hxxp://www[.]winzip[.]com/wzgate[.]cgi?lang=EN&url=www[.]winzip[.]com/whyuninst[.]cgi&param=dsi%3D1273%26nid%3D-%26ver%3D21[.]5[.]12480[.]0%26bnc%3Dnkln&osbits=64&wzbits=64&x-at=nkln

Resubmissions

12/04/2023, 14:53

230412-r9kczaee2t 8

12/04/2023, 14:47

230412-r52rfsch84 1

Analysis

max time kernel
510s
max time network
512s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
12/04/2023, 14:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://www.winzip.com/wzgate.cgi?lang=EN&url=www.winzip.com/whyuninst.cgi&param=dsi%3D1273%26nid%3D-%26ver%3D21.5.12480.0%26bnc%3Dnkln&osbits=64&wzbits=64&x-at=nkln

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133257920319353640"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
3764	chrome.exe
3764	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2088	chrome.exe
Token: SeCreatePagefilePrivilege	2088	chrome.exe
Token: SeShutdownPrivilege	2088	chrome.exe
Token: SeCreatePagefilePrivilege	2088	chrome.exe
Token: SeShutdownPrivilege	2088	chrome.exe
Token: SeCreatePagefilePrivilege	2088	chrome.exe
Token: SeShutdownPrivilege	2088	chrome.exe
Token: SeCreatePagefilePrivilege	2088	chrome.exe
Token: SeShutdownPrivilege	2088	chrome.exe
Token: SeCreatePagefilePrivilege	2088	chrome.exe
Token: SeShutdownPrivilege	2088	chrome.exe
Token: SeCreatePagefilePrivilege	2088	chrome.exe
Token: SeShutdownPrivilege	2088	chrome.exe
Token: SeCreatePagefilePrivilege	2088	chrome.exe
Token: SeShutdownPrivilege	2088	chrome.exe
Token: SeCreatePagefilePrivilege	2088	chrome.exe
Token: SeShutdownPrivilege	2088	chrome.exe
Token: SeCreatePagefilePrivilege	2088	chrome.exe
Token: SeShutdownPrivilege	2088	chrome.exe
Token: SeCreatePagefilePrivilege	2088	chrome.exe
Token: SeShutdownPrivilege	2088	chrome.exe
Token: SeCreatePagefilePrivilege	2088	chrome.exe
Token: SeShutdownPrivilege	2088	chrome.exe
Token: SeCreatePagefilePrivilege	2088	chrome.exe
Token: SeShutdownPrivilege	2088	chrome.exe
Token: SeCreatePagefilePrivilege	2088	chrome.exe
Token: SeShutdownPrivilege	2088	chrome.exe
Token: SeCreatePagefilePrivilege	2088	chrome.exe
Token: SeShutdownPrivilege	2088	chrome.exe
Token: SeCreatePagefilePrivilege	2088	chrome.exe
Token: SeShutdownPrivilege	2088	chrome.exe
Token: SeCreatePagefilePrivilege	2088	chrome.exe
Token: SeShutdownPrivilege	2088	chrome.exe
Token: SeCreatePagefilePrivilege	2088	chrome.exe
Token: SeShutdownPrivilege	2088	chrome.exe
Token: SeCreatePagefilePrivilege	2088	chrome.exe
Token: SeShutdownPrivilege	2088	chrome.exe
Token: SeCreatePagefilePrivilege	2088	chrome.exe
Token: SeShutdownPrivilege	2088	chrome.exe
Token: SeCreatePagefilePrivilege	2088	chrome.exe
Token: SeShutdownPrivilege	2088	chrome.exe
Token: SeCreatePagefilePrivilege	2088	chrome.exe
Token: SeShutdownPrivilege	2088	chrome.exe
Token: SeCreatePagefilePrivilege	2088	chrome.exe
Token: SeShutdownPrivilege	2088	chrome.exe
Token: SeCreatePagefilePrivilege	2088	chrome.exe
Token: SeShutdownPrivilege	2088	chrome.exe
Token: SeCreatePagefilePrivilege	2088	chrome.exe
Token: SeShutdownPrivilege	2088	chrome.exe
Token: SeCreatePagefilePrivilege	2088	chrome.exe
Token: SeShutdownPrivilege	2088	chrome.exe
Token: SeCreatePagefilePrivilege	2088	chrome.exe
Token: SeShutdownPrivilege	2088	chrome.exe
Token: SeCreatePagefilePrivilege	2088	chrome.exe
Token: SeShutdownPrivilege	2088	chrome.exe
Token: SeCreatePagefilePrivilege	2088	chrome.exe
Token: SeShutdownPrivilege	2088	chrome.exe
Token: SeCreatePagefilePrivilege	2088	chrome.exe
Token: SeShutdownPrivilege	2088	chrome.exe
Token: SeCreatePagefilePrivilege	2088	chrome.exe
