f4fa70d77ab278eb01159e39eb1da4c0e231a958c15e13ee5ff695e1a4bf9e0a

Analysis

max time kernel
331s
max time network
505s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
24/05/2023, 05:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

RECIB_VNT-895.msi
Size

3.2MB
MD5

815cba7b075fee8259e422b541dfe370
SHA1

c1b6d78ca160e849524e2f94727f695dbe3630e1
SHA256

f0f4b15613e70b2a0f8e754647f67cd38b9f3e1c49a1fc98af69d016b56ece48
SHA512

ae56fc184fb31ac1b3821bf37da12cf8dc38e1ba909ba7fe503a06c99d55f24f5ca5cd380af163a2de8a1cb7f235c429700647a4651157cd74d342295387d13e
SSDEEP

49152:7zfauo8Jc1dkX3rqlu01QZN5viOfL5yPFpeHAkdQVgQnJiG2TT2e/g7jizoL5lai:etrAOP1WDjFyPzvkd6n1QTn/M0

Score

7^/10

upx

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
568	MsiExec.exe
568	MsiExec.exe
568	MsiExec.exe
556	MsiExec.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000001339d-73.dat	upx
behavioral1/files/0x000700000001339d-74.dat	upx
behavioral1/memory/556-75-0x0000000072970000-0x00000000732F5000-memory.dmp	upx

