adwind | e1400af60f1a0a76a2d0d47b8bb9425265441f05118469a55598b2233276200f

Analysis

max time kernel
121s
max time network
122s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
23/10/2024, 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

arw.exe
Size

629KB
MD5

ca7cbed2db2ddc355d1a991ae33f9b7b
SHA1

7720c740b3f5f579acaae6cd152602d4b1fc62b5
SHA256

e1400af60f1a0a76a2d0d47b8bb9425265441f05118469a55598b2233276200f
SHA512

c0e0205a0657f4788d521305066ca587eed53f85ffb92c38d0231c051faf87b73acae67e433b9129b3d11daca02a0a5cf3d7bde20030b0f61ff83ff2cabd5f6a
SSDEEP

12288:IpdVfrKp5SBUOvkD/gKVGDHszAVXMG2n+z2x0K73fsZOXFg:Ipd9K7MlGXwz+AV8G2OpQSy

Score

10^/10

adwind discovery trojan

Malware Config

Signatures

AdWind
A Java-based RAT family operated as malware-as-a-service.
trojan adwind

Class file contains resources related to AdWind 1 IoCs

resource	yara_rule
sample	family_adwind4

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133741911955350071"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	arw.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\e8649aa0636d23562b1a0219d086c144-edac1a87c84e310aae2d9b41f6da0f91daa10a43.zip:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4072	chrome.exe
4072	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4072	chrome.exe
4072	chrome.exe
4072	chrome.exe
4072	chrome.exe
4072	chrome.exe
4072	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4072	chrome.exe
Token: SeCreatePagefilePrivilege	4072	chrome.exe
Token: SeShutdownPrivilege	4072	chrome.exe
Token: SeCreatePagefilePrivilege	4072	chrome.exe
Token: SeShutdownPrivilege	4072	chrome.exe
Token: SeCreatePagefilePrivilege	4072	chrome.exe
Token: SeShutdownPrivilege	4072	chrome.exe
Token: SeCreatePagefilePrivilege	4072	chrome.exe
Token: SeShutdownPrivilege	4072	chrome.exe
Token: SeCreatePagefilePrivilege	4072	chrome.exe
Token: SeShutdownPrivilege	4072	chrome.exe
Token: SeCreatePagefilePrivilege	4072	chrome.exe
Token: SeShutdownPrivilege	4072	chrome.exe
Token: SeCreatePagefilePrivilege	4072	chrome.exe
Token: SeShutdownPrivilege	4072	chrome.exe
Token: SeCreatePagefilePrivilege	4072	chrome.exe
Token: SeShutdownPrivilege	4072	chrome.exe
Token: SeCreatePagefilePrivilege	4072	chrome.exe
Token: SeShutdownPrivilege	4072	chrome.exe
Token: SeCreatePagefilePrivilege	4072	chrome.exe
Token: SeShutdownPrivilege	4072	chrome.exe
Token: SeCreatePagefilePrivilege	4072	chrome.exe
Token: SeShutdownPrivilege	4072	chrome.exe
Token: SeCreatePagefilePrivilege	4072	chrome.exe
Token: SeShutdownPrivilege	4072	chrome.exe
Token: SeCreatePagefilePrivilege	4072	chrome.exe
Token: SeShutdownPrivilege	4072	chrome.exe
Token: SeCreatePagefilePrivilege	4072	chrome.exe
Token: SeShutdownPrivilege	4072	chrome.exe
Token: SeCreatePagefilePrivilege	4072	chrome.exe
Token: SeShutdownPrivilege	4072	chrome.exe
Token: SeCreatePagefilePrivilege	4072	chrome.exe
Token: SeShutdownPrivilege	4072	chrome.exe
Token: SeCreatePagefilePrivilege	4072	chrome.exe
Token: SeShutdownPrivilege	4072	chrome.exe
Token: SeCreatePagefilePrivilege	4072	chrome.exe
Token: SeShutdownPrivilege	4072	chrome.exe
Token: SeCreatePagefilePrivilege	4072	chrome.exe
Token: SeShutdownPrivilege	4072	chrome.exe
Token: SeCreatePagefilePrivilege	4072	chrome.exe
Token: SeShutdownPrivilege	4072	chrome.exe
Token: SeCreatePagefilePrivilege	4072	chrome.exe
Token: SeShutdownPrivilege	4072	chrome.exe
Token: SeCreatePagefilePrivilege	4072	chrome.exe
Token: SeShutdownPrivilege	4072	chrome.exe
Token: SeCreatePagefilePrivilege	4072	chrome.exe
Token: SeShutdownPrivilege	4072	chrome.exe
Token: SeCreatePagefilePrivilege	4072	chrome.exe
Token: SeShutdownPrivilege	4072	chrome.exe
Token: SeCreatePagefilePrivilege	4072	chrome.exe
Token: SeShutdownPrivilege	4072	chrome.exe
Token: SeCreatePagefilePrivilege	4072	chrome.exe
Token: SeShutdownPrivilege	4072	chrome.exe
Token: SeCreatePagefilePrivilege	4072	chrome.exe
Token: SeShutdownPrivilege	4072	chrome.exe
Token: SeCreatePagefilePrivilege	4072	chrome.exe
Token: SeShutdownPrivilege	4072	chrome.exe
Token: SeCreatePagefilePrivilege	4072	chrome.exe
Token: SeShutdownPrivilege	4072	chrome.exe
Token: SeCreatePagefilePrivilege	4072	chrome.exe
Token: SeShutdownPrivilege	4072	chrome.exe
Token: SeCreatePagefilePrivilege	4072	chrome.exe
Token: SeShutdownPrivilege	4072	chrome.exe