Token: SeShutdownPrivilege	2088	chrome.exe
Token: SeCreatePagefilePrivilege	2088	chrome.exe
Token: SeShutdownPrivilege	2088	chrome.exe
Token: SeCreatePagefilePrivilege	2088	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 4872	2088	chrome.exe	79
PID 2088 wrote to memory of 4872	2088	chrome.exe	79
PID 2088 wrote to memory of 2256	2088	chrome.exe	81
PID 2088 wrote to memory of 2256	2088	chrome.exe	81
PID 2088 wrote to memory of 2256	2088	chrome.exe	81
PID 2088 wrote to memory of 2256	2088	chrome.exe	81
PID 2088 wrote to memory of 2256	2088	chrome.exe	81
PID 2088 wrote to memory of 2256	2088	chrome.exe	81
PID 2088 wrote to memory of 2256	2088	chrome.exe	81
PID 2088 wrote to memory of 2256	2088	chrome.exe	81
PID 2088 wrote to memory of 2256	2088	chrome.exe	81
PID 2088 wrote to memory of 2256	2088	chrome.exe	81
PID 2088 wrote to memory of 2256	2088	chrome.exe	81
PID 2088 wrote to memory of 2256	2088	chrome.exe	81
PID 2088 wrote to memory of 2256	2088	chrome.exe	81
PID 2088 wrote to memory of 2256	2088	chrome.exe	81
PID 2088 wrote to memory of 2256	2088	chrome.exe	81
PID 2088 wrote to memory of 2256	2088	chrome.exe	81
PID 2088 wrote to memory of 2256	2088	chrome.exe	81
PID 2088 wrote to memory of 2256	2088	chrome.exe	81
PID 2088 wrote to memory of 2256	2088	chrome.exe	81
PID 2088 wrote to memory of 2256	2088	chrome.exe	81
PID 2088 wrote to memory of 2256	2088	chrome.exe	81
PID 2088 wrote to memory of 2256	2088	chrome.exe	81
PID 2088 wrote to memory of 2256	2088	chrome.exe	81
PID 2088 wrote to memory of 2256	2088	chrome.exe	81
PID 2088 wrote to memory of 2256	2088	chrome.exe	81
PID 2088 wrote to memory of 2256	2088	chrome.exe	81
PID 2088 wrote to memory of 2256	2088	chrome.exe	81
PID 2088 wrote to memory of 2256	2088	chrome.exe	81
PID 2088 wrote to memory of 2256	2088	chrome.exe	81
PID 2088 wrote to memory of 2256	2088	chrome.exe	81
PID 2088 wrote to memory of 2256	2088	chrome.exe	81
PID 2088 wrote to memory of 2256	2088	chrome.exe	81
PID 2088 wrote to memory of 2256	2088	chrome.exe	81
PID 2088 wrote to memory of 2256	2088	chrome.exe	81
PID 2088 wrote to memory of 2256	2088	chrome.exe	81
PID 2088 wrote to memory of 2256	2088	chrome.exe	81
PID 2088 wrote to memory of 2256	2088	chrome.exe	81
PID 2088 wrote to memory of 2256	2088	chrome.exe	81
PID 2088 wrote to memory of 4336	2088	chrome.exe	82
PID 2088 wrote to memory of 4336	2088	chrome.exe	82
PID 2088 wrote to memory of 5040	2088	chrome.exe	83
PID 2088 wrote to memory of 5040	2088	chrome.exe	83
PID 2088 wrote to memory of 5040	2088	chrome.exe	83
PID 2088 wrote to memory of 5040	2088	chrome.exe	83
PID 2088 wrote to memory of 5040	2088	chrome.exe	83
PID 2088 wrote to memory of 5040	2088	chrome.exe	83
PID 2088 wrote to memory of 5040	2088	chrome.exe	83
PID 2088 wrote to memory of 5040	2088	chrome.exe	83
PID 2088 wrote to memory of 5040	2088	chrome.exe	83
PID 2088 wrote to memory of 5040	2088	chrome.exe	83
PID 2088 wrote to memory of 5040	2088	chrome.exe	83
PID 2088 wrote to memory of 5040	2088	chrome.exe	83
PID 2088 wrote to memory of 5040	2088	chrome.exe	83
PID 2088 wrote to memory of 5040	2088	chrome.exe	83
PID 2088 wrote to memory of 5040	2088	chrome.exe	83
PID 2088 wrote to memory of 5040	2088	chrome.exe	83
PID 2088 wrote to memory of 5040	2088	chrome.exe	83
PID 2088 wrote to memory of 5040	2088	chrome.exe	83
PID 2088 wrote to memory of 5040	2088	chrome.exe	83
PID 2088 wrote to memory of 5040	2088	chrome.exe	83
PID 2088 wrote to memory of 5040	2088	chrome.exe	83
PID 2088 wrote to memory of 5040	2088	chrome.exe	83

