5877ff8332596cf786131c077ae510b8eb4d0371498380f6c147de8dfce6a706

Analysis

max time kernel
1590s
max time network
1594s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
12-03-2023 21:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ACNHSpawner.exe
Size

635KB
MD5

51af19d91789adb15a320b1cd957de76
SHA1

38302244a37f533bbbe6a56b11927db36320a487
SHA256

5877ff8332596cf786131c077ae510b8eb4d0371498380f6c147de8dfce6a706
SHA512

5ab6e77744d9c3d64a4a0eb6e0ce6a2ed0c8864496b5addcb1448d3efff14cc0be374c2281e4f45c40d6b19efec2edffd94991697ed259cea519118c3950c949
SSDEEP

3072:oys7oYfSbbQTLWuiUg7VsS4jMJN0LvdPJ+Y7g9R6E7T1lW:o/7oYfSHQPWTUg4/9J+q40

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Saved Games\Microsoft Games\desktop.ini	solitaire.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft Games\Solitaire\desktop.ini	solitaire.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\taskschd.msc	mmc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\Local Settings	solitaire.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\Local Settings\Software	solitaire.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\Local Settings\Software\Microsoft	solitaire.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\Local Settings\Software\Microsoft\Windows	solitaire.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX	solitaire.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\GameStats	solitaire.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\GameStats\{8669ECE8-D1C3-4345-8310-E60F6D44FDAF}\LastPlayed = "0"	solitaire.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\GameStats\{8669ECE8-D1C3-4345-8310-E60F6D44FDAF}	solitaire.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1688	chrome.exe
1688	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2400	mmc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	1372	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1372	AUDIODG.EXE
Token: 33	1372	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1372	AUDIODG.EXE
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
588	chrome.exe
1688	chrome.exe
2400	mmc.exe
1688	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2400	mmc.exe
2400	mmc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 1540	1688	chrome.exe	33
PID 1688 wrote to memory of 1540	1688	chrome.exe	33
PID 1688 wrote to memory of 1540	1688	chrome.exe	33
PID 1688 wrote to memory of 1956	1688	chrome.exe	35
PID 1688 wrote to memory of 1956	1688	chrome.exe	35
PID 1688 wrote to memory of 1956	1688	chrome.exe	35
PID 1688 wrote to memory of 1956	1688	chrome.exe	35
PID 1688 wrote to memory of 1956	1688	chrome.exe	35
PID 1688 wrote to memory of 1956	1688	chrome.exe	35
PID 1688 wrote to memory of 1956	1688	chrome.exe	35
PID 1688 wrote to memory of 1956	1688	chrome.exe	35
PID 1688 wrote to memory of 1956	1688	chrome.exe	35
PID 1688 wrote to memory of 1956	1688	chrome.exe	35
PID 1688 wrote to memory of 1956	1688	chrome.exe	35
PID 1688 wrote to memory of 1956	1688	chrome.exe	35
PID 1688 wrote to memory of 1956	1688	chrome.exe	35
PID 1688 wrote to memory of 1956	1688	chrome.exe	35
PID 1688 wrote to memory of 1956	1688	chrome.exe	35
PID 1688 wrote to memory of 1956	1688	chrome.exe	35
PID 1688 wrote to memory of 1956	1688	chrome.exe	35
PID 1688 wrote to memory of 1956	1688	chrome.exe	35
PID 1688 wrote to memory of 1956	1688	chrome.exe	35
PID 1688 wrote to memory of 1956	1688	chrome.exe	35
PID 1688 wrote to memory of 1956	1688	chrome.exe	35
PID 1688 wrote to memory of 1956	1688	chrome.exe	35
PID 1688 wrote to memory of 1956	1688	chrome.exe	35
PID 1688 wrote to memory of 1956	1688	chrome.exe	35
PID 1688 wrote to memory of 1956	1688	chrome.exe	35
PID 1688 wrote to memory of 1956	1688	chrome.exe	35
PID 1688 wrote to memory of 1956	1688	chrome.exe	35
PID 1688 wrote to memory of 1956	1688	chrome.exe	35
PID 1688 wrote to memory of 1956	1688	chrome.exe	35
PID 1688 wrote to memory of 1956	1688	chrome.exe	35
PID 1688 wrote to memory of 1956	1688	chrome.exe	35
PID 1688 wrote to memory of 1956	1688	chrome.exe	35
PID 1688 wrote to memory of 1956	1688	chrome.exe	35
PID 1688 wrote to memory of 1956	1688	chrome.exe	35
PID 1688 wrote to memory of 1956	1688	chrome.exe	35
PID 1688 wrote to memory of 1956	1688	chrome.exe	35
PID 1688 wrote to memory of 1956	1688	chrome.exe	35
PID 1688 wrote to memory of 1956	1688	chrome.exe	35
PID 1688 wrote to memory of 1956	1688	chrome.exe	35
PID 1688 wrote to memory of 520	1688	chrome.exe	36
PID 1688 wrote to memory of 520	1688	chrome.exe	36
PID 1688 wrote to memory of 520	1688	chrome.exe	36
PID 1688 wrote to memory of 268	1688	chrome.exe	37
PID 1688 wrote to memory of 268	1688	chrome.exe	37
PID 1688 wrote to memory of 268	1688	chrome.exe	37
PID 1688 wrote to memory of 268	1688	chrome.exe	37
PID 1688 wrote to memory of 268	1688	chrome.exe	37
PID 1688 wrote to memory of 268	1688	chrome.exe	37
PID 1688 wrote to memory of 268	1688	chrome.exe	37
PID 1688 wrote to memory of 268	1688	chrome.exe	37
PID 1688 wrote to memory of 268	1688	chrome.exe	37
PID 1688 wrote to memory of 268	1688	chrome.exe	37
PID 1688 wrote to memory of 268	1688	chrome.exe	37
PID 1688 wrote to memory of 268	1688	chrome.exe	37
PID 1688 wrote to memory of 268	1688	chrome.exe	37
PID 1688 wrote to memory of 268	1688	chrome.exe	37
PID 1688 wrote to memory of 268	1688	chrome.exe	37
PID 1688 wrote to memory of 268	1688	chrome.exe	37
PID 1688 wrote to memory of 268	1688	chrome.exe	37
PID 1688 wrote to memory of 268	1688	chrome.exe	37
PID 1688 wrote to memory of 268	1688	chrome.exe	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ACNHSpawner.exe
"C:\Users\Admin\AppData\Local\Temp\ACNHSpawner.exe"
1⤵
PID:2004