Token: SeCreatePagefilePrivilege	4072	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
4072	chrome.exe
4072	chrome.exe
4072	chrome.exe
4072	chrome.exe
4072	chrome.exe
4072	chrome.exe
4072	chrome.exe
4072	chrome.exe
4072	chrome.exe
4072	chrome.exe
4072	chrome.exe
4072	chrome.exe
4072	chrome.exe
4072	chrome.exe
4072	chrome.exe
4072	chrome.exe
4072	chrome.exe
4072	chrome.exe
4072	chrome.exe
4072	chrome.exe
4072	chrome.exe
4072	chrome.exe
4072	chrome.exe
4072	chrome.exe
4072	chrome.exe
4072	chrome.exe
4072	chrome.exe
4072	chrome.exe
4072	chrome.exe
4072	chrome.exe
4072	chrome.exe
4072	chrome.exe
4072	chrome.exe
4072	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4072	chrome.exe
4072	chrome.exe
4072	chrome.exe
4072	chrome.exe
4072	chrome.exe
4072	chrome.exe
4072	chrome.exe
4072	chrome.exe
4072	chrome.exe
4072	chrome.exe
4072	chrome.exe
4072	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3136	javaw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4208 wrote to memory of 3136	4208	arw.exe	80
PID 4208 wrote to memory of 3136	4208	arw.exe	80
PID 4072 wrote to memory of 5056	4072	chrome.exe	93
PID 4072 wrote to memory of 5056	4072	chrome.exe	93
PID 4072 wrote to memory of 4924	4072	chrome.exe	94
PID 4072 wrote to memory of 4924	4072	chrome.exe	94
PID 4072 wrote to memory of 4924	4072	chrome.exe	94
PID 4072 wrote to memory of 4924	4072	chrome.exe	94
PID 4072 wrote to memory of 4924	4072	chrome.exe	94
PID 4072 wrote to memory of 4924	4072	chrome.exe	94
PID 4072 wrote to memory of 4924	4072	chrome.exe	94
PID 4072 wrote to memory of 4924	4072	chrome.exe	94
PID 4072 wrote to memory of 4924	4072	chrome.exe	94
PID 4072 wrote to memory of 4924	4072	chrome.exe	94
PID 4072 wrote to memory of 4924	4072	chrome.exe	94
PID 4072 wrote to memory of 4924	4072	chrome.exe	94
PID 4072 wrote to memory of 4924	4072	chrome.exe	94
PID 4072 wrote to memory of 4924	4072	chrome.exe	94
PID 4072 wrote to memory of 4924	4072	chrome.exe	94
PID 4072 wrote to memory of 4924	4072	chrome.exe	94
PID 4072 wrote to memory of 4924	4072	chrome.exe	94
PID 4072 wrote to memory of 4924	4072	chrome.exe	94
PID 4072 wrote to memory of 4924	4072	chrome.exe	94
PID 4072 wrote to memory of 4924	4072	chrome.exe	94
PID 4072 wrote to memory of 4924	4072	chrome.exe	94
PID 4072 wrote to memory of 4924	4072	chrome.exe	94
PID 4072 wrote to memory of 4924	4072	chrome.exe	94
PID 4072 wrote to memory of 4924	4072	chrome.exe	94
PID 4072 wrote to memory of 4924	4072	chrome.exe	94
PID 4072 wrote to memory of 4924	4072	chrome.exe	94
PID 4072 wrote to memory of 4924	4072	chrome.exe	94
PID 4072 wrote to memory of 4924	4072	chrome.exe	94
PID 4072 wrote to memory of 4924	4072	chrome.exe	94
PID 4072 wrote to memory of 4924	4072	chrome.exe	94
PID 4072 wrote to memory of 2476	4072	chrome.exe	95
PID 4072 wrote to memory of 2476	4072	chrome.exe	95
PID 4072 wrote to memory of 3308	4072	chrome.exe	96
PID 4072 wrote to memory of 3308	4072	chrome.exe	96
PID 4072 wrote to memory of 3308	4072	chrome.exe	96
PID 4072 wrote to memory of 3308	4072	chrome.exe	96
PID 4072 wrote to memory of 3308	4072	chrome.exe	96
PID 4072 wrote to memory of 3308	4072	chrome.exe	96
PID 4072 wrote to memory of 3308	4072	chrome.exe	96
PID 4072 wrote to memory of 3308	4072	chrome.exe	96
PID 4072 wrote to memory of 3308	4072	chrome.exe	96
PID 4072 wrote to memory of 3308	4072	chrome.exe	96
PID 4072 wrote to memory of 3308	4072	chrome.exe	96
PID 4072 wrote to memory of 3308	4072	chrome.exe	96
PID 4072 wrote to memory of 3308	4072	chrome.exe	96
PID 4072 wrote to memory of 3308	4072	chrome.exe	96
PID 4072 wrote to memory of 3308	4072	chrome.exe	96
PID 4072 wrote to memory of 3308	4072	chrome.exe	96
PID 4072 wrote to memory of 3308	4072	chrome.exe	96
PID 4072 wrote to memory of 3308	4072	chrome.exe	96
PID 4072 wrote to memory of 3308	4072	chrome.exe	96
PID 4072 wrote to memory of 3308	4072	chrome.exe	96
PID 4072 wrote to memory of 3308	4072	chrome.exe	96
PID 4072 wrote to memory of 3308	4072	chrome.exe	96
PID 4072 wrote to memory of 3308	4072	chrome.exe	96
PID 4072 wrote to memory of 3308	4072	chrome.exe	96
PID 4072 wrote to memory of 3308	4072	chrome.exe	96
PID 4072 wrote to memory of 3308	4072	chrome.exe	96
PID 4072 wrote to memory of 3308	4072	chrome.exe	96
PID 4072 wrote to memory of 3308	4072	chrome.exe	96

