5811521cf05b04befec57554827f8426ea8743bcca3c7838872d1f58e4149cbb

Resubmissions

14-07-2023 23:09

230714-25e8kagd25 7

14-07-2023 23:06

230714-23dlysgc93 10

Analysis

max time kernel
87s
max time network
92s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
14-07-2023 23:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e79c13a28916ebea69f02e12964f9a8c.exe
Size

243KB
MD5

e79c13a28916ebea69f02e12964f9a8c
SHA1

b0a0b11f5c02aacf78cf85efcfc1b2848eec22ea
SHA256

5811521cf05b04befec57554827f8426ea8743bcca3c7838872d1f58e4149cbb
SHA512

791e585ff93f5f4b67897dca917c810a8ff793644be9e6a821e70f69c85ad2aeacc8f4b08e63b04cdf81eaf500ce7dd40795e540208a69ed2e7e96324f92f90c
SSDEEP

3072:XbGjTL3+5Pe2qFaguU9VoB90V7hEqzKwRxztCFtzr8OLbwANmz8Py5wiQ:sL3ce2qdDVy27wwR/CDrbb1mz8P3Z

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2084	656	WerFault.exe	83
1272	3956	WerFault.exe	108

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133338498423405474"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-618519468-4027732583-1827558364-1000\{19F7EED0-8140-468C-BE6B-EFE65D73F45E}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
656	e79c13a28916ebea69f02e12964f9a8c.exe
656	e79c13a28916ebea69f02e12964f9a8c.exe
1144	taskmgr.exe
656	e79c13a28916ebea69f02e12964f9a8c.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
5064	chrome.exe
5064	chrome.exe
3956	e79c13a28916ebea69f02e12964f9a8c.exe
3956	e79c13a28916ebea69f02e12964f9a8c.exe
3956	e79c13a28916ebea69f02e12964f9a8c.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1144	taskmgr.exe
Token: SeSystemProfilePrivilege	1144	taskmgr.exe
Token: SeCreateGlobalPrivilege	1144	taskmgr.exe
Token: SeDebugPrivilege	656	e79c13a28916ebea69f02e12964f9a8c.exe
Token: 33	1144	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1144	taskmgr.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeDebugPrivilege	3956	e79c13a28916ebea69f02e12964f9a8c.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe
Token: SeCreatePagefilePrivilege	5064	chrome.exe
Token: SeShutdownPrivilege	5064	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
1144	taskmgr.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe
5064	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5064 wrote to memory of 3272	5064	chrome.exe	111
PID 5064 wrote to memory of 3272	5064	chrome.exe	111
PID 5064 wrote to memory of 4324	5064	chrome.exe	112
PID 5064 wrote to memory of 4324	5064	chrome.exe	112
PID 5064 wrote to memory of 4324	5064	chrome.exe	112
PID 5064 wrote to memory of 4324	5064	chrome.exe	112
PID 5064 wrote to memory of 4324	5064	chrome.exe	112
PID 5064 wrote to memory of 4324	5064	chrome.exe	112
PID 5064 wrote to memory of 4324	5064	chrome.exe	112
PID 5064 wrote to memory of 4324	5064	chrome.exe	112
PID 5064 wrote to memory of 4324	5064	chrome.exe	112