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:1968

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:1300

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x47c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6779758,0x7fef6779768,0x7fef6779778
  2⤵
  PID:1540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1188 --field-trial-handle=1264,i,5435558845818872985,6350040293326484350,131072 /prefetch:2
  2⤵
  PID:1956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1480 --field-trial-handle=1264,i,5435558845818872985,6350040293326484350,131072 /prefetch:8
  2⤵
  PID:520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1656 --field-trial-handle=1264,i,5435558845818872985,6350040293326484350,131072 /prefetch:8
  2⤵
  PID:268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2320 --field-trial-handle=1264,i,5435558845818872985,6350040293326484350,131072 /prefetch:1
  2⤵
  PID:1216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2340 --field-trial-handle=1264,i,5435558845818872985,6350040293326484350,131072 /prefetch:1
  2⤵
  PID:1364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=3572 --field-trial-handle=1264,i,5435558845818872985,6350040293326484350,131072 /prefetch:2
  2⤵
  PID:2264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1356 --field-trial-handle=1264,i,5435558845818872985,6350040293326484350,131072 /prefetch:1
  2⤵
  PID:2336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3804 --field-trial-handle=1264,i,5435558845818872985,6350040293326484350,131072 /prefetch:8
  2⤵
  PID:2388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1380 --field-trial-handle=1264,i,5435558845818872985,6350040293326484350,131072 /prefetch:8
  2⤵
  PID:2456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3892 --field-trial-handle=1264,i,5435558845818872985,6350040293326484350,131072 /prefetch:1
  2⤵
  PID:2564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4160 --field-trial-handle=1264,i,5435558845818872985,6350040293326484350,131072 /prefetch:1
  2⤵
  PID:2680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3700 --field-trial-handle=1264,i,5435558845818872985,6350040293326484350,131072 /prefetch:1
  2⤵
  PID:2808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3732 --field-trial-handle=1264,i,5435558845818872985,6350040293326484350,131072 /prefetch:1
  2⤵
  PID:2908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2376 --field-trial-handle=1264,i,5435558845818872985,6350040293326484350,131072 /prefetch:8
  2⤵
  PID:2936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4392 --field-trial-handle=1264,i,5435558845818872985,6350040293326484350,131072 /prefetch:8
  2⤵
  PID:2960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4356 --field-trial-handle=1264,i,5435558845818872985,6350040293326484350,131072 /prefetch:1
  2⤵
  PID:2160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=860 --field-trial-handle=1264,i,5435558845818872985,6350040293326484350,131072 /prefetch:1
  2⤵
  PID:2148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=4844 --field-trial-handle=1264,i,5435558845818872985,6350040293326484350,131072 /prefetch:1
  2⤵
  PID:2596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4972 --field-trial-handle=1264,i,5435558845818872985,6350040293326484350,131072 /prefetch:8
  2⤵
  PID:3032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2524 --field-trial-handle=1264,i,5435558845818872985,6350040293326484350,131072 /prefetch:8
  2⤵
  PID:3012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=540 --field-trial-handle=1264,i,5435558845818872985,6350040293326484350,131072 /prefetch:1
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=1680 --field-trial-handle=1264,i,5435558845818872985,6350040293326484350,131072 /prefetch:1
  2⤵
  PID:2940

