f703dae8de26aab20688ee0de3a80ead4c09d9a68af17d533b3c75415609f8b8

Analysis

max time kernel
519s
max time network
521s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
07-06-2023 17:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ph3jbkfngs4g4.exe
Size

27.5MB
MD5

8d48f2394d70eaeff9ca06701b8c2b18
SHA1

261cfb922a1386c6f62efaccbc2a8b7f001882e1
SHA256

f703dae8de26aab20688ee0de3a80ead4c09d9a68af17d533b3c75415609f8b8
SHA512

7f1491e82872c7044c39ffd9428ce244aa9e8902b53f4c12ac1d825811df7a7a858c4cc36a9104e62045bdd66a96cdd16842e6848244f6b6ede388d5312e11a2
SSDEEP

786432:asmE846itrumiPiEILhsXZJRHgwLlnaabLtBJGV6:WE84Htm6vLARg+nTbZTM6

Score

8^/10

microsoft discovery persistence phishing upx

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

msiexec.exe

flow pid process

573 1972 msiexec.exe
575 1972 msiexec.exe
576 1972 msiexec.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

VC_redist.x86.exeVC_redist.x86.exe

pid process

1296 VC_redist.x86.exe
3456 VC_redist.x86.exe
Loads dropped DLL 6 IoCs

Processes:

devloader.exeVC_redist.x86.exeVC_redist.x86.exeVC_redist.x86.exedevloader.exe

pid process

1876 devloader.exe
4368 VC_redist.x86.exe
1296 VC_redist.x86.exe
1296 VC_redist.x86.exe
2088 VC_redist.x86.exe
4168 devloader.exe

flow	pid	process
573	1972	msiexec.exe
575	1972	msiexec.exe
576	1972	msiexec.exe

pid	process
1296	VC_redist.x86.exe
3456	VC_redist.x86.exe

pid	process
1876	devloader.exe
4368	VC_redist.x86.exe
1296	VC_redist.x86.exe
1296	VC_redist.x86.exe
2088	VC_redist.x86.exe
4168	devloader.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\_MEI35922\python311.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI35922\python311.dll	upx
behavioral1/memory/1876-376-0x000007FEF3AC0000-0x000007FEF40A9000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI43562\python311.dll	upx
\Users\Admin\AppData\Local\Temp\_MEI43562\python311.dll	upx
behavioral1/memory/4168-990-0x000007FEF5E10000-0x000007FEF63F9000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

VC_redist.x86.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{410c0ee1-00bb-41b6-9772-e12c2828b02f} = "\"C:\\ProgramData\\Package Cache\\{410c0ee1-00bb-41b6-9772-e12c2828b02f}\\VC_redist.x86.exe\" /burn.runonce"	VC_redist.x86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	VC_redist.x86.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Detected potential entity reuse from brand microsoft.
phishing microsoft

Drops file in System32 directory 48 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\mfc140cht.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140deu.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140enu.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140_2.dll	msiexec.exe
File created	C:\Windows\SysWOW64\concrt140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfcm140u.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140rus.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vcamp140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140_2.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140_atomic_wait.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vcomp140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140fra.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140cht.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140u.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vcomp140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140u.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140esn.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfcm140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140ita.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140jpn.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vcamp140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140jpn.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140_atomic_wait.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vccorlib140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140chs.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140kor.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140_1.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140rus.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140fra.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfcm140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\concrt140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140chs.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140kor.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140esn.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140ita.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfcm140u.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140_1.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vccorlib140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140deu.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140enu.dll	msiexec.exe

Drops file in Windows directory 22 IoCs

Processes:

VC_redist.x86.exeDrvInst.exemsiexec.exeVC_redist.x86.exechrome.exe

description	ioc	process
File opened for modification	C:\Windows\WindowsUpdate.log	VC_redist.x86.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI918D.tmp	msiexec.exe
File created	C:\Windows\Installer\727b2a.msi	msiexec.exe
File created	C:\Windows\Installer\727b2b.msi	msiexec.exe
File opened for modification	C:\Windows\WindowsUpdate.log	VC_redist.x86.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe	chrome.exe
File created	C:\Windows\Installer\727b1c.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\727b2b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA12C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA3BD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe	chrome.exe
File created	C:\Windows\Installer\727b1a.msi	msiexec.exe
File created	C:\Windows\Installer\727b2d.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\727b1a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8E02.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\727b1c.ipi	msiexec.exe
File created	C:\Windows\Installer\727b3f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\727b2d.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 52 IoCs

Processes:

DrvInst.exemsiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F	msiexec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\30	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\30	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\31	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe

Modifies registry class 64 IoCs

Processes:

chrome.exemsiexec.exeVC_redist.x86.exeVC_redist.x86.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "2"	chrome.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\BAC95C2C6678DBA48AFE11153AC6145E	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BAC95C2C6678DBA48AFE11153AC6145E\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BAC95C2C6678DBA48AFE11153AC6145E\DeploymentFlags = "3"	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	chrome.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E4E77F3771A55E645ACFA860017427F5\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\DisplayName = "Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E4E77F3771A55E645ACFA860017427F5	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E4E77F3771A55E645ACFA860017427F5\Version = "237272852"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E4E77F3771A55E645ACFA860017427F5\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E4E77F3771A55E645ACFA860017427F5\SourceList\Media\1 = ";"	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	chrome.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.30,bundle	VC_redist.x86.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	chrome.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E4E77F3771A55E645ACFA860017427F5\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BAC95C2C6678DBA48AFE11153AC6145E\PackageCode = "66BA6B50A49EFFA418122BDB80C144B2"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BAC95C2C6678DBA48AFE11153AC6145E\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BAC95C2C6678DBA48AFE11153AC6145E\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{C2C59CAB-8766-4ABD-A8EF-1151A36C41E5}v14.36.32532\\packages\\vcRuntimeAdditional_x86\\"	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\60DB5E5629367203C8625813703DFCA1	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BAC95C2C6678DBA48AFE11153AC6145E\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\DisplayName = "Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.30,bundle\Dependents\{4D8DCF8C-A72A-43E1-9833-C12724DB736E}	VC_redist.x86.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	chrome.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA\SourceList\Net	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5040806F8AF9AAC49928419ED5A1D3CA	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.36,bundle\DisplayName = "Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532"	VC_redist.x86.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E4E77F3771A55E645ACFA860017427F5	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\Version = "14.36.32532"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C\SourceList\Net	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BAC95C2C6678DBA48AFE11153AC6145E\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\15E8B87C56C0E773581D82F286F95E50	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.36,bundle\ = "{410c0ee1-00bb-41b6-9772-e12c2828b02f}"	VC_redist.x86.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14	VC_redist.x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\BAC95C2C6678DBA48AFE11153AC6145E\Provider	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BAC95C2C6678DBA48AFE11153AC6145E\SourceList\Net	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	chrome.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E4E77F3771A55E645ACFA860017427F5\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.36,bundle\Dependents	VC_redist.x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\Version = "14.36.32532"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\Dependents\{410c0ee1-00bb-41b6-9772-e12c2828b02f}	VC_redist.x86.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	chrome.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C\SourceList	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlot = "3"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Ph3jbkfngs4g4.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Ph3jbkfngs4g4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Ph3jbkfngs4g4.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