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://www.winzip.com/wzgate.cgi?lang=EN&url=www.winzip.com/whyuninst.cgi&param=dsi%3D1273%26nid%3D-%26ver%3D21.5.12480.0%26bnc%3Dnkln&osbits=64&wzbits=64&x-at=nkln
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb17ef9758,0x7ffb17ef9768,0x7ffb17ef9778
  2⤵
  PID:4872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1812 --field-trial-handle=1880,i,16844801762465504146,10581305377405739974,131072 /prefetch:2
  2⤵
  PID:2256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1880,i,16844801762465504146,10581305377405739974,131072 /prefetch:8
  2⤵
  PID:4336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2176 --field-trial-handle=1880,i,16844801762465504146,10581305377405739974,131072 /prefetch:8
  2⤵
  PID:5040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3012 --field-trial-handle=1880,i,16844801762465504146,10581305377405739974,131072 /prefetch:1
  2⤵
  PID:1356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3028 --field-trial-handle=1880,i,16844801762465504146,10581305377405739974,131072 /prefetch:1
  2⤵
  PID:4220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4424 --field-trial-handle=1880,i,16844801762465504146,10581305377405739974,131072 /prefetch:1
  2⤵
  PID:3940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3356 --field-trial-handle=1880,i,16844801762465504146,10581305377405739974,131072 /prefetch:1
  2⤵
  PID:2924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 --field-trial-handle=1880,i,16844801762465504146,10581305377405739974,131072 /prefetch:8
  2⤵
  PID:1872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5592 --field-trial-handle=1880,i,16844801762465504146,10581305377405739974,131072 /prefetch:8
  2⤵
  PID:5032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5692 --field-trial-handle=1880,i,16844801762465504146,10581305377405739974,131072 /prefetch:8
  2⤵
  PID:4488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5692 --field-trial-handle=1880,i,16844801762465504146,10581305377405739974,131072 /prefetch:8
  2⤵
  PID:1988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 --field-trial-handle=1880,i,16844801762465504146,10581305377405739974,131072 /prefetch:8
  2⤵
  PID:4768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=984 --field-trial-handle=1880,i,16844801762465504146,10581305377405739974,131072 /prefetch:1
  2⤵
  PID:440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5220 --field-trial-handle=1880,i,16844801762465504146,10581305377405739974,131072 /prefetch:1
  2⤵
  PID:392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3428 --field-trial-handle=1880,i,16844801762465504146,10581305377405739974,131072 /prefetch:8
  2⤵
  PID:2212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5608 --field-trial-handle=1880,i,16844801762465504146,10581305377405739974,131072 /prefetch:8
  2⤵
  PID:4616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4776 --field-trial-handle=1880,i,16844801762465504146,10581305377405739974,131072 /prefetch:1
  2⤵
  PID:3388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5156 --field-trial-handle=1880,i,16844801762465504146,10581305377405739974,131072 /prefetch:1
  2⤵
  PID:4660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3328 --field-trial-handle=1880,i,16844801762465504146,10581305377405739974,131072 /prefetch:8
  2⤵
  PID:2564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5540 --field-trial-handle=1880,i,16844801762465504146,10581305377405739974,131072 /prefetch:8
  2⤵
  PID:1988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=5100 --field-trial-handle=1880,i,16844801762465504146,10581305377405739974,131072 /prefetch:1
  2⤵
  PID:4168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3356 --field-trial-handle=1880,i,16844801762465504146,10581305377405739974,131072 /prefetch:8
  2⤵
  PID:3972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5924 --field-trial-handle=1880,i,16844801762465504146,10581305377405739974,131072 /prefetch:8
  2⤵
  PID:4112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4916 --field-trial-handle=1880,i,16844801762465504146,10581305377405739974,131072 /prefetch:8
  2⤵
  PID:1460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6052 --field-trial-handle=1880,i,16844801762465504146,10581305377405739974,131072 /prefetch:8
  2⤵
  PID:1764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6000 --field-trial-handle=1880,i,16844801762465504146,10581305377405739974,131072 /prefetch:8
  2⤵
  PID:4560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5944 --field-trial-handle=1880,i,16844801762465504146,10581305377405739974,131072 /prefetch:8
  2⤵
  PID:4972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6164 --field-trial-handle=1880,i,16844801762465504146,10581305377405739974,131072 /prefetch:8
  2⤵
  PID:2704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4460 --field-trial-handle=1880,i,16844801762465504146,10581305377405739974,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3764

