netwire | f9bf619a41a56cae6b8e6d5b3fb3d3afdd7976745dbe9cc7f90ba4dcadc35d9b

Resubmissions

11-01-2025 23:09

250111-25hcxstnh1 10

14-12-2024 19:23

241214-x3vs1s1qbz 10

12-12-2024 19:35

241212-yaxycaxkaj 10

Analysis

max time kernel
44s
max time network
98s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
11-01-2025 23:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9bf619a41a56cae6b8e6d5b3fb3d3afdd7976745dbe9cc7f90ba4dcadc35d9b.exe
Size

584KB
MD5

c9e985c561be0dd05c190dc70ae3518e
SHA1

ffbcb080efbbd36ebb9f81eded9e63c7f66cab9f
SHA256

f9bf619a41a56cae6b8e6d5b3fb3d3afdd7976745dbe9cc7f90ba4dcadc35d9b
SHA512

f1b10f5bc7bb52bf70a8e083a45a823379b1b4e0ca42e7378a07a06d4b3b8346c4dfbc95575534df9b18445eb5d56a6302d07cd86b6017f422d99dccbfec1ebb
SSDEEP

12288:AgIdCFdSZHZVaeSESmqf6G+SqnTrrEsYGre4YzHix:HYYSZ5VrS3xqTrPFr0c

Score

10^/10

netwire botnet discovery persistence rat stealer

Malware Config

Extracted

Family

netwire

38.132.124.156:1199

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
12345
registry_autorun
true
startup_name
ronies
use_mutex
false

Signatures

NetWire RAT payload 6 IoCs

rat

resource	yara_rule
behavioral1/memory/2704-54-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/2704-51-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/2704-49-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/2704-47-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/2704-45-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/2704-56-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Netwire family
netwire

Executes dropped EXE 2 IoCs

pid	Process
2608	service.exe
2704	service.exe

Loads dropped DLL 6 IoCs

pid	Process
2596	f9bf619a41a56cae6b8e6d5b3fb3d3afdd7976745dbe9cc7f90ba4dcadc35d9b.exe
2596	f9bf619a41a56cae6b8e6d5b3fb3d3afdd7976745dbe9cc7f90ba4dcadc35d9b.exe
2596	f9bf619a41a56cae6b8e6d5b3fb3d3afdd7976745dbe9cc7f90ba4dcadc35d9b.exe
2596	f9bf619a41a56cae6b8e6d5b3fb3d3afdd7976745dbe9cc7f90ba4dcadc35d9b.exe
2596	f9bf619a41a56cae6b8e6d5b3fb3d3afdd7976745dbe9cc7f90ba4dcadc35d9b.exe
2608	service.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\ronies = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe"	service.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2608 set thread context of 2704	2608	service.exe	36