Ph3jbkfngs4g4.exemsiexec.exe

pid	process
332	Ph3jbkfngs4g4.exe
1972	msiexec.exe
1972	msiexec.exe
1972	msiexec.exe
1972	msiexec.exe
1972	msiexec.exe
1972	msiexec.exe
1972	msiexec.exe
1972	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

chrome.exedevloader.exe

pid process

2184 chrome.exe
1876 devloader.exe

pid	process
2184	chrome.exe
1876	devloader.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exePh3jbkfngs4g4.exevssvc.exeDrvInst.exeVC_redist.x86.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	484	chrome.exe
Token: SeShutdownPrivilege	484	chrome.exe
Token: SeShutdownPrivilege	484	chrome.exe
Token: SeShutdownPrivilege	484	chrome.exe
Token: SeDebugPrivilege	332	Ph3jbkfngs4g4.exe
Token: SeBackupPrivilege	3680	vssvc.exe
Token: SeRestorePrivilege	3680	vssvc.exe
Token: SeAuditPrivilege	3680	vssvc.exe
Token: SeRestorePrivilege	3984	DrvInst.exe
Token: SeRestorePrivilege	3984	DrvInst.exe
Token: SeRestorePrivilege	3984	DrvInst.exe
Token: SeRestorePrivilege	3984	DrvInst.exe
Token: SeRestorePrivilege	3984	DrvInst.exe
Token: SeRestorePrivilege	3984	DrvInst.exe
Token: SeRestorePrivilege	3984	DrvInst.exe
Token: SeLoadDriverPrivilege	3984	DrvInst.exe
Token: SeLoadDriverPrivilege	3984	DrvInst.exe
Token: SeLoadDriverPrivilege	3984	DrvInst.exe
Token: SeShutdownPrivilege	3456	VC_redist.x86.exe
Token: SeIncreaseQuotaPrivilege	3456	VC_redist.x86.exe
Token: SeRestorePrivilege	1972	msiexec.exe
Token: SeTakeOwnershipPrivilege	1972	msiexec.exe
Token: SeSecurityPrivilege	1972	msiexec.exe
Token: SeCreateTokenPrivilege	3456	VC_redist.x86.exe
Token: SeAssignPrimaryTokenPrivilege	3456	VC_redist.x86.exe
Token: SeLockMemoryPrivilege	3456	VC_redist.x86.exe
Token: SeIncreaseQuotaPrivilege	3456	VC_redist.x86.exe
Token: SeMachineAccountPrivilege	3456	VC_redist.x86.exe
Token: SeTcbPrivilege	3456	VC_redist.x86.exe
Token: SeSecurityPrivilege	3456	VC_redist.x86.exe
Token: SeTakeOwnershipPrivilege	3456	VC_redist.x86.exe
Token: SeLoadDriverPrivilege	3456	VC_redist.x86.exe
Token: SeSystemProfilePrivilege	3456	VC_redist.x86.exe
Token: SeSystemtimePrivilege	3456	VC_redist.x86.exe
Token: SeProfSingleProcessPrivilege	3456	VC_redist.x86.exe
Token: SeIncBasePriorityPrivilege	3456	VC_redist.x86.exe
Token: SeCreatePagefilePrivilege	3456	VC_redist.x86.exe
Token: SeCreatePermanentPrivilege	3456	VC_redist.x86.exe
Token: SeBackupPrivilege	3456	VC_redist.x86.exe
Token: SeRestorePrivilege	3456	VC_redist.x86.exe
Token: SeShutdownPrivilege	3456	VC_redist.x86.exe
Token: SeDebugPrivilege	3456	VC_redist.x86.exe
Token: SeAuditPrivilege	3456	VC_redist.x86.exe
Token: SeSystemEnvironmentPrivilege	3456	VC_redist.x86.exe
Token: SeChangeNotifyPrivilege	3456	VC_redist.x86.exe
Token: SeRemoteShutdownPrivilege	3456	VC_redist.x86.exe
Token: SeUndockPrivilege	3456	VC_redist.x86.exe
Token: SeSyncAgentPrivilege	3456	VC_redist.x86.exe
Token: SeEnableDelegationPrivilege	3456	VC_redist.x86.exe
Token: SeManageVolumePrivilege	3456	VC_redist.x86.exe
Token: SeImpersonatePrivilege	3456	VC_redist.x86.exe
Token: SeCreateGlobalPrivilege	3456	VC_redist.x86.exe
Token: SeRestorePrivilege	1972	msiexec.exe
Token: SeTakeOwnershipPrivilege	1972	msiexec.exe
Token: SeRestorePrivilege	1972	msiexec.exe
Token: SeTakeOwnershipPrivilege	1972	msiexec.exe
Token: SeRestorePrivilege	1972	msiexec.exe
Token: SeTakeOwnershipPrivilege	1972	msiexec.exe
Token: SeRestorePrivilege	1972	msiexec.exe
Token: SeTakeOwnershipPrivilege	1972	msiexec.exe
Token: SeRestorePrivilege	1972	msiexec.exe
Token: SeTakeOwnershipPrivilege	1972	msiexec.exe
Token: SeRestorePrivilege	1972	msiexec.exe
Token: SeTakeOwnershipPrivilege	1972	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