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\6c2c4f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2F7A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI316E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\6c2c51.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3A18.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3A87.tmp	msiexec.exe
File created	C:\Windows\Installer\6c2c4f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI321B.tmp	msiexec.exe
File created	C:\Windows\Installer\6c2c51.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
960	msiexec.exe
960	msiexec.exe
596	chrome.exe
596	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2024	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2024	msiexec.exe
Token: SeRestorePrivilege	960	msiexec.exe
Token: SeTakeOwnershipPrivilege	960	msiexec.exe
Token: SeSecurityPrivilege	960	msiexec.exe
Token: SeCreateTokenPrivilege	2024	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2024	msiexec.exe
Token: SeLockMemoryPrivilege	2024	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2024	msiexec.exe
Token: SeMachineAccountPrivilege	2024	msiexec.exe
Token: SeTcbPrivilege	2024	msiexec.exe
Token: SeSecurityPrivilege	2024	msiexec.exe
Token: SeTakeOwnershipPrivilege	2024	msiexec.exe
Token: SeLoadDriverPrivilege	2024	msiexec.exe
Token: SeSystemProfilePrivilege	2024	msiexec.exe
Token: SeSystemtimePrivilege	2024	msiexec.exe
Token: SeProfSingleProcessPrivilege	2024	msiexec.exe
Token: SeIncBasePriorityPrivilege	2024	msiexec.exe
Token: SeCreatePagefilePrivilege	2024	msiexec.exe
Token: SeCreatePermanentPrivilege	2024	msiexec.exe
Token: SeBackupPrivilege	2024	msiexec.exe
Token: SeRestorePrivilege	2024	msiexec.exe
Token: SeShutdownPrivilege	2024	msiexec.exe
Token: SeDebugPrivilege	2024	msiexec.exe
Token: SeAuditPrivilege	2024	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2024	msiexec.exe
Token: SeChangeNotifyPrivilege	2024	msiexec.exe
Token: SeRemoteShutdownPrivilege	2024	msiexec.exe
Token: SeUndockPrivilege	2024	msiexec.exe
Token: SeSyncAgentPrivilege	2024	msiexec.exe
Token: SeEnableDelegationPrivilege	2024	msiexec.exe
Token: SeManageVolumePrivilege	2024	msiexec.exe
Token: SeImpersonatePrivilege	2024	msiexec.exe
Token: SeCreateGlobalPrivilege	2024	msiexec.exe
Token: SeRestorePrivilege	960	msiexec.exe
Token: SeTakeOwnershipPrivilege	960	msiexec.exe
Token: SeRestorePrivilege	960	msiexec.exe
Token: SeTakeOwnershipPrivilege	960	msiexec.exe
Token: SeRestorePrivilege	960	msiexec.exe
Token: SeTakeOwnershipPrivilege	960	msiexec.exe
Token: SeRestorePrivilege	960	msiexec.exe
Token: SeTakeOwnershipPrivilege	960	msiexec.exe
Token: SeRestorePrivilege	960	msiexec.exe
Token: SeTakeOwnershipPrivilege	960	msiexec.exe
Token: SeRestorePrivilege	960	msiexec.exe
Token: SeTakeOwnershipPrivilege	960	msiexec.exe
Token: SeRestorePrivilege	960	msiexec.exe
Token: SeTakeOwnershipPrivilege	960	msiexec.exe
Token: SeRestorePrivilege	960	msiexec.exe
Token: SeTakeOwnershipPrivilege	960	msiexec.exe
Token: SeRestorePrivilege	960	msiexec.exe
Token: SeTakeOwnershipPrivilege	960	msiexec.exe
Token: 33	1712	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1712	AUDIODG.EXE
Token: 33	1712	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1712	AUDIODG.EXE
Token: SeShutdownPrivilege	596	chrome.exe
Token: SeShutdownPrivilege	596	chrome.exe
Token: SeShutdownPrivilege	596	chrome.exe
Token: SeShutdownPrivilege	596	chrome.exe
Token: SeShutdownPrivilege	596	chrome.exe
Token: SeShutdownPrivilege	596	chrome.exe
Token: SeShutdownPrivilege	596	chrome.exe
Token: SeShutdownPrivilege	596	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
2024	msiexec.exe
2024	msiexec.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe
596	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 568	960	msiexec.exe	28
PID 960 wrote to memory of 568	960	msiexec.exe	28
PID 960 wrote to memory of 568	960	msiexec.exe	28
PID 960 wrote to memory of 568	960	msiexec.exe	28
PID 960 wrote to memory of 568	960	msiexec.exe	28
PID 960 wrote to memory of 568	960	msiexec.exe	28
PID 960 wrote to memory of 568	960	msiexec.exe	28
PID 960 wrote to memory of 556	960	msiexec.exe	29
PID 960 wrote to memory of 556	960	msiexec.exe	29
PID 960 wrote to memory of 556	960	msiexec.exe	29
PID 960 wrote to memory of 556	960	msiexec.exe	29
PID 960 wrote to memory of 556	960	msiexec.exe	29
PID 596 wrote to memory of 520	596	chrome.exe	34
PID 596 wrote to memory of 520	596	chrome.exe	34
PID 596 wrote to memory of 520	596	chrome.exe	34
PID 596 wrote to memory of 1072	596	chrome.exe	36
PID 596 wrote to memory of 1072	596	chrome.exe	36
PID 596 wrote to memory of 1072	596	chrome.exe	36
PID 596 wrote to memory of 1072	596	chrome.exe	36
PID 596 wrote to memory of 1072	596	chrome.exe	36
PID 596 wrote to memory of 1072	596	chrome.exe	36
PID 596 wrote to memory of 1072	596	chrome.exe	36
PID 596 wrote to memory of 1072	596	chrome.exe	36
PID 596 wrote to memory of 1072	596	chrome.exe	36
PID 596 wrote to memory of 1072	596	chrome.exe	36
PID 596 wrote to memory of 1072	596	chrome.exe	36
PID 596 wrote to memory of 1072	596	chrome.exe	36
PID 596 wrote to memory of 1072	596	chrome.exe	36
PID 596 wrote to memory of 1072	596	chrome.exe	36
PID 596 wrote to memory of 1072	596	chrome.exe	36
PID 596 wrote to memory of 1072	596	chrome.exe	36
PID 596 wrote to memory of 1072	596	chrome.exe	36
PID 596 wrote to memory of 1072	596	chrome.exe	36
PID 596 wrote to memory of 1072	596	chrome.exe	36
PID 596 wrote to memory of 1072	596	chrome.exe	36
PID 596 wrote to memory of 1072	596	chrome.exe	36
PID 596 wrote to memory of 1072	596	chrome.exe	36
PID 596 wrote to memory of 1072	596	chrome.exe	36
PID 596 wrote to memory of 1072	596	chrome.exe	36
PID 596 wrote to memory of 1072	596	chrome.exe	36
PID 596 wrote to memory of 1072	596	chrome.exe	36
PID 596 wrote to memory of 1072	596	chrome.exe	36
PID 596 wrote to memory of 1072	596	chrome.exe	36
PID 596 wrote to memory of 1072	596	chrome.exe	36
PID 596 wrote to memory of 1072	596	chrome.exe	36
PID 596 wrote to memory of 1072	596	chrome.exe	36
PID 596 wrote to memory of 1072	596	chrome.exe	36
PID 596 wrote to memory of 1072	596	chrome.exe	36
PID 596 wrote to memory of 1072	596	chrome.exe	36
PID 596 wrote to memory of 1072	596	chrome.exe	36
PID 596 wrote to memory of 1072	596	chrome.exe	36
PID 596 wrote to memory of 1072	596	chrome.exe	36
PID 596 wrote to memory of 1072	596	chrome.exe	36
PID 596 wrote to memory of 1072	596	chrome.exe	36
PID 596 wrote to memory of 2024	596	chrome.exe	37
PID 596 wrote to memory of 2024	596	chrome.exe	37
PID 596 wrote to memory of 2024	596	chrome.exe	37
PID 596 wrote to memory of 1156	596	chrome.exe	38
PID 596 wrote to memory of 1156	596	chrome.exe	38
PID 596 wrote to memory of 1156	596	chrome.exe	38
PID 596 wrote to memory of 1156	596	chrome.exe	38
PID 596 wrote to memory of 1156	596	chrome.exe	38
PID 596 wrote to memory of 1156	596	chrome.exe	38
PID 596 wrote to memory of 1156	596	chrome.exe	38

