33b345ff12a23eb79820925c0a354cf6f5a9b1ab2e2c575fc8638643d5295380

Resubmissions

05/06/2023, 18:46

230605-xe5nbaab79 6

05/06/2023, 17:14

230605-vr22vaad5x 6

05/06/2023, 16:55

230605-ve7fsshg22 6

05/06/2023, 14:41

230605-r2gl4sha99 3

Analysis

max time kernel
1800s
max time network
1723s
platform
windows10-2004_x64
resource
win10v2004-20230220-es
resource tags

arch:x64arch:x86image:win10v2004-20230220-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
05/06/2023, 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

COMUNICADO2007020-20202220-20REACTIVACIC393N20DEL20SERVICIO20GMAIL20.pdf
Size

234KB
MD5

73fe1b2a285f9a2dabd8b24f2621673e
SHA1

fa24a3dcb6c3f9d40ea1a6920de4bc5c0257309d
SHA256

33b345ff12a23eb79820925c0a354cf6f5a9b1ab2e2c575fc8638643d5295380
SHA512

973c9a157e89b8e677e75344cbd7c9c072f4f8fc95f44799659114c4328efea1785fc9ad1e376e6fb6a59e96531e94bfb377a95b38c7ec5fbed3b9c435b7e0e4
SSDEEP

6144:aRYzUILFj3qDusW/BgJOawK2zNxsT9G/v2C2JS:SYzhFj6D6CwZzN4MeC2JS

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133304497188883603"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4238149048-355649189-894321705-1000\{7FDD111E-C377-4E82-8AE1-A1ADDBDC00CD}	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1392	chrome.exe
1392	chrome.exe
3340	chrome.exe
3340	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe
Token: SeShutdownPrivilege	1392	chrome.exe
Token: SeCreatePagefilePrivilege	1392	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
2636	AcroRd32.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe
1392	chrome.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2636	AcroRd32.exe
2636	AcroRd32.exe
2636	AcroRd32.exe
2636	AcroRd32.exe
2636	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 4248	2636	AcroRd32.exe	82
PID 2636 wrote to memory of 4248	2636	AcroRd32.exe	82
PID 2636 wrote to memory of 4248	2636	AcroRd32.exe	82
PID 4248 wrote to memory of 2484	4248	RdrCEF.exe	83
PID 4248 wrote to memory of 2484	4248	RdrCEF.exe	83
PID 4248 wrote to memory of 2484	4248	RdrCEF.exe	83
PID 4248 wrote to memory of 2484	4248	RdrCEF.exe	83
PID 4248 wrote to memory of 2484	4248	RdrCEF.exe	83
PID 4248 wrote to memory of 2484	4248	RdrCEF.exe	83
PID 4248 wrote to memory of 2484	4248	RdrCEF.exe	83
PID 4248 wrote to memory of 2484	4248	RdrCEF.exe	83
PID 4248 wrote to memory of 2484	4248	RdrCEF.exe	83
PID 4248 wrote to memory of 2484	4248	RdrCEF.exe	83
PID 4248 wrote to memory of 2484	4248	RdrCEF.exe	83
PID 4248 wrote to memory of 2484	4248	RdrCEF.exe	83
PID 4248 wrote to memory of 2484	4248	RdrCEF.exe	83
PID 4248 wrote to memory of 2484	4248	RdrCEF.exe	83
PID 4248 wrote to memory of 2484	4248	RdrCEF.exe	83
PID 4248 wrote to memory of 2484	4248	RdrCEF.exe	83
PID 4248 wrote to memory of 2484	4248	RdrCEF.exe	83
PID 4248 wrote to memory of 2484	4248	RdrCEF.exe	83
PID 4248 wrote to memory of 2484	4248	RdrCEF.exe	83
PID 4248 wrote to memory of 2484	4248	RdrCEF.exe	83
PID 4248 wrote to memory of 2484	4248	RdrCEF.exe	83
PID 4248 wrote to memory of 2484	4248	RdrCEF.exe	83
PID 4248 wrote to memory of 2484	4248	RdrCEF.exe	83
PID 4248 wrote to memory of 2484	4248	RdrCEF.exe	83
PID 4248 wrote to memory of 2484	4248	RdrCEF.exe	83
PID 4248 wrote to memory of 2484	4248	RdrCEF.exe	83
PID 4248 wrote to memory of 2484	4248	RdrCEF.exe	83
PID 4248 wrote to memory of 2484	4248	RdrCEF.exe	83
PID 4248 wrote to memory of 2484	4248	RdrCEF.exe	83
PID 4248 wrote to memory of 2484	4248	RdrCEF.exe	83
PID 4248 wrote to memory of 2484	4248	RdrCEF.exe	83
PID 4248 wrote to memory of 2484	4248	RdrCEF.exe	83
PID 4248 wrote to memory of 2484	4248	RdrCEF.exe	83
PID 4248 wrote to memory of 2484	4248	RdrCEF.exe	83
PID 4248 wrote to memory of 2484	4248	RdrCEF.exe	83
PID 4248 wrote to memory of 2484	4248	RdrCEF.exe	83
PID 4248 wrote to memory of 2484	4248	RdrCEF.exe	83
PID 4248 wrote to memory of 2484	4248	RdrCEF.exe	83
PID 4248 wrote to memory of 2484	4248	RdrCEF.exe	83
PID 4248 wrote to memory of 2484	4248	RdrCEF.exe	83
PID 4248 wrote to memory of 2484	4248	RdrCEF.exe	83
PID 4248 wrote to memory of 1156	4248	RdrCEF.exe	84
PID 4248 wrote to memory of 1156	4248	RdrCEF.exe	84
PID 4248 wrote to memory of 1156	4248	RdrCEF.exe	84
PID 4248 wrote to memory of 1156	4248	RdrCEF.exe	84
PID 4248 wrote to memory of 1156	4248	RdrCEF.exe	84
PID 4248 wrote to memory of 1156	4248	RdrCEF.exe	84
PID 4248 wrote to memory of 1156	4248	RdrCEF.exe	84
PID 4248 wrote to memory of 1156	4248	RdrCEF.exe	84
PID 4248 wrote to memory of 1156	4248	RdrCEF.exe	84
PID 4248 wrote to memory of 1156	4248	RdrCEF.exe	84
PID 4248 wrote to memory of 1156	4248	RdrCEF.exe	84
PID 4248 wrote to memory of 1156	4248	RdrCEF.exe	84
PID 4248 wrote to memory of 1156	4248	RdrCEF.exe	84
PID 4248 wrote to memory of 1156	4248	RdrCEF.exe	84
PID 4248 wrote to memory of 1156	4248	RdrCEF.exe	84
PID 4248 wrote to memory of 1156	4248	RdrCEF.exe	84
PID 4248 wrote to memory of 1156	4248	RdrCEF.exe	84
PID 4248 wrote to memory of 1156	4248	RdrCEF.exe	84
PID 4248 wrote to memory of 1156	4248	RdrCEF.exe	84
PID 4248 wrote to memory of 1156	4248	RdrCEF.exe	84