VC_redist.x86.exe

pid process

1296 VC_redist.x86.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

chrome.exe

pid process

2184 chrome.exe

pid	process
1296	VC_redist.x86.exe

pid	process
2184	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exedevloader.exeVC_redist.x86.exeVC_redist.x86.exeVC_redist.x86.exe

description	pid	process	target process
PID 484 wrote to memory of 568	484	chrome.exe	chrome.exe
PID 484 wrote to memory of 568	484	chrome.exe	chrome.exe
PID 484 wrote to memory of 568	484	chrome.exe	chrome.exe
PID 484 wrote to memory of 1688	484	chrome.exe	chrome.exe
PID 484 wrote to memory of 1688	484	chrome.exe	chrome.exe
PID 484 wrote to memory of 1688	484	chrome.exe	chrome.exe
PID 484 wrote to memory of 1688	484	chrome.exe	chrome.exe
PID 484 wrote to memory of 1688	484	chrome.exe	chrome.exe
PID 484 wrote to memory of 1688	484	chrome.exe	chrome.exe
PID 484 wrote to memory of 1688	484	chrome.exe	chrome.exe
PID 484 wrote to memory of 1688	484	chrome.exe	chrome.exe
PID 484 wrote to memory of 1688	484	chrome.exe	chrome.exe
PID 484 wrote to memory of 1688	484	chrome.exe	chrome.exe
PID 484 wrote to memory of 1688	484	chrome.exe	chrome.exe
PID 484 wrote to memory of 1688	484	chrome.exe	chrome.exe
PID 484 wrote to memory of 1688	484	chrome.exe	chrome.exe
PID 484 wrote to memory of 1688	484	chrome.exe	chrome.exe
PID 484 wrote to memory of 1688	484	chrome.exe	chrome.exe
PID 484 wrote to memory of 1688	484	chrome.exe	chrome.exe
PID 484 wrote to memory of 1688	484	chrome.exe	chrome.exe
PID 484 wrote to memory of 1688	484	chrome.exe	chrome.exe
PID 484 wrote to memory of 1688	484	chrome.exe	chrome.exe
PID 484 wrote to memory of 1688	484	chrome.exe	chrome.exe
PID 484 wrote to memory of 1688	484	chrome.exe	chrome.exe
PID 484 wrote to memory of 1688	484	chrome.exe	chrome.exe
PID 484 wrote to memory of 1688	484	chrome.exe	chrome.exe
PID 484 wrote to memory of 1688	484	chrome.exe	chrome.exe
PID 484 wrote to memory of 1688	484	chrome.exe	chrome.exe
PID 484 wrote to memory of 1688	484	chrome.exe	chrome.exe
PID 484 wrote to memory of 1688	484	chrome.exe	chrome.exe
PID 484 wrote to memory of 1688	484	chrome.exe	chrome.exe
PID 484 wrote to memory of 1688	484	chrome.exe	chrome.exe
PID 484 wrote to memory of 1688	484	chrome.exe	chrome.exe
PID 484 wrote to memory of 1688	484	chrome.exe	chrome.exe
PID 484 wrote to memory of 1688	484	chrome.exe	chrome.exe
PID 484 wrote to memory of 1688	484	chrome.exe	chrome.exe
PID 484 wrote to memory of 1688	484	chrome.exe	chrome.exe
PID 484 wrote to memory of 1688	484	chrome.exe	chrome.exe
PID 484 wrote to memory of 1688	484	chrome.exe	chrome.exe
PID 484 wrote to memory of 1688	484	chrome.exe	chrome.exe
PID 484 wrote to memory of 1688	484	chrome.exe	chrome.exe
PID 484 wrote to memory of 1688	484	chrome.exe	chrome.exe
PID 484 wrote to memory of 840	484	chrome.exe	chrome.exe
PID 484 wrote to memory of 840	484	chrome.exe	chrome.exe
PID 484 wrote to memory of 840	484	chrome.exe	chrome.exe
PID 3592 wrote to memory of 1876	3592	devloader.exe	devloader.exe
PID 3592 wrote to memory of 1876	3592	devloader.exe	devloader.exe
PID 3592 wrote to memory of 1876	3592	devloader.exe	devloader.exe
PID 4368 wrote to memory of 1296	4368	VC_redist.x86.exe	VC_redist.x86.exe
PID 4368 wrote to memory of 1296	4368	VC_redist.x86.exe	VC_redist.x86.exe
PID 4368 wrote to memory of 1296	4368	VC_redist.x86.exe	VC_redist.x86.exe
PID 4368 wrote to memory of 1296	4368	VC_redist.x86.exe	VC_redist.x86.exe
PID 4368 wrote to memory of 1296	4368	VC_redist.x86.exe	VC_redist.x86.exe
PID 4368 wrote to memory of 1296	4368	VC_redist.x86.exe	VC_redist.x86.exe
PID 4368 wrote to memory of 1296	4368	VC_redist.x86.exe	VC_redist.x86.exe
PID 1296 wrote to memory of 3456	1296	VC_redist.x86.exe	VC_redist.x86.exe
PID 1296 wrote to memory of 3456	1296	VC_redist.x86.exe	VC_redist.x86.exe
PID 1296 wrote to memory of 3456	1296	VC_redist.x86.exe	VC_redist.x86.exe
PID 1296 wrote to memory of 3456	1296	VC_redist.x86.exe	VC_redist.x86.exe
PID 1296 wrote to memory of 3456	1296	VC_redist.x86.exe	VC_redist.x86.exe
PID 1296 wrote to memory of 3456	1296	VC_redist.x86.exe	VC_redist.x86.exe
PID 1296 wrote to memory of 3456	1296	VC_redist.x86.exe	VC_redist.x86.exe
PID 3456 wrote to memory of 3104	3456	VC_redist.x86.exe	VC_redist.x86.exe
PID 3456 wrote to memory of 3104	3456	VC_redist.x86.exe	VC_redist.x86.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Ph3jbkfngs4g4.exe
"C:\Users\Admin\AppData\Local\Temp\Ph3jbkfngs4g4.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6e09758,0x7fef6e09768,0x7fef6e09778
2⤵
PID:568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1224 --field-trial-handle=1244,i,8637324450852950680,12549154393125392260,131072 /prefetch:2
2⤵
PID:1688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1476 --field-trial-handle=1244,i,8637324450852950680,12549154393125392260,131072 /prefetch:8
2⤵
PID:840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1428 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:8
1⤵
PID:288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1184 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:2
1⤵
PID:1368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1656 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:8
1⤵
PID:1064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2236 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:2092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2320 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:2100

