hxxp://khppt[.]it

Analysis

max time kernel
102s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
31/03/2023, 18:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://khppt.it

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133247677115310688"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	mspaint.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2268	vlc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1632	chrome.exe
1632	chrome.exe
8	mspaint.exe
8	mspaint.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4232	OpenWith.exe
2268	vlc.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
672	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe
Token: SeShutdownPrivilege	1632	chrome.exe
Token: SeCreatePagefilePrivilege	1632	chrome.exe

Suspicious use of FindShellTrayWindow 44 IoCs

pid	Process
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
2268	vlc.exe
2268	vlc.exe
2268	vlc.exe
2268	vlc.exe
2268	vlc.exe
2268	vlc.exe
2268	vlc.exe
2268	vlc.exe
2268	vlc.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe

Suspicious use of SendNotifyMessage 40 IoCs

pid	Process
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
2268	vlc.exe
2268	vlc.exe
2268	vlc.exe
2268	vlc.exe
2268	vlc.exe
2268	vlc.exe
2268	vlc.exe
2268	vlc.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe
1632	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
8	mspaint.exe
4232	OpenWith.exe
2268	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 5024	1632	chrome.exe	86
PID 1632 wrote to memory of 5024	1632	chrome.exe	86
PID 1632 wrote to memory of 3916	1632	chrome.exe	87
PID 1632 wrote to memory of 3916	1632	chrome.exe	87
PID 1632 wrote to memory of 3916	1632	chrome.exe	87
PID 1632 wrote to memory of 3916	1632	chrome.exe	87
PID 1632 wrote to memory of 3916	1632	chrome.exe	87
PID 1632 wrote to memory of 3916	1632	chrome.exe	87
PID 1632 wrote to memory of 3916	1632	chrome.exe	87
PID 1632 wrote to memory of 3916	1632	chrome.exe	87
PID 1632 wrote to memory of 3916	1632	chrome.exe	87
PID 1632 wrote to memory of 3916	1632	chrome.exe	87
PID 1632 wrote to memory of 3916	1632	chrome.exe	87
PID 1632 wrote to memory of 3916	1632	chrome.exe	87
PID 1632 wrote to memory of 3916	1632	chrome.exe	87
PID 1632 wrote to memory of 3916	1632	chrome.exe	87
PID 1632 wrote to memory of 3916	1632	chrome.exe	87
PID 1632 wrote to memory of 3916	1632	chrome.exe	87
PID 1632 wrote to memory of 3916	1632	chrome.exe	87
PID 1632 wrote to memory of 3916	1632	chrome.exe	87
PID 1632 wrote to memory of 3916	1632	chrome.exe	87
PID 1632 wrote to memory of 3916	1632	chrome.exe	87
PID 1632 wrote to memory of 3916	1632	chrome.exe	87
PID 1632 wrote to memory of 3916	1632	chrome.exe	87
PID 1632 wrote to memory of 3916	1632	chrome.exe	87
PID 1632 wrote to memory of 3916	1632	chrome.exe	87
PID 1632 wrote to memory of 3916	1632	chrome.exe	87
PID 1632 wrote to memory of 3916	1632	chrome.exe	87
PID 1632 wrote to memory of 3916	1632	chrome.exe	87
PID 1632 wrote to memory of 3916	1632	chrome.exe	87
PID 1632 wrote to memory of 3916	1632	chrome.exe	87
PID 1632 wrote to memory of 3916	1632	chrome.exe	87
PID 1632 wrote to memory of 3916	1632	chrome.exe	87
PID 1632 wrote to memory of 3916	1632	chrome.exe	87
PID 1632 wrote to memory of 3916	1632	chrome.exe	87
PID 1632 wrote to memory of 3916	1632	chrome.exe	87
PID 1632 wrote to memory of 3916	1632	chrome.exe	87
PID 1632 wrote to memory of 3916	1632	chrome.exe	87
PID 1632 wrote to memory of 3916	1632	chrome.exe	87
PID 1632 wrote to memory of 3916	1632	chrome.exe	87
PID 1632 wrote to memory of 3556	1632	chrome.exe	88
PID 1632 wrote to memory of 3556	1632	chrome.exe	88
PID 1632 wrote to memory of 2188	1632	chrome.exe	89
PID 1632 wrote to memory of 2188	1632	chrome.exe	89
PID 1632 wrote to memory of 2188	1632	chrome.exe	89
PID 1632 wrote to memory of 2188	1632	chrome.exe	89
PID 1632 wrote to memory of 2188	1632	chrome.exe	89
PID 1632 wrote to memory of 2188	1632	chrome.exe	89
PID 1632 wrote to memory of 2188	1632	chrome.exe	89
PID 1632 wrote to memory of 2188	1632	chrome.exe	89
PID 1632 wrote to memory of 2188	1632	chrome.exe	89
PID 1632 wrote to memory of 2188	1632	chrome.exe	89
PID 1632 wrote to memory of 2188	1632	chrome.exe	89
PID 1632 wrote to memory of 2188	1632	chrome.exe	89
PID 1632 wrote to memory of 2188	1632	chrome.exe	89
PID 1632 wrote to memory of 2188	1632	chrome.exe	89
PID 1632 wrote to memory of 2188	1632	chrome.exe	89
PID 1632 wrote to memory of 2188	1632	chrome.exe	89
PID 1632 wrote to memory of 2188	1632	chrome.exe	89