C:\Users\Admin\AppData\Local\Temp\arw.exe
"C:\Users\Admin\AppData\Local\Temp\arw.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4208
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\feina.jar"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3136

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdf2fecc40,0x7ffdf2fecc4c,0x7ffdf2fecc58
  2⤵
  PID:5056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1840,i,6440441453982500118,2194955877339640965,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1836 /prefetch:2
  2⤵
  PID:4924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1808,i,6440441453982500118,2194955877339640965,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1876 /prefetch:3
  2⤵
  PID:2476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2180,i,6440441453982500118,2194955877339640965,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2212 /prefetch:8
  2⤵
  PID:3308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2980,i,6440441453982500118,2194955877339640965,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3104 /prefetch:1
  2⤵
  PID:1332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3184,i,6440441453982500118,2194955877339640965,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:1968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=2196,i,6440441453982500118,2194955877339640965,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3624 /prefetch:1
  2⤵
  PID:2904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4616,i,6440441453982500118,2194955877339640965,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4624 /prefetch:8
  2⤵
  PID:2176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4652,i,6440441453982500118,2194955877339640965,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4784 /prefetch:8
  2⤵
  PID:2336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4892,i,6440441453982500118,2194955877339640965,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5036 /prefetch:8
  2⤵
  PID:4908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5068,i,6440441453982500118,2194955877339640965,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5072 /prefetch:8
  2⤵
  PID:4064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5064,i,6440441453982500118,2194955877339640965,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4856 /prefetch:1
  2⤵
  PID:1612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3436,i,6440441453982500118,2194955877339640965,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4704,i,6440441453982500118,2194955877339640965,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5076 /prefetch:1
  2⤵
  PID:1980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4448,i,6440441453982500118,2194955877339640965,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5244 /prefetch:8
  2⤵
  - NTFS ADS
  PID:1284

