bumblebee | 0f30beb3de8cf1eff1998c8fefc4884e2bcea97b979783f243f6fcf008b32f30

Resubmissions

23-06-2023 03:02

230623-djzhbacg8z 10

23-06-2023 01:00

230623-bcm5lacb9y 10

Analysis

max time kernel
851s
max time network
850s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
23-06-2023 03:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1270e29d9a235bb456db76f5c88042eb06964145dd2b31f2ef87d5af1254e57.dll
Size

2.5MB
MD5

04889da884690bd296877a6a2453a715
SHA1

235a8e9a16a4e963fb2c453cbb469ea3e1590da3
SHA256

d1270e29d9a235bb456db76f5c88042eb06964145dd2b31f2ef87d5af1254e57
SHA512

74875267c6b96ef6c44ac19021f96213cd115061f881b22d849ebc98aa21c92af64f46c86b908b2da53d3f6fe8d9e7bd291ce11882cff0d11bf1294a39c58cc2
SSDEEP

49152:Z0wKKSxGGChwZr059ETh7eT4lPo39vRa0Kx6TGpJah:Z0AuYwpOW7Y4lPora0NMa

Score

10^/10

bumblebee msi11606 trojan

Malware Config

Extracted

Family

bumblebee

Botnet

msi11606

176.111.174.67:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
884	regsvr32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133319632217258222"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe
4920	chrome.exe
4920	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2404	chrome.exe
Token: SeCreatePagefilePrivilege	2404	chrome.exe
Token: SeShutdownPrivilege	2404	chrome.exe
Token: SeCreatePagefilePrivilege	2404	chrome.exe
Token: SeShutdownPrivilege	2404	chrome.exe
Token: SeCreatePagefilePrivilege	2404	chrome.exe
Token: SeShutdownPrivilege	2404	chrome.exe
Token: SeCreatePagefilePrivilege	2404	chrome.exe
Token: SeShutdownPrivilege	2404	chrome.exe
Token: SeCreatePagefilePrivilege	2404	chrome.exe
Token: SeShutdownPrivilege	2404	chrome.exe
Token: SeCreatePagefilePrivilege	2404	chrome.exe
Token: SeShutdownPrivilege	2404	chrome.exe
Token: SeCreatePagefilePrivilege	2404	chrome.exe
Token: SeShutdownPrivilege	2404	chrome.exe
Token: SeCreatePagefilePrivilege	2404	chrome.exe
Token: SeShutdownPrivilege	2404	chrome.exe
Token: SeCreatePagefilePrivilege	2404	chrome.exe
Token: SeShutdownPrivilege	2404	chrome.exe
Token: SeCreatePagefilePrivilege	2404	chrome.exe
Token: SeShutdownPrivilege	2404	chrome.exe
Token: SeCreatePagefilePrivilege	2404	chrome.exe
Token: SeShutdownPrivilege	2404	chrome.exe
Token: SeCreatePagefilePrivilege	2404	chrome.exe
Token: SeShutdownPrivilege	2404	chrome.exe
Token: SeCreatePagefilePrivilege	2404	chrome.exe
Token: SeShutdownPrivilege	2404	chrome.exe
Token: SeCreatePagefilePrivilege	2404	chrome.exe
Token: SeShutdownPrivilege	2404	chrome.exe
Token: SeCreatePagefilePrivilege	2404	chrome.exe
Token: SeShutdownPrivilege	2404	chrome.exe
Token: SeCreatePagefilePrivilege	2404	chrome.exe
Token: SeShutdownPrivilege	2404	chrome.exe
Token: SeCreatePagefilePrivilege	2404	chrome.exe
Token: SeShutdownPrivilege	2404	chrome.exe
Token: SeCreatePagefilePrivilege	2404	chrome.exe
Token: SeShutdownPrivilege	2404	chrome.exe
Token: SeCreatePagefilePrivilege	2404	chrome.exe
Token: SeShutdownPrivilege	2404	chrome.exe
Token: SeCreatePagefilePrivilege	2404	chrome.exe
Token: SeShutdownPrivilege	2404	chrome.exe
Token: SeCreatePagefilePrivilege	2404	chrome.exe
Token: SeShutdownPrivilege	2404	chrome.exe
Token: SeCreatePagefilePrivilege	2404	chrome.exe
Token: SeShutdownPrivilege	2404	chrome.exe
Token: SeCreatePagefilePrivilege	2404	chrome.exe
Token: SeShutdownPrivilege	2404	chrome.exe
Token: SeCreatePagefilePrivilege	2404	chrome.exe
Token: SeShutdownPrivilege	2404	chrome.exe
Token: SeCreatePagefilePrivilege	2404	chrome.exe
Token: SeShutdownPrivilege	2404	chrome.exe
Token: SeCreatePagefilePrivilege	2404	chrome.exe
Token: SeShutdownPrivilege	2404	chrome.exe
Token: SeCreatePagefilePrivilege	2404	chrome.exe
Token: SeShutdownPrivilege	2404	chrome.exe
Token: SeCreatePagefilePrivilege	2404	chrome.exe