PID 1632 wrote to memory of 2188	1632	chrome.exe	89
PID 1632 wrote to memory of 2188	1632	chrome.exe	89
PID 1632 wrote to memory of 2188	1632	chrome.exe	89
PID 1632 wrote to memory of 2188	1632	chrome.exe	89
PID 1632 wrote to memory of 2188	1632	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://khppt.it
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9b4c49758,0x7ff9b4c49768,0x7ff9b4c49778
  2⤵
  PID:5024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=1784,i,912451947803475316,9148525976311411400,131072 /prefetch:2
  2⤵
  PID:3916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1784,i,912451947803475316,9148525976311411400,131072 /prefetch:8
  2⤵
  PID:3556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2244 --field-trial-handle=1784,i,912451947803475316,9148525976311411400,131072 /prefetch:8
  2⤵
  PID:2188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3024 --field-trial-handle=1784,i,912451947803475316,9148525976311411400,131072 /prefetch:1
  2⤵
  PID:4332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3004 --field-trial-handle=1784,i,912451947803475316,9148525976311411400,131072 /prefetch:1
  2⤵
  PID:4048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3992 --field-trial-handle=1784,i,912451947803475316,9148525976311411400,131072 /prefetch:1
  2⤵
  PID:4020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3020 --field-trial-handle=1784,i,912451947803475316,9148525976311411400,131072 /prefetch:1
  2⤵
  PID:452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4824 --field-trial-handle=1784,i,912451947803475316,9148525976311411400,131072 /prefetch:8
  2⤵
  PID:4460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5036 --field-trial-handle=1784,i,912451947803475316,9148525976311411400,131072 /prefetch:8
  2⤵
  PID:3800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4060 --field-trial-handle=1784,i,912451947803475316,9148525976311411400,131072 /prefetch:8
  2⤵
  PID:4756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5052 --field-trial-handle=1784,i,912451947803475316,9148525976311411400,131072 /prefetch:1
  2⤵
  PID:2336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4816 --field-trial-handle=1784,i,912451947803475316,9148525976311411400,131072 /prefetch:1
  2⤵
  PID:2032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4176 --field-trial-handle=1784,i,912451947803475316,9148525976311411400,131072 /prefetch:1
  2⤵
  PID:2936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3264 --field-trial-handle=1784,i,912451947803475316,9148525976311411400,131072 /prefetch:1
  2⤵
  PID:4652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5028 --field-trial-handle=1784,i,912451947803475316,9148525976311411400,131072 /prefetch:8
  2⤵
  PID:3824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3900 --field-trial-handle=1784,i,912451947803475316,9148525976311411400,131072 /prefetch:1
  2⤵
  PID:3908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5204 --field-trial-handle=1784,i,912451947803475316,9148525976311411400,131072 /prefetch:1
  2⤵
  PID:2844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=3216 --field-trial-handle=1784,i,912451947803475316,9148525976311411400,131072 /prefetch:1
  2⤵
  PID:2616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=4132 --field-trial-handle=1784,i,912451947803475316,9148525976311411400,131072 /prefetch:1
  2⤵
  PID:3844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4844 --field-trial-handle=1784,i,912451947803475316,9148525976311411400,131072 /prefetch:8
  2⤵
  PID:4776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5752 --field-trial-handle=1784,i,912451947803475316,9148525976311411400,131072 /prefetch:8
  2⤵
  PID:3532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5316 --field-trial-handle=1784,i,912451947803475316,9148525976311411400,131072 /prefetch:1
  2⤵
  PID:4012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=3248 --field-trial-handle=1784,i,912451947803475316,9148525976311411400,131072 /prefetch:1
  2⤵
  PID:4788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=5868 --field-trial-handle=1784,i,912451947803475316,9148525976311411400,131072 /prefetch:1
  2⤵
  PID:3968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=4828 --field-trial-handle=1784,i,912451947803475316,9148525976311411400,131072 /prefetch:1
  2⤵
  PID:4020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3340 --field-trial-handle=1784,i,912451947803475316,9148525976311411400,131072 /prefetch:8
  2⤵
  PID:4212