PID 5064 wrote to memory of 4324	5064	chrome.exe	112
PID 5064 wrote to memory of 4324	5064	chrome.exe	112
PID 5064 wrote to memory of 4324	5064	chrome.exe	112
PID 5064 wrote to memory of 4324	5064	chrome.exe	112
PID 5064 wrote to memory of 4324	5064	chrome.exe	112
PID 5064 wrote to memory of 4324	5064	chrome.exe	112
PID 5064 wrote to memory of 4324	5064	chrome.exe	112
PID 5064 wrote to memory of 4324	5064	chrome.exe	112
PID 5064 wrote to memory of 4324	5064	chrome.exe	112
PID 5064 wrote to memory of 4324	5064	chrome.exe	112
PID 5064 wrote to memory of 4324	5064	chrome.exe	112
PID 5064 wrote to memory of 4324	5064	chrome.exe	112
PID 5064 wrote to memory of 4324	5064	chrome.exe	112
PID 5064 wrote to memory of 4324	5064	chrome.exe	112
PID 5064 wrote to memory of 4324	5064	chrome.exe	112
PID 5064 wrote to memory of 4324	5064	chrome.exe	112
PID 5064 wrote to memory of 4324	5064	chrome.exe	112
PID 5064 wrote to memory of 4324	5064	chrome.exe	112
PID 5064 wrote to memory of 4324	5064	chrome.exe	112
PID 5064 wrote to memory of 4324	5064	chrome.exe	112
PID 5064 wrote to memory of 4324	5064	chrome.exe	112
PID 5064 wrote to memory of 4324	5064	chrome.exe	112
PID 5064 wrote to memory of 4324	5064	chrome.exe	112
PID 5064 wrote to memory of 4324	5064	chrome.exe	112
PID 5064 wrote to memory of 4324	5064	chrome.exe	112
PID 5064 wrote to memory of 4324	5064	chrome.exe	112
PID 5064 wrote to memory of 4324	5064	chrome.exe	112
PID 5064 wrote to memory of 4324	5064	chrome.exe	112
PID 5064 wrote to memory of 4324	5064	chrome.exe	112
PID 5064 wrote to memory of 4712	5064	chrome.exe	113
PID 5064 wrote to memory of 4712	5064	chrome.exe	113
PID 5064 wrote to memory of 476	5064	chrome.exe	114
PID 5064 wrote to memory of 476	5064	chrome.exe	114
PID 5064 wrote to memory of 476	5064	chrome.exe	114
PID 5064 wrote to memory of 476	5064	chrome.exe	114
PID 5064 wrote to memory of 476	5064	chrome.exe	114
PID 5064 wrote to memory of 476	5064	chrome.exe	114
PID 5064 wrote to memory of 476	5064	chrome.exe	114
PID 5064 wrote to memory of 476	5064	chrome.exe	114
PID 5064 wrote to memory of 476	5064	chrome.exe	114
PID 5064 wrote to memory of 476	5064	chrome.exe	114
PID 5064 wrote to memory of 476	5064	chrome.exe	114
PID 5064 wrote to memory of 476	5064	chrome.exe	114
PID 5064 wrote to memory of 476	5064	chrome.exe	114
PID 5064 wrote to memory of 476	5064	chrome.exe	114
PID 5064 wrote to memory of 476	5064	chrome.exe	114
PID 5064 wrote to memory of 476	5064	chrome.exe	114
PID 5064 wrote to memory of 476	5064	chrome.exe	114
PID 5064 wrote to memory of 476	5064	chrome.exe	114
PID 5064 wrote to memory of 476	5064	chrome.exe	114
PID 5064 wrote to memory of 476	5064	chrome.exe	114
PID 5064 wrote to memory of 476	5064	chrome.exe	114
PID 5064 wrote to memory of 476	5064	chrome.exe	114

