b662290de96c568fc32720e4862e8eb5da8bc47096c8b66599d51072a5db4ae8

Resubmissions

20/02/2025, 14:15

250220-rkw1gawran 10

Analysis

max time kernel
900s
max time network
850s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
20/02/2025, 14:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

net8.0-windows10.0.26100.0/Velocity.exe
Size

140KB
MD5

9792add6ee65934b6a03cc1605ea098b
SHA1

966c698fe9cf94f27876a87192ec7f9ba487dfef
SHA256

575a5ee1eb56e433e4402beef8e4c2ae66a84cb181d22ed4f35fe6d65eec5a1e
SHA512

a25c8eb359a7ab52151547fcdbac1ffa41aa25ca854a2d77e70683be8e324905b05f5193cfe11fefe8b19c434e7be8bf72ab7e160a7beb827a2f60b04df8c816
SSDEEP

3072:3jK4UGDHXrQ8hy7qgpHulWD9ZvZ5Pf3Ca10xuZ04ntfOrhBu5:3jK4TDUqgpqWDLZ5H+xuZ048hA

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-80166876-2127584002-2233670790-1000\Control Panel\International\Geo\Nation	Velocity.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	raw.githubusercontent.com
5	raw.githubusercontent.com

Network Service Discovery 1 TTPs 24 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
5908	CefSharp.BrowserSubprocess.exe
4208	CefSharp.BrowserSubprocess.exe
4376	CefSharp.BrowserSubprocess.exe
3208	CefSharp.BrowserSubprocess.exe
4184	CefSharp.BrowserSubprocess.exe
2916	CefSharp.BrowserSubprocess.exe
1288	CefSharp.BrowserSubprocess.exe
2528	CefSharp.BrowserSubprocess.exe
3612	CefSharp.BrowserSubprocess.exe
4604	CefSharp.BrowserSubprocess.exe
3304	CefSharp.BrowserSubprocess.exe
4696	CefSharp.BrowserSubprocess.exe
4504	CefSharp.BrowserSubprocess.exe
5372	CefSharp.BrowserSubprocess.exe
5220	CefSharp.BrowserSubprocess.exe
3848	CefSharp.BrowserSubprocess.exe
1656	CefSharp.BrowserSubprocess.exe
1496	CefSharp.BrowserSubprocess.exe
4772	CefSharp.BrowserSubprocess.exe
3644	CefSharp.BrowserSubprocess.exe
5644	CefSharp.BrowserSubprocess.exe
5528	CefSharp.BrowserSubprocess.exe
5668	CefSharp.BrowserSubprocess.exe
1048	CefSharp.BrowserSubprocess.exe

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	Velocity.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	Velocity.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_923463322\hyph-or.hyb	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_923463322\hyph-et.hyb	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_923463322\hyph-as.hyb	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_923463322\hyph-af.hyb	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_1008764445\surnames.txt	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_1577941996\manifest.json	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_923463322\hyph-te.hyb	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_923463322\hyph-nn.hyb	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_923463322\hyph-lv.hyb	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_1387226405\manifest.json	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_923463322\hyph-ml.hyb	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_1008764445\female_names.txt	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_2003074602\ct_config.pb	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_1387226405\manifest.fingerprint	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_1539675942\_metadata\verified_contents.json	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_923463322\hyph-und-ethi.hyb	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_1008764445\manifest.json	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_1577941996\manifest.fingerprint	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_1393219873\download_file_types.pb	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_923463322\hyph-hy.hyb	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_923463322\hyph-gl.hyb	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_923463322\hyph-ta.hyb	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_923463322\hyph-el.hyb	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_1008764445\manifest.fingerprint	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_1393219873\manifest.fingerprint	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_331179412\crl-set	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_1127512596\_metadata\verified_contents.json	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_2014770914\_metadata\verified_contents.json	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_609646600\manifest.json	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_923463322\hyph-sl.hyb	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_923463322\hyph-ga.hyb	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_923463322\manifest.json	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_1336460686\preloaded_data.pb	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_331179412\manifest.json	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_1539675942\LICENSE.txt	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_290647433\manifest.fingerprint	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_923463322\hyph-mr.hyb	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_1127512596\_platform_specific\win_x64\widevinecdm.dll.sig	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_1127512596\manifest.fingerprint	Velocity.exe
File opened for modification	C:\Windows\SystemTemp	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_923463322\hyph-es.hyb	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_923463322\hyph-en-us.hyb	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_923463322\_metadata\verified_contents.json	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_1008764445\ranked_dicts	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_923463322\hyph-tk.hyb	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_1008764445\english_wikipedia.txt	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_1799514681\_metadata\verified_contents.json	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_1799514681\manifest.fingerprint	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_1577941996\_metadata\verified_contents.json	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_1387226405\_metadata\verified_contents.json	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_923463322\hyph-de-1901.hyb	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_923463322\hyph-bg.hyb	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_1127512596\_platform_specific\win_x64\widevinecdm.dll	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_923463322\hyph-nl.hyb	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_923463322\hyph-ka.hyb	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_854823207\safety_tips.pb	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_2003074602\manifest.json	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_1336460686\manifest.json	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_1336460686\_metadata\verified_contents.json	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_1953170213\_metadata\verified_contents.json	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_923463322\hyph-ru.hyb	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_1008764445\us_tv_and_film.txt	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_331179412\manifest.fingerprint	Velocity.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_2014770914\optimization-hints.pb	Velocity.exe