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:640

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
4a70ffad4e7670603624135fa8de7c29

SHA1
85a1d2ef890771ace18a932fc300326b578f05f4

SHA256
42d9094833af8afc79f1b74587cdf7fd9e87dadd487c00ccfcd38aae55701807

SHA512
0a76b18640d26ae84ce83e3f0b0e080ce84a3c33823c63df1b3d66aa66a1a41f9c1e7f226c838cf4d8422540654726af4b5c49095adbc37a7376d97e2bca0b60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
1b9ab60d5599ec5cac1330d6ba83b9be

SHA1
0bf2cb2c494531aa14dc8b8496eaf2e477d060b4

SHA256
0562d3f188dbba1e9d3dad6da747e7d36ab33e0e840a79464a391dd345dc8404

SHA512
fc9dcc74169145f2d42053708c480231be2a61ff1ec36f726e35659eb306738ba2560705c9e257aaf28beea7b93dc9c46e956464311ec5cffa8f0b5ae259f9de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
4929bcb7fe56baa8cbb03b023009cda4

SHA1
0a441d478732eb42e19215dceebbe272c1a63823

SHA256
23a4df3ef48a80c4ab52fb411c7370d3c8af1a5b3259824d0c7c3fcf5254d04a

SHA512
fb491a1428753a7cefa807a84d87e90cf79e1c20a33e4c626930b79e30a5ef4b451bd3cbc1697f7238cd31bace5a3cea1c32630427f09e756400f2de71368c83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
9f66afa668eb8e4669a09554ea0659e7