Token: SeShutdownPrivilege	2404	chrome.exe
Token: SeCreatePagefilePrivilege	2404	chrome.exe
Token: SeShutdownPrivilege	2404	chrome.exe
Token: SeCreatePagefilePrivilege	2404	chrome.exe
Token: SeShutdownPrivilege	2404	chrome.exe
Token: SeCreatePagefilePrivilege	2404	chrome.exe
Token: SeShutdownPrivilege	2404	chrome.exe
Token: SeCreatePagefilePrivilege	2404	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe
2404	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 2940	2404	chrome.exe	83
PID 2404 wrote to memory of 2940	2404	chrome.exe	83
PID 2404 wrote to memory of 664	2404	chrome.exe	85
PID 2404 wrote to memory of 664	2404	chrome.exe	85
PID 2404 wrote to memory of 664	2404	chrome.exe	85
PID 2404 wrote to memory of 664	2404	chrome.exe	85
PID 2404 wrote to memory of 664	2404	chrome.exe	85
PID 2404 wrote to memory of 664	2404	chrome.exe	85
PID 2404 wrote to memory of 664	2404	chrome.exe	85
PID 2404 wrote to memory of 664	2404	chrome.exe	85
PID 2404 wrote to memory of 664	2404	chrome.exe	85
PID 2404 wrote to memory of 664	2404	chrome.exe	85
PID 2404 wrote to memory of 664	2404	chrome.exe	85
PID 2404 wrote to memory of 664	2404	chrome.exe	85
PID 2404 wrote to memory of 664	2404	chrome.exe	85
PID 2404 wrote to memory of 664	2404	chrome.exe	85
PID 2404 wrote to memory of 664	2404	chrome.exe	85
PID 2404 wrote to memory of 664	2404	chrome.exe	85
PID 2404 wrote to memory of 664	2404	chrome.exe	85
PID 2404 wrote to memory of 664	2404	chrome.exe	85
PID 2404 wrote to memory of 664	2404	chrome.exe	85
PID 2404 wrote to memory of 664	2404	chrome.exe	85
PID 2404 wrote to memory of 664	2404	chrome.exe	85
PID 2404 wrote to memory of 664	2404	chrome.exe	85
PID 2404 wrote to memory of 664	2404	chrome.exe	85
PID 2404 wrote to memory of 664	2404	chrome.exe	85
PID 2404 wrote to memory of 664	2404	chrome.exe	85
PID 2404 wrote to memory of 664	2404	chrome.exe	85
PID 2404 wrote to memory of 664	2404	chrome.exe	85
PID 2404 wrote to memory of 664	2404	chrome.exe	85
PID 2404 wrote to memory of 664	2404	chrome.exe	85
PID 2404 wrote to memory of 664	2404	chrome.exe	85
PID 2404 wrote to memory of 664	2404	chrome.exe	85
PID 2404 wrote to memory of 664	2404	chrome.exe	85
PID 2404 wrote to memory of 664	2404	chrome.exe	85
PID 2404 wrote to memory of 664	2404	chrome.exe	85
PID 2404 wrote to memory of 664	2404	chrome.exe	85
PID 2404 wrote to memory of 664	2404	chrome.exe	85
PID 2404 wrote to memory of 664	2404	chrome.exe	85
PID 2404 wrote to memory of 664	2404	chrome.exe	85
PID 2404 wrote to memory of 768	2404	chrome.exe	86
PID 2404 wrote to memory of 768	2404	chrome.exe	86
PID 2404 wrote to memory of 2356	2404	chrome.exe	87
PID 2404 wrote to memory of 2356	2404	chrome.exe	87
PID 2404 wrote to memory of 2356	2404	chrome.exe	87
PID 2404 wrote to memory of 2356	2404	chrome.exe	87
PID 2404 wrote to memory of 2356	2404	chrome.exe	87
PID 2404 wrote to memory of 2356	2404	chrome.exe	87
PID 2404 wrote to memory of 2356	2404	chrome.exe	87
PID 2404 wrote to memory of 2356	2404	chrome.exe	87
PID 2404 wrote to memory of 2356	2404	chrome.exe	87
PID 2404 wrote to memory of 2356	2404	chrome.exe	87
PID 2404 wrote to memory of 2356	2404	chrome.exe	87
PID 2404 wrote to memory of 2356	2404	chrome.exe	87
PID 2404 wrote to memory of 2356	2404	chrome.exe	87
PID 2404 wrote to memory of 2356	2404	chrome.exe	87
PID 2404 wrote to memory of 2356	2404	chrome.exe	87
PID 2404 wrote to memory of 2356	2404	chrome.exe	87
PID 2404 wrote to memory of 2356	2404	chrome.exe	87
PID 2404 wrote to memory of 2356	2404	chrome.exe	87
PID 2404 wrote to memory of 2356	2404	chrome.exe	87
PID 2404 wrote to memory of 2356	2404	chrome.exe	87
PID 2404 wrote to memory of 2356	2404	chrome.exe	87
PID 2404 wrote to memory of 2356	2404	chrome.exe	87

