf125bde77a85023598bcfcd6eb777b7267b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
e68e45de50e43fe3ed34d2ca7b8617ec

SHA1
5b69c5b98ba0434435e0478ce8d084a9c93b4626

SHA256
5ce6b6cf94453cd47e7e66786e6c5b1a3e9fe1d11f29f2c5b48f8082e3a7cbf9

SHA512
e7579c5068b9acfbb82c0e9440d73da00f646b4d18f14516d69202e6a6de16afa4b6da1f74087c1f33f7db0b13247da2c97fe4a9eabbe35d5e24b1eeafa79ec7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
243b234580d13d09f82dc258fdbb592a

SHA1
867e1c0af4412776ce797cd340662244b7fbe8e1

SHA256
57ac3b58807d80a682c96976f9c61dadf10aadd04b13241a7eb93684b3cadeb3

SHA512
2e765d1d52614465879814782c73601d236856956276d9347b9c25c35ccfd5d827f0fb11d6617a538757d680555a1fd743cf14d53c050c61a040febf27708140

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2d089eb97a30a319ba362c41ac4a8d28

SHA1
ee45072855f00a0439f6760288cbbf460cec1457

SHA256
fe8606f79f7df00bd504d64eae1c989392c056d3c96ecb23f1f3fe06aa4757a1

SHA512
ad54a66d792ddee2e7016113add35854d10fbcb5758b8e29db414aa95953b5c7ccf9cab942872ee21e4cc0938252411f3c2cd59b41e5fe0e601d4594ee43dbba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1ae01ae79cf95a2735bbcc991cec23f1

SHA1
30e9e931bdb0d8657bf1a875f46d32979a286631

SHA256
03b51aa3becbb108f007ef0af027271dba3fc1b7118a58349ddd031cb26a3522

SHA512
413717f288283e112261a405d42e0225ca808c7cf5273e96b222b7db20dcdf638b2cc67e87d43a3f634232c7efa6a0d9c6da95e229abec90d1ab93c16fba02c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4edc53a3c4c8947096e93dc905f36272

SHA1
d1ea2fdb53fd799aa5f12072216144c2569085c2

SHA256
e32dca183e634cedad04d05e3e64d8cf9d8c1a304dc68a21e1f99c9b4d136f7e

SHA512
f45fc331a630154bca0acb4312d22dbd5f70af3081eb524b406083bc62ffc5d36e7d52f3a10c79799d3fc6799bf23c517af6a75c07db143676fbc0b29e8d7c64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1d08796eb4a4b2b52e975cbe81fc81b3

SHA1
ebb61c9166c54742258c7786341c82464105cec2

SHA256
230037c8bfacdc6e85bf34cfba360f052e03c2ad70f4d0758519714a8d1b5479

SHA512
1e9cefef107b1a639a0c690ed495ab64055b318e6915a963f5fe1e70b38d4a29fd1b4d63e993f907433a9e49efd13f0b5b9d67e8dcba1735dc75894006e7eea3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ba6467317da73808357cb1a184fc8e4a

SHA1
d1d59e31ca5c20f1c3ff1cbb405794bba1f82647

SHA256
f9e141c21ef2fb15e9cd4aea8261b259b0b50e751c2afa795637f2ac29ce9e5f

SHA512
5d9cffd4accb5e85937f19f32267a42661fd19f02643a493161910dcab750b26f9c38e810901702ab07393e3db40e193546c81fe266db745ae4acaf8da3e569c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
05cc9ca597b2dbc3875c86e81da04273

SHA1
1968b2c8d01a29ecc52337799a768d761e6876eb

SHA256
6d477f6a81ccb8d9e5be9bf2f2ba67e98cd3511389f4c0f1b9732f00cd6b335f

SHA512
22cb2172a21d218a5edadff1818426b5d352b14812ea725858ea3f6dd38350160e20d6a829a0d8af2b9e3f07eb2bb922acee9008c76bfeb3a1e5d5ba1373ee13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
6a96425d8afc646fd27fcc533895ee73

SHA1
bcee0f51ef4dc7b46bf34c0a3ff8fb94298cfb17

SHA256
fc2aef1db877af5bbb225fe660851fb4db973f0458787028cd7d34959ee6768c

SHA512
2b1b614e99d7efbf0a194d045e6cda694ab2deb73613806e32a913786c4c480b4348fa5ddba84a2e83fa45a8136c6d3cf256ce9d1d7656cb1bd195639ff45edc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
a50c61c78ae61546949ee340bbd0a971

SHA1
56df4741c6735db84fe94515ebfcf92c1ec2682e

SHA256
6d0a8a280e4bcf066b5330f51cf5d28859bba0393757f1361ad29874e8d4dfdf

SHA512
5e5c8d417785e47dfebffef95c097c97fff92791a3d2e99fe95d1c3858e0f4c25077a6c2274a0f7a05f04190eaa5a610a8de873186dc801eb482afab066bfc11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
1f97608de8958f553d102904fd292c66

SHA1
1da8fee2a752069da811a1b9ef9aa23ba8ba4291

SHA256
a5d209692a908edb00a05887bdb1a782dd50946d743f5e681c2f86e360939008

SHA512
1f88af21ea80abe423e770b24c67435d75d39431d4c1a1719a33fb66ff8ee790fa1598c2fe0d6ca62a6c304adb846dd7b380e0e4ab1b921d84baa8b074411906

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\1feb1826-49bb-42ca-9ac9-b34b9df69e51.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.exc

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\??\pipe\crashpad_2924_MFMACXAJKMIWBLTX

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2620-1-0x0000000000CC0000-0x0000000000F0A000-memory.dmp

Filesize
2.3MB

Download
memory/2620-4-0x0000000006470000-0x00000000064A8000-memory.dmp

Filesize
224KB

Download
memory/2620-2-0x00000000743D0000-0x0000000074B81000-memory.dmp

Filesize
7.7MB

Download
memory/2620-5-0x0000000006240000-0x000000000624E000-memory.dmp

Filesize
56KB

Download
memory/2620-6-0x00000000743DE000-0x00000000743DF000-memory.dmp

Filesize
4KB

Download
memory/2620-8-0x00000000743D0000-0x0000000074B81000-memory.dmp

Filesize
7.7MB

Download
memory/2620-0-0x00000000743DE000-0x00000000743DF000-memory.dmp

Filesize
4KB

Download
memory/2620-3-0x00000000743D0000-0x0000000074B81000-memory.dmp

Filesize
7.7MB

Download
memory/2620-7-0x00000000743D0000-0x0000000074B81000-memory.dmp

Filesize
7.7MB

Download
memory/2620-334-0x000000000B010000-0x000000000B0A6000-memory.dmp

Filesize
600KB

Download
memory/2620-335-0x0000000001690000-0x00000000016B6000-memory.dmp

Filesize
152KB

Download
memory/2620-336-0x00000000016E0000-0x00000000016E8000-memory.dmp

Filesize
32KB

Download
memory/2620-338-0x0000000005960000-0x00000000059D2000-memory.dmp

Filesize
456KB

Download
memory/2620-339-0x0000000001700000-0x000000000170A000-memory.dmp

Filesize
40KB

Download
memory/2620-340-0x00000000017A0000-0x00000000017AA000-memory.dmp

Filesize
40KB

Download