SHA1
705cb6f085749d915b9437436ac6095909cb3bcd

SHA256
e4543efbb4cb5aa961962ca7286020afa70a07a80a56e1f992d5ae29744cb01d

SHA512
444f78e896db90514b68b1223474cef82c86b59f65cbf2dd66a0283cc5981798dfaf896680f65b6cdef3626f07fe17f229510e1087d3322eeab1742c5eed690a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
05df886ab649fdece930c48d76223b83

SHA1
5f8e305021f032ead5ae9789549573ddaede2015

SHA256
aaacb512ca163f0e654e985cfa793df0de273de42a083921e0738d31242a9739

SHA512
d09b153211630cb49920a3d75676b5f05ecf49fbc0e885b9be6ae1098c9a60e9b82b64dd37801c791aa320f08305b389b0d843336c03e017ba567c62c54b68c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
49b28d855a0f0a4b4648443d9d8cc4e3

SHA1
04edc401f533afa5234be188dab6e0d0b98fdeb1

SHA256
534822d31d76028230e901a415500f8e3b3c4696c9d87cf73d5afb7ff83eb98d

SHA512
e86acc2ad8023a8feedb1dccbaa599d841d97164887742016f39075ce22530fb87b5b2b35d7219350a0afc80a9d46faa41d145e519b4340a0d71ab847b496b59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
45cc11ecdf755a945e372a9a11be7e7b

SHA1
f1be79bd89e9a12f90e9fc603a5acacc370778dd

SHA256
b1ccb06930c4b0a014205096fea53454671b26945e1349ed943df913cdf3c5a4

SHA512
ea448fc2df71e6b0324b688c1f43d52e17f1dea0fb821d2e65a449906bb1db772164b4f58a4cce44fd4b81b9656343eeba2995f807ba17380d6d4cc29bf16d7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
77d670547bc463a546882c8ff9c6096f

SHA1
aa43bb43fa9e5c7bd5cb2d734392ad86fbc4bb91

SHA256
65b76e7ec4839891b2842a1436a0c471f987e5dad1abf42fa025535503e23493

SHA512
77d4bb01105056326947b882aef7e4d11a270310f2a3e20e4e215427abbf2429ebfc6abf9e050858046716a10be5327978edefdb16ce1364d9c07b96a54d8f51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b5bce31d7d2b4db633795017848e6771

SHA1
725270c747f22d545455d282682cc40910929aed

SHA256
e0acf52cc2d0bc25e76b451ee513f6c96a609ba54a33de4f48b5586143b69de5

SHA512
e6cb8cbaa71e43af45ed31e0ac4b80f36e9f5cbbb1307e2413c4edf519f6094c6ae623e4d0cf88cfbf29e57aefb92b306e7f7ae8e8251aa330658c17a9869759

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
be8dc41918a5f35574e2dd2bec769913

SHA1
815f9a1b7a746f72884e7987cffc4c6b9de6a195

SHA256
354517a477c8a3ea39563f5cad1eb3e8e514d2d045b24abed4127a326619a015

SHA512
d4f34d1566e4d51f50b9eb5794a61bd304ede604a5d9afc5ab9cefd8069ffcb42a1ae2fdfe3f89ac0d1793fea9d3f61f51ed97c56d1a659b11849dde787a1745

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
e95d7797ab2f569626820ca312ba2ce7

SHA1
4fb9e6b37d99b02af1ce46259ccd0577d6750ab9

SHA256
08ad51bda0b85f20fbe43b93455148a800259c2452bdb7dd613129ae0b479fe0

SHA512
0cb9dd24475853151394a9a5b09734bda453f0bdcdbed683d8a6bc9876c7cdc9373a4f1165e025873cad91e93492e4c1817977d55816cb314ed90a22af3dd7ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
201KB

