3861795ece849d6b417a3c9870a7e0a0eccd27f74e706b9242d94d5e8885b705

Resubmissions

22-03-2023 21:05

230322-zw7kcadc8x 10

22-03-2023 20:11

230322-yx9wesba78 10

22-03-2023 20:06

230322-yvvnqaba59 10

Analysis

max time kernel
151s
max time network
155s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
22-03-2023 20:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

obfuscation.xlsm
Size

35KB
MD5

b54c993e941836bf2c9c69948b30bcf0
SHA1

a3e6234b5310a3918b9e01c08badf3eb5f44a4b8
SHA256

3861795ece849d6b417a3c9870a7e0a0eccd27f74e706b9242d94d5e8885b705
SHA512

cda8807707e6ee42309df106c3c3f8daf1c63b154dbee9741ca25679732d6e61a36fc6dbbd1ca76b8d444296ba5001cafe57d11c6ded384451d71cbef7cc80f1
SSDEEP

768:YLsShCAVaV5WqShv3H4+jbXAAQpyQyAtewZP8a88ULsR6LQkZt5mZ2:YbhCLVkqStYuQgrCl38896LbZt5mQ

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4108	3272	mshta.exe	EXCEL.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEchrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133239894978514328"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings chrome.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3272 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

228 chrome.exe
228 chrome.exe
4796 chrome.exe
4796 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

chrome.exe

pid process

228 chrome.exe
228 chrome.exe
228 chrome.exe
228 chrome.exe
228 chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe
Token: SeShutdownPrivilege	228	chrome.exe
Token: SeCreatePagefilePrivilege	228	chrome.exe

Suspicious use of FindShellTrayWindow 38 IoCs

Processes:

EXCEL.EXEchrome.exe

pid	process
3272	EXCEL.EXE
3272	EXCEL.EXE
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe

Suspicious use of SendNotifyMessage 26 IoCs

Processes:

chrome.exe

pid	process
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe
228	chrome.exe

Suspicious use of SetWindowsHookEx 29 IoCs

Processes:

EXCEL.EXE

pid	process
3272	EXCEL.EXE
3272	EXCEL.EXE
3272	EXCEL.EXE
3272	EXCEL.EXE
3272	EXCEL.EXE
3272	EXCEL.EXE
3272	EXCEL.EXE
3272	EXCEL.EXE
3272	EXCEL.EXE
3272	EXCEL.EXE
3272	EXCEL.EXE
3272	EXCEL.EXE
3272	EXCEL.EXE
3272	EXCEL.EXE
3272	EXCEL.EXE
3272	EXCEL.EXE
3272	EXCEL.EXE
3272	EXCEL.EXE
3272	EXCEL.EXE
3272	EXCEL.EXE
3272	EXCEL.EXE
3272	EXCEL.EXE
3272	EXCEL.EXE
3272	EXCEL.EXE
3272	EXCEL.EXE
3272	EXCEL.EXE
3272	EXCEL.EXE
3272	EXCEL.EXE
3272	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EXCEL.EXEchrome.exe

description	pid	process	target process
PID 3272 wrote to memory of 4108	3272	EXCEL.EXE	mshta.exe
PID 3272 wrote to memory of 4108	3272	EXCEL.EXE	mshta.exe
PID 228 wrote to memory of 3324	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 3324	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 2612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 2612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 2612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 2612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 2612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 2612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 2612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 2612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 2612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 2612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 2612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 2612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 2612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 2612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 2612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 2612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 2612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 2612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 2612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 2612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 2612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 2612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 2612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 2612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 2612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 2612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 2612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 2612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 2612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 2612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 2612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 2612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 2612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 2612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 2612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 2612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 2612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 2612	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 2948	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 2948	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4328	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4328	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4328	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4328	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4328	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4328	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4328	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4328	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4328	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4328	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4328	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4328	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4328	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4328	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4328	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4328	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4328	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4328	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4328	228	chrome.exe	chrome.exe
PID 228 wrote to memory of 4328	228	chrome.exe	chrome.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\obfuscation.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3272