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\RECIB_VNT-895.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2024

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:960
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A8C05F4954241BB79F91510EA7B2A7AA
  2⤵
  - Loads dropped DLL
  PID:568
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding CEDF6EA481630FDCDC4231D829D0D9B6
  2⤵
  - Loads dropped DLL
  PID:556

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1064

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x188
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5d69758,0x7fef5d69768,0x7fef5d69778
  2⤵
  PID:520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1224 --field-trial-handle=1300,i,11950374855360898409,3922845982857713399,131072 /prefetch:2
  2⤵
  PID:1072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1512 --field-trial-handle=1300,i,11950374855360898409,3922845982857713399,131072 /prefetch:8
  2⤵
  PID:2024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1620 --field-trial-handle=1300,i,11950374855360898409,3922845982857713399,131072 /prefetch:8
  2⤵
  PID:1156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2300 --field-trial-handle=1300,i,11950374855360898409,3922845982857713399,131072 /prefetch:1
  2⤵
  PID:1012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2324 --field-trial-handle=1300,i,11950374855360898409,3922845982857713399,131072 /prefetch:1
  2⤵
  PID:592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1452 --field-trial-handle=1300,i,11950374855360898409,3922845982857713399,131072 /prefetch:2
  2⤵
  PID:2224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2172 --field-trial-handle=1300,i,11950374855360898409,3922845982857713399,131072 /prefetch:1
  2⤵
  PID:2320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3944 --field-trial-handle=1300,i,11950374855360898409,3922845982857713399,131072 /prefetch:8
  2⤵
  PID:2368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3952 --field-trial-handle=1300,i,11950374855360898409,3922845982857713399,131072 /prefetch:8
  2⤵
  PID:2376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4036 --field-trial-handle=1300,i,11950374855360898409,3922845982857713399,131072 /prefetch:1
  2⤵
  PID:2528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3936 --field-trial-handle=1300,i,11950374855360898409,3922845982857713399,131072 /prefetch:8
  2⤵
  PID:2556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4460 --field-trial-handle=1300,i,11950374855360898409,3922845982857713399,131072 /prefetch:8
  2⤵
  PID:2876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=1960 --field-trial-handle=1300,i,11950374855360898409,3922845982857713399,131072 /prefetch:1
  2⤵
  PID:2980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2780 --field-trial-handle=1300,i,11950374855360898409,3922845982857713399,131072 /prefetch:1
  2⤵
  PID:2548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3968 --field-trial-handle=1300,i,11950374855360898409,3922845982857713399,131072 /prefetch:1
  2⤵
  PID:952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=2292 --field-trial-handle=1300,i,11950374855360898409,3922845982857713399,131072 /prefetch:1
  2⤵
  PID:1748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=2788 --field-trial-handle=1300,i,11950374855360898409,3922845982857713399,131072 /prefetch:1
  2⤵
  PID:2120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=2408 --field-trial-handle=1300,i,11950374855360898409,3922845982857713399,131072 /prefetch:1
  2⤵
  PID:2388

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1080

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:3012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\6c2c52.rbs

Filesize
559B

MD5
2b6e7a25b4235a06b91a51a425f39ff0

SHA1
5ac71434f08c239c2c3be7f40cb1f90c04e4a305

SHA256
678da1f45f791e76ac41c7db3a562bada7c921e345a825ea9c39b969ff67b985

SHA512
41cc365fce25a195deb1e59ea8811feab7236ea68b21c2cfae54a53c4c0e5ff235b10cb8b5826505449cc75fe0ae178cb9100600edc4440777785a7764e5a81b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d9ea7bca664b02136a67c0bfed5dc7b3

SHA1
d9ef2353dee56e47aa24d6d2b03124ef42a4b371

SHA256
01375463f3ed106d3ee37905850fd25d5ffc1369b8a408d9337e7d8adb39c7cf

SHA512
db2ad5730456eed2143807e084539e2966d34ad9ce3ac2694a79e8b1b1a9e21e3c6a83d47f3598fc96302dc2d1b163755c2c8ad8f03c3526449ff167c37c8d25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000d

Filesize
37KB

MD5
5b0c0d429185ff30e04c93f67116d98f

SHA1
8eb3286fe16a5bee5a0164b131bc534fd131f250

SHA256
f1a0b957050b529afc0e94c436976326124ed8968183859c413986487623294d

SHA512
6295bcd662325172b15c476d26f23c8794c4f1454e0e8cfd43bca79b45aa03e1ae721ebdada1c52fe7699027fa97699156280ff259ce3cc476e322ccc0337902

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
2c027c5aa8fdc70221e69fcb156c38c4

SHA1
0ba2e66f381fd1ffc3759a2dba8ba3310883804e

SHA256
8c7954b547f4f66c77855990ad20c9e6e8755e66504e798a7fede34d4b0135ff

SHA512
4c92fb31ccbf4ed12a0ec934ff4a47894a78a8b9a12427f5d3af9d1d67460968f3119703d65c7c3df029b42b8618d8161f1cbe3b5051fd4ed21b5e57c2baaf60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
838275a842dca88979ed7cab13ddefd8

SHA1
bcff67c576b7efff4815afaccbc1f1558193a92d

SHA256
ad3c95db99d05948cf0959cfd5f72e234044b232f7c687ecfbebcda0ab5d1633

SHA512
73352f9c14bd3e67b0d650edec63800e321dfa8169224ea513ca3820e37aedf985fdea5995ac7a48e0a6cf8cce900354fdeb892a7a6c86da6875d8c643597ca8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\CURRENT~RF710742.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
67b1dac4e3bdf14f44eed3001390c1e2

SHA1
e16754c46ebd5fa10fdc63258649b8571425669d

SHA256
2dbad358bd626b5f9e8533faaabccc15c8545d3531c4a92714c866d4ed3d6547

SHA512
ee04037f51f1ba4d14381bd4e3afcf2a5c6e45e8ecf428fff8fc5df8c421a12ff8774a7b92a79cc637bf5ffa5c8c4db39b58e5b2c04b659e302c2857ca65160b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
5dc120ba2e841f9cd6a5199ad1022f97

SHA1
83c6bf4b29357eaee9f8dea8ff34270fe90c56ba

SHA256
fa9eec6779b4f31d9d7c12ff60bdf9f9c88c68938eed548ddb63ca222cfad706

SHA512
48db8a95493348610fd52ef1ac46ce3d30c6bf8b2ec2c2b76b664e4bc8846ecbc9a901cb5618d3e927fd0044795a6c142afd4f3e5b2f824b592a0bcb8e479385

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
691B

MD5
beb5f0231462e03bebaf2b801a9318af

SHA1
e0bfa91dd5f29789b088930fcf063f7fd5515588

SHA256
e15d470a6bad67de0c48bddf145720003cea1da27aa4fc6a5b95d35c2224167e

SHA512
32b9f2542eaded682b1bd865c750aa520fab9598ae95d5e0dbbebe1a87e02a32972bfa779cc2ba0c06d98eb6ca198a6c5d46a9b80bd02bfec9aa08759c40908b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
527B

MD5
6f8314b1ef5f4e2b9c65c3051d157ff8

SHA1
16549985777488eb3a6d1e489abd34cc4e10f2ea

SHA256
a626c249d289933a5a02f296642bbfd0903e928cfd45ecdecf7ee9df855efff2

SHA512
012cc00c7301940894b750d63fe1e01c085311ec6b6f96464baaeecbcb9f1c5e5d4842050b08760bbbcd899af538cb33e980b50f9c1007684507c582e458d576

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
44393e87ce31ae8a165536cc45a03411

SHA1
c9da25ad45417c33f1d0717ae437906b99be7fce

SHA256
5fe7b7ac01d623f2a4fd971463733fdbd70152b9c561eee793c70300891657ec

SHA512
87f25bbefdf015a05f613fbee6ab6c977a26bd9dc76058bcd44ba8f21c1567772f24c868ddbe8be6b12317d6f497f82b2f9922b03ed5c7b41961459ebdac6a97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
c467d06146a7f74f84e07a1032baae2b

SHA1
cfb351ed3faeb290da9a2459d563300d6a00d8e6

SHA256
be14f9672eaa612113b507526261d5a0cf3313e8bc4bd3ce5c69d6c8577b4e49

SHA512
6525260fffe67f8ec9d01fcb243448da7dd373f1a9c1dba35c696705f2f1f8bfd28b073a4b42e1010735d1417dded28184159623b9a51413dd6589e7d67b7b2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
8399ef8d4481e970c89477d7ee7ece43

SHA1
7c8c32ad48329dc9de81ff2f52a2ee63e82fb426

SHA256
4afa5df467c83457a725a7b4b084177824771de7ba7811f19a8f8d8556b45820

SHA512
3844f09a304be323af1d073c95faf11e624417a51668ae4bd3fd126970d27b0a6e4f996874e796c85c9668c680985a47ca00508158a3444335c7d701eadc4bf0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
209ae45f834fa890c8913095df6651ae

SHA1
e909b833e90cd91a64c5a9132bb5979ab0738f14

SHA256
79debfc7ccb9c1e5d90682f6ac6ecc594fe7901c6c7aadf0439629c47351f763

SHA512
8858b4d6be0723bfc6567ee0c824da0896626a9a5b937c0846d0b871177e14dc806dfaca412910e4a7c2a71e49db774b5aae4eed31518564725d580746d8e27d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\a30d7d6a-67a6-44e7-b7b4-d6bd47748d61.tmp

