hxxp://Google[.]com

max time kernel
102s
max time network
102s
platform
windows11-21h2_x64
resource
win11-20250314-en
resource tags

arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system
submitted
25/03/2025, 03:34

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://Google.com

Score

8^/10

bootkit defense_evasion discovery persistence pyinstaller

Malware Config

Signatures

Downloads MZ/PE file 1 IoCs

flow	pid	Process
52	408	chrome.exe

Executes dropped EXE 2 IoCs

pid	Process
2156	tutorial.exe
2552	tutorial.exe

Loads dropped DLL 11 IoCs

pid	Process
2552	tutorial.exe
2552	tutorial.exe
2552	tutorial.exe
2552	tutorial.exe
2552	tutorial.exe
2552	tutorial.exe
2552	tutorial.exe
2552	tutorial.exe
2552	tutorial.exe
2552	tutorial.exe
2552	tutorial.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
52	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	tutorial.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\tutorial.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x001900000002b2f4-495.dat	pyinstaller

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
5228	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133873472995887179"	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\tutorial.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe
Token: SeShutdownPrivilege	5720	chrome.exe
Token: SeCreatePagefilePrivilege	5720	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe
5720	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2156	tutorial.exe
2552	tutorial.exe
2552	tutorial.exe
2552	tutorial.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5720 wrote to memory of 3512	5720	chrome.exe	78
PID 5720 wrote to memory of 3512	5720	chrome.exe	78
PID 5720 wrote to memory of 1888	5720	chrome.exe	79
PID 5720 wrote to memory of 1888	5720	chrome.exe	79
PID 5720 wrote to memory of 408	5720	chrome.exe	80
PID 5720 wrote to memory of 408	5720	chrome.exe	80
PID 5720 wrote to memory of 1888	5720	chrome.exe	79
PID 5720 wrote to memory of 1888	5720	chrome.exe	79
PID 5720 wrote to memory of 1888	5720	chrome.exe	79
PID 5720 wrote to memory of 1888	5720	chrome.exe	79
PID 5720 wrote to memory of 1888	5720	chrome.exe	79
PID 5720 wrote to memory of 1888	5720	chrome.exe	79
PID 5720 wrote to memory of 1888	5720	chrome.exe	79
PID 5720 wrote to memory of 1888	5720	chrome.exe	79
PID 5720 wrote to memory of 1888	5720	chrome.exe	79
PID 5720 wrote to memory of 1888	5720	chrome.exe	79
PID 5720 wrote to memory of 1888	5720	chrome.exe	79
PID 5720 wrote to memory of 1888	5720	chrome.exe	79
PID 5720 wrote to memory of 1888	5720	chrome.exe	79
PID 5720 wrote to memory of 1888	5720	chrome.exe	79
PID 5720 wrote to memory of 1888	5720	chrome.exe	79
PID 5720 wrote to memory of 1888	5720	chrome.exe	79
PID 5720 wrote to memory of 1888	5720	chrome.exe	79
PID 5720 wrote to memory of 1888	5720	chrome.exe	79
PID 5720 wrote to memory of 1888	5720	chrome.exe	79
PID 5720 wrote to memory of 1888	5720	chrome.exe	79
PID 5720 wrote to memory of 1888	5720	chrome.exe	79
PID 5720 wrote to memory of 1888	5720	chrome.exe	79
PID 5720 wrote to memory of 1888	5720	chrome.exe	79
PID 5720 wrote to memory of 1888	5720	chrome.exe	79
PID 5720 wrote to memory of 1888	5720	chrome.exe	79
PID 5720 wrote to memory of 1888	5720	chrome.exe	79
PID 5720 wrote to memory of 1888	5720	chrome.exe	79
PID 5720 wrote to memory of 1888	5720	chrome.exe	79
PID 5720 wrote to memory of 3044	5720	chrome.exe	81
PID 5720 wrote to memory of 3044	5720	chrome.exe	81
PID 5720 wrote to memory of 3044	5720	chrome.exe	81
PID 5720 wrote to memory of 3044	5720	chrome.exe	81
PID 5720 wrote to memory of 3044	5720	chrome.exe	81
PID 5720 wrote to memory of 3044	5720	chrome.exe	81
PID 5720 wrote to memory of 3044	5720	chrome.exe	81
PID 5720 wrote to memory of 3044	5720	chrome.exe	81
PID 5720 wrote to memory of 3044	5720	chrome.exe	81
PID 5720 wrote to memory of 3044	5720	chrome.exe	81
PID 5720 wrote to memory of 3044	5720	chrome.exe	81
PID 5720 wrote to memory of 3044	5720	chrome.exe	81
PID 5720 wrote to memory of 3044	5720	chrome.exe	81
PID 5720 wrote to memory of 3044	5720	chrome.exe	81
PID 5720 wrote to memory of 3044	5720	chrome.exe	81
PID 5720 wrote to memory of 3044	5720	chrome.exe	81
PID 5720 wrote to memory of 3044	5720	chrome.exe	81
PID 5720 wrote to memory of 3044	5720	chrome.exe	81
PID 5720 wrote to memory of 3044	5720	chrome.exe	81
PID 5720 wrote to memory of 3044	5720	chrome.exe	81
PID 5720 wrote to memory of 3044	5720	chrome.exe	81
PID 5720 wrote to memory of 3044	5720	chrome.exe	81
PID 5720 wrote to memory of 3044	5720	chrome.exe	81
PID 5720 wrote to memory of 3044	5720	chrome.exe	81
PID 5720 wrote to memory of 3044	5720	chrome.exe	81
PID 5720 wrote to memory of 3044	5720	chrome.exe	81
PID 5720 wrote to memory of 3044	5720	chrome.exe	81
PID 5720 wrote to memory of 3044	5720	chrome.exe	81
PID 5720 wrote to memory of 3044	5720	chrome.exe	81
PID 5720 wrote to memory of 3044	5720	chrome.exe	81