System Network Connections Discovery 1 TTPs 2 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
3560	cmd.exe
996	NETSTAT.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Velocity.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Velocity.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Velocity.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
996	NETSTAT.EXE

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	Velocity.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133845348640968968"	Velocity.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe
2416	Velocity.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5372	CefSharp.BrowserSubprocess.exe
Token: SeDebugPrivilege	3848	CefSharp.BrowserSubprocess.exe
Token: SeDebugPrivilege	5220	CefSharp.BrowserSubprocess.exe
Token: SeShutdownPrivilege	2416	Velocity.exe
Token: SeCreatePagefilePrivilege	2416	Velocity.exe
Token: SeDebugPrivilege	2416	Velocity.exe
Token: SeDebugPrivilege	3208	CefSharp.BrowserSubprocess.exe
Token: SeShutdownPrivilege	2416	Velocity.exe
Token: SeCreatePagefilePrivilege	2416	Velocity.exe
Token: SeDebugPrivilege	996	NETSTAT.EXE
Token: SeDebugPrivilege	3644	CefSharp.BrowserSubprocess.exe
Token: SeShutdownPrivilege	2416	Velocity.exe
Token: SeCreatePagefilePrivilege	2416	Velocity.exe
Token: SeShutdownPrivilege	2416	Velocity.exe
Token: SeCreatePagefilePrivilege	2416	Velocity.exe
Token: SeShutdownPrivilege	2416	Velocity.exe
Token: SeCreatePagefilePrivilege	2416	Velocity.exe
Token: SeDebugPrivilege	3612	CefSharp.BrowserSubprocess.exe
Token: SeShutdownPrivilege	2416	Velocity.exe
Token: SeCreatePagefilePrivilege	2416	Velocity.exe
Token: SeShutdownPrivilege	2416	Velocity.exe
Token: SeCreatePagefilePrivilege	2416	Velocity.exe
Token: SeShutdownPrivilege	2416	Velocity.exe
Token: SeCreatePagefilePrivilege	2416	Velocity.exe
Token: SeShutdownPrivilege	2416	Velocity.exe
Token: SeCreatePagefilePrivilege	2416	Velocity.exe
Token: SeShutdownPrivilege	2416	Velocity.exe
Token: SeCreatePagefilePrivilege	2416	Velocity.exe
Token: SeShutdownPrivilege	2416	Velocity.exe
Token: SeCreatePagefilePrivilege	2416	Velocity.exe
Token: SeShutdownPrivilege	2416	Velocity.exe
Token: SeCreatePagefilePrivilege	2416	Velocity.exe
Token: SeShutdownPrivilege	2416	Velocity.exe
Token: SeCreatePagefilePrivilege	2416	Velocity.exe
Token: SeShutdownPrivilege	2416	Velocity.exe
Token: SeCreatePagefilePrivilege	2416	Velocity.exe
Token: SeShutdownPrivilege	2416	Velocity.exe
Token: SeCreatePagefilePrivilege	2416	Velocity.exe
Token: SeShutdownPrivilege	2416	Velocity.exe
Token: SeCreatePagefilePrivilege	2416	Velocity.exe
Token: SeShutdownPrivilege	2416	Velocity.exe
Token: SeCreatePagefilePrivilege	2416	Velocity.exe
Token: SeShutdownPrivilege	2416	Velocity.exe
Token: SeCreatePagefilePrivilege	2416	Velocity.exe
Token: SeShutdownPrivilege	2416	Velocity.exe
Token: SeCreatePagefilePrivilege	2416	Velocity.exe
Token: SeShutdownPrivilege	2416	Velocity.exe
Token: SeCreatePagefilePrivilege	2416	Velocity.exe
Token: SeShutdownPrivilege	2416	Velocity.exe
Token: SeCreatePagefilePrivilege	2416	Velocity.exe
Token: SeShutdownPrivilege	2416	Velocity.exe
Token: SeCreatePagefilePrivilege	2416	Velocity.exe
Token: SeShutdownPrivilege	2416	Velocity.exe
Token: SeCreatePagefilePrivilege	2416	Velocity.exe
Token: SeShutdownPrivilege	2416	Velocity.exe
Token: SeCreatePagefilePrivilege	2416	Velocity.exe