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1360 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:2
1⤵
PID:2500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --mojo-platform-channel-handle=2220 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:2576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3904 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:8
1⤵
PID:2592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3992 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:8
1⤵
PID:2608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=4152 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:2764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4320 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:8
1⤵
PID:2948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3456 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:8
1⤵
PID:908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3284 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:8
1⤵
PID:2156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=580 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:8
1⤵
PID:1968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4640 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:8
1⤵
PID:1644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3428 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:8
1⤵
PID:696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=2728 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:2340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=4604 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:1744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=4676 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:3016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4864 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:8
1⤵
PID:1580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4948 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:8
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:8
1⤵
PID:1540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5392 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:8
1⤵
PID:2260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5420 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:8
1⤵
PID:1692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --mojo-platform-channel-handle=896 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:1616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --mojo-platform-channel-handle=5216 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:2724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --mojo-platform-channel-handle=2008 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:2628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --mojo-platform-channel-handle=4920 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:1820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --mojo-platform-channel-handle=4444 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:2908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --mojo-platform-channel-handle=4456 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:2900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --mojo-platform-channel-handle=1736 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:2032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --mojo-platform-channel-handle=5244 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:2060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --mojo-platform-channel-handle=4320 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:2748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --mojo-platform-channel-handle=6196 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:2716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --mojo-platform-channel-handle=6064 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:2580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --mojo-platform-channel-handle=6336 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:3104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --mojo-platform-channel-handle=6312 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:1572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --mojo-platform-channel-handle=5776 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:3140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --mojo-platform-channel-handle=6820 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:3172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --mojo-platform-channel-handle=6696 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:3164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --mojo-platform-channel-handle=5728 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:3192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --mojo-platform-channel-handle=6964 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:3184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --mojo-platform-channel-handle=7116 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:3228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --mojo-platform-channel-handle=6660 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:3216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --mojo-platform-channel-handle=7244 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:3236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --mojo-platform-channel-handle=7300 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:3256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --mojo-platform-channel-handle=7328 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:3268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --mojo-platform-channel-handle=7340 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:3304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --mojo-platform-channel-handle=7352 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:3324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --mojo-platform-channel-handle=7372 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:3348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --mojo-platform-channel-handle=7388 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:3360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --mojo-platform-channel-handle=6052 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:3372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --mojo-platform-channel-handle=9648 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:4788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --mojo-platform-channel-handle=8984 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:4796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --mojo-platform-channel-handle=10152 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:4812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --mojo-platform-channel-handle=10168 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:4836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --mojo-platform-channel-handle=10188 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:4852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --mojo-platform-channel-handle=10204 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:4860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --mojo-platform-channel-handle=10576 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:4684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6776 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:8
1⤵
PID:4340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=62 --mojo-platform-channel-handle=10556 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:3360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=63 --mojo-platform-channel-handle=12140 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:4892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5992 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:8
1⤵
PID:2976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=65 --mojo-platform-channel-handle=6800 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:2184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=66 --mojo-platform-channel-handle=11236 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:3852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=67 --mojo-platform-channel-handle=9284 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:3844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6488 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:8
1⤵
PID:3968

C:\Users\Admin\Downloads\devloader.exe
"C:\Users\Admin\Downloads\devloader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3592

C:\Users\Admin\Downloads\devloader.exe
"C:\Users\Admin\Downloads\devloader.exe"
2⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:1876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:8
1⤵
PID:3612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=70 --mojo-platform-channel-handle=5584 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:3320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5864 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:8
1⤵
PID:1652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8760 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:8
1⤵
PID:1776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=73 --mojo-platform-channel-handle=8856 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:4680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=74 --mojo-platform-channel-handle=7496 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:3888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=75 --mojo-platform-channel-handle=5932 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:4380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=12084 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:8
1⤵
PID:4092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=77 --mojo-platform-channel-handle=12180 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:5040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=78 --mojo-platform-channel-handle=8576 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:2644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=79 --mojo-platform-channel-handle=8824 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:1
1⤵
PID:4344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=9208 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:8
1⤵
PID:4776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=9668 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:8
1⤵
PID:1740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5724 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:8
1⤵
PID:2572

C:\Users\Admin\Downloads\VC_redist.x86.exe
"C:\Users\Admin\Downloads\VC_redist.x86.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4368

C:\Windows\Temp\{0CE5BFA5-0392-4FD6-ACF3-B91099EF358E}\.cr\VC_redist.x86.exe
"C:\Windows\Temp\{0CE5BFA5-0392-4FD6-ACF3-B91099EF358E}\.cr\VC_redist.x86.exe" -burn.clean.room="C:\Users\Admin\Downloads\VC_redist.x86.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1296

C:\Windows\Temp\{5A8448D0-B66D-4B65-BD42-81245079CE47}\.be\VC_redist.x86.exe
"C:\Windows\Temp\{5A8448D0-B66D-4B65-BD42-81245079CE47}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{34E3021E-AB82-47E2-82A1-1E332B6178DA} {1E198E79-C89B-4AA3-90B0-5314746E2455} 1296
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3456

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={410c0ee1-00bb-41b6-9772-e12c2828b02f} -burn.filehandle.self=504 -burn.embedded BurnPipe.{683D62BD-E117-4609-AB9A-16402F058F02} {DFDC965E-D8C0-41BF-B8E7-95B7059CFF6A} 3456
4⤵
PID:3104

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 -uninstall -quiet -burn.related.upgrade -burn.ancestors={410c0ee1-00bb-41b6-9772-e12c2828b02f} -burn.filehandle.self=504 -burn.embedded BurnPipe.{683D62BD-E117-4609-AB9A-16402F058F02} {DFDC965E-D8C0-41BF-B8E7-95B7059CFF6A} 3456
5⤵
- Loads dropped DLL
PID:2088

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{5F5F037A-FCE4-461D-8B78-EB44C16CE1EA} {59759716-D53F-47BF-BECB-941405B03EFF} 2088
6⤵
- Drops file in Windows directory
- Modifies registry class
PID:4800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=11188 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:8
1⤵
PID:4780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7888 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:8
1⤵
PID:4704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1244,i,17472371095401483815,16762244164102560111,131072 /prefetch:8
1⤵
PID:4412

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3680

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003CC" "00000000000002FC"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3984

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\Users\Admin\Downloads\devloader.exe
"C:\Users\Admin\Downloads\devloader.exe"
1⤵
PID:4356

C:\Users\Admin\Downloads\devloader.exe
"C:\Users\Admin\Downloads\devloader.exe"
2⤵
- Loads dropped DLL
PID:4168

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\727b1e.rbs
Filesize
15KB

MD5
7fcbc8be5a9e6decacc6d3b8f6a68eb4

SHA1
79ef0f48872f3bd442ab840df0cfc3e25c2929c6

SHA256
41dea4686753c093c51ef06dc5bac916831a13fcc15e69f14f2d43986d80d547

SHA512
4ad500be238e8edb7536b5d8fb17b191b074be75e3ec394730913723012866cd7e37f8619c73290c7eafeea9ee81c99c43179d560c077d346e9db8c069d2f880

Download Submit
C:\Config.Msi\727b29.rbs
Filesize
14KB

MD5
916a999660d8093be13d52937ea370be

SHA1
726d97387039640adde8a886cf87344804db3b44

SHA256
0e4c6690ddadbb2094ad011bc50c6936aa722fc0e5262e0f7e2ea5b7e55c3d88

SHA512
01790e0f88257fe7b6df3f37589cb62975c2530798c24b1cabd3fb11ecc0c84beaf9a5c1cdee90057eb4d1fdcfe9aba2652e4a73a875f27e8f2857a7c6e8bd6f