C:\Windows\SYSTEM32\mshta.exe
mshta C:\Users\Admin\AppData\Local\Temp\LwTHLrGh.hta
2⤵
- Process spawned unexpected child process
PID:4108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffe5c499758,0x7ffe5c499768,0x7ffe5c499778
2⤵
PID:3324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1816 --field-trial-handle=1780,i,13598599963792372058,6319841105108021891,131072 /prefetch:8
2⤵
PID:2948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=232 --field-trial-handle=1780,i,13598599963792372058,6319841105108021891,131072 /prefetch:2
2⤵
PID:2612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2100 --field-trial-handle=1780,i,13598599963792372058,6319841105108021891,131072 /prefetch:8
2⤵
PID:4328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2984 --field-trial-handle=1780,i,13598599963792372058,6319841105108021891,131072 /prefetch:1
2⤵
PID:2092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2948 --field-trial-handle=1780,i,13598599963792372058,6319841105108021891,131072 /prefetch:1
2⤵
PID:3624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4296 --field-trial-handle=1780,i,13598599963792372058,6319841105108021891,131072 /prefetch:1
2⤵
PID:4400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4344 --field-trial-handle=1780,i,13598599963792372058,6319841105108021891,131072 /prefetch:8
2⤵
PID:3804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4620 --field-trial-handle=1780,i,13598599963792372058,6319841105108021891,131072 /prefetch:8
2⤵
PID:3308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4952 --field-trial-handle=1780,i,13598599963792372058,6319841105108021891,131072 /prefetch:8
2⤵
PID:3732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4804 --field-trial-handle=1780,i,13598599963792372058,6319841105108021891,131072 /prefetch:8
2⤵
PID:1560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 --field-trial-handle=1780,i,13598599963792372058,6319841105108021891,131072 /prefetch:8
2⤵
PID:4656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 --field-trial-handle=1780,i,13598599963792372058,6319841105108021891,131072 /prefetch:8
2⤵
PID:4808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4500 --field-trial-handle=1780,i,13598599963792372058,6319841105108021891,131072 /prefetch:1
2⤵
PID:2072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4524 --field-trial-handle=1780,i,13598599963792372058,6319841105108021891,131072 /prefetch:1
2⤵
PID:3820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1728 --field-trial-handle=1780,i,13598599963792372058,6319841105108021891,131072 /prefetch:8
2⤵
PID:5012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4416 --field-trial-handle=1780,i,13598599963792372058,6319841105108021891,131072 /prefetch:8
2⤵
PID:5112

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Downloads\download.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:2680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2436 --field-trial-handle=1780,i,13598599963792372058,6319841105108021891,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4796

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4984

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
240B

MD5
f737eef1e60ab207f9baafd1ea7e5098

SHA1
54dd80478bca810c6df57299d5fdae8fa7f75568

SHA256
ca1c25518d6d668dce00d698cf4049d8941d9ad757379bb870315790d8e50f4c

SHA512
ce494d5d4f3b9e6e879ab76e5e099e6fe5337c0e917017de0e0b16036a7b1403a853f7e5ec7f8f77ad9b18c076c68b536db9a2cceff464b90316bc778cfe5250

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
7ca85a5ac2aaa233fe450235808821f9

SHA1
1a64efb138be0f4c38b4dbdc2f8ec80fee84d293

SHA256
987bed11df951fcf8989161c00d4c701ebb78ac5aa8a6975da7ee62bfc71191f

SHA512
9f516748480e1aef027b4c6b65a762c38835d8e2acfb71ecaf80f000966730111dcb7cd03dc53fdb2ca23b13cf417f5b9c18c8486851a5138fbc1eac370847d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
538B

MD5
61a78d76ae28a5faa948d9f29c001b57

SHA1
3fff174fe5a649e97b0dbde3e28c917e6a4510bc

SHA256
6eadd5822173c04d87ae800037b381a8a8c369c911dff87def765dbfcb8b6b54

SHA512
2d427a42ced50d8a779d4b29ae5a4a916b43f73ef408d31497ba11467ac4a69610c922b008105e43818e4f5ae4019073906304b20b6a88239d91dfd78f799128

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
705B

MD5
c882079b8b0739d4ec32ebd9f52e1110

SHA1
7a5a5a6cc4b86b725f82fce520873a0a573c6c99

SHA256
fcec6de3da2da1a5be6c84a6960efda7118c92bd96bac068121145ac2895d461

SHA512
bc13b69e81ec33769630e67e6401fc1846a56a84100a12437434df9a7369b5b073ab7a5b09b27b2497cb3b103d2ff5bf7e2b3dd4452a21794899ff183fc4e0d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
5328fc78d5766abe0c2c5c366dda1ca9

SHA1
d895850088342de26c4528aa2b735816b6135911

SHA256
e7931be3984252cbc63a15f7460acbc1c44c47217a5262cac5d3cc5002050448

SHA512
bdb6c6ec9fd0d6eae2886107df2bebc28c80a9ef86a5eac015263374831963fe48aa1791819dc46339e1cd445cc99d072eec8bb6f032876b19fac1f79b0aa148

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
5634329ace55998cc9c65b0ff5ec0099

SHA1
c08ace70ac59ff327a18e474d2400ea891b25719

SHA256
607331a656e110d933143e10bbae961f9b629ad3924c1b0ba8b1fa8b64daa79a

SHA512
afe1ed39fb465117f2e8d6deadeea0fb33448b75286c4afc8e293ba0270c7a9451ca0e6780c9b0e54fcbe916ab16c9b1c72b6c087753595249444a57d6b11bd7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
e99863899a8aad4084c2fa8966fc61c4

SHA1
a98719c7bdd4ab6831656e94c0d689b1fd9463d0

SHA256
fe2633cccc9abf7a912b133f40f90df72a529e124483dbd0e7254a46cec27e23

SHA512
882395876b5fda8e6e77fac6571a3ae3e8cf7b00240c43f62127489b1984b55e62eefa38411c86ebdc6e9c3906a78040e020ed176603d52849d804392e69b666