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\e8649aa0636d23562b1a0219d086c144-edac1a87c84e310aae2d9b41f6da0f91daa10a43\e8649aa0636d23562b1a0219d086c144-edac1a87c84e310aae2d9b41f6da0f91daa10a43\hwidChecker.bat" "
1⤵
PID:2176
- C:\Windows\System32\Wbem\WMIC.exe
  wmic diskdrive get model, serialnumber
  2⤵
  PID:1668
- C:\Windows\System32\Wbem\WMIC.exe
  wmic cpu get serialnumber
  2⤵
  PID:5076
- C:\Windows\System32\Wbem\WMIC.exe
  wmic bios get serialnumber
  2⤵
  PID:4936
- C:\Windows\System32\Wbem\WMIC.exe
  wmic baseboard get serialnumber
  2⤵
  PID:2416
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_computersystemproduct get uuid
  2⤵
  PID:1356
- C:\Windows\system32\getmac.exe
  getmac
  2⤵
  PID:3340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
fa8546a60a2115cfa43485d82d6a47d8

SHA1
0c1fb0de2538aa7afe09bc113c5d6678b35a8e7e

SHA256
9348aa6cc909cac342000366a558abc17b4db7e847a706feea8f1f894527895b

SHA512
3f5dca37485173cc9e0e2c49ec1efa3966c09b2196658e4a9707ff089fb1f38e74deca9f450d9865b7bb845eb0dda751fbddc9b668e5f58fbc727d5d9a8b985f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
94ab46abddaa6c89fdd34d23e1672db0

SHA1
95fd246ddb8d9e2445ce454c0d69514f4327705b

SHA256
1dd12af60b65817e6173c13cce9f668c309d423b5a0cd334ad7e651ab570b0c9

SHA512
da80dcebacb3a9267c05e33823ce62e4ad86b6461b281afeac4e8093f49a280c07d855444e16974a5b8897f9165b755e3b77f7d5efadb44f580c6dc71f8ba37f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
31f2d30cc7b5a5e3c9e1298364997ace

SHA1
d69c49d1eca8c10a64da4af27515042ff62fb75c

SHA256
e44b1cd03d28e82034c61c08872ba4869ff22a45a9d4d60180a2f4a4ada55058

SHA512
062afae296670c596644e57f9838c4ad74b309ea17dbf24934aa790775e28eee32a2b1850909f4e787e198f5da4cc3db5fdffcc5bf9c3b2eb7ee1da8dbbd47ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
4786322418a61cb353e1d2ba97994610

SHA1
9928faf43635fdd1e3a9a3c69dba201753232a6f

SHA256
715f33e8ee9d32e48a8444716ffa69f85572c6ba28983e121b819cfed5c510fe

SHA512
182ee9434b97aa639d4960f52b4c809049746c62e68af52761892d92a0a0aa6535833f86d9a4c065d4e6105f052826678430082af3fff0fc0232b1f1fa5d4e4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
99091b86f3ccf404c8828573fc480103

SHA1
d2283a91ca9cdd9ae4f7165308fb8284ec5e197b

SHA256
3a38606d1814cc74b3edda4bbaf2a3a0d25b836252d89e19d69a5e345dade184

SHA512
0a675e8ac8620db59bc85056017c47de92482ae836f157238b28e2180572bcb66f6189762d760a32ee6350a62f2e71310148026d031801a63ed48e396b4a987b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
d29bb376ef9b64867c2a0166a1c44c2a

SHA1
2cb9919a5fc20659dfb4ed38160ea8fe523875cb

SHA256
a6471e86c056248c89438d6cc4e26181361d9ff1f342f3647f7c1f70e11ea4fa

SHA512
817588ff4d5231b29775b2326904ef833935cc51e5f70ab1c612fdad11c97d607b3807801b459be0cca20e1b55ab1c6ae75c22d46f7b9ef8fee45733560923b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7f49921e7460357402d2ddc0efe3ad67

SHA1
6c4008c66a9a6c804d5448b66d63333dc4d6abf9

SHA256
b920ad4f0a7dfd806d779ab3b1d3e3574bd8c942638c80c69c9636e875972b0a

SHA512
a9f8be67eef0a02b8fd2ef00fb9a9c31eba138cba97f8779873864871fd1dfbd11777219d646f1dbdec2831515c5978ab04a1e5bbb9c46411e307acef2e5ee15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e2aaabfaa5adcf56b0b57e328e5fd327