C:\Users\Admin\AppData\Local\Temp\e79c13a28916ebea69f02e12964f9a8c.exe
"C:\Users\Admin\AppData\Local\Temp\e79c13a28916ebea69f02e12964f9a8c.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:656
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 656 -s 1272
  2⤵
  - Program crash
  PID:2084

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1144

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 656 -ip 656
1⤵
PID:3600

C:\Users\Admin\Desktop\e79c13a28916ebea69f02e12964f9a8c.exe
"C:\Users\Admin\Desktop\e79c13a28916ebea69f02e12964f9a8c.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3956
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 1628
  2⤵
  - Program crash
  PID:1272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa09de9758,0x7ffa09de9768,0x7ffa09de9778
  2⤵
  PID:3272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1764 --field-trial-handle=1732,i,17109056150299191381,6319076559468901615,131072 /prefetch:2
  2⤵
  PID:4324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1732,i,17109056150299191381,6319076559468901615,131072 /prefetch:8
  2⤵
  PID:4712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2204 --field-trial-handle=1732,i,17109056150299191381,6319076559468901615,131072 /prefetch:8
  2⤵
  PID:476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2980 --field-trial-handle=1732,i,17109056150299191381,6319076559468901615,131072 /prefetch:1
  2⤵
  PID:4552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2988 --field-trial-handle=1732,i,17109056150299191381,6319076559468901615,131072 /prefetch:1
  2⤵
  PID:5016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4504 --field-trial-handle=1732,i,17109056150299191381,6319076559468901615,131072 /prefetch:1
  2⤵
  PID:4364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4720 --field-trial-handle=1732,i,17109056150299191381,6319076559468901615,131072 /prefetch:8
  2⤵
  PID:3292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4828 --field-trial-handle=1732,i,17109056150299191381,6319076559468901615,131072 /prefetch:8
  2⤵
  PID:5040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 --field-trial-handle=1732,i,17109056150299191381,6319076559468901615,131072 /prefetch:8
  2⤵
  PID:4164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5084 --field-trial-handle=1732,i,17109056150299191381,6319076559468901615,131072 /prefetch:8
  2⤵
  PID:856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 --field-trial-handle=1732,i,17109056150299191381,6319076559468901615,131072 /prefetch:8
  2⤵
  PID:4936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5336 --field-trial-handle=1732,i,17109056150299191381,6319076559468901615,131072 /prefetch:1
  2⤵
  PID:5140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5316 --field-trial-handle=1732,i,17109056150299191381,6319076559468901615,131072 /prefetch:1
  2⤵
  PID:5204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2984 --field-trial-handle=1732,i,17109056150299191381,6319076559468901615,131072 /prefetch:1
  2⤵
  PID:5780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 --field-trial-handle=1732,i,17109056150299191381,6319076559468901615,131072 /prefetch:8
  2⤵
  - Modifies registry class
  PID:5840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5156 --field-trial-handle=1732,i,17109056150299191381,6319076559468901615,131072 /prefetch:8
  2⤵
  PID:5832

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3956 -ip 3956
1⤵
PID:1804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mail.google.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
25b8b491243d240797f0bd6a3f8c3c25

SHA1
4a60dc7e1e4ec84db8f0c9243347068ccaea693a

SHA256
4fa56bac2b790e53ca3852e6a5814d8429b992b1572d1be1edcd7980b949bcb4

SHA512
001d9423a6b4420258befbc0e88e520bf0f9a127a91f34de37733231f2d7b01f7cc58f35de7d0e56b6c239a29b64c91e60417e83378900b88a268b361568c698

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
87d3d472d1cafe8e597ab06c36d09c70

SHA1
420070302cfa627e1e1e143c5c828d86d084e7e9

SHA256
a84eb5ef7e97f98234dd4d69e9c279a1c6607bde80783f89532b2f0417e95b77

SHA512
5eaf694ec738f16219ff5689809dba4341140194b29ddc7e2239f4918aff714225d0918231de76f49695a2d7b679475606218cc8be2bc70e8c2b730e1c497475

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
3d50947acf5a59e3c25092be1bb3afab

SHA1
a338ef27ea6b2a6a404ec198696a5fdcc2cf46ae

SHA256
d48fc6247fc19bba9205d6cc6b26f4f113f1f56ff1ae1ce7f654e7836bd6fe5c

SHA512
4e9f20da6856d531dab50f2357cbd4a242edd3ea9648e8a86eab0c8b3d30bba9031e6e309dc93ca5090a9ad882c0876c28fd694988c3341b93bfcd0a9c780a3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
6148aaeeade69b9c03f9980fd45158a4

SHA1
958f9fe597c3f034945030e0321afd33bf2fabd4

SHA256
9fa66d1f2341ace31f161f7bce13c8880651f1027af2609ba9f1e9a5bc7bc5c5

SHA512
5a1a48a03d1d3c687f61552b2d48fdec4b03ab70f1913e85253e11d6ac37a51ee6a3c704b40803de5417ce4323cb9c174236afddf417c1e460f0a7f0b53327aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1917d2c587d81902b2f2f9f1d14592b5

SHA1
c2291dabfebff14dbcc6953dc1eb6c170870f937

SHA256
9fbcc6a0b461fe46dc97b7981b9d4111530a9fa412c676006ea3150aeb63b812

SHA512
a8335c4078b8cebf5d2abd9b29567060dae35e4aabaca50d7ecad2cda25d0666af6d0d1dcb4e656a4ed1741c2bddf85b0d185b8857be66cea25f80413534220c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
967e64199848db03d75d2f799a0924ff

SHA1
9a6f943a4db224be791ca861a34668337b41ebff

SHA256
eca1b68f1e41f4ef764da3585d2f14bda54d3872f0c0a8e58626ac536b3df529

SHA512
c1aa3ec5dfe0e4eaafa454ff7083afbef24187e859b7f990c58e5a189a74fd167e9c06315254fdabbac2ef0b62d245e8b550396c1e3ee49e06f43006cb46da8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
f165151fc94cd8d95f91becd8ee3da0f