Download Submit
C:\Config.Msi\727b2f.rbs
Filesize
17KB

MD5
9565ec3189a331738bd685e4548a1ad7

SHA1
7b09b4deb846633f8e640c6e5b0daa3211227308

SHA256
8e8789d8cbb6d979bcc26587e96340705328c7c864806c3d6a8729e04d5df56a

SHA512
5210b15146e5c4458d7692badb57857fb9a146e522df940e88f296eabf5dd9e3eea673e79493d735a46c924ed653bdae13c35c548d3b6922f0a36068b407c183

Download Submit
C:\Config.Msi\727b3e.rbs
Filesize
16KB

MD5
7d172da5a7b53879b636cb7627f7fb1e

SHA1
fd5840d10c8e55aaa4cc3442487de7919071f08c

SHA256
b99ea8c78219b516d9388f19f50cf462edbe2e7e00dc2b923e9418856ed6a041

SHA512
a0bb12e19690e1e9c720cc7beec5c41d8ce43cde35fc4c69cf2521097f7df840caf175bd68896030ca922317b9cad5e8bd63c4d23feb5227c44c8793b5b10c8d

Download Submit
C:\ProgramData\Package Cache\{410c0ee1-00bb-41b6-9772-e12c2828b02f}\VC_redist.x86.exe
Filesize
634KB

MD5
415e8d504ea08ee2d8515fe87b820910

SHA1
e90f591c730bd39b8343ca3689b2c0ee85aaea5f

SHA256
e0e642106c94fd585782b75d1f942872d2bf99d870bed4216e5001e4ba3374c0

SHA512
e51f185c0e9d3eb4950a4c615285c6610a4977a696ed9f3297a551835097b2122566122231437002c82e2c5cf72a7a8f67362bff16b24c0abe05fe35dddbf6a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
bc960648f2700ad3684f67a249dc12a2

SHA1
2727a0f09e72be2817e8b17fff2fd2b6b1c5314c

SHA256
ea3ac4db78ec31729171adeef1986470b4c2cf3456b84ad6f845c17d9ed0d306

SHA512
946881747dd1a24d91b1bff7816dc625fc524b16227e733a89327d71d6d4fce1a91da6c2f0c0f3352f052581f1924b1b77759d1faff6578683bcad753d741c0b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\7f5f82e6-be37-49a1-9125-7171b461d9f1.tmp
Filesize
71KB

MD5
a74ce4954be22e3550ecd57afb6e4cbb

SHA1
bafee5f8af7c696b08356bcdbe686bd9d76cb8cd

SHA256
70cedf8b4247fd339724addbbcd75f8cf07d5f74bcbe606e789a4cef7739dc4b

SHA512
109c042f23bc8a42c70f451db977ee6c60439932e4f7ff49f8556c59bb376e532064fb920523705013247ee13540fc6c0394eb435e8153dd187de8edffc2a4c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001d
Filesize
65KB

MD5
8c89e3972c478531eb506b316f194dac

SHA1
418feb837853de612cd7cda97ce7bd9604908b13

SHA256
f910c11c097dd8ae68ca151b85e73934aa331abffd06e8bf8cb27f5d974710ed

SHA512
22332cea3273420cf237a16f87100bd69a4e92c3475a32a6e52d1b203b9111b2d7dd9accb662299173ae7cea271dbd58f14f59d50b58952e6222893de5d8bd33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000020
Filesize
37KB

MD5
5b0c0d429185ff30e04c93f67116d98f

SHA1
8eb3286fe16a5bee5a0164b131bc534fd131f250

SHA256
f1a0b957050b529afc0e94c436976326124ed8968183859c413986487623294d

SHA512
6295bcd662325172b15c476d26f23c8794c4f1454e0e8cfd43bca79b45aa03e1ae721ebdada1c52fe7699027fa97699156280ff259ce3cc476e322ccc0337902

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000034
Filesize
162KB

MD5
839a6afa03312253885699c84a96e70b

SHA1
7d58a182c70501beac223c48636c059632163e65

SHA256
90c81168c32945db973e0a1da67d6981293a0b3b996459c488ec409a188a7f1d

SHA512
d3759e7d1a16979833711e15b5064262ef5f3728b1f9941db34aa0b6fb9ea5891ac441bc708f3a56343763d017cd3257e368abccd5be816b9c8a9754f987b524

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00003e
Filesize
84KB

MD5
b37676ea45b84e2fc1982a25ecd328b0

SHA1
b3dd421d5e334fbdb0651b14548c2f34496f9061

SHA256
1b4a0808eeca765475832c2eb796a56b9a8b918be7b2af987a93b13239a7c75a

SHA512
130e928f350938439b86556a599c204c4e5f29347645174a51ab2a4e15dcea1dda52e5f218ee4b4318ce6b12ecafc3f4974bc65d06c2a946818c22768b991778

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000042
Filesize
82KB

MD5
ee2a28bb757ed923dfdd595000079341

SHA1
ffa09da6a513f92f4b69e249290046fb37bc2687

SHA256
9e77d84cc0b141da3717b6659925023e6047ee4509ce2fc8278ce4662703babc

SHA512
d3c509ea7f47c81a47e62cf3b4c5868e6814eb0bbe3e0fecd23bbece2962149a4fd9f09c5dfefa4a884fc459e795fc55dd7b9060c88c1cf92ab10f47f1ac2901

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000043
Filesize
17KB

MD5
8bb97ab9e9f6d411028cfebd3b662c27

SHA1
7bca6c28721ebce3bb9acca6b41e993262f6f004

SHA256
2c2f62dc6d5379444843250104680603b1eb69996abfeace92b65b91b77f601b

SHA512
1ede17de8c6d3469b7a611aa82856b054e2f1251043997d71d6b85a74e3c1a4373c46c4584d715f4d5937368c9fcb01db84162d1d2836302924ac91bc27c5ef0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000051
Filesize
16KB

MD5
5ac2a94b21e50cf51eceb678e9b6ace8

SHA1
363253ba0d4eb0c3d5c59330ad67c10b2b1c5021

SHA256
a00e3f2411441417544a86c36302fa79aeef0fa6f9e60ec30c9734ae157bac6d

SHA512
b8976275e39cbe659d7a3b4a4c3fc2e7cf1f183f269bcc6d59cdfd37d86dc444131949fa592e597b389c6d31dc577ef6a5ad7b6c34b4bd88913019fed42a6b8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00005c
Filesize
16KB