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
144KB

MD5
f34768c80d2accdc501f63cccc3cbfcc

SHA1
171daed566a69853a60a58d54c686eb7e3161690

SHA256
35b6614fc4bcf283cf66adf28d93c0cc1ffd7bf423ee1421cff2cc35f4cf5f6b

SHA512
4586365a83e00e2fc720cd3be28d8f84726b17c5ff3df74329520f7c77e117a3d9c4136c040e1c12dc26d051c0b72802eedf6d94797919d2c3fcc38f7c505f8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
99KB

MD5
5d9646a47789c4ebe924f0a02dee5db7

SHA1
2042bba0f20291746b5a4ac787731ba16dd5e90b

SHA256
54d0b1ceb4baac635beb2f86ae8a99eac8b041c817bd8ca5c65bd5c8b77247b6

SHA512
542fa8533996b10ef86345466cbe60d5f0e1d606908b136349db0025aae185053b4aa995f0eb7f80a4bd23e55c958ff9a68ff7c49c3e741d2cfb973da780fa27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
110KB

MD5
5f6e2c66492e1048b8f62b36fb6db3ba

SHA1
60d8a08cf876ab0b852a62a2ce79e8676879af4b

SHA256
bed3cb41eb9eeeacea4b7017d1b2bcc943b7cdeaea77bffd39aebcb0e3c566bf

SHA512
905eb42ffa37ff95a4abab8fb205a2a314dc36b1e6f6fd6af4d74023286fef99678e81717a10aa4c181e537697a5d88e223e24622a977e4e483a4d2fdff34d27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe578e36.TMP
Filesize
98KB

MD5
a896b290ba17632f0208c2662cc317bd

SHA1
d16719804309fc73c3b0c25adb85a6ecec871b4c

SHA256
0699d47a3fb97a3d9ee0b705a41a0fbf3af8357881761d8581d4118c4a32dd51

SHA512
319e684c51590d7ca24c8c1f78f6d45ab5409560f87e55482d530c159bd2118d8850eda9fef728bac42f16ff9085bad27e81b67220b0c0b9d87ffef53727b1e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\LwTHLrGh.hta
Filesize
17KB

MD5
084149c0fc6722b43b42ebc96f22effe

SHA1
d40525e84d7da7f2e193a4e2fc2a24739dc88027

SHA256
8d74853d271ec7a12880c4e33591df212628e3cb6a2f4038adad28c4b6891a96

SHA512
193a745b3bed038168d7523e9d7f670e62bf4f6ba81b4117a3c80b9c848b3ac69059bc3c4ab72eee41d4defacc32249cd9df1b6683c088eb820e54fa85d7280c

Download Submit
C:\Users\Admin\Downloads\download.hta
Filesize
5KB

MD5
c4c22e0735ec592ab87f45c7be53eecd

SHA1
b6d9c41d6c81f30c8f9d383fe5e0d5a0c3ee62da

SHA256
b6e6565f337a8d5c0fa35517d64f95bd6768083ae220a21bc62087820c3d326e

SHA512
eb379572c61193f90c97345987201d2988ab081bf095d42b155b939cabe5b6e168f39aa35e9e3dd29efdf5d2e96542925ad0493f417f8222589d2967feb01e41

Download Submit
C:\Users\Admin\Downloads\download.hta
Filesize
5KB

MD5
c4c22e0735ec592ab87f45c7be53eecd

SHA1
b6d9c41d6c81f30c8f9d383fe5e0d5a0c3ee62da

SHA256
b6e6565f337a8d5c0fa35517d64f95bd6768083ae220a21bc62087820c3d326e

SHA512
eb379572c61193f90c97345987201d2988ab081bf095d42b155b939cabe5b6e168f39aa35e9e3dd29efdf5d2e96542925ad0493f417f8222589d2967feb01e41

Download Submit
\??\pipe\crashpad_228_QOBUDMNGREHGIOPI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3272-337-0x000001B20B6C0000-0x000001B20B8C0000-memory.dmp

Filesize
2.0MB

Download
memory/3272-307-0x000001B20B6C0000-0x000001B20B8C0000-memory.dmp

Filesize
2.0MB

Download
memory/3272-134-0x00007FFE3D400000-0x00007FFE3D410000-memory.dmp

Filesize
64KB

Download
memory/3272-133-0x00007FFE3D400000-0x00007FFE3D410000-memory.dmp

Filesize
64KB

Download
memory/3272-121-0x00007FFE40CB0000-0x00007FFE40CC0000-memory.dmp

Filesize
64KB

Download
memory/3272-124-0x00007FFE40CB0000-0x00007FFE40CC0000-memory.dmp

Filesize
64KB

Download
memory/3272-123-0x00007FFE40CB0000-0x00007FFE40CC0000-memory.dmp

Filesize
64KB

Download
memory/3272-122-0x00007FFE40CB0000-0x00007FFE40CC0000-memory.dmp

Filesize
64KB

Download