Token: SeShutdownPrivilege	2416	Velocity.exe
Token: SeCreatePagefilePrivilege	2416	Velocity.exe
Token: SeShutdownPrivilege	2416	Velocity.exe
Token: SeCreatePagefilePrivilege	2416	Velocity.exe
Token: SeShutdownPrivilege	2416	Velocity.exe
Token: SeCreatePagefilePrivilege	2416	Velocity.exe
Token: SeShutdownPrivilege	2416	Velocity.exe
Token: SeCreatePagefilePrivilege	2416	Velocity.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 5220	2416	Velocity.exe	79
PID 2416 wrote to memory of 5220	2416	Velocity.exe	79
PID 2416 wrote to memory of 5372	2416	Velocity.exe	80
PID 2416 wrote to memory of 5372	2416	Velocity.exe	80
PID 2416 wrote to memory of 3848	2416	Velocity.exe	81
PID 2416 wrote to memory of 3848	2416	Velocity.exe	81
PID 2416 wrote to memory of 3644	2416	Velocity.exe	82
PID 2416 wrote to memory of 3644	2416	Velocity.exe	82
PID 2416 wrote to memory of 3208	2416	Velocity.exe	83
PID 2416 wrote to memory of 3208	2416	Velocity.exe	83
PID 2416 wrote to memory of 3560	2416	Velocity.exe	84
PID 2416 wrote to memory of 3560	2416	Velocity.exe	84
PID 3560 wrote to memory of 996	3560	cmd.exe	86
PID 3560 wrote to memory of 996	3560	cmd.exe	86
PID 3560 wrote to memory of 5728	3560	cmd.exe	87
PID 3560 wrote to memory of 5728	3560	cmd.exe	87
PID 2416 wrote to memory of 3612	2416	Velocity.exe	88
PID 2416 wrote to memory of 3612	2416	Velocity.exe	88
PID 2416 wrote to memory of 1656	2416	Velocity.exe	93
PID 2416 wrote to memory of 1656	2416	Velocity.exe	93
PID 2416 wrote to memory of 1496	2416	Velocity.exe	94
PID 2416 wrote to memory of 1496	2416	Velocity.exe	94
PID 2416 wrote to memory of 4184	2416	Velocity.exe	95
PID 2416 wrote to memory of 4184	2416	Velocity.exe	95
PID 2416 wrote to memory of 4772	2416	Velocity.exe	96
PID 2416 wrote to memory of 4772	2416	Velocity.exe	96
PID 2416 wrote to memory of 5644	2416	Velocity.exe	97
PID 2416 wrote to memory of 5644	2416	Velocity.exe	97
PID 2416 wrote to memory of 4696	2416	Velocity.exe	98
PID 2416 wrote to memory of 4696	2416	Velocity.exe	98
PID 2416 wrote to memory of 4604	2416	Velocity.exe	99
PID 2416 wrote to memory of 4604	2416	Velocity.exe	99
PID 2416 wrote to memory of 4504	2416	Velocity.exe	100
PID 2416 wrote to memory of 4504	2416	Velocity.exe	100
PID 2416 wrote to memory of 5528	2416	Velocity.exe	101
PID 2416 wrote to memory of 5528	2416	Velocity.exe	101
PID 2416 wrote to memory of 2916	2416	Velocity.exe	102
PID 2416 wrote to memory of 2916	2416	Velocity.exe	102
PID 2416 wrote to memory of 5668	2416	Velocity.exe	103
PID 2416 wrote to memory of 5668	2416	Velocity.exe	103
PID 2416 wrote to memory of 1048	2416	Velocity.exe	108
PID 2416 wrote to memory of 1048	2416	Velocity.exe	108
PID 2416 wrote to memory of 1288	2416	Velocity.exe	109
PID 2416 wrote to memory of 1288	2416	Velocity.exe	109
PID 2416 wrote to memory of 3304	2416	Velocity.exe	110
PID 2416 wrote to memory of 3304	2416	Velocity.exe	110
PID 2416 wrote to memory of 2528	2416	Velocity.exe	111
PID 2416 wrote to memory of 2528	2416	Velocity.exe	111
PID 2416 wrote to memory of 5908	2416	Velocity.exe	112
PID 2416 wrote to memory of 5908	2416	Velocity.exe	112
PID 2416 wrote to memory of 4208	2416	Velocity.exe	113
PID 2416 wrote to memory of 4208	2416	Velocity.exe	113
PID 2416 wrote to memory of 4376	2416	Velocity.exe	114
PID 2416 wrote to memory of 4376	2416	Velocity.exe	114