SHA1
3a522d53e0a206f65172f495c07aad5e117e95ef

SHA256
0c2285934e4828caf4a7ec7bbb779c34483026152eddbab997a6f25a51bc191b

SHA512
e2756a921c303bf62f28a077e0141e07eb6437cf5eabe66b7eca41c501492d610d205b63818c250537f1fd3c69fa86b87c493b2e2a576089dfc1c758a261b53f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\579544fd7d0441717f082c9eb123588966aa57ac\69d16392-8330-4d4d-a058-451044210bc7\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\579544fd7d0441717f082c9eb123588966aa57ac\index.txt

Filesize
255B

MD5
914580c799ac581164cdc4c1c1e28a55

SHA1
db510cda3ce737112085c477babb3b38c3bcf40d

SHA256
238a4ae76c6ba1a7267a7e91efbb4a42c66f0343ac40ebcf236af37a721d6057

SHA512
1f31703d7c8de1bcba75341c800dffcf73221cf0be1149e87da84db4f33e24ef2ba0fa50e2f3ba00d198c31158c801899576b9958b8196433316a902dea1bce3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\579544fd7d0441717f082c9eb123588966aa57ac\index.txt

Filesize
319B

MD5
9e6612d55f57282ef96e48eb11154c3f

SHA1
4251b0d64d0a00f87dc1da0f87be51cb359eafa7

SHA256
c62ef007287d821f6c303b93d9cca1afc2a7d020c99b6d314d232516f41b1feb

SHA512
6c4985daa746ff07deb823f1f89e903821ac460cddea60abd10d5521149474277d706149713ebcaa2ccc09ae35948cb95a0c2b56cddfb14845771773ef629b1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\579544fd7d0441717f082c9eb123588966aa57ac\index.txt

Filesize
388B

MD5
9863de795c792ee00324c332466ccb70

SHA1
62146f16ec34691e749ffac21cad27b388b47f58

SHA256
e2669adccfc4043442601cf1a2e2d59e8fd698f4c6b2709dc7423b7220743574

SHA512
4cdad3e1621b78828143ca668637b9fa2aeb55e4438d874bd837139b14e3d906e8f7c677c9591789a1835f6a17a50d1698a49878328d4386d8b23016c3f410ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\579544fd7d0441717f082c9eb123588966aa57ac\index.txt~RFe58fa68.TMP

Filesize
159B

MD5
d5cc71c2571ae5434373478465850f1a

SHA1
708d67dfe73c4f3f3f8efa25e898a1f7116a7562

SHA256
d59f412e98d4db7d17f432dc0a661a6dc0dea83e0b8058d619ec6bf7c4a62d01

SHA512
6816a52ef7577fb8291ed97fc58cceaf7e1e4eb3168d46fd573d2c3d29285424f9fd179de0f4f83235926248c89edccdd9fe72676cad52e60f1581051106bbd2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
175KB

MD5
f21400628da190f4865aa7769f489dad

SHA1
c16cb09a987274b653c71db7f318652165d313bc

SHA256
35a02292352f0f9e301d529ad1689b763765001dda9312c279098f8a91429097

SHA512
cd589199c03f678344a6a30500a64b5e02cb73a2e4000ad33b81198caa7ae38fc44883be613512fc567b698d33cbc8b87d450e9e492ccf1dea5b55ffd95a2058

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
175KB

MD5
f21400628da190f4865aa7769f489dad

SHA1
c16cb09a987274b653c71db7f318652165d313bc

SHA256
35a02292352f0f9e301d529ad1689b763765001dda9312c279098f8a91429097

SHA512
cd589199c03f678344a6a30500a64b5e02cb73a2e4000ad33b81198caa7ae38fc44883be613512fc567b698d33cbc8b87d450e9e492ccf1dea5b55ffd95a2058

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\e79c13a28916ebea69f02e12964f9a8c.exe.log

Filesize
2KB

MD5
aa9a5dfa3362b176b5ecd46454db3fed

SHA1
95bab5504191a0f31c733102a2096ddd9e4c00f2

SHA256
f474ca9f05b39ef23ab106ce9d49e5f0da5aea88e1debdc1720c1bd33527c302

SHA512
5e706369c5203e0f424f480b5532235c1f8989f463d75515a3104a80db604e1be6880e083fb2265e3d197b39337651095b73e229aee81a9556704f7bc498fe85