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://Google.com
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe5f29dcf8,0x7ffe5f29dd04,0x7ffe5f29dd10
  2⤵
  PID:3512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2012,i,12253018897321247700,14311062204257529206,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2008 /prefetch:2
  2⤵
  PID:1888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2108,i,12253018897321247700,14311062204257529206,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2132 /prefetch:11
  2⤵
  - Downloads MZ/PE file
  PID:408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2324,i,12253018897321247700,14311062204257529206,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2472 /prefetch:13
  2⤵
  PID:3044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3076,i,12253018897321247700,14311062204257529206,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3116 /prefetch:1
  2⤵
  PID:3352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3080,i,12253018897321247700,14311062204257529206,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:1108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4180,i,12253018897321247700,14311062204257529206,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4200 /prefetch:9
  2⤵
  PID:2360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4148,i,12253018897321247700,14311062204257529206,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4632 /prefetch:1
  2⤵
  PID:2012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5128,i,12253018897321247700,14311062204257529206,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5140 /prefetch:14
  2⤵
  PID:1376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5424,i,12253018897321247700,14311062204257529206,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5512 /prefetch:14
  2⤵
  PID:2212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5140,i,12253018897321247700,14311062204257529206,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5544 /prefetch:14
  2⤵
  PID:5372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5436,i,12253018897321247700,14311062204257529206,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5368 /prefetch:14
  2⤵
  PID:2076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5564,i,12253018897321247700,14311062204257529206,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5760,i,12253018897321247700,14311062204257529206,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=212 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:5296
- C:\Users\Admin\Downloads\tutorial.exe
  "C:\Users\Admin\Downloads\tutorial.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2156
- - C:\Users\Admin\Downloads\tutorial.exe
    "C:\Users\Admin\Downloads\tutorial.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of SetWindowsHookEx
    PID:2552
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /f /im svchost.exe
      4⤵
      PID:4724
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im svchost.exe
        5⤵
        Kills process with taskkill
        
        PID:5228

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
0dffc4d8346b3f4d3b25e6a14e17ffeb

SHA1
4a430f61e5083c67b1ae2dea9dfa1982d38014c8

SHA256
4393f87da12d9d24e0ad89508db15cb3fa41588161075841ff5c77820f754b71

SHA512
697ef89359f0f992022e809837e912f1ce1f8f605aae82314a4217af0e288fa63c805ab51f6ce66b2d194f97f3eca1c2d0f06e47d02c4d13383b9e3eedbb9ba1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
140cf597bbeade9ff26398aa547e4c91

SHA1
fdb86962fd2b6903a73278a22b88bce5d2aa5652

SHA256
d5dba9dffb66584961d151aa031eb94a9e82b41a2cf6e443951a62720918b5bd

SHA512
ec6bda4d59b29d00a721d9e86d372df3641624ba1c82a1ce707af238bcd120864c963c8c0208fc99524d398fc9a88fcb43d979033d6137cd0b503d8570e2141b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
1fa62ed44673f923d93b68af21c4e06a