C:\Users\Admin\AppData\Local\Temp\net8.0-windows10.0.26100.0\Velocity.exe
"C:\Users\Admin\AppData\Local\Temp\net8.0-windows10.0.26100.0\Velocity.exe"
1⤵
- Checks computer location settings
- Checks system information in the registry
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Users\Admin\AppData\Local\Temp\net8.0-windows10.0.26100.0\runtimes\win-x64\native\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\AppData\Local\Temp\net8.0-windows10.0.26100.0\runtimes\win-x64\native\CefSharp.BrowserSubprocess.exe" --type=gpu-process --no-sandbox --string-annotations=is-enterprise-managed=no --start-stack-profiler --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2372,i,15302477302459956117,14313141329725890031,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=1724 --mojo-platform-channel-handle=2368 /prefetch:2 --host-process-id=2416
  2⤵
  - Network Service Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5220
- C:\Users\Admin\AppData\Local\Temp\net8.0-windows10.0.26100.0\runtimes\win-x64\native\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\AppData\Local\Temp\net8.0-windows10.0.26100.0\runtimes\win-x64\native\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --string-annotations=is-enterprise-managed=no --start-stack-profiler --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --field-trial-handle=2404,i,15302477302459956117,14313141329725890031,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=2416 --mojo-platform-channel-handle=2408 /prefetch:3 --host-process-id=2416
  2⤵
  - Network Service Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5372
- C:\Users\Admin\AppData\Local\Temp\net8.0-windows10.0.26100.0\runtimes\win-x64\native\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\AppData\Local\Temp\net8.0-windows10.0.26100.0\runtimes\win-x64\native\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --string-annotations=is-enterprise-managed=no --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --field-trial-handle=2612,i,15302477302459956117,14313141329725890031,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=2584 --mojo-platform-channel-handle=2384 /prefetch:8 --host-process-id=2416
  2⤵
  - Network Service Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3848
- C:\Users\Admin\AppData\Local\Temp\net8.0-windows10.0.26100.0\runtimes\win-x64\native\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\AppData\Local\Temp\net8.0-windows10.0.26100.0\runtimes\win-x64\native\CefSharp.BrowserSubprocess.exe" --type=renderer --string-annotations=is-enterprise-managed=no --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=5076,i,15302477302459956117,14313141329725890031,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=5148 --mojo-platform-channel-handle=5144 --host-process-id=2416 /prefetch:1
  2⤵
  - Network Service Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3644
- C:\Users\Admin\AppData\Local\Temp\net8.0-windows10.0.26100.0\runtimes\win-x64\native\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\AppData\Local\Temp\net8.0-windows10.0.26100.0\runtimes\win-x64\native\CefSharp.BrowserSubprocess.exe" --type=renderer --string-annotations=is-enterprise-managed=no --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=5084,i,15302477302459956117,14313141329725890031,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=5160 --mojo-platform-channel-handle=5152 --host-process-id=2416 /prefetch:1
  2⤵
  - Network Service Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3208
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c netstat -ano | findstr :30000
  2⤵
  - System Network Connections Discovery
  - Suspicious use of WriteProcessMemory
  PID:3560
- - C:\Windows\system32\NETSTAT.EXE
    netstat -ano
    3⤵
    - System Network Connections Discovery
    - Gathers network information
    - Suspicious use of AdjustPrivilegeToken
    PID:996
- - C:\Windows\system32\findstr.exe
    findstr :30000
    3⤵
    PID:5728
- C:\Users\Admin\AppData\Local\Temp\net8.0-windows10.0.26100.0\runtimes\win-x64\native\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\AppData\Local\Temp\net8.0-windows10.0.26100.0\runtimes\win-x64\native\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-sandbox --string-annotations=is-enterprise-managed=no --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --field-trial-handle=5816,i,15302477302459956117,14313141329725890031,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=5820 --mojo-platform-channel-handle=5812 /prefetch:8 --host-process-id=2416
  2⤵
  - Network Service Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3612
- C:\Users\Admin\AppData\Local\Temp\net8.0-windows10.0.26100.0\runtimes\win-x64\native\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\AppData\Local\Temp\net8.0-windows10.0.26100.0\runtimes\win-x64\native\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-sandbox --string-annotations=is-enterprise-managed=no --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --field-trial-handle=4232,i,15302477302459956117,14313141329725890031,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=7160 --mojo-platform-channel-handle=6968 /prefetch:8 --host-process-id=2416
  2⤵
  - Network Service Discovery
  PID:1656