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f9bf619a41a56cae6b8e6d5b3fb3d3afdd7976745dbe9cc7f90ba4dcadc35d9b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2948	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2360	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2608	service.exe
2608	service.exe
2512	chrome.exe
2512	chrome.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	2608	service.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe
Token: SeShutdownPrivilege	2512	chrome.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe
2512	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2360	WINWORD.EXE
2360	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 2608	2596	f9bf619a41a56cae6b8e6d5b3fb3d3afdd7976745dbe9cc7f90ba4dcadc35d9b.exe	30
PID 2596 wrote to memory of 2608	2596	f9bf619a41a56cae6b8e6d5b3fb3d3afdd7976745dbe9cc7f90ba4dcadc35d9b.exe	30
PID 2596 wrote to memory of 2608	2596	f9bf619a41a56cae6b8e6d5b3fb3d3afdd7976745dbe9cc7f90ba4dcadc35d9b.exe	30
PID 2596 wrote to memory of 2608	2596	f9bf619a41a56cae6b8e6d5b3fb3d3afdd7976745dbe9cc7f90ba4dcadc35d9b.exe	30
PID 2596 wrote to memory of 2360	2596	f9bf619a41a56cae6b8e6d5b3fb3d3afdd7976745dbe9cc7f90ba4dcadc35d9b.exe	31
PID 2596 wrote to memory of 2360	2596	f9bf619a41a56cae6b8e6d5b3fb3d3afdd7976745dbe9cc7f90ba4dcadc35d9b.exe	31
PID 2596 wrote to memory of 2360	2596	f9bf619a41a56cae6b8e6d5b3fb3d3afdd7976745dbe9cc7f90ba4dcadc35d9b.exe	31
PID 2596 wrote to memory of 2360	2596	f9bf619a41a56cae6b8e6d5b3fb3d3afdd7976745dbe9cc7f90ba4dcadc35d9b.exe	31
PID 2360 wrote to memory of 2320	2360	WINWORD.EXE	32
PID 2360 wrote to memory of 2320	2360	WINWORD.EXE	32
PID 2360 wrote to memory of 2320	2360	WINWORD.EXE	32
PID 2360 wrote to memory of 2320	2360	WINWORD.EXE	32
PID 2608 wrote to memory of 2948	2608	service.exe	33
PID 2608 wrote to memory of 2948	2608	service.exe	33
PID 2608 wrote to memory of 2948	2608	service.exe	33
PID 2608 wrote to memory of 2948	2608	service.exe	33
PID 2608 wrote to memory of 2704	2608	service.exe	36
PID 2608 wrote to memory of 2704	2608	service.exe	36
PID 2608 wrote to memory of 2704	2608	service.exe	36
PID 2608 wrote to memory of 2704	2608	service.exe	36
PID 2608 wrote to memory of 2704	2608	service.exe	36
PID 2608 wrote to memory of 2704	2608	service.exe	36
PID 2608 wrote to memory of 2704	2608	service.exe	36
PID 2608 wrote to memory of 2704	2608	service.exe	36
PID 2608 wrote to memory of 2704	2608	service.exe	36
PID 2608 wrote to memory of 2704	2608	service.exe	36
PID 2608 wrote to memory of 2704	2608	service.exe	36
PID 2608 wrote to memory of 2704	2608	service.exe	36
PID 2512 wrote to memory of 2324	2512	chrome.exe	41
PID 2512 wrote to memory of 2324	2512	chrome.exe	41
PID 2512 wrote to memory of 2324	2512	chrome.exe	41
PID 2512 wrote to memory of 624	2512	chrome.exe	43
PID 2512 wrote to memory of 624	2512	chrome.exe	43
PID 2512 wrote to memory of 624	2512	chrome.exe	43
PID 2512 wrote to memory of 624	2512	chrome.exe	43
PID 2512 wrote to memory of 624	2512	chrome.exe	43
PID 2512 wrote to memory of 624	2512	chrome.exe	43
PID 2512 wrote to memory of 624	2512	chrome.exe	43
PID 2512 wrote to memory of 624	2512	chrome.exe	43
PID 2512 wrote to memory of 624	2512	chrome.exe	43
PID 2512 wrote to memory of 624	2512	chrome.exe	43
PID 2512 wrote to memory of 624	2512	chrome.exe	43
PID 2512 wrote to memory of 624	2512	chrome.exe	43
PID 2512 wrote to memory of 624	2512	chrome.exe	43
PID 2512 wrote to memory of 624	2512	chrome.exe	43
PID 2512 wrote to memory of 624	2512	chrome.exe	43
PID 2512 wrote to memory of 624	2512	chrome.exe	43
PID 2512 wrote to memory of 624	2512	chrome.exe	43
PID 2512 wrote to memory of 624	2512	chrome.exe	43
PID 2512 wrote to memory of 624	2512	chrome.exe	43
PID 2512 wrote to memory of 624	2512	chrome.exe	43
PID 2512 wrote to memory of 624	2512	chrome.exe	43
PID 2512 wrote to memory of 624	2512	chrome.exe	43
PID 2512 wrote to memory of 624	2512	chrome.exe	43
PID 2512 wrote to memory of 624	2512	chrome.exe	43
PID 2512 wrote to memory of 624	2512	chrome.exe	43
PID 2512 wrote to memory of 624	2512	chrome.exe	43
PID 2512 wrote to memory of 624	2512	chrome.exe	43
PID 2512 wrote to memory of 624	2512	chrome.exe	43
PID 2512 wrote to memory of 624	2512	chrome.exe	43
PID 2512 wrote to memory of 624	2512	chrome.exe	43
PID 2512 wrote to memory of 624	2512	chrome.exe	43
PID 2512 wrote to memory of 624	2512	chrome.exe	43
PID 2512 wrote to memory of 624	2512	chrome.exe	43