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2044

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe
"C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe" -Embedding
1⤵
PID:2216

C:\Program Files\Microsoft Games\solitaire\solitaire.exe
"C:\Program Files\Microsoft Games\solitaire\solitaire.exe"
1⤵
- Drops desktop.ini file(s)
- Modifies registry class
PID:2488

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:588

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2860

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-10-1.bdic

Filesize
441KB

MD5
4604e676a0a7d18770853919e24ec465

SHA1
415ef3b2ca0851e00ebaf0d6c9f6213c561ac98f

SHA256
a075b01d9b015c616511a9e87da77da3d9881621db32f584e4606ddabf1c1100

SHA512
3d89c21f20772a8bebdb70b29c42fca2f6bffcda49dff9d5644f3f3910b7c710a5c20154a7af5134c9c7a8624a1251b5e56ced9351d87463f31bed8188eb0774

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
47KB

MD5
bb8204b36608582165b50708380e71bb

SHA1
b718705e245d95f5efadc3b39741a9a4f696496b

SHA256
0c8b2b1c039503daf4c49f6917a8d1d4d7e14b5fdd407f6731c001ad05cfc291

SHA512
c16e185ab4bb6c05a6cf7018553c5216e2f99b79542eb48bf3b49bd48e29539a5e554dde1984d2f2abe1d7ab58f96eba160aaecaad6e9d1c5a97bd50cf9ce1b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
37KB

MD5
d90cb261f4a509d886611473296e188e

SHA1
23551f9039c8b855b496f017c8f75b32f6e56671

SHA256
ca6c7cdd1e68e9f251fbf58e0b0ad9e883b38979e264c3cf4125f603b21c8bb4

SHA512
1cca6c9490c8f7adca7441ffea3e7445309d0c52fbaf7252e4c3c73525e00233a8173536c031747a55343bb86e96618d9c96afc6e4f8d25b0106729cca5c8031

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
2d2a9bcfc62f1e43714745b0d2ce50b9

SHA1
593c9bdab3ea4edacdcec94933a052c726b4cdf7

SHA256
df637e84f190e7e7f48dde6bbb5b4e770277b5df8b0c564ffa289db2de0e1f0b

SHA512
db4b621f98dfdd159b23d5ed6ce69d42a69ff454748eb7b4c959ce6ea450381d21ea530bea80f6d4d79cfe224acbc29103bd0b64ca4c05ce8f24073c9910fd44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000002.dbtmp

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT~RF6e4b15.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
e870a99db8821f2368cfda5c68049e27

SHA1
41813ef030242b9b52ed70f2fa58e04486d40ae2

SHA256
4b95ce5b211788d85c4f477696f4da9086b506f337f8d22f48d68a1568daab9e

SHA512
ec300962a46f9410bb6f312029aa6fd176bbc316b25bcb9fa5cda4c31b5d2aa9727fedc6596c26121b119d5e49dfb91dda247a31ce9c91ee786f3ff461ebbcc0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
525B

MD5
8319ac45586245e563ba9cef7f9162de

SHA1
be5f0adbd806a46f4ffd260eb22f70211482d129

SHA256
ada160962f8b3ae73314797487e0cdfdf05c10d8d70b27dd5ac7d1546670b574

SHA512
2806876dd2cf613436b92d09727b1c8cf585574281715e2f27d0cb77396634f387a5bd9956a90cced97648d81259e285f4bbe819d6053e9402d78d03b7ce07e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
525B

MD5
7bb19e2baf97a9717ea901bdd248dd81

SHA1
cb2f3e3378cfa2676145f45cdfd4ababd7fdcbc8

SHA256
96e35e23cda8d20bed176ce253c5e54d0621017a821c105c0de3bea75050a418

SHA512
4a40a4ec8705ce3632f8d960fdb23fd7be894aa48271292c56b1c2e1d7c44783f8ea9c67cbde54385a9b410b71fcc3eb44f8948daeab63a3699d5ccbdf10b199