SHA1
8ae95dfd59e595f6a3be6f5dc05f3fa515f5dfbf

SHA256
ce64fc901a0bd256e1bfa76162a2f2804ff1042c3914022de4fa932ebb3f5d32

SHA512
02d26d2f39d3f0122bf4094fc63d65d01d48ee0b9a17fc065ab8f3204acfa5f5c2de482aacd8182071b3fc455d86442d0fca22f9d8ec7cbf4644561673e93d62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
8c20f7211adc6618ee65bb1cb82e954c

SHA1
94f49972ea94f134fe47af545a9dec431b80720a

SHA256
d0971b5d564f0f0eba4fa5058590348f177a7b0f01bf5a2ab8c4bd2e94925d8f

SHA512
b4418c4279af08df48a59049772bffa47acc9fdb37af57981b7139c1ba8a56faf9230b64d3598fb52181f1ccec7631e621536e2026bcf68998b032e97f359d8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
0551c5e90d45881d629c8ef8d5206101

SHA1
9f0e3c396ba268ce1794a1b69a618d5c4f0f2de0

SHA256
6f343b97fc129a0ea47d5be7fef2ae414209988dd846152cfc1faf967033e935

SHA512
afbbad2bf50bc50d4ff5d9d987d18c0820027a4830c34623d51ed6dd11c51cc6f9e9664b0f820d60ac6724899f338d3a7709e24b9fc68b3afaedc2053d1caaf5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
6cb80bb58c15554c1e9127b59a97188d

SHA1
b5d67472cbaa1f0738e685aceb03156ed19ee7c8

SHA256
5c055561e58fdaf2b1dad22be0a7039df71444a5d193c21a31107abbafa68c57

SHA512
72c862cfe8cf30d648d4c5d6995e95f592860b005a0951dc3dd20fda294ee6ee3ff95c2e404853cf532a9fbc24db0116684e4b92c42b0a97ad9003e52f897ca3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
9d823ff20a53f21e23c01f4f477ad9ab

SHA1
e15a5e1133e8c30e4b1b07b2ed44e7d337ff3505

SHA256
cb91cc65700214ac8bbd33b3db566b1409cec234f8629f183f1fb9de35e37352

SHA512
51914d0ac0900614ae6c91bc504a693d762e1f376b3c212ad341c8dfffb14f37a0ce1b6b6ebad5ef9b8ec7bb9f0e33aa79666442a53c52da2bd7431df9a716af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c307cb1819f370d8718fde8073735683

SHA1
18503246809a34142f50ed7547f739e52fd13e85

SHA256
0e0b482ae5344bbfab46641fafc8f7d75c70df1d751df811df4c69e98496724b

SHA512
a94fc1e61d1830a4c0cb235414521209751b77d64ed5b23e8277e9e0229846f9ac9f9fe12b671c18ac2ee8328eaf3cc7946d273bce43f985e718723b6d1a291e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
0c4ee74392bcb9c2651fb89da5d6ea38

SHA1
3b0c059f0763113bc1f02ff5dcbc7ab421b9bb30

SHA256
271186f51c93e49b8e397d63570f77ed64355ad873c825457f56c4be696da869

SHA512
0c69717b1882b08f112a904faf5b582497a6ba83dceeb00e15c8522c1557dc55e25ee27713984c27e49a24c9d84606c6cb4edd41168ee16587e07a3402257080

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
6a4878358e1b4abeacf75e2fa91e048b

SHA1
a7a34fa32c37f13437edc00ddd7ae320e59d4ee4

SHA256
9654d0465fe029beb2182f778b326044cbf3b51c342e16055e9acce066fb879b

SHA512
efeb7893bdec29b5d923b0c0978b8359940a69d2b80dc7eed9d7d9c5cdb08941bd00bb50e79b6f005a67dd38f8e4fcedab48a2615a041d7b4a45870be047f38a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57b95d.TMP