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\d1270e29d9a235bb456db76f5c88042eb06964145dd2b31f2ef87d5af1254e57.dll
1⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
PID:884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffca8e19758,0x7ffca8e19768,0x7ffca8e19778
  2⤵
  PID:2940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1868 --field-trial-handle=1880,i,11865848812324465763,17631876703721539767,131072 /prefetch:2
  2⤵
  PID:664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1648 --field-trial-handle=1880,i,11865848812324465763,17631876703721539767,131072 /prefetch:8
  2⤵
  PID:768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2300 --field-trial-handle=1880,i,11865848812324465763,17631876703721539767,131072 /prefetch:8
  2⤵
  PID:2356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3244 --field-trial-handle=1880,i,11865848812324465763,17631876703721539767,131072 /prefetch:1
  2⤵
  PID:3624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3384 --field-trial-handle=1880,i,11865848812324465763,17631876703721539767,131072 /prefetch:1
  2⤵
  PID:1440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4552 --field-trial-handle=1880,i,11865848812324465763,17631876703721539767,131072 /prefetch:1
  2⤵
  PID:4368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4652 --field-trial-handle=1880,i,11865848812324465763,17631876703721539767,131072 /prefetch:8
  2⤵
  PID:1800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4792 --field-trial-handle=1880,i,11865848812324465763,17631876703721539767,131072 /prefetch:8
  2⤵
  PID:1844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4704 --field-trial-handle=1880,i,11865848812324465763,17631876703721539767,131072 /prefetch:8
  2⤵
  PID:3312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 --field-trial-handle=1880,i,11865848812324465763,17631876703721539767,131072 /prefetch:8
  2⤵
  PID:868
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:1448
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff750e07688,0x7ff750e07698,0x7ff750e076a8
    3⤵
    PID:3736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5388 --field-trial-handle=1880,i,11865848812324465763,17631876703721539767,131072 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5468 --field-trial-handle=1880,i,11865848812324465763,17631876703721539767,131072 /prefetch:1
  2⤵
  PID:640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4576 --field-trial-handle=1880,i,11865848812324465763,17631876703721539767,131072 /prefetch:1
  2⤵
  PID:3464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3408 --field-trial-handle=1880,i,11865848812324465763,17631876703721539767,131072 /prefetch:1
  2⤵
  PID:4472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 --field-trial-handle=1880,i,11865848812324465763,17631876703721539767,131072 /prefetch:8
  2⤵
  PID:3864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 --field-trial-handle=1880,i,11865848812324465763,17631876703721539767,131072 /prefetch:8
  2⤵
  PID:2712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5204 --field-trial-handle=1880,i,11865848812324465763,17631876703721539767,131072 /prefetch:1
  2⤵
  PID:3148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5208 --field-trial-handle=1880,i,11865848812324465763,17631876703721539767,131072 /prefetch:1
  2⤵
  PID:4372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --pdf-renderer --disable-gpu-compositing --lang=en-US --js-flags=--jitless --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5320 --field-trial-handle=1880,i,11865848812324465763,17631876703721539767,131072 /prefetch:1
  2⤵
  PID:1672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5796 --field-trial-handle=1880,i,11865848812324465763,17631876703721539767,131072 /prefetch:8
  2⤵
  PID:4736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5624 --field-trial-handle=1880,i,11865848812324465763,17631876703721539767,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4920

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\SetupMetrics\20230623030702.pma

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000018

Filesize
49KB

MD5
8991c3ec80ec8fbc41382a55679e3911

SHA1
8cc8cee91d671038acd9e3ae611517d6801b0909

SHA256
f55bacd4a20fef96f5c736a912d1947be85c268df18003395e511c1e860e8800

SHA512
4968a21d8cb9821282d10ba2d19f549a07f996b9fa2cdbcc677ac9901627c71578b1fc65db3ca78e56a47da382e89e52ac16fee8437caa879ece2cfba48c5a6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000032

Filesize
72KB

MD5
eb18b81d95495a85e9a9ef1d69ec0aa3

SHA1
979c34033cb28a7ec034e3805778026c1fafb429

SHA256
73dac8d2c97e984fd8d1d3e580dd04af4b20d0796a73f1a867abc73a16786635

SHA512
c096ceb2cdd81ac92cbb324cf7e814f099464ecb74b9f8631cb9fb7b5cc06a8919138ddc455308679921720b9dc6fbefba6388aa4a1c110c89973f2166fc03e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
912B

MD5
044dad361c6fa83294606615d66b8177

SHA1
db67584dde476d9a0bd8737aa6a9c484fc7a4f87

SHA256
47310a8296b241f157aa1951b7733c811ce2864b084797467851485bf1e98404

SHA512
a4f76f1110857b9f70a5eab0ed1ebee0c836ce5e8beca8c8420ba3a381d9efb50db50e538447b1320bd7e8f661817fbaa3318c99b40eb937d1d4dcf1ca8d63bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
adf8ab6ec4d111c4362e0646040cfc6f

SHA1
74499edfcfa6d021383e987d1fbb5391d15956ae

SHA256
05a95f5c3f278fb86129f1536d404c669365f6d2252cf6317179ded83611884d

SHA512
c69934e1911258356152ae606e62906b00cd4fec3faa456dbe482678a3c7ef8323036d63290f1d095147384381d894af8a61a65d0c371c345cf00d32ceff3548

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
940703c2d26760d7ee200e55b64bc11e

SHA1
5c3a160265de0e762025815310c5a56e2dc97c9d

SHA256
f712365591783e70cb8d629c450ac36aaa79f01d9fd2733802299ac93dac37d6

SHA512
3e38ba5f2f2cd018104cb8114115e72512700a4cc30c2d0cf4dd0e5f4ada6c71e5d1b590b850af891faa27562e42a735bf80e384449b8432e670eea1dae8ef48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
c37d1a9186522275e57a836be45da05f