Download Submit
memory/656-154-0x0000000005AC0000-0x0000000005BCA000-memory.dmp

Filesize
1.0MB

Download
memory/656-156-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/656-157-0x0000000004D50000-0x0000000004D8C000-memory.dmp

Filesize
240KB

Download
memory/656-158-0x0000000000600000-0x0000000000700000-memory.dmp

Filesize
1024KB

Download
memory/656-159-0x0000000002270000-0x00000000022AF000-memory.dmp

Filesize
252KB

Download
memory/656-160-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/656-161-0x0000000074A20000-0x00000000751D0000-memory.dmp

Filesize
7.7MB

Download
memory/656-163-0x0000000005E40000-0x0000000005EB6000-memory.dmp

Filesize
472KB

Download
memory/656-164-0x0000000005EC0000-0x0000000005F52000-memory.dmp

Filesize
584KB

Download
memory/656-165-0x0000000005F60000-0x0000000005FC6000-memory.dmp

Filesize
408KB

Download
memory/656-166-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/656-167-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/656-168-0x0000000006AC0000-0x0000000006C82000-memory.dmp

Filesize
1.8MB

Download
memory/656-169-0x0000000006C90000-0x00000000071BC000-memory.dmp

Filesize
5.2MB

Download
memory/656-170-0x0000000007410000-0x0000000007460000-memory.dmp

Filesize
320KB

Download
memory/656-172-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/656-173-0x0000000074A20000-0x00000000751D0000-memory.dmp

Filesize
7.7MB

Download
memory/656-148-0x0000000002270000-0x00000000022AF000-memory.dmp

Filesize
252KB

Download
memory/656-147-0x0000000000600000-0x0000000000700000-memory.dmp

Filesize
1024KB

Download
memory/656-149-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/656-150-0x0000000074A20000-0x00000000751D0000-memory.dmp

Filesize
7.7MB

Download
memory/656-153-0x00000000054A0000-0x0000000005AB8000-memory.dmp

Filesize
6.1MB

Download
memory/656-151-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/656-152-0x0000000004DF0000-0x0000000005394000-memory.dmp

Filesize
5.6MB

Download
memory/656-155-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/1144-143-0x000001FE065B0000-0x000001FE065B1000-memory.dmp

Filesize
4KB

Download
memory/1144-142-0x000001FE065B0000-0x000001FE065B1000-memory.dmp

Filesize
4KB

Download
memory/1144-141-0x000001FE065B0000-0x000001FE065B1000-memory.dmp

Filesize
4KB

Download
memory/1144-140-0x000001FE065B0000-0x000001FE065B1000-memory.dmp

Filesize
4KB

Download
memory/1144-134-0x000001FE065B0000-0x000001FE065B1000-memory.dmp

Filesize
4KB

Download
memory/1144-144-0x000001FE065B0000-0x000001FE065B1000-memory.dmp

Filesize
4KB

Download
memory/1144-145-0x000001FE065B0000-0x000001FE065B1000-memory.dmp

Filesize
4KB

Download
memory/1144-136-0x000001FE065B0000-0x000001FE065B1000-memory.dmp

Filesize
4KB

Download
memory/1144-135-0x000001FE065B0000-0x000001FE065B1000-memory.dmp

Filesize
4KB

Download
memory/1144-146-0x000001FE065B0000-0x000001FE065B1000-memory.dmp

Filesize
4KB

Download
memory/3956-201-0x0000000074A20000-0x00000000751D0000-memory.dmp

Filesize
7.7MB

Download
memory/3956-318-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/3956-320-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/3956-321-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/3956-322-0x0000000074A20000-0x00000000751D0000-memory.dmp

Filesize
7.7MB

Download
memory/3956-319-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/3956-311-0x0000000074A20000-0x00000000751D0000-memory.dmp

Filesize
7.7MB

Download
memory/3956-302-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/3956-299-0x0000000000600000-0x0000000000700000-memory.dmp

Filesize
1024KB

Download
memory/3956-207-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/3956-204-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/3956-203-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/3956-202-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/3956-199-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/3956-198-0x0000000000600000-0x0000000000700000-memory.dmp

Filesize
1024KB

Download