Filesize
48B

MD5
bbdbbf0e11abb489ee4c480861ff4771

SHA1
60fd9aec500ea1ed28a694f40481e75fea0e67aa

SHA256
91b4c578a4904033a3d286dde581f832dbf3f7f4f039dc54e70c60340b02fb12

SHA512
4e026ab6e0bfaac8529b815fad3cb9944e6e2c9577e08fddc2f7bdd5d0760bf9857ea7e28138e02f4e585df7c13b4ba2ad52b76ca66f9d243b4eed2d6a372c43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\blob_storage\723bd9b6-2174-43a2-b3fc-41d870c0829a\1

Filesize
5.7MB

MD5
0eae4c94f54caabf5382c46882305e49

SHA1
99775256ed12470d8ca7edecab5c62df15dd7ab4

SHA256
e14c4f6e23b471e4d213000da398d8d908dba36970e189e8c02c226222cae9ab

SHA512
7f4a461fa8ad6f45076f1ae28f5147b9b8d2cd27a810a6e511fa9e883c113b5be6f6aa622fa6be064f6a1483c80ab162ced74cd53aba024c6f42c09019f86b30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
603ffb03cbc0d85fecb4ed8736da4ce7

SHA1
ba3f3e7ddbcc01ea8378b132fc6d0a820d6b8ebf

SHA256
0d3bdb439c938f3d8a4a449330769a66ce788d65f7120b6c3558fed74fb8c55c

SHA512
7869c468285aa06494e84010dfd246a3844e43315936188b49f223d7e76356f038b98c86cc06328153637e623dbf222ad8ddda79984b5776c3a47320ef62439b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
166372290179ac79da31fe2a1fb5259a

SHA1
dbca2e597426c1e861b1cd8f5cfcfad3f00da2c7

SHA256
9c3aa8cd4d680070383e3c6a2cc4e83486fac1c0d23698f64e119b1d904a813e

SHA512
ece7e326298e64d52d3e1477fcc625064ea20291a8713da2c191aa2b28babc2280f131d0cb09add5acf8c4f3080b808fd063aa3b290586041f7c4e5cc40dc383

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
1b798b22e661eca2d862bd8c3e8ffae8

SHA1
ea9f2dfe1442340e2e552941e7c7cf9597efffd7

SHA256
714743061dae1ea09733fd611d59d7ed4875a4fbd8ae34f2f6546f2c0138bb35

SHA512
95f75c6e645e01a63caea008de06834d7370a7d0e629e25873b6fe97eeeda3b9819ada0e3eb89ff92dc8d4c033b8f67eee8035a137c703c4713a83b41e107442

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21562\Pythonwin\win32ui.pyd

Filesize
1.1MB

MD5
0e96b5724c2213300864ceb36363097a

SHA1
151931d9162f9e63e8951fc44a9b6d89af7af446

SHA256
85cf3081b0f1adafdbdcf164d7788a7f00e52bacdf02d1505812de4facfc962f

SHA512
46e8fee7b12f061ea8a7ab0cd4a8e683946684388498d6117afc404847b9fbb0a16dc0e5480609b1352df8f61457dcdbda317248ca81082cc4f30e29a3242d3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21562\VCRUNTIME140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21562\VCRUNTIME140_1.dll

Filesize
48KB

MD5
cf0a1c4776ffe23ada5e570fc36e39fe

SHA1
2050fadecc11550ad9bde0b542bcf87e19d37f1a

SHA256
6fd366a691ed68430bcd0a3de3d8d19a0cb2102952bfc140bbef4354ed082c47

SHA512
d95cd98d22ca048d0fc5bca551c9db13d6fa705f6af120bbbb621cf2b30284bfdc7320d0a819bb26dab1e0a46253cc311a370bed4ef72ecb60c69791ed720168

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21562\_ctypes.pyd

Filesize
120KB

MD5
6114277c6fc040f68d25ca90e25924cd

SHA1
028179c77cb3ba29cd8494049421eaa4900ccd0e

SHA256
f07fe92ce85f7786f96a4d59c6ee5c05fe1db63a1889ba40a67e37069639b656

SHA512
76e8ebefb9ba4ea8dcab8fce50629946af4f2b3f2f43163f75483cfb0a97968478c8aaef1d6a37be85bfc4c91a859deda6da21d3e753daefe084a203d839353d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21562\base_library.zip