- C:\Users\Admin\AppData\Local\Temp\net8.0-windows10.0.26100.0\runtimes\win-x64\native\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\AppData\Local\Temp\net8.0-windows10.0.26100.0\runtimes\win-x64\native\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-sandbox --string-annotations=is-enterprise-managed=no --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --field-trial-handle=7116,i,15302477302459956117,14313141329725890031,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=7156 --mojo-platform-channel-handle=7160 /prefetch:8 --host-process-id=2416
  2⤵
  - Network Service Discovery
  PID:1496
- C:\Users\Admin\AppData\Local\Temp\net8.0-windows10.0.26100.0\runtimes\win-x64\native\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\AppData\Local\Temp\net8.0-windows10.0.26100.0\runtimes\win-x64\native\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-sandbox --string-annotations=is-enterprise-managed=no --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --field-trial-handle=7120,i,15302477302459956117,14313141329725890031,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=4240 --mojo-platform-channel-handle=7144 /prefetch:8 --host-process-id=2416
  2⤵
  - Network Service Discovery
  PID:4184
- C:\Users\Admin\AppData\Local\Temp\net8.0-windows10.0.26100.0\runtimes\win-x64\native\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\AppData\Local\Temp\net8.0-windows10.0.26100.0\runtimes\win-x64\native\CefSharp.BrowserSubprocess.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-sandbox --string-annotations=is-enterprise-managed=no --start-stack-profiler --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=7144,i,15302477302459956117,14313141329725890031,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=4240 --mojo-platform-channel-handle=7140 /prefetch:8 --host-process-id=2416
  2⤵
  - Network Service Discovery
  PID:4772
- C:\Users\Admin\AppData\Local\Temp\net8.0-windows10.0.26100.0\runtimes\win-x64\native\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\AppData\Local\Temp\net8.0-windows10.0.26100.0\runtimes\win-x64\native\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --no-sandbox --string-annotations=is-enterprise-managed=no --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --field-trial-handle=7088,i,15302477302459956117,14313141329725890031,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=1128 --mojo-platform-channel-handle=7100 /prefetch:8 --host-process-id=2416
  2⤵
  - Network Service Discovery
  PID:5644
- C:\Users\Admin\AppData\Local\Temp\net8.0-windows10.0.26100.0\runtimes\win-x64\native\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\AppData\Local\Temp\net8.0-windows10.0.26100.0\runtimes\win-x64\native\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-sandbox --string-annotations=is-enterprise-managed=no --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --field-trial-handle=4456,i,15302477302459956117,14313141329725890031,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=7136 --mojo-platform-channel-handle=6368 /prefetch:8 --host-process-id=2416
  2⤵
  - Network Service Discovery
  PID:4696
- C:\Users\Admin\AppData\Local\Temp\net8.0-windows10.0.26100.0\runtimes\win-x64\native\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\AppData\Local\Temp\net8.0-windows10.0.26100.0\runtimes\win-x64\native\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-sandbox --string-annotations=is-enterprise-managed=no --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --field-trial-handle=4468,i,15302477302459956117,14313141329725890031,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=7136 --mojo-platform-channel-handle=7076 /prefetch:8 --host-process-id=2416
  2⤵
  - Network Service Discovery
  PID:4604
- C:\Users\Admin\AppData\Local\Temp\net8.0-windows10.0.26100.0\runtimes\win-x64\native\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\AppData\Local\Temp\net8.0-windows10.0.26100.0\runtimes\win-x64\native\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-sandbox --string-annotations=is-enterprise-managed=no --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --field-trial-handle=1904,i,15302477302459956117,14313141329725890031,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=6968 --mojo-platform-channel-handle=7136 /prefetch:8 --host-process-id=2416
  2⤵
  - Network Service Discovery
  PID:4504
- C:\Users\Admin\AppData\Local\Temp\net8.0-windows10.0.26100.0\runtimes\win-x64\native\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\AppData\Local\Temp\net8.0-windows10.0.26100.0\runtimes\win-x64\native\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-sandbox --string-annotations=is-enterprise-managed=no --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --field-trial-handle=7068,i,15302477302459956117,14313141329725890031,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=6968 --mojo-platform-channel-handle=7080 /prefetch:8 --host-process-id=2416
  2⤵
  - Network Service Discovery
  PID:5528
- C:\Users\Admin\AppData\Local\Temp\net8.0-windows10.0.26100.0\runtimes\win-x64\native\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\AppData\Local\Temp\net8.0-windows10.0.26100.0\runtimes\win-x64\native\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-sandbox --string-annotations=is-enterprise-managed=no --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --field-trial-handle=7108,i,15302477302459956117,14313141329725890031,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=5072 --mojo-platform-channel-handle=5664 /prefetch:8 --host-process-id=2416
  2⤵
  - Network Service Discovery
  PID:2916