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2224

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\BlockSet.png" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:8

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:3120

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4232

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SuspendSkip.m1v"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
936B

MD5
bd4bc96354b22d5c16f4baa2271c522a

SHA1
207ba85e3d7f132071ddd818d69d73b80ece56d7

SHA256
bbc0735a5e66be53ade148c42eaf4efb9c74417e022765f671fb6b02f2362839

SHA512
353a994ca384a3d82a14145b79125112cd907bcba37a4d801b2c892bc061fa27bb9a77dcee56d644ac6fdc63932c6df0b86efa136f57b4afe93f30d52a17c260

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
882B

MD5
768b4b8ccc64408dbe4ecfa5710a8735

SHA1
99fc05573f72ae358535d5d81095d13452b9fa34

SHA256
f541efd1b50c45cb0a26a666578af3fc0691621f8d27a1d1aea94de2b940270f

SHA512
6175bff80acedf832efc6f690aa0880cb1b1b4ac24e48ee5d8fcbbfbed1956a79f425841f7c5072b77f6ac12210c5bc0385f1be800b0b407da42850947f21166

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
7c54a866368069143434b3f1ade56606

SHA1
b99df23ba4bfc44655b398b7362102db848055ae

SHA256
47da3cf4c64fb56bbb72fe350efa9fd4e43aa99c9b6191757b5b22109fff688a

SHA512
63fe6850da2ed5052c073a1dbf0f1daf6c906c1781458412b60f3dda502f6c116046f18de3a48633c8f20a77f436761bb83351a671e416a164d5eca0f8797d1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e14fc91a97d3b5ab025d44e1129deadd

SHA1
5711b0aaa00581aeeb42f5c78c8db538e6d01dc6

SHA256
9849c2473d40ab316ecca3af2e04bdac1a5378407a5ef8125ba3f37beeb32f55

SHA512
bed6f7ae0634cfc052c14976112cb4ebfa40f0e7e72fd6a6880aeafd6fafd55f2f6769a78f06099c011e0fbd05dc47b384f7a54627d022671f3d8dd3202dd528

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f1eb526285ab97e9dc4baf2b239bb3f2

SHA1
38b3acf9d351e57d9b952bd49067883ea9e45ada

SHA256
d772b0e2b901c19487a04d7387be73a54b3879ddb6412a64821520675d6585c6

SHA512
702042992e317dee00beb28589843abcb68535c0040d8f4d03cf55c2b118df6aea7d9578329d8cad9127e426aaa132849e9433d6b8b9e415c6584587e3463a8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
051af0ef4a5a2db7f103934d19240eab

SHA1
812e3da94d1ad111288b65c027e4dfe9b0c1fcc4

SHA256
977594c8b6df93741fa28c2440be32e09dba17592a9d44e12edbc2874e388834

SHA512
723027792e79401ff996e450087663785bdf41d4e7cc0c31eb5ed31d672e5cf91360f3034bb687f9e3f532862f5f96e29e59a606444eebbee105c952782238bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
4b15bf0b8bb25f92725892b519539190