SHA1
5fb33e0262b611d33b146cc22da630df1ea39942

SHA256
2ce239ab77caf4c1518af883632bea9008509860d830a14786d00dd4fb5f19dc

SHA512
50535461b31d2a4c8048d7e4ef9049e6e7d0981546e5af66360643b6d23ed92ece12c731b0f1dd76ddfc320fb7dabe836d90454477af12a4dda9427d372c8f48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
9f5679e2217b56551fde3f6db106a5e5

SHA1
e0bd921e0c53ea0bb868537d9eaf30bb86fc9d5a

SHA256
167080cd95db6d96927334e5d901becb02cce012e6ba4ca2b1610599a996ba77

SHA512
6328fea724f9f95f3c352291c7fc6d4d4ffa291b4f4807282d2104bdf1459cadf58b8bf983e604b1d3524d560092e5ca94bb63d910c07015c8c605e3dd32ce98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ac887fe859738096889a7009f02078f3

SHA1
c93260441e493dcf5cfe9135af5f9074c8100161

SHA256
fd8d3761b088a93295e002c69102ff7b73359e9f3de174c82446521e09b7ae18

SHA512
04e37482c43e39366ec926569208c88afdc978087bd5b0b7c0b867f51c02b7b880ff586235e26cdc663b05c6c0cb36cde0211cee47a8d4739ea3767269ddf4e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
dbccde53da7ab67831c75ccd16f5746d

SHA1
77ac44aefe44155d4a5af671445b9d435b105d14

SHA256
229547461180f2c0bb716d1ce6328c8a02ffc2d70d43e9fbecd6c0446334b3cd

SHA512
c4d66c35aa9ab8655c1555007e01b62cb565b84bb753bc96f42aff5c11d1f7dfe7ae81c70ffc44b86c5cfce380d42e43c67a8ef9e8db117e19d37073016c3282

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ac43a57eede84457658b7181b8433195

SHA1
b9fb003b88faa9e040aca069450df125f6c4b339

SHA256
60ece5e4f02508f7f471558811d593fce45db65813686f4b12229a8d8c0219b6

SHA512
dd26a58d0269e170d3177413c8ae14693158f9c6a89171178df49314e8e0461f970d8d57682b6e0397e22863cfdceb8d55fc35c532750e9a8a1716429468efd2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4e2dd0bb27eeb01cddebcf824fb5d883

SHA1
51503be688b9c2907bcaf4980f8ddc6128180cc0

SHA256
ea960c06ef8743456de21f4dfc6de6c193b7a4dfde25cf20a92180a57865a6e7

SHA512
7cf9d5f6da5fada10d40c0b9eac2529c7376368277ffe92b49326ee9343c29e34864d16d12e0fb31e98a1b368fa42de1851c01fbe06aaaeacc7e30a65d57a779

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
324a0dd4b4909c5259e7a157d3e54bc8

SHA1
bc94716b0cb1462eb1b2f62176cd451aa479e25d

SHA256
7622cbc3fa974a27b7c738e3f9b5aa68e9d45769f0ac5ae8c0bc715f7453573d

SHA512
abd0dcf5355ee0ab641009d88cf764ee06073c4a1b9ec586da5393f04aabb3409fe65857f96a81ebf7fe4a62bb8d5e0c78e572f4a817e8b52ddcb4b0c34dfbe7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
b3d05585f54a32f2172c08d69f9372f6

SHA1
f19d9c6f33cce4ea5da4289ebedd7e78dd028f88

SHA256
3721380f28d4b7583f639d70e9d4f43dc1526dac4099774b0181780a57b1b6bf

SHA512
afd067ac4c6b78c7ca117f304fcd8e1d3a67fc1993d9ba726bb87a026a68aca587be0a4ef1f5eb8e87ebf8bdbed4b7fbbca33d2572ba56f758dd76a1fb06b6dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
69c78d425e82facc5cb6ac8720c3488d

SHA1
792768ae7e5d644d4ac6703b7b1373da155904f0

SHA256
67a8bb9783aa2c50c831c9ddb9f5bf3fc6fa6c1d61993dd24a9479d9be6cebf1

SHA512
22375e66d8106a25997d0e270275e6e5d9015d47512cb1452d27be5c5424b7c3eff6c97bf777271d444d8c5fa9efe07241de58b37db9e1e61d68ccb7dfcf027f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
71763d44cf1533b774e0c60b04cbeb42