SHA1
34a37490c735a122bb6f3868b7dd7b3984ae5189

SHA256
c3cebed7dd59c4999f6a9cd32038b34439952d6af442ee127a401c02816f7ba7

SHA512
66f5283f22a6a6c30c2c67d29634ad2f5051f8cfcd6dcebd605d19b284dadd661224752f40a37f9d2252eadb2c78bf233f41895f27b1526e31675ac22de476da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
1910f43eed997dd66c55afec8de021ce

SHA1
492b0b8231c4b65c3d99bc1c95a0584d2d50f391

SHA256
d25fab54a088c53000cafcf82c4d8764e9a933218dd535add668a951bd3ea849

SHA512
103871c21606f6f656feb038b2ec5afd5faff0ec970f4836f1e5feb1f432442b89f6aa2e7a0d8eb6daae641a041ded6c45e50a674b7d8bd2d5586a1c5fee4729

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
b7aa3e97adbce0505681d10c0dab30f6

SHA1
aa987dc5c1ef28505e71cffa2fd56aa8504b7c0f

SHA256
e2d689bc7b4b61dd20ead15374bb718ee2639258773487ec576f96fc8e18e4a8

SHA512
ba5a613d7b5806a0c459df0852e5f06ebe1313b1b063ed6dd94df8f005202e95e37f184999bc02c7c0a46b83f51352f781c3c0375a9b01f7f01d1fbdfd853fe3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
a5d8659387332acef2f7f7f12baa401d

SHA1
e2b07d725969be5bb3686530a94a3a72f95dc873

SHA256
274f64706405fbdd96b25b61cd736ad15e47d090bba1927914b2841052b858d7

SHA512
8eb0593a75f63ac9fc28eeada919a89d7cf8ec72038855e23d5af7d331ab21026543d2ad95d1d183f873aefb007e920a569427f0ef9099cdef991259e8082d7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
98932e60d14ab4c2a5329807a8d6dfb8

SHA1
2a9944793cbcd4e31d9b9123b5da279dfc19ba7a

SHA256
5ff02ac651696d0fd456dc6bcacd50172cb58108ba4546e02a168300dd0b6ba6

SHA512
f19a346cb67be1bf77692a8e8c9bc2550afebde0cf145dfbda4a58955378385240654f305d67594c76a1cbf98d952656f92c6ba543bf7e2543442bcb40ba6504

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
c3c6a2496de87807bfe702df1f867e20

SHA1
d09456a2c8ba28a1a18e4f8ade4ec4bcf6be1a5a

SHA256
525cd74d09df4b4bc07e694850e16ed2e2d532076ec475cb501c21c365e68089

SHA512
291e15caee77d283cb22c1ad44a095b8edfc95891bec6d5276e6786a20a98bd8db17d992496a6d334fb91a2719ad9649e0109d27407f4e03c8cc1754342812bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
fa5a5caee73267b5ac7468a554d6d899

SHA1
b36df14281abee5315b1453a2b6e806c753abef3

SHA256
aa04464600b5084ed2eb08309802e34814bb6d2ae86495cbdc3d75c00d8872e5

SHA512
423559d479a6e2ae0e40d52b0800c71d13d5871089c2fd444a73e0e408d2ce40698eea5c9cf542e33c1fbcccf17626ad9782cfc329ebc722af6afa3255f36e61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
89KB

MD5
2e24b4f7607ee0f2f41062d1c8bf010f

SHA1
5583fb4e50628615a03ee5a8150ed72f8d6331f1

SHA256
3989ddf86589845966ddfa5a8f88b38653ff03ef8be075bc119229f7b3131fb5

SHA512
626fe21f0783a5797755048d5f4596a8fa225568b5308393097ce217efd2f6d011e300214adcad0fbde9e0d4a9f4ae6c20c99d0cd18bc6db74b48ee0b68357b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
175KB

MD5
3dded42dc1c238a51b917bd756d24d3e

SHA1
82ace3af4bfe5b75ed2e680bd2c391764a896205

SHA256
c6228a8d2946d3611ed79b65a4ecb92745aea1e1351fe8873112617695a30801

SHA512
543fbce48f5d1ab008603d9dbf18cc27ff2c2d6905b7eba35c2f2f85ae976466e829b7a2ecd9fec654dfd31b89d4551bad69ec7278ecd32e9379fdc7287ade2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
175KB

MD5
5882800c7a491d46a4d2d661629fb284

SHA1
b5bf7ff2895fb765654701670f9dd28539279833

SHA256
2bc74cfeb56ac004737fedf3eb6acbeea2c2d8c50561e7c5bb932dd79ff0479c

SHA512
3ee4c1e899e6aae9326726126d0bc753e0780b87e74a22da4655538a374decf2b685f13b23ca775a7660f3d32f53a806c4a0cf2c43efc22fbe0a0db88e2de5d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
175KB

MD5
ced0798846eb8f28a063ddd43f9aec63

SHA1
28a49bae2607a58717db501ebe2f24d2bb6b1f4a

SHA256
0fa072c6fd5458d4d936e170fd9912ed44f30c5d8b5a2f05cfa7948a99229636

SHA512
3f451002a5d6f8c256a785a4b285c972aab1a0794510f4f68632982809923833a836b27619d1907eb1b6f48409d2f973e2b0272d97ef97580ba15959c2e9cc97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
175KB

MD5
ddc000c5e5d788915678861ee93b72bc

SHA1
e8f6ed0ae806a5eff9851d34a5b552ff353fcb40

SHA256
f56bb21b581edff6dc038f96ab70ef310b7fe55a98f187705929d40286392029

SHA512
e989cae9ac1f3e8f8fbf0559ec467f431a4e0a71f0c7b70ebf224ac6a91760a85508351c926d6a8bed2f9c16ef3dd7060e6dfe660aa03b85c01684819e1766fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
175KB

MD5
3ba926967075fd5254d441cc453a2d97

SHA1
01609eaeaa000a5cacf247c0588731d709421991

SHA256
1bf251b27d389ea298685edf824c6ced175d34e0cbe4f4a8491264ecb67a086f

SHA512
5429489efd651134a58a845120d53a869144842ffd97c47b2ee4c9a6a4d71e927c588a8ac90af98c73072f13187882a790fe76a87aeb7e4094843707f0659379

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
105KB

MD5
666ec8ae7973f6cb32d2594a60d764b1

SHA1
50ffb943c35e98b62db5e98337546b1ffb46def3

SHA256
8d49c6acb20b77f423f4a36a143fc193d8eb1451f954529e46dc989e9c3ac4d2

SHA512
1b0cf05cbefb18438d3dbb857dc313cb20c1e163f4f6f32eaa0c579d0a5c597a9a43c6f6680eb3163d7758ec2e3358641156a3b958306853032c4962d44ef328

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5ac063.TMP

Filesize
104KB

MD5
9d075356727320f69328f1a5c8befcc6

SHA1
7d2d211825cb4cc35006477dfc97688800e9487f

SHA256
a0b7ec3fc3a2e240cb9679b733d6bfda081c32a5352cce5e9a1a9eb93e52ae33

SHA512
cb5041d9c321a73daf8b2d547a5aa5b16ce844789eaa00b2d341f03c8ac0599cc4a20ecfbe89419f0f3de8c796f0689d38676ee5841ccff412aa3a0c819a077d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
memory/884-133-0x0000000002D00000-0x0000000002E61000-memory.dmp

Filesize
1.4MB

Download
memory/884-138-0x0000000002B90000-0x0000000002CF6000-memory.dmp

Filesize
1.4MB

Download
memory/884-137-0x0000000002D00000-0x0000000002E61000-memory.dmp

Filesize
1.4MB

Download
memory/884-136-0x0000000002D00000-0x0000000002E61000-memory.dmp

Filesize
1.4MB

Download
memory/884-135-0x0000000002D00000-0x0000000002E61000-memory.dmp

Filesize
1.4MB

Download
memory/884-134-0x0000000002D00000-0x0000000002E61000-memory.dmp

Filesize
1.4MB

Download