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
b21873483962fe308870a12f2a86b7a5

SHA1
c300aa87cc4b5e8fc905a9a0ad4912de9fa9a40e

SHA256
1e4291562d47036855770dd66ec19ceab6118647e1456f56425058c8c1db3146

SHA512
e1a7fd291ae7a376f17eb0ff8b596976b47b86ca68b4f5900bb71606e0603c57ace8a932a59837aa203f8861586f05a2d6a99703274df28d0a03e487718fa0f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
5880117651de7e52e17b0def968bff27

SHA1
e43193e72f1a095ecda8e8b71c120cb7c30a43c6

SHA256
4abb43baf602f5cdd4d51f20bcd3783e2d83068daf9bc0c3a02a53f67a926b9e

SHA512
da34ed28761ec39fd8999f9ef383e6d3aae55b9789c49212876a1fccdc0193e27c03b04e2b8f7a15992edd18074b1afd6c6cab81af13c4cbc3b0adf2e7ee0936

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
47684eb9f931bdbad60c0840545a7388

SHA1
e6d149a76ec0f396d5682600d734cef3856e27a0

SHA256
4ac5f1879863e761bd6a80e4ed477ad53508534f90a33441cef6d0215e403b98

SHA512
cfa9a702ea3b64b9708fec8c1711a6a8a0a0164f5975f52a7d64199232b6b1c3464e4bec6639d7fbe7ff3e34ac83b58c495d71a54b8c3c530c0c311d7c1851a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
57aedf79497fb8683fd9d91f06f5e157

SHA1
6782de6fc3c98d55dffc2dcb93767d1336b3b0de

SHA256
2688e0b839878310e5bfd38c90bfc669c76469581bef409ca69ef1c5632f70e4

SHA512
1e3f21866ab32c9d1c9d0cc2e79bb30dc8b5d93991089f1b12f3b792b6eaeae1c7c505e917fa277856f058949af6d0e4c839b64e1bb837304936b3f571c0f1d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\d723738d-1b62-44e3-b434-e9eea64e4664.tmp

Filesize
4KB

MD5
37d50f6ce84fbcdf8b73c79682500378

SHA1
a8cccaf17eb8b0746d0e9069064752a758d27c7d

SHA256
ce9f0a2d11ae05de8376acf18e510e3502b3529c71b5f61a749c6085aea6975d

SHA512
838cd8fd62a5819c80171b705423352671e58fbb5c7f11d828a9e2b34ff4e003df1b56c805cec7dfe051615d672282c681a8a0b7d76c5d77932a28dfc8095e3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
143KB

MD5
b8d52a07978641e431107e4f301d780a

SHA1
c7159788c7e116b135810da57506995836215f6f

SHA256
f02617c50b9059e7f384e872a2f3a91221d0e01b7782a3d870dc53eb25ea227e

SHA512
0b1aed4ec8245adfc1e24f2e06d6936363b43bb1fbc4a4740e2f5ac9307b1ee959a22424758af09daba333c6bf5341d3fac8cadf6644d702f488be4c7549c32e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
143KB

MD5
aad39421e3b606f81ce142d9001dc6a0

SHA1
b7a36acbdebbe4aaf4e91eaa1a84c9520c7929d1

SHA256
41dc41a5cbb3c3a0f28ef28e5aa2a3c641e69a685d33ef3c29b907becff641b7

SHA512
c181c72d19f08f9e0636669ea1e4a481d5785edc5cd45bd4a4b1fa418cdcef078e4320bb541909eeca9004af241ce279a101c5221180643887adc2ade46258fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
143KB

MD5
d1b19702777cedb905d2a208a6f13619

SHA1
6251944dc76a0023ef2e20ce4035db51d1009bf5

SHA256
c1f7aec54e687f7290d4fe8eb2eb36b2b5b9447143cee1f3ac7dd4d3ceb2130c

SHA512
120295ccb341b8d0e83214ff5adbef78cd0d35596d9b63fec76c89a29c4cf014b2dc522d4da07d3bbe46eb291b1d3e848920c1235863c97b04e4fd6e5d30bf77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\d8555dbe-c4e2-425c-801b-ca38d4f15ab3.tmp