C:\Users\Admin\AppData\Local\Temp\f9bf619a41a56cae6b8e6d5b3fb3d3afdd7976745dbe9cc7f90ba4dcadc35d9b.exe
"C:\Users\Admin\AppData\Local\Temp\f9bf619a41a56cae6b8e6d5b3fb3d3afdd7976745dbe9cc7f90ba4dcadc35d9b.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Users\Admin\AppData\Local\Temp\service.exe
  "C:\Users\Admin\AppData\Local\Temp\service.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HRgFfvmwT" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAAFF.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2948
- - C:\Users\Admin\AppData\Local\Temp\service.exe
    "C:\Users\Admin\AppData\Local\Temp\service.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2704
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\CPA accountant COVID_19 pandemic relief (20,000$).docx"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2320

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6759758,0x7fef6759768,0x7fef6759778
  2⤵
  PID:2324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1204 --field-trial-handle=1392,i,8309216962174152241,1852036011950273635,131072 /prefetch:2
  2⤵
  PID:624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1532 --field-trial-handle=1392,i,8309216962174152241,1852036011950273635,131072 /prefetch:8
  2⤵
  PID:2044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1660 --field-trial-handle=1392,i,8309216962174152241,1852036011950273635,131072 /prefetch:8
  2⤵
  PID:604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2172 --field-trial-handle=1392,i,8309216962174152241,1852036011950273635,131072 /prefetch:1
  2⤵
  PID:932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2180 --field-trial-handle=1392,i,8309216962174152241,1852036011950273635,131072 /prefetch:1
  2⤵
  PID:2248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1412 --field-trial-handle=1392,i,8309216962174152241,1852036011950273635,131072 /prefetch:2
  2⤵
  PID:2488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1444 --field-trial-handle=1392,i,8309216962174152241,1852036011950273635,131072 /prefetch:1
  2⤵
  PID:2824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3656 --field-trial-handle=1392,i,8309216962174152241,1852036011950273635,131072 /prefetch:8
  2⤵
  PID:1564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3868 --field-trial-handle=1392,i,8309216962174152241,1852036011950273635,131072 /prefetch:1
  2⤵
  PID:2544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3692 --field-trial-handle=1392,i,8309216962174152241,1852036011950273635,131072 /prefetch:1
  2⤵
  PID:668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3704 --field-trial-handle=1392,i,8309216962174152241,1852036011950273635,131072 /prefetch:1
  2⤵
  PID:2848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2184 --field-trial-handle=1392,i,8309216962174152241,1852036011950273635,131072 /prefetch:1
  2⤵
  PID:2992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3720 --field-trial-handle=1392,i,8309216962174152241,1852036011950273635,131072 /prefetch:1
  2⤵
  PID:892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3752 --field-trial-handle=1392,i,8309216962174152241,1852036011950273635,131072 /prefetch:1
  2⤵
  PID:2092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3224 --field-trial-handle=1392,i,8309216962174152241,1852036011950273635,131072 /prefetch:1
  2⤵
  PID:444

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
41KB

MD5
ca9e4686e278b752e1dec522d6830b1f

SHA1
1129a37b84ee4708492f51323c90804bb0dfed64

SHA256
b36086821f07e11041fc44b05d2cafe3fb756633e72b07da453c28bd4735ed26

SHA512
600e5d6e1df68423976b1dcfa99e56cb8b8f5cd008d52482fefb086546256a9822025d75f5b286996b19ee1c7cd254f476abf4de0cf8c6205d9f7d5e49b80671

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\d07c00c08c378fb5_0

Filesize
347KB

MD5
16fca53b35690b8cfff486ad47a41410

SHA1
c9c84ba822703fb8485822bffb2663e8d1f9d552

SHA256
5b2b2dca0263954325d6f7e64832d03e409843670636820983f2e0d5b8c8e7bd

SHA512
185476a811dd7afa783dc9ab1482912ba1c8a72a2cdf64d48074dfcc38b00159e336e88806b13d9c74a997ba235d78626d7a90d65f1ffbd6df21ba26fa7f9fc1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\f3ae0d23e488645b_0

Filesize
289B

MD5
cc39f2993fe98b128f5ddcb946610594

SHA1
60637926f7be6e5ff76deec283713f6dc6e3f428

SHA256
864b7920677b29eb955be62edc3f8a1a8a3ddde2a9f3dffcd04fb0d637222637

SHA512
99f2872803893e45a68dd7204b4a13ac0f4a1ae9c556e1fb1ef304846f236a0e78e2c5fe166e186451b65fb2e5dd56f09001e7c1f34a3f9b16b3c89a0fdf5267

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
951683ceee4e660c08cc72ce9f96f934

SHA1
c2e50910ac9f093957be5a7d99e6b781d2d1f4fd

SHA256
314fa65a35765854998ecc69fcfad2ea48e9c23cf7819c6a5705f05dbc72f829

SHA512
95ae7416b34a52b2b1bdcadbcf521bde474ab857049b13326509c94c656396b4d3be6f6eec0546ebb348ca83c440eed12985d8aea3a8b0d549b2f15b5eda454f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
d4315a4bd3c622d95a24ac9761f7abf8

SHA1
189adbfb57d9821150687c4f433e570814fdfd65

SHA256
f422039635039b88b5d185e1427d4a34567a409628c618b87d4c2d90db02d993

SHA512
70692322f14dc0efdf8fdef08370da2e5c94a87c9d08f4686eb04f502e290be9646718719f021075810108e20373cbe5aa9d5d14ddbe3aacb06c978e43517a09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
70f5133d67f82b229db09a77f8097a1a

SHA1
745cac03e0b410cc1a2a1a0260a12a7d6848d441

SHA256
7bc45b922c96d5fa58ca3fc143ecf98f6f37e2557c4ef60f78607e7df6532bee

SHA512
4157d49ef6d6f372c888fc3dbd5173481aa8a1a40be4e8766530c1363f6474bd232c32a03256fcd44c788e2f8e2be26b8bf3244807a94685a8900d65dcd2c097

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8c5481d2d03ebfb2de350b117472132f

SHA1
da2bf030ec71e10f75a4487e36ae288f06c9a650

SHA256
f7a444bf62c3079b2fc8710adba93b3d12ea2bd331c53a7ff7cb1bfb4f8b9a6c

SHA512
ce267cb2bfc4dc98520609050cd255ac80b246d604d03eac27192a55a39e9d7ace376406ae890aaeec525bc961b7544593d30f6d386518dd7f73fe36c1f03ab8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
35653d18c521385da0e0328448d04f2b

SHA1
fb2ecfd46fb2396a76d78957fbb9b75dbf78a002

SHA256
370d293b9909a86050ab65d3a166d3833cc59cd82cc1d8f1e6f83e5d1b9a161b

SHA512
5f4fd152c72d7c93e88bc75b08cefc90d0a61278309dd337628529ebe6828997b20cbac4f5f91a2f9d7e482c1a639667d761b703c50b46b34c8a026d17528d84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b9e6970ebaee3a96b79a5c56a5e21e93

SHA1
dba93cef936dafbc609d6bd55663d21061e892a7

SHA256
638d96ba04c42ffea948625267479fef66b17f42978bb9f2c3cfe0e61aaefba6

SHA512
6380562224ee6567876c22e7952d236527380a9b2ab60f3640b49776997caad7618404f2d823c5358723d3dda2be683b1fb44f1273922ea8546215b2fad2cc51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
355KB

MD5
d2a76e2a47f2a0275b4449377da27a49

SHA1
0303d8f440ce3b355187e1a596bcf2fbee66b6f1

SHA256
9842643bc922e570f8adf149d5a4ab52f8ae66516335f6d52d8c816112a2dd62

SHA512
748c01cbde2719d850e4e8ba646034383d36813c3f62b80f7ace0c3ccf89b65d5b5fbc0bc6451c1de73933828bb9aa8199347565188282ba5416519851271af5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
355KB

MD5
d697006102d3b09c1ce74411a87905cd

SHA1
98edd75ea81f798970dd08413518f676bdb29470

SHA256
78d9f8ce42770b95f8f6cb983abb34d204fcd2477870ee2054200c8fe6af09e0

SHA512
bb3eb5c54f9be8175136d901cb33c2c5f5a93ebfcded665e6b4c278b204dceda331e5d3bc4426805fae27975d1e76ade43e0b488c1bd3d8ab8c28f57b2ba0830

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\cee9a23e-f1b5-4315-9e2a-234bba931afc.tmp

Filesize
355KB

MD5
c082821c578b8a99b740f46c00812da9

SHA1
022738bc245ebe69a31fd78534d240b1d128ca0b

SHA256
7fff3325a82e3462885939633bf040dbe3734fb5c4e7caf6457a2b7457216b4e

SHA512
44f4fffb41f0bc3eb28665beb9c5a79f43042c715cfd7447488253a7959843fe6b0c910f50abbbb4d80f1e35d97877de8d4ec2f9dd76ac625f50eae2304f2f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPA accountant COVID_19 pandemic relief (20,000$).docx

Filesize
68KB

MD5
f5338a212a363459b7354fd8091d5501

SHA1
d5f79a7e7a664147f71dc58988462c51f489e16b

SHA256
9a62f34e8c12aeed7a693399f5d17676c9af7b50865f160fc7eb4d709c252583

SHA512
e033137c54ce92fec4d51f79d2cc79e6d6335060a1ba1f5ad0d30833749034c0c2c750e9cea9b654b1c36ea6cf67adddb08c0c165f46d75530cf7af1c1d81ab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\service.exe

Filesize
311KB

MD5
a69b9cf282c900d55cd7452e039daf41

SHA1
0ea752ca500e4b9df336cb4438e7804d3b0186ad

SHA256
3e2526d2955b6709532d1a16a221882619690292dce1527a3399a8d704a4c79d

SHA512
caa067276632186c0ef2e9bf821ad64aff680645a4d0436dac2cefa7aa99feb76cb6a52e672c325ba51783635388f32cd64c2a69f0aa52c1f8f37ab4d29d1765

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAAFF.tmp

Filesize
1KB

MD5
56adfcccadbc1c675c8920293c77abf4

SHA1
3b6e5204047ea871c35ff9901980bacd2c4cb20c

SHA256
b840cda6d4b4fa6e7b111ba3c0a5c0046e207d7e844a324593cca612d694b017

SHA512
0b4ebe9ac49d895a7ef4e42fe51a36f1eea7bfc8d3e460e606a30ea76a14cd294ed228d121fb6fb26c18859386dbedda4e4f303e72b040c8440f598d83e77db7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
24539e2b1b742835e240fc48b3593c26

SHA1
3e008374e463fbed4f3cadaa2a70d83228b28bd7

SHA256
d2a0f7dd2fd2a35fa67dcb86a8c821b68bc36a8e965609975437dff3827fdccd

SHA512
fa72f22df133ee9e1f87d213bf4f25686f79c2f3968219d7743d7e9b0c0db1fa303c6702395f67545f02b6db89f00259075b45140ee587fb4368d82b3de2f5f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/2360-86-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2360-87-0x000000007080D000-0x0000000070818000-memory.dmp

Filesize
44KB

Download
memory/2360-64-0x000000007080D000-0x0000000070818000-memory.dmp

Filesize
44KB

Download
memory/2360-22-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2360-25-0x000000007080D000-0x0000000070818000-memory.dmp

Filesize
44KB

Download
memory/2360-24-0x000000002F691000-0x000000002F692000-memory.dmp

Filesize
4KB

Download
memory/2608-23-0x0000000074060000-0x000000007460B000-memory.dmp

Filesize
5.7MB

Download
memory/2608-57-0x0000000074060000-0x000000007460B000-memory.dmp

Filesize
5.7MB

Download
memory/2608-21-0x0000000074061000-0x0000000074062000-memory.dmp

Filesize
4KB

Download
memory/2608-26-0x0000000074062000-0x0000000074064000-memory.dmp

Filesize
8KB

Download
memory/2704-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-53-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2704-54-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-39-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-51-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-47-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-43-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2704-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download