MD5
73de35aae422f14a5f04c4fc8f1e7043

SHA1
6ce7ea7bfc66e8c9dd564640dfc76c16f65a73f3

SHA256
98a756078fd7d3bdc78d1ff7864c4c74c2cea023c494a218dd441003d0e29d9b

SHA512
df26f73709f9ddbd7cfc2138c629819c8b87c803274ae9c20fddff6146d2156a5312a00d9ec8e0d255ed0c8dabe05716574bd82d663d98f8b2ad87f302072f49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
72KB

MD5
07782700e4a9191832379eabb4790aea

SHA1
dd8bbce6abb6aa8c47d51b694149d81e69691ab7

SHA256
454ecd2680d8286418e2273503a66be65df784c966ebc2fdbda31e95b246fa0c

SHA512
725fee9a7a73f0c910ebd6290c70a5fdfc36e57ec38fa0ac723a83c13ce02bb406f73a00d1042b152604ff0fa47288a9da353c719d85f200a7bae8baa3db9c0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
201KB

MD5
ea92acdd4a853422c1b8ea95aa10b656

SHA1
955696e9ebee1c86251025b01bff1357bf82f7a7

SHA256
0968159a440ac94ffa6a6ba21b42907d0804246fa005c51bb65df98a3415c7f3

SHA512
3b2bfb4e9cdc3bcbeb5a5fd6e1f27ea30ba588aa3a55b773e710aba9cc287864fef4eca3698bfd4563de8ee3d6e1045e7c34fe4fed7028b4e4e054c903ef4be6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
201KB

MD5
56722aee1d12e30fa4b24e4e61821f91

SHA1
d81638f80754db9d04e6c4319759807c75cf5240

SHA256
1a65085c6d8b3b8b2e4fe7529e76aa47c42b28e0b27803c27c0c330588d6bfe1

SHA512
ae288c26a551fd8abcdca5133a739118e1fc63fabae266a8925165743e2622373e7204e88949082b0afd7c63444c919bddfeadc3d82cdb2a9e3b37fbcf6f4ab6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
201KB

MD5
4da7e815a67967ee2f3d1e685ac31104

SHA1
37b4a45455adfbf5a7d1e227da248b4f1b88f722

SHA256
e9ed38d82446c81d18753ba5ff413291b9290505ae2b6b641a44d324d00254ca

SHA512
9127a2e3357dc0b66a455791b234ffc1a65cdf372280221bfe9c60f64b7f26fbc419c2dfe744bc5debadd746e8ec8f120613647ca633fe6b4c3c07feed36ad5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
110KB

MD5
ac71272832cc08c358361a8023605dd2

SHA1
e81343e16a8c34cea056d80fa4ba8fda8467d888

SHA256
85086af1ee42d2d31aa4b2ab3e64840201839b8ed6aa5c318be4cfd0002f549a

SHA512
a5550f4f912022f7ee94ec8eacd65ce003435719de38cb5e1fa93f1601962ac0712f0d672e4b2580c3c349685ab21a741355f9ff376bda1774c4340a9511abbb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57f9f0.TMP

Filesize
101KB

MD5
2a5b6d309cbe39df4c57b5c4c4448e9d

SHA1
2360f9f18390d29e760e8e1d674f26dc43e726d3

SHA256
6fe7d0351698c136658f71cb7b70e54bc5b67c0ded7ec01a2bbc17e638713ed4

SHA512
68a48a9dc81d1e798047e810c01995a4d3d7ed1cefffcbf4bc048c6cb13127b4619a9943823c5cfa6c3d4c765791bccfadfb1a616aea5d681c9b3adcf55e6bd0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\winzip27-uninstall.exe

Filesize
2.8MB

MD5
e54173efd4e5856548bf048a2a1390db

SHA1
81eacf91e773e939836dc3ed4ac769f52cb78f79

SHA256
9c49d7dfbe7eefca5ab06dd823e0e8ef69e69f29cd742896d5a61fe89e2c3b9b

SHA512
0b027917ddf4c01789c77be67de422766159658b1ec5af8fc1f6b5e52fbd7411dd71fc3290fb7682d303f1742ba4a6f62c0849a390f1b62b123456e01ec5d48b

Download Submit