Filesize
143KB

MD5
370199b2dbcd2861e274488624c4e734

SHA1
3103af8ca2630dae2550075598e9badab5d710a8

SHA256
55a587d9bd7e208054349d93140767817d7ab57a83dd5e2819544efc8ce4b610

SHA512
5b4000186bfd3cdf03166133844a80c0c4406458e6ee42a5396cc8526a8e8b43ac5090ca920fe3e58e3a6f6e1afd19dfdb23a04f692e821e9d842508c344c3f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\GameExplorer\GameStatistics\{8669ECE8-D1C3-4345-8310-E60F6D44FDAF}\{8669ECE8-D1C3-4345-8310-E60F6D44FDAF}.gamestats

Filesize
2KB

MD5
a338c1bb5704e723487ef4f8d5d592f5

SHA1
9b6e89c7fdf4ed588a98b673dcc3073f85eaea5d

SHA256
c096f55238f36481b0e846e37004e813ea0b34ddbc7a94f0155fd64ed4dd5672

SHA512
ab62aac5a5fb6f599616d0998cb8011ca18c0631e42451958af89bcaa8db2b6e179651cb14c94f3f6868b0c8632a4048f8c9e6ba7ea6a31abb168e1362188952

Download Submit
memory/2400-396-0x0000000004460000-0x00000000044E0000-memory.dmp

Filesize
512KB

Download
memory/2400-397-0x0000000004460000-0x00000000044E0000-memory.dmp

Filesize
512KB

Download
memory/2400-403-0x0000000004460000-0x00000000044E0000-memory.dmp

Filesize
512KB

Download
memory/2400-402-0x0000000004460000-0x00000000044E0000-memory.dmp

Filesize
512KB

Download
memory/2400-401-0x0000000004460000-0x00000000044E0000-memory.dmp

Filesize
512KB

Download
memory/2400-399-0x000007FFFFF00000-0x000007FFFFF10000-memory.dmp

Filesize
64KB

Download
memory/2400-400-0x0000000004460000-0x00000000044E0000-memory.dmp

Filesize
512KB

Download
memory/2400-398-0x0000000004460000-0x00000000044E0000-memory.dmp

Filesize
512KB

Download
memory/2400-390-0x00000000022B0000-0x00000000022CE000-memory.dmp

Filesize
120KB

Download
memory/2400-391-0x0000000002030000-0x0000000002031000-memory.dmp

Filesize
4KB

Download
memory/2400-392-0x0000000004460000-0x00000000044E0000-memory.dmp

Filesize
512KB

Download
memory/2400-393-0x000000001D0D0000-0x000000001D416000-memory.dmp

Filesize
3.3MB

Download
memory/2400-394-0x0000000004460000-0x00000000044E0000-memory.dmp

Filesize
512KB

Download
memory/2400-395-0x0000000004460000-0x00000000044E0000-memory.dmp

Filesize
512KB

Download
memory/2488-219-0x0000000001B70000-0x0000000001B71000-memory.dmp

Filesize
4KB

Download
memory/2488-192-0x0000000001B70000-0x0000000001B71000-memory.dmp

Filesize
4KB

Download
memory/2488-221-0x0000000001BC0000-0x0000000001BCA000-memory.dmp

Filesize
40KB

Download
memory/2488-222-0x0000000001BC0000-0x0000000001BCA000-memory.dmp

Filesize
40KB

Download
memory/2488-220-0x0000000001BC0000-0x0000000001BCA000-memory.dmp

Filesize
40KB

Download
memory/2488-223-0x0000000001BC0000-0x0000000001BCA000-memory.dmp

Filesize
40KB

Download
memory/2488-236-0x0000000001BC0000-0x0000000001BC6000-memory.dmp

Filesize
24KB

Download
memory/2488-224-0x0000000001E40000-0x0000000001E4A000-memory.dmp

Filesize
40KB

Download
memory/2488-199-0x0000000001E40000-0x0000000001E4A000-memory.dmp

Filesize
40KB

Download
memory/2488-193-0x0000000001BC0000-0x0000000001BCA000-memory.dmp

Filesize
40KB

Download
memory/2488-198-0x0000000001BC0000-0x0000000001BCA000-memory.dmp

Filesize
40KB

Download
memory/2488-194-0x0000000001BC0000-0x0000000001BCA000-memory.dmp

Filesize
40KB

Download
memory/2488-195-0x0000000001BC0000-0x0000000001BCA000-memory.dmp

Filesize
40KB

Download
memory/2488-196-0x0000000001BC0000-0x0000000001BCA000-memory.dmp

Filesize
40KB

Download
memory/2488-197-0x0000000001BC0000-0x0000000001BCA000-memory.dmp

Filesize
40KB

Download