SHA1
131051284ff2a0a2ca34176b13e28e3342adfa37

SHA256
48aa037c168043094f5c9b7afe6bd5c43a281b1e1340a0ede2ab7253f10af486

SHA512
d5611d4d21c3d26ea380d4aa3057b9a2931ad2f4407fa90fa269233cd0778e2ac094479dcfa90beb08d14f88db0272aa95109a4e20010c539b1828bde1de8a3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
c6c4dbe05f4ef40d303d6501e3f7cc26

SHA1
747b902882e04a95d9d323bf977db5b00725ba26

SHA256
9379b3fdc7b5e1885a1b6e59b3daba6d693eeafae6b2e63224509b9c354b22b5

SHA512
8af1e668db46566f358a90355185634904b45c880932f7aa83c422e719b3dd70dde3b8ec8bef27addd2a94030a15177259ca975792d2a11aade237e168698710

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
703ad22a2c9736e61651d661fe21398e

SHA1
05523c04b0102d5026ded5df8f3aa8ab9a610077

SHA256
dccc57657d5e327459a7012ac49a3d7c24de797924da56ba3645fd51d5b74816

SHA512
7047c0ae9ca8270ae8d9097726f63939d7026cdd48788a5c28ebc6c30274a4825e5090457c167fa759b0a886e38aa67c917182cea66e168f70aa1cdee9630229

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
92da99008b0e2cda39c19c9ef1399a19

SHA1
7d922e21b61823e6e3069d6c82e9cf11b096a366

SHA256
4296c2d4177095ab1391b3821fa280c7b80321b24201be4255be625ca9500f39

SHA512
9dce0be1105a275192bbccadc6ea61a77eaed89ebc3e3c89e17d6b9ddb41e967c20dea0c9a1b58d5e27e9465cec6c7876513c76ef1b4f90de356fd8828d95e6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
e8a736d936f7b757abc28f5ca7c65e4a

SHA1
75a05973be297e7833701c97b0ffe485eaa60bed

SHA256
8fd5c1861f1649c071a9bfa80b88d321d122eb05147b246b2e30b7c72787f3ae

SHA512
d9037d1bc4a9cadd1158a7c053cb90962753644f8e33435c7020d2610e6397f03d0f233c8564d95f770c7c3d0f23b8fdc284846e517c31ab16ec2acc2ccc99aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
56B

MD5
ae1bccd6831ebfe5ad03b482ee266e4f

SHA1
01f4179f48f1af383b275d7ee338dd160b6f558a

SHA256
1b11047e738f76c94c9d15ee981ec46b286a54def1a7852ca1ade7f908988649

SHA512
baf7ff6747f30e542c254f46a9678b9dbf42312933962c391b79eca6fcb615e4ba9283c00f554d6021e594f18c087899bc9b5362c41c0d6f862bba7fb9f83038

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe579172.TMP

Filesize
120B

MD5
ab02394bcabfdb742bccfd0bf1283f50

SHA1
7126b476591a7450369a5f6d4fd9a51d4e2aac9b

SHA256
2ba55e277ad986ce4e2547f75630e0ba528e37ac373d7aa14575068f2fcf0c91

SHA512
a635cc2592536686fdd5386f2e99ddc52fc3a3324ceade071b6cb92f23751ccc16ee6c3be0d6c173066730de086e4f5782231db2810e6e49c3d1d7f001fee464

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

Filesize
264KB

MD5
5c9899cb89d9429cc197d8cb2661331c

SHA1
bc4979eb52e1ac6ad86bb2114e27bddc05dffd67

SHA256
c9f42cb91f9ddb2d175c15d8b61173edd4aa829f2a2815a2c108b83d3cca2264

SHA512
edb2f652de094a48f54f61a5fcdcd492bc48e1837f17f606e90f24cf872cc989f8634af4f03cd3b0bc809c3c9bf9f2840d0744de6a8526e114cd6b7f87145134

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
173KB

MD5
4661543c3defe21543fe23a304522818

SHA1
816ebbb5f61c98744eea0e10ac8e64fd395fb514

SHA256
1c7fcb146d3d2789710d578b13ee8c47995fcd96dae25c89ae757c156b390307

SHA512
7ee207b8212f6c801203ad209cea07feba336522d8dd83a1e1bdb7f5d363bcb240f93ac131fa38959c6511d3e91694517c5469db23b472ea64fb098e1b8ce69c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
173KB