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\COMUNICADO2007020-20202220-20REACTIVACIC393N20DEL20SERVICIO20GMAIL20.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4248
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8AC4261A75D1BF228D715ED5744E085B --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2484
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=6CFDF9F8A91979A292ED6F1A70D064FB --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=6CFDF9F8A91979A292ED6F1A70D064FB --renderer-client-id=2 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:1156
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E46CADDBF1AA2DB318C8DBA5C0E5CEBE --mojo-platform-channel-handle=2292 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3956
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=72702702BB24B8D9DE52C8B8D6E44664 --mojo-platform-channel-handle=1948 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:3456
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E6888D20489089ECE5C04047E007A64B --mojo-platform-channel-handle=2388 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff3d2c9758,0x7fff3d2c9768,0x7fff3d2c9778
  2⤵
  PID:1172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1692 --field-trial-handle=1780,i,14307121969080857820,391311322690888759,131072 /prefetch:2
  2⤵
  PID:3760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1780,i,14307121969080857820,391311322690888759,131072 /prefetch:8
  2⤵
  PID:3756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 --field-trial-handle=1780,i,14307121969080857820,391311322690888759,131072 /prefetch:8
  2⤵
  PID:3004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3108 --field-trial-handle=1780,i,14307121969080857820,391311322690888759,131072 /prefetch:1
  2⤵
  PID:3272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3120 --field-trial-handle=1780,i,14307121969080857820,391311322690888759,131072 /prefetch:1
  2⤵
  PID:964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4468 --field-trial-handle=1780,i,14307121969080857820,391311322690888759,131072 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4636 --field-trial-handle=1780,i,14307121969080857820,391311322690888759,131072 /prefetch:8
  2⤵
  PID:3908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4728 --field-trial-handle=1780,i,14307121969080857820,391311322690888759,131072 /prefetch:8
  2⤵
  PID:1076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 --field-trial-handle=1780,i,14307121969080857820,391311322690888759,131072 /prefetch:8
  2⤵
  PID:3144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 --field-trial-handle=1780,i,14307121969080857820,391311322690888759,131072 /prefetch:8
  2⤵
  PID:4156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5212 --field-trial-handle=1780,i,14307121969080857820,391311322690888759,131072 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4432 --field-trial-handle=1780,i,14307121969080857820,391311322690888759,131072 /prefetch:1
  2⤵
  PID:4724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 --field-trial-handle=1780,i,14307121969080857820,391311322690888759,131072 /prefetch:8
  2⤵
  - Modifies registry class
  PID:648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4608 --field-trial-handle=1780,i,14307121969080857820,391311322690888759,131072 /prefetch:8
  2⤵
  PID:2616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4568 --field-trial-handle=1780,i,14307121969080857820,391311322690888759,131072 /prefetch:1
  2⤵
  PID:1500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4736 --field-trial-handle=1780,i,14307121969080857820,391311322690888759,131072 /prefetch:1
  2⤵
  PID:3432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5148 --field-trial-handle=1780,i,14307121969080857820,391311322690888759,131072 /prefetch:1
  2⤵
  PID:3016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5592 --field-trial-handle=1780,i,14307121969080857820,391311322690888759,131072 /prefetch:8
  2⤵
  PID:4036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5732 --field-trial-handle=1780,i,14307121969080857820,391311322690888759,131072 /prefetch:8
  2⤵
  PID:3728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4472 --field-trial-handle=1780,i,14307121969080857820,391311322690888759,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3340

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
720B

MD5
711c735437850d0c816478640f0ce597

SHA1
f045913019a230e874bc537b86d2a23b61445673

SHA256
861b7f4d215b23921f5b46127074e70020f127e9127012152da6852022ae9544

SHA512
68ab1604bdd0d2f43b036f42c175944dd604fad6f35dcbf638d91f7bc263a550cc6483dab4af448145e1933ae4fe2bfe3c0b924e7ca085b8f00a0a719eca0623

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\Origins\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
037dc68ec288be5d88c33c728dbb773a

SHA1
861e3932623c0d10ad32a609b05979f2a2bfa8e9

SHA256
5a71aaaed16d9b3e3c16320a17ada1ac9760e50873d136a7d70d82a855b087f5

SHA512
9586c74b1ea9f4889d63138639318cd0c463dbca2acb046c3d028dd6055a355bfc1eb72d561d0d856526d496bd3242e1086d142c6f501cdab15af6a6f398fbf2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
05a28f6361a83630fdc01818ae87febc

SHA1
2de0c1a90f8102ece7f0e8b340ce60a4f2bb7657

SHA256
94a3378abafa638587aacd57cf702d45de12c380b5f497ce3d56af109a39bdac

SHA512
fc894392268925feb4adbfe1936f9b8a86a49f3c9f6561af7b1af4d91bdb1ddf2f5f8ef12dc4310b47b3a89d2479593489f02e14f85f57ecbc328088020a785c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
61eb961129a0a0ec4db0c1de7c594044

SHA1
139eec30fb060bc4c3d5cc931ad67e729629b447

SHA256
c08da4cd4ec1b921ccaab99d6df747ecab398c8942f0afd3e5498490f1694c4b

SHA512
d2ac1d2e2683b1ec1773fc9c854d51176596e69e9c2b36fe47d32f33cebed991865fe28f5b6d2174652419bb7e36c420bc569e3ea263ab6acab0dd88909f4d31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
273ebf645faca35f636eda2a1e93ad3b

SHA1
d7ab6c9fc75aa8b868cf9f73acd2eebdbed51659

SHA256
dcdefce60958be16466939b0b70d68887a5729058c9e204ce48f1f0fe22414ff

SHA512
5d9561ad67c216ea7f6596c85512aaf41bc06fa468f7f0f50c08c665a484fc501896fce050dcef24e6867c1bfd573208673dfe0743579334fb50f70d06dd1ea5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
6076b407ebaed07009d63aeb737cd9f4

SHA1
50c65ea82074ba0b817db775eb918fb0995f5a7d

SHA256
93f591f97861d55e93749a904b4625b00a5385c820adc90bb85d8fa735afd397

SHA512
2543fb10dfccb20777440c88c454a940d5f90c545edb73e723e37db73d8c03d5d091c2c30463d805dfd55ba326ccc0ad70e0fa4e9521a876a981f1dec6a8bea5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
8310f815e3e792287b365d5da710d9a4

SHA1
6424133fc2318b78bfde00be5cc1d2dfafdde995

SHA256
b463231c2ae8bf0562987b473a5e9ef5552745dddbc5ba4ec40156c75bbb0201

SHA512
4e4059a3d286356a96eb5ddcf75e55c1782141496292d7bbbaa92275cb0488a85a9f87c8c17fec6eee33a9e5f542c87a0f250570dbc2234d729b1cc62756cf6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
91c104ac7980f638f321f361165be447

SHA1
4443a648e3642f61f24b2747726cb9dc89e231e0

SHA256
f8f93ebe8f27f1eaf3d4ace81177c2f2643d3ff8d217665922d86fd9fe731e1a

SHA512
ef38067f55e45fee732aefee24b443b4f17655ca7f254ceb298a1b544761b4a827b4213008ca3dd2c7796dfe1688d3c56d79b4969fc50cc918588cd27cdb2c71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f618e03e897c80fbe289c8e0d8dbed63

SHA1
24519d417dcd2350b1e38bac1db2434d1c266bd1

SHA256
2fc1f643b21f64caf9042eb87cb9470b8ea4b87858cbce91b298ae1d3848f5c8

SHA512
1ee949c478df964e3e905fca26d9462b18ea2afd06dec288b863cfa0154369dc4bef4f6dec82a6baae840146e3e1b3c5e5f855f85cc0f1500eb7947f283c5e54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ac068bbd04335206c0ad8764e048687c

SHA1
3ce8b6970d2101ffa6c736115457f06887953344

SHA256
98505f720ae977a46b6cc7cb38ed367db5b029af929772b423d0f2891af55951

SHA512
1570615f0b67ad8c92abbab4c91535dd07be5674be55e41452734a4fd33b0b79e60a3df74c73daa4f7c51336a629383c32073a4b9af101dcbfc13a13c4524792

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4a6d882aa44463c5e46863a2d17459ec

SHA1
669ea9281900f9637aeb3cce601420060112bfb9

SHA256
e8ac1765cc2623e88ee51ae6b16d5a3413efbe023cac6d411639444987708055

SHA512
1c2572758ebe57343c20ec8027fcd8a9c96a176237c0f5cf0734ad6c0aab4d74b6c928d4b78c3b912ac05db944f9d9a365054a28214ebd3fd3d104bf467a2d4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e084c7c4949348e957ede78381465e76

SHA1
cd0e6342777684aaba36dc82cf26a9d38fb8bd32

SHA256
78facb0e181daced3ea041aa2298900082ffa81ac25ea754ac55c43b455e940a

SHA512
72d5970940a2ce2471a4747111ceef29c11d0196f2bfae6ec078d43fbdb7914673f9c4f8d519cfa31f9f6078dbf0080b36441792412131a5b108e45a77ddcca6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
93a1c83bdb887f812d516a2a9d1d523d

SHA1
92144669740223ee6691c46e156fb609c29013ba

SHA256
69138b8d34eb09b6b3bf50bf9b4264b2bee98f7112e96415821946cb5594baed

SHA512
57b4cbd8823838709b1a3caf7337d0c3b68e681da76327a61d87c486dd37522752336d25c51a6ad1eca53a952a0536eae7843161e06cc0aa4a936d39f9203a6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
1b762114b7f1340fbefd23e75c73d497

SHA1
d0061d475332eeed65a7a740c5c90e7cbda1137e

SHA256
d155af6761f5e5bf761c8d5c2f88a6431b8fdbb0db03ff2b2707fe2a9f9f4fbf

SHA512
6420f58ca1d2583773950785afe2dff9ff87befa45ca59ec7674acbbf80929db2626c5f2af1e14280432ad5e6911f88ba59c0687febc58a2a081295ca672befa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
ce77fe5e4d99a8f115eb16d68895cedc

SHA1
d66c68dd3f802db847329a1462d08ba0c55edcb1

SHA256
5f7c142c8854da539d3b64317f2e79e369c03807bc9ff736f7e18e5d76d733d1

SHA512
edd6d675c394ed8c953b91bcd2c4aaf2c2d20007d451c0fefabcb0d497aebbb2f73d5320475228a90be9eda3788427124eb2cac287253bfdccbcfba7294b3225

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
157KB

MD5
821a94445fbb8ef0a6e28b73bc855d9d

SHA1
1cf151a67901fcf5dba6848806ac211327480e62

SHA256
cf7dbc66a97d04b6511e9ec5b222e4edf653ea516ebe05d15920c55119e7481f

SHA512
03950c8e02ee2362c9a9dbf33cd6bbc53eeaa656e4a1332cc4ede63a771dfa15669ef09e2da0c0dca4f4ffc196f90c505732b45ad76e9b49ba1a6099ab0060a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
157KB

MD5
d3ee0593f331aa1a2b2fb8bc08cee915

SHA1
15cfa3e2a0a884d3cead41207bcd77cb1ea9800e

SHA256
8390e4b24c354f290071278e07668509c68bcdc7968f76f7fff04b3be67fc99f

SHA512
7cbaa3ac421fd377a2911a0f3f71d75dfb9a395897730e7ba716924de09c5cb26910887c95124ac5581206e9821b61c73467eb9800bfc683cd189e71b3731a02

Download Submit