MD5
eb71f5d36955bf7b340e7830f38aae43

SHA1
26b22215302cba198a5eab5d4953a4f8fdf8569d

SHA256
478c63c26cb111a182c02206157ea202ad3e804b8bf1eff738c5c67e06445fa8

SHA512
58ab215af39f07947ab01bb10abbb2a35fde5493dcb920120b156aa6d757f4a020c6b44304ccee05e7484f159ffd5f6250b0938a56b0ae9219cf48c453ef743a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000062
Filesize
16KB

MD5
6b3f867a471213ae4bb3ea5299acecf4

SHA1
74d7cda60e43b0330605e244cf5850a8443eaf94

SHA256
60ab5d8a17520c16010221c751547923191d672fb12b11f6bf3eeb5309b9e3ba

SHA512
e651fea15751f9a5fbc1611708dac59e7da17ddac7e30f5bbbef0e9e5ab8e4dbabf261c9c9346b54bee60a8eb07df381ef3850f3dcf98ac6520de8b1be5e7c96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
e2f6463365ef9ef63f673c607eebec9b

SHA1
c76ae421dd0e055c4e9373df4067806ae99e231e

SHA256
b67dba6ab041e596e6f2d7802cebafd4117777f4fbe419acd5530ea79c816931

SHA512
0a65fe8635bf41dd8349ba1ac8424fa73271c16d1af44daa061c5555696484a212b5a355a4b136f34c6c8afd084e00cd39c69f52d1b222037e5ec2ba06056381

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
f423aca58c6018d86e0d8d9ed3287328

SHA1
cd9b595948d53ef925ee7c20d619b674d460e083

SHA256
3275c9d22930f5bb3f202ce9f0fb432ece8998ee797ef6db979c81e8c5784871

SHA512
765ec33088f51a4b16d696bee956e2c92644a4b80d486f36ecc97f91d9d66a231ab429f769af3bafbfeb7c329bee320a09bf34c40c05ef0f66abb5fc635fb90c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
15d05b307092a7c7e6486034eca4399f

SHA1
5c4bd20d666f60815ff811f0932bbd342f8b0654

SHA256
f4b4323c9fe70b527dd4fe6a29bbc1af699a3823bdecc710e69fa63e12aae1cd

SHA512
8be1e3b0b94df5ffde448a2a056fff46d4c97d74cd97ff5c8322a43342d0b766131f8915d6eb719b181107161c3bf69225b890f101e103ff626ef6bea72d23f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
11KB

MD5
91bbb9af944840389d1cd9cd8d548830

SHA1
8fcbd239bf6c1ae693153da0d2ecfd1b92e52e7e

SHA256
ee81afee735756425820bb4c7f5836d6f8553a62ed2d299c94bbabe7e9a0a323

SHA512
c1806c56e89eec478e6ca9b98aab9d6848e99b51abae99da6ca809e5a24d91af053c3576cab02ea265c2d594615ae79ed41bd1a909d34ee6abff5bce6f1fa3cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
361B

MD5
3c334b502f266bda467486dbd3dfed45

SHA1
3ac51e658b10a74f98ae47a262886f3f91f98d53

SHA256
20fed7feef539124d84102508a6540c6895c2cc551e81b9be60acb62981f8a22

SHA512
7582b674ad62ad07ebe48a17968dd0e77067844b624d92700ee32d7e4817d4f6e4c4189e07b0915720c51c19355bfa7731dd80d59e01b4d81e09a964d9b7a120

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
3KB

MD5
ad76d70bc8d2a86c3a4fb84858a3cd6b

SHA1
9ca3cbcde6a55a44043ab6102c569866c7a3894b

SHA256
b8da0c4d801cf07852c98251ecd2502b42b06704d5f7dc5ac8617e00e7b5db7f

SHA512
f22d6014132ef6b43a0daf81ecff8a182312c811713d8bf0bbd3cd64159f4e8f7cdb5bb99c7a37b2b823d21a6b012f415a47ba98edb0e4e584161022df6c6bcf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1007B

MD5
23c38090223d0b4f2d5645a7c252af54

SHA1
6b7466ff9402dd2fcaa288c37a1af6a4262f330d

SHA256
d920783dcf7af4143c8bebf37baabc3a27eddeccb2206ad108ea665442f066b8

SHA512
1d2c2b2b9781c8e18527b559bbe8f59a0ad995b3861912573301d54df680e046fa28a9bdc3e2748e94acd71351ae923b3254bc4489dcf4ff7b69c83a0ac9bde8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
31e4a5cbab764d43b59fbbe3734393f1

SHA1
dcf8e6da79d3aceb1d24a4fa2c5527f4c9c3120a

SHA256
b93aa5fcbb3317dcd074b57b1aa3638ad1975b5abafa9621295da1a4c547b8ae

SHA512
3cd2e4047a1ead956531382f30cee2a2a27345607becfc7a82a45a348c9f716b4cedc99f8798757639d75122436527a46e7046d9afd2c92777e56f70261a735b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
3253a2ce9d8ddde800d0dd05a0227073

SHA1
878d3554ee61690d3e58125207d4a1ee3771b6b5

SHA256
41cb7da5bd601260c658da5053ac789465cae00819ca8cc109dfb5ef5d7c83a4

SHA512
9b88cd97beb3013468b6068adafb1d5e26e57238eb7009b15c9820e229780c624032ba0775d9678797c6288de6766afb79d794f83e22eb59c9ba10e753979461

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
0e26fb5dbcc18e8721e151bd2cc5d324

SHA1
9ba6cdeec4f4242bbb6380b82666c9432e74fe37

SHA256
c3d2cb5724b407f71dc20176c3f8f957701213b8ffe47a00bf65d1db38a27dec

SHA512
b8d661be170da13ca5e75667b03239b12df5959d5a0c222f6f79b017e3d0a2380111391c8c8aae2ac2128e175afedfb055969d60c6648b87e764b38a98b9465a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
3KB

MD5
753b5b7de53b87e6fa1e91da91125144

SHA1
31d9c8fd06e622f854d78793baf2ea0bd402217a

SHA256
af86513422540fb61c3429a6a4a1e4fdc9d72559d9875b64b0038df40c7d835a

SHA512
6f1324b53ae222d50e422b37712b34e0cc7d3116774261514fb9760cef5e06481c56fa2d3cbaaa4ff7d8c88e41fc2b4f6655fe8f068acde2a80cd3499fa5ce2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
3KB

MD5
dbd873cf5e03e7fff793eef4de1fbde4

SHA1
e3ebe3c003ee117c0c73c5b131d7de69cc54c615

SHA256
38ff429f91ef9d1fff66e5a38cd37e4f5c395423d970531b23b559ac3c2d2c14

SHA512
249ab01108fc2bc6dadd20448dc077f8831f97c1e3597d89451679ffba92cf7660362d1b7bdcab09c56656f1631ae9595319bf6fdfbe0dfd51e117f578153a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7BE7.tmp
Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7BF9.tmp
Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35922\python311.dll
Filesize
1.6MB

MD5
bd41a26e89fc6bc661c53a2d4af35e3e

SHA1
8b52f7ab62ddb8c484a7da16efad33ce068635f6

SHA256
3cded5180dca1015347fd6ea44dbcc5ddd050adc7adbb99cf2991032320a5359

SHA512
b8dafc262d411e1c315754be4901d507893db04ea2d3f4b71cbdd0dab25d27f9274e7faf85ac880c85522d24fa57da06019c5910622003a305914cf8884ad02f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43562\python311.dll
Filesize
1.6MB

MD5
bd41a26e89fc6bc661c53a2d4af35e3e

SHA1
8b52f7ab62ddb8c484a7da16efad33ce068635f6

SHA256
3cded5180dca1015347fd6ea44dbcc5ddd050adc7adbb99cf2991032320a5359

SHA512
b8dafc262d411e1c315754be4901d507893db04ea2d3f4b71cbdd0dab25d27f9274e7faf85ac880c85522d24fa57da06019c5910622003a305914cf8884ad02f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_x86_20230607174625_000_vcRuntimeMinimum_x86.log
Filesize
2KB

MD5
1712f2bc41c1408c55b6b961393dd839

SHA1
9c6f1ab30d633b4e4662b3ccacd6eb4048b94fb3

SHA256
363a1dcded4f628aa4f16b9a00356affc1e4e1a432f8bb3d125eaf04e2f5583a

SHA512
358ae433d1c4937c148f6bbd8f71060ecd9169fbc4abef7d350c2964c1c1c58137f91a93f964fa156ede60bc4d39851378653553084828b6ce845242ae69fb9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_x86_20230607174625_001_vcRuntimeAdditional_x86.log
Filesize
2KB

MD5
020d78e175209e35d8a7ccb77eb26143

SHA1
4fe3239d1c0a1ad7af325525fb2f3160405c456e

SHA256
5c2015f8a874012af55f33501a3fb9875f5ee08b3c6de862c8660de33dc5bd21

SHA512
26f101d4ccc1c6c286a9f7beb6afb8f6c0ecf07f785400c2ef19e234226ca6fd8d410ffcba86bbdfe332203fdcdbb623488ed4d8e56bbab3529467d21b2172e6

Download Submit
C:\Windows\Installer\727b2a.msi
Filesize
180KB

MD5
7c87329a66d4c22f03acea4e817971f9

SHA1
12a2134fa09fd7df026ffc20bfe58a7d30d6ae73

SHA256
c78bc45113d0270c2154930761c3b74db714987a16c0fbe5e7a05fa3a853d0c8

SHA512
73f11aa3f9b3dbfba157a0d47dc61ff2a22509b61339882a9c2cee53ee335b18820700d7a413b81b426e71c83443f0d99bea8b3638b8b87ee9a42f01f404f955

Download Submit
C:\Windows\Temp\{0CE5BFA5-0392-4FD6-ACF3-B91099EF358E}\.cr\VC_redist.x86.exe
Filesize
634KB

MD5
415e8d504ea08ee2d8515fe87b820910

SHA1
e90f591c730bd39b8343ca3689b2c0ee85aaea5f

SHA256
e0e642106c94fd585782b75d1f942872d2bf99d870bed4216e5001e4ba3374c0

SHA512
e51f185c0e9d3eb4950a4c615285c6610a4977a696ed9f3297a551835097b2122566122231437002c82e2c5cf72a7a8f67362bff16b24c0abe05fe35dddbf6a1

Download Submit
C:\Windows\Temp\{0CE5BFA5-0392-4FD6-ACF3-B91099EF358E}\.cr\VC_redist.x86.exe
Filesize
634KB

MD5
415e8d504ea08ee2d8515fe87b820910

SHA1
e90f591c730bd39b8343ca3689b2c0ee85aaea5f

SHA256
e0e642106c94fd585782b75d1f942872d2bf99d870bed4216e5001e4ba3374c0

SHA512
e51f185c0e9d3eb4950a4c615285c6610a4977a696ed9f3297a551835097b2122566122231437002c82e2c5cf72a7a8f67362bff16b24c0abe05fe35dddbf6a1

Download Submit
C:\Windows\Temp\{5A8448D0-B66D-4B65-BD42-81245079CE47}\.ba\logo.png
Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{5A8448D0-B66D-4B65-BD42-81245079CE47}\.be\VC_redist.x86.exe
Filesize
634KB

MD5
415e8d504ea08ee2d8515fe87b820910

SHA1
e90f591c730bd39b8343ca3689b2c0ee85aaea5f

SHA256
e0e642106c94fd585782b75d1f942872d2bf99d870bed4216e5001e4ba3374c0

SHA512
e51f185c0e9d3eb4950a4c615285c6610a4977a696ed9f3297a551835097b2122566122231437002c82e2c5cf72a7a8f67362bff16b24c0abe05fe35dddbf6a1

Download Submit
C:\Windows\Temp\{5A8448D0-B66D-4B65-BD42-81245079CE47}\.be\VC_redist.x86.exe
Filesize
634KB

MD5
415e8d504ea08ee2d8515fe87b820910

SHA1
e90f591c730bd39b8343ca3689b2c0ee85aaea5f

SHA256
e0e642106c94fd585782b75d1f942872d2bf99d870bed4216e5001e4ba3374c0

SHA512
e51f185c0e9d3eb4950a4c615285c6610a4977a696ed9f3297a551835097b2122566122231437002c82e2c5cf72a7a8f67362bff16b24c0abe05fe35dddbf6a1

Download Submit
C:\Windows\Temp\{5A8448D0-B66D-4B65-BD42-81245079CE47}\.be\VC_redist.x86.exe
Filesize
634KB

MD5
415e8d504ea08ee2d8515fe87b820910

SHA1
e90f591c730bd39b8343ca3689b2c0ee85aaea5f

SHA256
e0e642106c94fd585782b75d1f942872d2bf99d870bed4216e5001e4ba3374c0

SHA512
e51f185c0e9d3eb4950a4c615285c6610a4977a696ed9f3297a551835097b2122566122231437002c82e2c5cf72a7a8f67362bff16b24c0abe05fe35dddbf6a1

Download Submit
C:\Windows\Temp\{5A8448D0-B66D-4B65-BD42-81245079CE47}\cab54A5CABBE7274D8A22EB58060AAB7623
Filesize
800KB

MD5
f706d550cf905648ccb55b47e1364022

SHA1
3c382bfe0c4c14c1ed6cbe88d6a69ad6be28a08f

SHA256
7be2d324f0cb063be8335982096f17ed4f08a7592130e04459ae818824016589

SHA512
3c946d88447504c94227fec259bbeed7ef458a0740c12345e425821644f8e0d9358b68582a1f6e1b74597b5dfd2976f328b706a72df30e3c76c899cd435a349a

Download Submit
C:\Windows\Temp\{5A8448D0-B66D-4B65-BD42-81245079CE47}\cabB3E1576D1FEFBB979E13B1A5379E0B16
Filesize
4.9MB

MD5
d141d64b6a3287548847abf5b4c1bc7e

SHA1
a161b984bb24d135353701e445a6a0babc5d25b3

SHA256
e38280421473e79ebaaa8398d86974fc7100cc8ec1c3273fb9bfe4f672c918a6

SHA512
282f64d928e19cf107b19ad39da1150045b60efb9ad599d827f9dde5f20a5bb499ea5996464a1f2ac79c21ec9af9307a363072f172f92c6669ea00c0ec48753f

Download Submit
C:\Windows\Temp\{5A8448D0-B66D-4B65-BD42-81245079CE47}\vcRuntimeAdditional_x86
Filesize
180KB

MD5
df1b1ee46deb824a89f18e228f8a4a41

SHA1
001d86480ce0a9e1b2fed8c48296bb3384dad793

SHA256
ff8884498c3174b7d2bd35bd1a43d75d3538dca2c0821ca5876fa45eb2c8a47f

SHA512
6587452fa6ebef2eac6634cd3c6d8629cdcd9f214a5a13cfbebfd232318a3a5d3cd5d3c9baa721270f5283d3127d36475d40071132ba063bdda49bc48cc21fab

Download Submit
C:\Windows\Temp\{5A8448D0-B66D-4B65-BD42-81245079CE47}\vcRuntimeMinimum_x86
Filesize
180KB

MD5
7c87329a66d4c22f03acea4e817971f9

SHA1
12a2134fa09fd7df026ffc20bfe58a7d30d6ae73

SHA256
c78bc45113d0270c2154930761c3b74db714987a16c0fbe5e7a05fa3a853d0c8

SHA512
73f11aa3f9b3dbfba157a0d47dc61ff2a22509b61339882a9c2cee53ee335b18820700d7a413b81b426e71c83443f0d99bea8b3638b8b87ee9a42f01f404f955

Download Submit
C:\Windows\Temp\{B24CAAC6-8798-4958-9D84-62AC4EDD3475}\.ba\wixstdba.dll
Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\WindowsUpdate.log
Filesize
16KB

MD5
b9979b859a80711e9c5e81f713e8f0cc

SHA1
d1e839e80b96c9442e38016e347cc843a92258be

SHA256
d8802bb623132469b5de52006e7a01a6270a27737e50f61548b4710902d4b722

SHA512
349d7e20fb080c047d786e6dc5530341792aec297752732891a71ff3172a9da2cb7be8d7d0226f93241e6f36d8e24e4d3615e97eeaca45750d40d51a05e25371

Download Submit
\??\pipe\crashpad_484_FWEJPREUHMFWAAOK
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI35922\python311.dll
Filesize
1.6MB

MD5
bd41a26e89fc6bc661c53a2d4af35e3e

SHA1
8b52f7ab62ddb8c484a7da16efad33ce068635f6

SHA256
3cded5180dca1015347fd6ea44dbcc5ddd050adc7adbb99cf2991032320a5359

SHA512
b8dafc262d411e1c315754be4901d507893db04ea2d3f4b71cbdd0dab25d27f9274e7faf85ac880c85522d24fa57da06019c5910622003a305914cf8884ad02f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI43562\python311.dll
Filesize
1.6MB

MD5
bd41a26e89fc6bc661c53a2d4af35e3e

SHA1
8b52f7ab62ddb8c484a7da16efad33ce068635f6

SHA256
3cded5180dca1015347fd6ea44dbcc5ddd050adc7adbb99cf2991032320a5359

SHA512
b8dafc262d411e1c315754be4901d507893db04ea2d3f4b71cbdd0dab25d27f9274e7faf85ac880c85522d24fa57da06019c5910622003a305914cf8884ad02f

Download Submit
\Windows\Temp\{0CE5BFA5-0392-4FD6-ACF3-B91099EF358E}\.cr\VC_redist.x86.exe
Filesize
634KB

MD5
415e8d504ea08ee2d8515fe87b820910

SHA1
e90f591c730bd39b8343ca3689b2c0ee85aaea5f

SHA256
e0e642106c94fd585782b75d1f942872d2bf99d870bed4216e5001e4ba3374c0

SHA512
e51f185c0e9d3eb4950a4c615285c6610a4977a696ed9f3297a551835097b2122566122231437002c82e2c5cf72a7a8f67362bff16b24c0abe05fe35dddbf6a1

Download Submit
\Windows\Temp\{5A8448D0-B66D-4B65-BD42-81245079CE47}\.ba\wixstdba.dll
Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
\Windows\Temp\{5A8448D0-B66D-4B65-BD42-81245079CE47}\.be\VC_redist.x86.exe
Filesize
634KB

MD5
415e8d504ea08ee2d8515fe87b820910

SHA1
e90f591c730bd39b8343ca3689b2c0ee85aaea5f

SHA256
e0e642106c94fd585782b75d1f942872d2bf99d870bed4216e5001e4ba3374c0

SHA512
e51f185c0e9d3eb4950a4c615285c6610a4977a696ed9f3297a551835097b2122566122231437002c82e2c5cf72a7a8f67362bff16b24c0abe05fe35dddbf6a1

Download Submit
\Windows\Temp\{B24CAAC6-8798-4958-9D84-62AC4EDD3475}\.ba\wixstdba.dll
Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
memory/332-85-0x00000000067A0000-0x00000000067E0000-memory.dmp

Filesize
256KB

Download
memory/332-78-0x0000000007850000-0x0000000007B82000-memory.dmp

Filesize
3.2MB

Download
memory/332-86-0x00000000067A0000-0x00000000067E0000-memory.dmp

Filesize
256KB

Download
memory/332-119-0x00000000067A0000-0x00000000067E0000-memory.dmp

Filesize
256KB

Download
memory/332-57-0x00000000067A0000-0x00000000067E0000-memory.dmp

Filesize
256KB

Download
memory/332-54-0x0000000000900000-0x0000000002484000-memory.dmp

Filesize
27.5MB

Download
memory/1876-376-0x000007FEF3AC0000-0x000007FEF40A9000-memory.dmp

Filesize
5.9MB

Download
memory/4168-990-0x000007FEF5E10000-0x000007FEF63F9000-memory.dmp

Filesize
5.9MB

Download