MD5
183245acc92acaef183c03985dadcac4

SHA1
4c07cc496e347b207613739a2ae980766afeb54f

SHA256
d60fb954ba25efe43dc8756930284265d91d634196586af56caaff09bf35e6e7

SHA512
5b63fb01ca1a99440c4be1eb02eac4cef0044c0659c92aa1db972ab711c46dd1611e4d200294324e2cadaa7fca916d07dc928a988dd618c660776e0fe6ff6c5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
173KB

MD5
b35ef13be8e0efc1e41a40add7cb1d94

SHA1
2a2d3ceea4fdfe64c04e0370cf12a1efc0bae08e

SHA256
f7c4ca07e5a81abeddb715d9d6ffcd7029353c77f8b1a3b9fa8697ece556ead0

SHA512
1d3530a91218f906bed15be4047cad51bf5d4cbf899c854a6a22197295fa88a58f728c5c6860f2f91e34e52dfffbbabf74045fc4cac8b9980e5a99bebf530a8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
173KB

MD5
a1b8044f9e2ada4621ae7018ce6399b1

SHA1
04a24d01a808ddda4fd14e7ce43a357c9b1624f6

SHA256
7b4024f0b2c8a53f49d2c60a4ee40a19fb51ce625371a12335d2fd3e5d0f9270

SHA512
1380b2ee1a8cde42815db5d875bfd321a4243dd3b0492b9f84e5aa778010b7bdb2fcce24fb4370aa1e366b540bc25f0925cc2c338a23b8850f4d2f58e6db12a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
101KB

MD5
d30aeb3076cc5e8f470bd2d7d5707bf9

SHA1
96ce26befc457d549bed8bfce4140521fbf8a702

SHA256
f38aaad6185f0bf65b62a8cca033dbe641c4b23652279c8223b9065361eaae57

SHA512
2d45cfc2c7b55501ba4cb6650862069b6e08d3d6360572792874b3892b62b2a61a8187ed7fdaf269f20a42738da4d44d81e4e301113d67bd6612ddc32951fcf9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe579395.TMP

Filesize
97KB

MD5
b5cddb724a61d3a5a3ee2e36505df6e5

SHA1
bc09c8897e3d7745295c933636bfb9b98bbce280

SHA256
890bc39f3d43662a87a1381d79e2404e67a2294379ab02610ae61358d8894d58

SHA512
c2fa4d471c915ee5e88e4ba9046612f2231dbfa3fef31e0487ebab820bab8c329ab74ea692e3e0898315a0fd023b632de39512e93debace29dfb29d2809a6718

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
memory/2268-220-0x00007FF9AE2D0000-0x00007FF9AE3E2000-memory.dmp

Filesize
1.1MB

Download
memory/2268-219-0x0000026453070000-0x000002645411B000-memory.dmp

Filesize
16.7MB

Download
memory/2268-218-0x00007FF9B1130000-0x00007FF9B13E4000-memory.dmp

Filesize
2.7MB

Download
memory/2268-217-0x00007FF9B2150000-0x00007FF9B2184000-memory.dmp

Filesize
208KB

Download
memory/2268-216-0x00007FF797630000-0x00007FF797728000-memory.dmp

Filesize
992KB

Download
memory/3120-196-0x000001BB54DC0000-0x000001BB54DC1000-memory.dmp

Filesize
4KB

Download
memory/3120-195-0x000001BB54DC0000-0x000001BB54DC1000-memory.dmp

Filesize
4KB

Download
memory/3120-194-0x000001BB54DC0000-0x000001BB54DC1000-memory.dmp

Filesize
4KB

Download
memory/3120-193-0x000001BB54DB0000-0x000001BB54DB1000-memory.dmp

Filesize
4KB

Download
memory/3120-192-0x000001BB54D20000-0x000001BB54D21000-memory.dmp

Filesize
4KB

Download
memory/3120-190-0x000001BB54D20000-0x000001BB54D21000-memory.dmp

Filesize
4KB

Download
memory/3120-188-0x000001BB54CA0000-0x000001BB54CA1000-memory.dmp

Filesize
4KB

Download
memory/3120-181-0x000001BB4C160000-0x000001BB4C170000-memory.dmp

Filesize
64KB

Download
memory/3120-177-0x000001BB4B9B0000-0x000001BB4B9C0000-memory.dmp

Filesize
64KB

Download