Filesize
1.8MB

MD5
d271ba9b8bffd25395083cccf6fc17b9

SHA1
a2970f5991f41af61176e1f184287717ac7eb8b5

SHA256
9226f0ca49d97923deb30845e664fe17e14b3e3b084ea9a4b5c63bb07fdfc8ee

SHA512
86e8b13ed396a27c985d1c521af341db7e7dfb8e4c7ea70481680ddea1ddea9d1548c03d302b4f17cecab70bbc585837ceff4cd33105af1310bfaa249c878136

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21562\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21562\python311.dll

Filesize
5.5MB

MD5
58e01abc9c9b5c885635180ed104fe95

SHA1
1c2f7216b125539d63bd111a7aba615c69deb8ba

SHA256
de1b95d2e951fc048c84684bc7df4346138910544ee335b61fc8e65f360c3837

SHA512
cd32c77191309d99aeed47699501b357b35669123f0dd70ed97c3791a009d1855ab27162db24a4bd9e719b68ee3b0539ee6db88e71abb9a2d4d629f87bc2c081

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21562\pythonwin\mfc140u.dll

Filesize
5.4MB

MD5
03a161718f1d5e41897236d48c91ae3c

SHA1
32b10eb46bafb9f81a402cb7eff4767418956bd4

SHA256
e06c4bd078f4690aa8874a3deb38e802b2a16ccb602a7edc2e077e98c05b5807

SHA512
7abcc90e845b43d264ee18c9565c7d0cbb383bfd72b9cebb198ba60c4a46f56da5480da51c90ff82957ad4c84a4799fa3eb0cedffaa6195f1315b3ff3da1be47

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21562\pywin32_system32\pywintypes311.dll

Filesize
131KB

MD5
90b786dc6795d8ad0870e290349b5b52

SHA1
592c54e67cf5d2d884339e7a8d7a21e003e6482f

SHA256
89f2a5c6be1e70b3d895318fdd618506b8c0e9a63b6a1a4055dff4abdc89f18a

SHA512
c6e1dbf25d260c723a26c88ec027d40d47f5e28fc9eb2dbc72a88813a1d05c7f75616b31836b68b87df45c65eef6f3eaed2a9f9767f9e2f12c45f672c2116e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21562\win32\win32api.pyd

Filesize
130KB

MD5
1d6762b494dc9e60ca95f7238ae1fb14

SHA1
aa0397d96a0ed41b2f03352049dafe040d59ad5d

SHA256
fae5323e2119a8f678055f4244177b5806c7b6b171b1945168f685631b913664

SHA512
0b561f651161a34c37ff8d115f154c52202f573d049681f8cdd7bba2e966bb8203780c19ba824b4a693ef12ef1eeef6aeeef96eb369e4b6129f1deb6b26aaa00

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21562\win32\win32file.pyd

Filesize
140KB

MD5
06afadb12d29f947746dea813784efe1

SHA1
60402c0f3e5bc5a50f220aa98a40060572b8f5cb

SHA256
4a9f813daa23e27c8a1d0915cfcc1c06e4df10c9ee33a37e215888129501d256

SHA512
3032eb20475873d037ab3722596d98841ddc18a698981697dca85a5d446d0d9985b397eaac1b91c44527adbfdd97a6435261b28529acabe6dd7b4ed59c1162ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21562\win32\win32gui.pyd

Filesize
212KB

MD5
3c81c0ceebb2b5c224a56c024021efad

SHA1
aee4ddcc136856ed2297d7dbdc781a266cf7eab9

SHA256
6085bc00a1f157c4d2cc0609e20e1e20d2572fe6498de3bec4c9c7bebcfbb629

SHA512
f2d6c06da4f56a8119a931b5895c446432152737b4a7ae95c2b91b1638e961da78833728d62e206e1d886e7c36d7bed3fa4403d0b57a017523dd831dd6b7117f

Download Submit
C:\Users\Admin\Downloads\348fb9fd-fa9f-40a0-a801-72471abc1f35.tmp

Filesize
10.7MB

MD5
fa649a64c7c396494ffb5833b98ad0d9

SHA1
03963f24d7123ad3b097c1ad4c44f63b3c5135ca

SHA256
fb96cbdb2f10c6fdcd69fa56e9ce7629e1cc320f63470e6b6dfe0335d5f6907d

SHA512
d86344f65becad03401ae850d1fa053aecb5dc533b4e58192d95c8ea7a8a4a4e61e520ae3e5bed7e5d2bde242a25c1d77e0c0d20156967e552b64e2c3104c780

Download Submit
C:\Users\Admin\Downloads\tutorial.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads