7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33

Analysis

max time kernel
100s
max time network
103s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
27/05/2023, 04:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe
Size

112KB
MD5

24781c1e54454da853bef89a12b65975
SHA1

af8c5e592f28b6e017c38303a984cc4be5ff85ab
SHA256

7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33
SHA512

6e087498aed8ad8c197ad85580ad821df27ca4b6d42a4b4618499135290477401fea9accf792a850b4e92a99226867cb83d3f5d3be1d71afab5a0d6bf497a459
SSDEEP

3072:S1HEqBlf7xpQgWqpbE8K2I/ojRR6o55G5+8uHFbN:AHEqBlfVpQgWgbE8KMn6o55G5+XN

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2032	chrome.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1948 set thread context of 556	1948	7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe	28

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
1948	7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe
1948	7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe
1948	7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe
1948	7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe
1948	7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe
1948	7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe
1948	7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe
1948	7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe
1948	7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe
1948	7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe
1948	7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe
1948	7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe
1948	7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe
1948	7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe
1948	7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe
1948	7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe
1948	7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe
1948	7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe
1948	7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe
1948	7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe
1948	7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe
1948	7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe
1948	7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe
1948	7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe
1948	7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe
1948	7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe
1948	7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe
1948	7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe
1948	7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe
1948	7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe
1948	7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe
1948	7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe
1948	7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe
1948	7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe
1948	7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe
2032	chrome.exe
2032	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1948	7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe
Token: SeDebugPrivilege	556	7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe
Token: SeShutdownPrivilege	2032	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
556	7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe
2032	chrome.exe
2032	chrome.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
556	7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2032	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 556	1948	7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe	28
PID 1948 wrote to memory of 556	1948	7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe	28
PID 1948 wrote to memory of 556	1948	7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe	28
PID 1948 wrote to memory of 556	1948	7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe	28
PID 1948 wrote to memory of 556	1948	7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe	28
PID 1948 wrote to memory of 556	1948	7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe	28
PID 1948 wrote to memory of 556	1948	7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe	28
PID 1948 wrote to memory of 556	1948	7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe	28
PID 1948 wrote to memory of 556	1948	7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe	28
PID 1948 wrote to memory of 556	1948	7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe	28
PID 2032 wrote to memory of 1160	2032	chrome.exe	30
PID 2032 wrote to memory of 1160	2032	chrome.exe	30
PID 2032 wrote to memory of 1160	2032	chrome.exe	30
PID 2032 wrote to memory of 1868	2032	chrome.exe	32
PID 2032 wrote to memory of 1868	2032	chrome.exe	32
PID 2032 wrote to memory of 1868	2032	chrome.exe	32
PID 2032 wrote to memory of 1868	2032	chrome.exe	32
PID 2032 wrote to memory of 1868	2032	chrome.exe	32
PID 2032 wrote to memory of 1868	2032	chrome.exe	32
PID 2032 wrote to memory of 1868	2032	chrome.exe	32
PID 2032 wrote to memory of 1868	2032	chrome.exe	32
PID 2032 wrote to memory of 1868	2032	chrome.exe	32
PID 2032 wrote to memory of 1868	2032	chrome.exe	32
PID 2032 wrote to memory of 1868	2032	chrome.exe	32
PID 2032 wrote to memory of 1868	2032	chrome.exe	32
PID 2032 wrote to memory of 1868	2032	chrome.exe	32
PID 2032 wrote to memory of 1868	2032	chrome.exe	32
PID 2032 wrote to memory of 1868	2032	chrome.exe	32
PID 2032 wrote to memory of 1868	2032	chrome.exe	32
PID 2032 wrote to memory of 1868	2032	chrome.exe	32
PID 2032 wrote to memory of 1868	2032	chrome.exe	32
PID 2032 wrote to memory of 1868	2032	chrome.exe	32
PID 2032 wrote to memory of 1868	2032	chrome.exe	32
PID 2032 wrote to memory of 1868	2032	chrome.exe	32
PID 2032 wrote to memory of 1868	2032	chrome.exe	32
PID 2032 wrote to memory of 1868	2032	chrome.exe	32
PID 2032 wrote to memory of 1868	2032	chrome.exe	32
PID 2032 wrote to memory of 1868	2032	chrome.exe	32
PID 2032 wrote to memory of 1868	2032	chrome.exe	32
PID 2032 wrote to memory of 1868	2032	chrome.exe	32
PID 2032 wrote to memory of 1868	2032	chrome.exe	32
PID 2032 wrote to memory of 1868	2032	chrome.exe	32
PID 2032 wrote to memory of 1868	2032	chrome.exe	32
PID 2032 wrote to memory of 1868	2032	chrome.exe	32
PID 2032 wrote to memory of 1868	2032	chrome.exe	32
PID 2032 wrote to memory of 1868	2032	chrome.exe	32
PID 2032 wrote to memory of 1868	2032	chrome.exe	32
PID 2032 wrote to memory of 1868	2032	chrome.exe	32
PID 2032 wrote to memory of 1868	2032	chrome.exe	32
PID 2032 wrote to memory of 1868	2032	chrome.exe	32
PID 2032 wrote to memory of 1868	2032	chrome.exe	32
PID 2032 wrote to memory of 1868	2032	chrome.exe	32
PID 2032 wrote to memory of 112	2032	chrome.exe	33
PID 2032 wrote to memory of 112	2032	chrome.exe	33
PID 2032 wrote to memory of 112	2032	chrome.exe	33
PID 2032 wrote to memory of 1104	2032	chrome.exe	34
PID 2032 wrote to memory of 1104	2032	chrome.exe	34
PID 2032 wrote to memory of 1104	2032	chrome.exe	34
PID 2032 wrote to memory of 1104	2032	chrome.exe	34
PID 2032 wrote to memory of 1104	2032	chrome.exe	34
PID 2032 wrote to memory of 1104	2032	chrome.exe	34
PID 2032 wrote to memory of 1104	2032	chrome.exe	34
PID 2032 wrote to memory of 1104	2032	chrome.exe	34
PID 2032 wrote to memory of 1104	2032	chrome.exe	34

C:\Users\Admin\AppData\Local\Temp\7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe
"C:\Users\Admin\AppData\Local\Temp\7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Users\Admin\AppData\Local\Temp\7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe
  C:\Users\Admin\AppData\Local\Temp\7f0298fe79b3d4ea8293eceac1555ee8abeabbfca24d39fac5447ac0e1448c33.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:556

C:\Program Files\Google\Chrome\Application\chrome.exe
"chrome.exe" --no-first-run --no-default-browser-check --noerrdialogs --disable-crash-reporter --disable-backgrounding-occluded-windows --disable-background-timer-throttling --disable-extensions-http-throttling --disable-renderer-backgrounding --disable-audio-output --silent-launch --restore-last-session --elevated --ran-launcher --profile-directory="Default"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7ae9758,0x7fef7ae9768,0x7fef7ae9778
  2⤵
  PID:1160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --noerrdialogs --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1168 --field-trial-handle=1212,i,14027982270508656165,14496119125873156901,131072 /prefetch:2
  2⤵
  PID:1868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-audio-output --noerrdialogs --mojo-platform-channel-handle=1520 --field-trial-handle=1212,i,14027982270508656165,14496119125873156901,131072 /prefetch:8
  2⤵
  PID:112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --disable-audio-output --noerrdialogs --mojo-platform-channel-handle=1636 --field-trial-handle=1212,i,14027982270508656165,14496119125873156901,131072 /prefetch:8
  2⤵
  PID:1104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --disable-audio-output --noerrdialogs --mojo-platform-channel-handle=2784 --field-trial-handle=1212,i,14027982270508656165,14496119125873156901,131072 /prefetch:8
  2⤵
  PID:528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-extensions-http-throttling --disable-background-timer-throttling --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2452 --field-trial-handle=1212,i,14027982270508656165,14496119125873156901,131072 /prefetch:1
  2⤵
  PID:916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-extensions-http-throttling --first-renderer-process --disable-background-timer-throttling --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2444 --field-trial-handle=1212,i,14027982270508656165,14496119125873156901,131072 /prefetch:1
  2⤵
  PID:1728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-audio-output --noerrdialogs --mojo-platform-channel-handle=2952 --field-trial-handle=1212,i,14027982270508656165,14496119125873156901,131072 /prefetch:8
  2⤵
  PID:2064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --disable-audio-output --noerrdialogs --mojo-platform-channel-handle=3148 --field-trial-handle=1212,i,14027982270508656165,14496119125873156901,131072 /prefetch:8
  2⤵
  PID:2132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-audio-output --noerrdialogs --mojo-platform-channel-handle=3420 --field-trial-handle=1212,i,14027982270508656165,14496119125873156901,131072 /prefetch:8
  2⤵
  PID:2336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --noerrdialogs --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3540 --field-trial-handle=1212,i,14027982270508656165,14496119125873156901,131072 /prefetch:2
  2⤵
  PID:2568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --noerrdialogs --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=3540 --field-trial-handle=1212,i,14027982270508656165,14496119125873156901,131072 /prefetch:2
  2⤵
  PID:2684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-extensions-http-throttling --disable-background-timer-throttling --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3732 --field-trial-handle=1212,i,14027982270508656165,14496119125873156901,131072 /prefetch:1
  2⤵
  PID:2768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-audio-output --noerrdialogs --mojo-platform-channel-handle=3940 --field-trial-handle=1212,i,14027982270508656165,14496119125873156901,131072 /prefetch:8
  2⤵
  PID:2840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-audio-output --noerrdialogs --mojo-platform-channel-handle=4108 --field-trial-handle=1212,i,14027982270508656165,14496119125873156901,131072 /prefetch:8
  2⤵
  PID:2848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-extensions-http-throttling --disable-background-timer-throttling --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4124 --field-trial-handle=1212,i,14027982270508656165,14496119125873156901,131072 /prefetch:1
  2⤵
  PID:2952

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\1928007b-1034-4f41-bc32-f5f95816e670.tmp

Filesize
153KB

MD5
9be5a9f2ee27007e53c01cbd3523e1f2

SHA1
3b2e36c8582f72a3f2a8f7e6db1aabff1c3d8d39

SHA256
c838675851cb40fcc530b5de39c0256d3409dfe6cbdaef52ead3990ceefb2aef

SHA512
5ed4dec01f1f4b62be1acc95d40013949b7c2b91347e7c2dcd8055645cbfde5273868460ebe52a581b0bd58c74b75d1c225913b856441831d2caae97a27091b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\1fbbdf33-c63b-4dc0-b4e9-f1c8fccdb4cd.tmp

Filesize
4KB

MD5
c8c998edefdaa99eebfbf033cdf6c399

SHA1
b32148efcf729877a9080ed8eba48332d506143a

SHA256
95aa3d4ef15a16b81937181f782b732032195c7586b56a9310f8b7cb0f93c63f

SHA512
36cc77ef8f4913fd567bcc1581d1f734d84f4c6516dc5d0902147b33d364e0634dfee4fd5d6780c5e3e207d483434efa6c892f9b1097220003f630bb9a72a6cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\CURRENT~RF6d8da0.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
19aa00badc70d8ed501a95e5809edc07

SHA1
5fee9418821b3788bf9087186e3ed71900fa7df3

SHA256
d43991303ad94a7f0337b887dbd62d7b005a7a4d3a37a14fbd5519f1a38795f5

SHA512
347fb6f987128d7b9313e6a84c3a64fe441d638481a41845cad773f3a4893a6393ea7b4f6a7bf3e47a033fc0cb6c6859feaa669cf9f395b5fbed26eeac3365fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
be267d49f5eb87924a94d04347a3d7bc

SHA1
213d57882b8f966417e501158846306c1ee427ae

SHA256
42afcfc920e317856a242003150c22eac03c1338ff32c83942393a98309cc519

SHA512
3ed82294ccafad783c3d19ec5785dee09dd2f17cdcca7b1393d9a515607a228e44b77c10dbfcb5eae903d6ef79769637645cb7cd2a1e8ecdd218754aae7010ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
153KB

MD5
5c6021b838e2ebd28ac00d63935ce7a9

SHA1
64365141c1d8e6fbfa54ec5872fa453f2ad311df

SHA256
357ac3d49c591ddeb0a17643f25c6f79b4628d9a70b0fbf4f7ee8af451cb68b3

SHA512
0caa7a35c1199128168f5cb2d976f318252daf6d34d5476e8e0ced8ba7bdc17b615c89b59347778994d17dfdb6d8486b77fb4067fbd02d8ce03b331cd424f225

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2032_1050970406\tmp7912.tmp

Filesize
401KB

MD5
e0b6e6dbfef3335d54ecb1f68a4dafb3

SHA1
8a8c2c4985a1758612f70c5f6558dcd82fc6264c

SHA256
b04a8274a9de2e065193456478694d28eee38bad271c97a90d8d45a2cf77fe18

SHA512
75605c2858104a9f287c6c5f5ef2290fc49cf49bfa65ee20aa035105a86a534bc45e3efd423cecb21371a07c3f723b05ea4c68f401e4f2b9b20a1983b7601cb0

Download Submit
memory/556-60-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/556-64-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/556-62-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/556-67-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/556-68-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/556-70-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/556-71-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/556-66-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/556-63-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/556-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/556-61-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1948-54-0x0000000000F10000-0x0000000000F2E000-memory.dmp

Filesize
120KB

Download
memory/1948-59-0x0000000000490000-0x0000000000522000-memory.dmp

Filesize
584KB

Download
memory/1948-58-0x0000000008610000-0x00000000086A0000-memory.dmp

Filesize
576KB

Download
memory/1948-57-0x000000000BD80000-0x000000000C0A4000-memory.dmp

Filesize
3.1MB

Download
memory/1948-56-0x00000000005E0000-0x0000000000620000-memory.dmp

Filesize
256KB

Download
memory/1948-55-0x0000000000540000-0x0000000000546000-memory.dmp

Filesize
24KB

Download