Filesize
5KB

MD5
8de5e7ff0f6225d362212960e9963a49

SHA1
cf0c5f06916b54adcd6db1c42f934e2164e5baa7

SHA256
e5f590b68893446b4877bff9941ec3cc2e648cc945376b2d9e7b0896530a9ed0

SHA512
a279469fb376760f449fe4a8bf6639dd03e557696fb953d0af3ab81af0526e0bef4463fdd3c27fc483da7a27707dcd509e98db39df782d8503ee9763527d9070

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab33C0.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3444.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Windows\Installer\MSI2F7A.tmp

Filesize
554KB

MD5
3b171ce087bb799aafcbbd93bab27f71

SHA1
7bd69efbc7797bdff5510830ca2cc817c8b86d08

SHA256
bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

SHA512
7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Download Submit
C:\Windows\Installer\MSI316E.tmp

Filesize
554KB

MD5
3b171ce087bb799aafcbbd93bab27f71

SHA1
7bd69efbc7797bdff5510830ca2cc817c8b86d08

SHA256
bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

SHA512
7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Download Submit
C:\Windows\Installer\MSI321B.tmp

Filesize
554KB

MD5
3b171ce087bb799aafcbbd93bab27f71

SHA1
7bd69efbc7797bdff5510830ca2cc817c8b86d08

SHA256
bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

SHA512
7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Download Submit
C:\Windows\Installer\MSI321B.tmp

Filesize
554KB

MD5
3b171ce087bb799aafcbbd93bab27f71

SHA1
7bd69efbc7797bdff5510830ca2cc817c8b86d08

SHA256
bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

SHA512
7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Download Submit
C:\Windows\Installer\MSI3A87.tmp

Filesize
2.2MB

MD5
85c345e8c8f651490ee12b84f639e88d

SHA1
4ffefe1585ba65cd1e5d9c8a1c5b2e01f02e74b4

SHA256
eaaa54dfde8ebeac59b260fc49e154be5570e0a48174666151bd1a9b3ee375c8

SHA512
787c82b4192c9b72b712baf3552036837de4f418bed65190fc2329d7a09f37ecaf5b6b3d0b1406c6de938ae49c08eab845081b4381b73328cbe7b7ed879139e6

Download Submit
\Windows\Installer\MSI2F7A.tmp

Filesize
554KB

MD5
3b171ce087bb799aafcbbd93bab27f71

SHA1
7bd69efbc7797bdff5510830ca2cc817c8b86d08

SHA256
bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

SHA512
7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Download Submit
\Windows\Installer\MSI316E.tmp

Filesize
554KB

MD5
3b171ce087bb799aafcbbd93bab27f71

SHA1
7bd69efbc7797bdff5510830ca2cc817c8b86d08

SHA256
bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

SHA512
7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Download Submit
\Windows\Installer\MSI321B.tmp

Filesize
554KB

MD5
3b171ce087bb799aafcbbd93bab27f71

SHA1
7bd69efbc7797bdff5510830ca2cc817c8b86d08

SHA256
bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

SHA512
7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

Download Submit
\Windows\Installer\MSI3A87.tmp

Filesize
2.2MB

MD5
85c345e8c8f651490ee12b84f639e88d

SHA1
4ffefe1585ba65cd1e5d9c8a1c5b2e01f02e74b4

SHA256
eaaa54dfde8ebeac59b260fc49e154be5570e0a48174666151bd1a9b3ee375c8

SHA512
787c82b4192c9b72b712baf3552036837de4f418bed65190fc2329d7a09f37ecaf5b6b3d0b1406c6de938ae49c08eab845081b4381b73328cbe7b7ed879139e6

Download Submit
memory/556-75-0x0000000072970000-0x00000000732F5000-memory.dmp

Filesize
9.5MB

Download