- C:\Users\Admin\AppData\Local\Temp\net8.0-windows10.0.26100.0\runtimes\win-x64\native\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\AppData\Local\Temp\net8.0-windows10.0.26100.0\runtimes\win-x64\native\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-sandbox --string-annotations=is-enterprise-managed=no --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --field-trial-handle=5072,i,15302477302459956117,14313141329725890031,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=1552 --mojo-platform-channel-handle=1900 /prefetch:8 --host-process-id=2416
  2⤵
  - Network Service Discovery
  PID:5668
- C:\Users\Admin\AppData\Local\Temp\net8.0-windows10.0.26100.0\runtimes\win-x64\native\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\AppData\Local\Temp\net8.0-windows10.0.26100.0\runtimes\win-x64\native\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-sandbox --string-annotations=is-enterprise-managed=no --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --field-trial-handle=5352,i,15302477302459956117,14313141329725890031,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=5664 --mojo-platform-channel-handle=5068 /prefetch:8 --host-process-id=2416
  2⤵
  - Network Service Discovery
  PID:1048
- C:\Users\Admin\AppData\Local\Temp\net8.0-windows10.0.26100.0\runtimes\win-x64\native\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\AppData\Local\Temp\net8.0-windows10.0.26100.0\runtimes\win-x64\native\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-sandbox --string-annotations=is-enterprise-managed=no --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --field-trial-handle=5064,i,15302477302459956117,14313141329725890031,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=6960 --mojo-platform-channel-handle=5068 /prefetch:8 --host-process-id=2416
  2⤵
  - Network Service Discovery
  PID:1288
- C:\Users\Admin\AppData\Local\Temp\net8.0-windows10.0.26100.0\runtimes\win-x64\native\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\AppData\Local\Temp\net8.0-windows10.0.26100.0\runtimes\win-x64\native\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-sandbox --string-annotations=is-enterprise-managed=no --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --field-trial-handle=4244,i,15302477302459956117,14313141329725890031,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=7072 --mojo-platform-channel-handle=7076 /prefetch:8 --host-process-id=2416
  2⤵
  - Network Service Discovery
  PID:3304
- C:\Users\Admin\AppData\Local\Temp\net8.0-windows10.0.26100.0\runtimes\win-x64\native\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\AppData\Local\Temp\net8.0-windows10.0.26100.0\runtimes\win-x64\native\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-sandbox --string-annotations=is-enterprise-managed=no --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --field-trial-handle=7128,i,15302477302459956117,14313141329725890031,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=7160 --mojo-platform-channel-handle=7104 /prefetch:8 --host-process-id=2416
  2⤵
  - Network Service Discovery
  PID:2528
- C:\Users\Admin\AppData\Local\Temp\net8.0-windows10.0.26100.0\runtimes\win-x64\native\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\AppData\Local\Temp\net8.0-windows10.0.26100.0\runtimes\win-x64\native\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-sandbox --string-annotations=is-enterprise-managed=no --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --field-trial-handle=7084,i,15302477302459956117,14313141329725890031,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=5292 --mojo-platform-channel-handle=7156 /prefetch:8 --host-process-id=2416
  2⤵
  - Network Service Discovery
  PID:5908
- C:\Users\Admin\AppData\Local\Temp\net8.0-windows10.0.26100.0\runtimes\win-x64\native\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\AppData\Local\Temp\net8.0-windows10.0.26100.0\runtimes\win-x64\native\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-sandbox --string-annotations=is-enterprise-managed=no --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --field-trial-handle=7132,i,15302477302459956117,14313141329725890031,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=7156 --mojo-platform-channel-handle=7140 /prefetch:8 --host-process-id=2416
  2⤵
  - Network Service Discovery
  PID:4208
- C:\Users\Admin\AppData\Local\Temp\net8.0-windows10.0.26100.0\runtimes\win-x64\native\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\AppData\Local\Temp\net8.0-windows10.0.26100.0\runtimes\win-x64\native\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-sandbox --string-annotations=is-enterprise-managed=no --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --field-trial-handle=4500,i,15302477302459956117,14313141329725890031,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=4464 --mojo-platform-channel-handle=4452 /prefetch:8 --host-process-id=2416
  2⤵
  - Network Service Discovery
  PID:4376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\CEF\User Data\Default\DawnWebGPUCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\Default\Extension Rules\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\Default\Extension Rules\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\Default\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\Default\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\Default\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\Default\Network\Network Persistent State