SHA1
5bb48e25e961c8211cc62289cedd009a424c3638

SHA256
4c81f6c24888987c0e0ab197fd2ca3889a7354f8b71d0af9821a717e7781e45c

SHA512
a2e8203fda85a54fa3dc3668a08e31ddff86814f6e96343d1ad77ad2da746a18d3c28dd6aa3a166cba0c104b69a2b13b8641711b46f54d499d239014e14937cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\feina.jar

Filesize
639KB

MD5
058360c1290836aee58fa8f27e51fd5c

SHA1
f311561acbd74dfb6bfd5977dbeb76302da4ccc3

SHA256
47fcd8080e7a0ede413fd0a6dcdc5dea9e7ea2ce83b8c8c2ca78922cd822720d

SHA512
0d6856b489635a1fa5b60adf1fe8dbfe12fbaa7b4b8e14a54fecb438a2fd75771ff272d7ac57d16ce105eac52a18447ad4b35f1111d9642af3516da2d7d4d29d

Download Submit
C:\Users\Admin\Downloads\e8649aa0636d23562b1a0219d086c144-edac1a87c84e310aae2d9b41f6da0f91daa10a43.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/3136-32-0x0000025B002B0000-0x0000025B002C0000-memory.dmp

Filesize
64KB

Download
memory/3136-34-0x0000025B002C0000-0x0000025B002D0000-memory.dmp

Filesize
64KB

Download
memory/3136-50-0x0000025B002D0000-0x0000025B002E0000-memory.dmp

Filesize
64KB

Download
memory/3136-51-0x0000025B002E0000-0x0000025B002F0000-memory.dmp

Filesize
64KB

Download
memory/3136-48-0x0000025B002B0000-0x0000025B002C0000-memory.dmp

Filesize
64KB

Download
memory/3136-47-0x0000025B002A0000-0x0000025B002B0000-memory.dmp

Filesize
64KB

Download
memory/3136-46-0x0000025B00290000-0x0000025B002A0000-memory.dmp

Filesize
64KB

Download
memory/3136-45-0x0000025B00280000-0x0000025B00290000-memory.dmp

Filesize
64KB

Download
memory/3136-44-0x0000025B00270000-0x0000025B00280000-memory.dmp

Filesize
64KB

Download
memory/3136-42-0x0000025B00000000-0x0000025B00270000-memory.dmp

Filesize
2.4MB

Download
memory/3136-41-0x0000025B74B50000-0x0000025B74B51000-memory.dmp

Filesize
4KB

Download
memory/3136-38-0x0000025B002E0000-0x0000025B002F0000-memory.dmp

Filesize
64KB

Download
memory/3136-37-0x0000025B002D0000-0x0000025B002E0000-memory.dmp

Filesize
64KB

Download
memory/3136-49-0x0000025B002C0000-0x0000025B002D0000-memory.dmp

Filesize
64KB

Download
memory/3136-10-0x0000025B00000000-0x0000025B00270000-memory.dmp

Filesize
2.4MB

Download
memory/3136-30-0x0000025B002A0000-0x0000025B002B0000-memory.dmp

Filesize
64KB

Download
memory/3136-28-0x0000025B00290000-0x0000025B002A0000-memory.dmp

Filesize
64KB

Download
memory/3136-26-0x0000025B00280000-0x0000025B00290000-memory.dmp

Filesize
64KB

Download
memory/3136-376-0x0000025B74B50000-0x0000025B74B51000-memory.dmp

Filesize
4KB

Download
memory/3136-24-0x0000025B00270000-0x0000025B00280000-memory.dmp

Filesize
64KB

Download
memory/3136-22-0x0000025B74B50000-0x0000025B74B51000-memory.dmp

Filesize
4KB

Download
memory/3136-392-0x0000025B74B50000-0x0000025B74B51000-memory.dmp

Filesize
4KB

Download
memory/4208-0-0x00007FFDF3333000-0x00007FFDF3335000-memory.dmp

Filesize
8KB

Download
memory/4208-7-0x00007FFDF3330000-0x00007FFDF3DF2000-memory.dmp

Filesize
10.8MB

Download
memory/4208-4-0x00007FFDF3330000-0x00007FFDF3DF2000-memory.dmp

Filesize
10.8MB

Download
memory/4208-1-0x0000000000AE0000-0x0000000000B84000-memory.dmp

Filesize
656KB

Download