Filesize
551B

MD5
c72524c7a4c20169f3027355b4d2ce6d

SHA1
57e376e7955c525009bdffe4ac49f52886cca723

SHA256
4b8ed1c8c9d5caee809a1af60fd40cc5dda8fe7e4e0a679c88dbb940921c02bf

SHA512
44cc56788092a20e8fbc5894e1408659e72295ad523e337a78cff5673e547aaec1b35c40e7825849bb888212db1ce2d108063b91d35a86bcf650bc531eb32de7

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\Default\Network\Network Persistent State

Filesize
551B

MD5
56ad6e1a67bba003597cfeeab31cef95

SHA1
3d8aaaff5bb70be5709d0a1b23e2621125eeaeaa

SHA256
dc58031b597fb2eadbdabbe315f605e13be5dffb8cc54fb5cf8c73ebf265c7ec

SHA512
e6925113e257551a24366105cf6d024bde2e4866c2655e8305c01490868ae3460527cb5ce47e74d7c2bb02b82a542a40cc7d44997856a1ae24a71dbac043df95

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\Default\Network\Network Persistent State~RFe595ba3.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\Default\Network\TransportSecurity

Filesize
353B

MD5
dbd04c4aeb0d438903fa0af2e4eacb1f

SHA1
07db29d28d95b7668da10c2c9439e6c13721bec0

SHA256
787850953504309ead9ce537494e3af307221a8e477820c755dfd8738a584825

SHA512
88b1265436068ee68a9f522151c269f7011997df57c08e5516d0e0edd2bd341b8f4f13a169842a2bee27380ca8f47b58973ca4a809bd575b8a2a5eb0825a5a8f

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\Default\Network\TransportSecurity~RFe596ce9.TMP

Filesize
351B

MD5
f4fd2af4d5d035003feb54ca5b5b314a

SHA1
dede6b3b38905e91fae8ee252dc971d30056bdb2

SHA256
e5a3c24193c99a2b2afd2b509e9ed16bb13fdd3b4dc459fd168b7b42669c076b

SHA512
5c4c8afcd3180ad4245418a55acf7ac213f55b7c1467462913b217f3fd71c36be8f81732762d5705336f53e40c8b339829a5ae8148b753894b116bf29590a489

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\Default\d605e218-4d2e-48c7-ba51-87d6ab9fe169.tmp

Filesize
7KB

MD5
7b5153a440d19e9e57293c5253fcc80e

SHA1
86c0ad30cd16b6a88dc2324dae1a9bc0bbd01335

SHA256
a85517e9b7655030b7f0d2ff77a7bfea1d4a7f72c5218f529768b807deb09d56

SHA512
5be0b45aad816264e58543f827c4c667640ff7a8c725e979a23e1115ab9ec44b0553c759915f9ae1a87f2bb7dceaae32bfd136eaecef4b0ca2928aabfb79227d

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\Local State

Filesize
2KB

MD5
b669356fc7f5eda237f53901a47af265

SHA1
b693e0d5993958a2dd7ef95364d12baac84f77ac

SHA256
a58a28bc49d7d7e93165b4e99c467d0fa3f84e94c969d7be848d36b5809985ca

SHA512
ca188ed5925f1269a5fe8888dbc8fbec969eb5a126405e9b5676c9e0082641959597be4312686ea6d8fedf4dba155e48999206caeee90e7a885f8b0e3e13152d

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\Local State

Filesize
5KB

MD5
4252386215bb5126b379fbd7c56adef5

SHA1
69a7f9ccd8953fda054d20b8af733bdfb4a08d2b

SHA256
83c6fa204831681c64bfafe0350f334c21743c225b2aa44ad2cb12847b8d6057

SHA512
91f824bd81511b01a3dc7de40f145f62bd7fe8fa0dff6461cd877ae0011262cc5ee98de3f17786ddf386d3f126158eb0f581832fa2db6397aa0170b4080702be

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\Local State

Filesize
5KB

MD5
684c98bea914355f9aa3ade0f1dffa5c

SHA1
8a7aa25035c2aec9df8948c57299465203ada28c

SHA256
3331295a0d6e905f5c7d1ce86ecd79e250aa36ea4c1189c191e74c6d1575473a

SHA512
e2914ce256ba366b1f6e745d03935f716c594d6819027dbdb17174d266f39054c1e172b500a6b62ba5802512c443e296846c243ba9f311a7606ef70fcd08557e

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\Local State

Filesize
5KB

MD5
0b7595823d6426c560b1acd106bc8c2c

SHA1
cc8f9289028029130de47ad5e96de9229f40fae0

SHA256
b902ec131a3e65b71d1455e1ae0061aa20c5d41c5bc51aa9136fd73591b560f8

SHA512
fe0bab09ae3376643d803a60586d02156acea173929a1da40c03b8b1b0f5f180deee4d89195cb0f3e3b00a6681b9a242679b8efdda81709da2a207c8bd75d4c1

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\Local State

Filesize
24KB

MD5
a0953d3887d6fc683e3f75df51846916

SHA1
44538a3b3b65dbfc4d38bbb0fae06bebd365a4d8

SHA256
574adbea0a5f416beaa846ed60c40de753e8c7f68670cc8c8dfc187f1298f953

SHA512
be0a64f8cf35bea89d565081d00f0bd7581d2a6c7bc9eb5b580cd8acd4c61f1f47db5b7b271a8af58cf7de801fcc3c47d2b85b5dbdab1f7f39dfd1b3a5446473

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\Local State

Filesize
26KB

MD5
e7eff47e9d3b817ca4f21765bdf0dff8

SHA1
13f850c5e208dccaea5b0395bd13d8e993dd7d82

SHA256
59dffd9474d7bcfd708357062c33868231e98db92f9e858e9654fd54a6fc38a6

SHA512
dc6de520ab38b94a6d7c2728df00a933d07f8221dee91b885f488a3e0045f4d4c58eaacc19ea277d25b579f3880b88d274495ab99ea71d2738ec48e625414d3c

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\Local State

Filesize
1KB

MD5
7c68a2b62a12ccc9b3ab705439a1f972

SHA1
68460433ea407cb99069c80c2e60cf609f85eadc

SHA256
1fab810f9db1b82c31c86d8ca73edc483b97b3aa2e9c536d860a467dc9d0590a

SHA512
7503aeee2b2d69fe8aca646cb4936defa25e4fa528c5f6fd6ec57b7c11225e6caf3feaabe6322bfb892ee4afc2534994422af7f560f31ebf44c7c94d5bedc12f

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\Local State~RFe584735.TMP

Filesize
952B

MD5
13d3defe813cc9f9863638bf95896ac1

SHA1
dd1b344f430b370a8ec4a7e62e9ab31b8fa28faa

SHA256
ce52ae36822050a468853c76ef9278b271601150b7c25a4b67eb91a749ecc482

SHA512
fb250b2cf9425e1eecfda56ae8613a26949e4a0bf71b9210ca78bcd54da2177533cbd82ce2d6354f59dac2191f726d2abab6b6c2bd74166fa225be99cf7f4762

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\chrome_debug.log

Filesize
691B

MD5
6900d536fe8d37c8ed9d281f012d4eee

SHA1
f47002a22d6b88601ffa6b02fe1f5bf8510f2c65

SHA256
34bf6b57548a6efa14874f7d81b2cf0c90103b3abe44489c26d364130c034c1b

SHA512
3fec8ab7f117e03808184f7a39c1da19b9fc32fc65a403d05c61bad9c00693692ec1dfc0b3b9bc2f027cc0f04391cf1c1f1c00ec07d303e3de2462837ca24150

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\chrome_debug.log

Filesize
875B

MD5
acec3a9c67cbc799dbea65779cab476d

SHA1
212101c7d312c88b13541f87c8abfa5c4d388b2d

SHA256
2d6865791340c1b54037dbe6b4fdcc9bfbc76f57e0b4e600591b685c920fd3cf

SHA512
d397d400fe292494c81ee0afbc15c61cf2733a9313b07df08808f82c79014a9708e833f7e5ec0db26427a61727f3e969955251ff7e697120e98517b0d281276b

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_331179412\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_923463322\hyph-bn.hyb

Filesize
703B

MD5
8961fdd3db036dd43002659a4e4a7365

SHA1
7b2fa321d50d5417e6c8d48145e86d15b7ff8321

SHA256
c2784e33158a807135850f7125a7eaabe472b3cfc7afb82c74f02da69ea250fe

SHA512
531ecec11d296a1ab3faeb2c7ac619da9d80c1054a2ccee8a5a0cd996346fea2a2fee159ac5a8d79b46a764a2aa8e542d6a79d86b3d7dda461e41b19c9bebe92

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_923463322\hyph-mr.hyb

Filesize
687B

MD5
0807cf29fc4c5d7d87c1689eb2e0baaa

SHA1
d0914fb069469d47a36d339ca70164253fccf022

SHA256
f4df224d459fd111698dd5a13613c5bbf0ed11f04278d60230d028010eac0c42

SHA512
5324fd47c94f5804bfa1aa6df952949915896a3fc77dccaed0eeffeafe995ce087faef035aecea6b4c864a16ad32de00055f55260af974f2c41afff14dce00f3

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping2416_923463322\hyph-nn.hyb

Filesize
141KB

MD5
f2d8fe158d5361fc1d4b794a7255835a

SHA1
6c8744fa70651f629ed887cb76b6bc1bed304af9

SHA256
5bcbb58eaf65f13f6d039244d942f37c127344e3a0a2e6c32d08236945132809

SHA512
946f4e41be624458b5e842a6241d43cd40369b2e0abc2cacf67d892b5f3d8a863a0e37e8120e11375b0bacb4651eedb8d324271d9a0c37527d4d54dd4905afab

Download Submit
memory/4772-519-0x00000212270D0000-0x00000212270D1000-memory.dmp

Filesize
4KB

Download
memory/4772-518-0x00000212270D0000-0x00000212270D1000-memory.dmp

Filesize
4KB

Download
memory/4772-517-0x00000212270D0000-0x00000212270D1000-memory.dmp

Filesize
4KB

Download
memory/4772-516-0x00000212270D0000-0x00000212270D1000-memory.dmp

Filesize
4KB

Download
memory/4772-515-0x00000212270D0000-0x00000212270D1000-memory.dmp

Filesize
4KB

Download
memory/4772-520-0x00000212270D0000-0x00000212270D1000-memory.dmp

Filesize
4KB

Download
memory/4772-514-0x00000212270D0000-0x00000212270D1000-memory.dmp

Filesize
4KB

Download
memory/4772-508-0x00000212270D0000-0x00000212270D1000-memory.dmp

Filesize
4KB

Download
memory/4772-509-0x00000212270D0000-0x00000212270D1000-memory.dmp

Filesize
4KB

Download
memory/4772-510-0x00000212270D0000-0x00000212270D1000-memory.dmp

Filesize
4KB

Download