d5a557d08e0e3e035cce9ab05a9e350773740fda6f0fbe80a4aa8371f073d51d

Resubmissions

16/07/2023, 22:54

230716-2vqxbahh3t 10

16/07/2023, 22:53

230716-2tywjaha66 6

16/07/2023, 21:50

230716-1p1c5ahf81 3

16/07/2023, 21:45

230716-1l1jqagh24 8

Analysis

max time kernel
188s
max time network
189s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
16/07/2023, 21:45

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Server Crasher/Gtag Server Crasher/ServerCrasher.exe
Size

78KB
MD5

5cf22ad7c4d3ab44ba72fd6642aa643a
SHA1

31601a86aadbc370be0b3fa92f583b56ec20381d
SHA256

2fa42459e3f9fcc0d84bbfbef1ac65b8f2c2c16d2b7b3d7f3a30d5c9b93d6e35
SHA512

2c38548b000b119a104e97dfdc478e24596f96b5a57e8295b7eff2a3bffda5ef6db48b0f95692f339b4e722b27f6dfb62c8ad71ea36d8f4a1e57509a611282e7
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+7PIC:5Zv5PDwbjNrmAE+zIC

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
3756	NetSh.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133340175399815468"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2024	chrome.exe
2024	chrome.exe
4652	ServerCrasher.exe
4180	chrome.exe
4180	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4652	ServerCrasher.exe
Token: SeShutdownPrivilege	2024	chrome.exe
Token: SeCreatePagefilePrivilege	2024	chrome.exe
Token: SeShutdownPrivilege	2024	chrome.exe
Token: SeCreatePagefilePrivilege	2024	chrome.exe
Token: SeShutdownPrivilege	2024	chrome.exe
Token: SeCreatePagefilePrivilege	2024	chrome.exe
Token: SeShutdownPrivilege	2024	chrome.exe
Token: SeCreatePagefilePrivilege	2024	chrome.exe
Token: SeShutdownPrivilege	2024	chrome.exe
Token: SeCreatePagefilePrivilege	2024	chrome.exe
Token: SeShutdownPrivilege	2024	chrome.exe
Token: SeCreatePagefilePrivilege	2024	chrome.exe
Token: SeShutdownPrivilege	2024	chrome.exe
Token: SeCreatePagefilePrivilege	2024	chrome.exe
Token: SeShutdownPrivilege	2024	chrome.exe
Token: SeCreatePagefilePrivilege	2024	chrome.exe
Token: SeShutdownPrivilege	2024	chrome.exe
Token: SeCreatePagefilePrivilege	2024	chrome.exe
Token: SeShutdownPrivilege	2024	chrome.exe
Token: SeCreatePagefilePrivilege	2024	chrome.exe
Token: SeShutdownPrivilege	2024	chrome.exe
Token: SeCreatePagefilePrivilege	2024	chrome.exe
Token: SeShutdownPrivilege	2024	chrome.exe
Token: SeCreatePagefilePrivilege	2024	chrome.exe
Token: SeShutdownPrivilege	2024	chrome.exe
Token: SeCreatePagefilePrivilege	2024	chrome.exe
Token: SeShutdownPrivilege	2024	chrome.exe
Token: SeCreatePagefilePrivilege	2024	chrome.exe
Token: SeShutdownPrivilege	2024	chrome.exe
Token: SeCreatePagefilePrivilege	2024	chrome.exe
Token: SeShutdownPrivilege	2024	chrome.exe
Token: SeCreatePagefilePrivilege	2024	chrome.exe
Token: SeShutdownPrivilege	2024	chrome.exe
Token: SeCreatePagefilePrivilege	2024	chrome.exe
Token: SeShutdownPrivilege	2024	chrome.exe
Token: SeCreatePagefilePrivilege	2024	chrome.exe
Token: SeShutdownPrivilege	2024	chrome.exe
Token: SeCreatePagefilePrivilege	2024	chrome.exe
Token: SeShutdownPrivilege	2024	chrome.exe
Token: SeCreatePagefilePrivilege	2024	chrome.exe
Token: SeShutdownPrivilege	2024	chrome.exe
Token: SeCreatePagefilePrivilege	2024	chrome.exe
Token: SeShutdownPrivilege	2024	chrome.exe
Token: SeCreatePagefilePrivilege	2024	chrome.exe
Token: SeShutdownPrivilege	2024	chrome.exe
Token: SeCreatePagefilePrivilege	2024	chrome.exe
Token: SeShutdownPrivilege	2024	chrome.exe
Token: SeCreatePagefilePrivilege	2024	chrome.exe
Token: SeShutdownPrivilege	2024	chrome.exe
Token: SeCreatePagefilePrivilege	2024	chrome.exe
Token: SeShutdownPrivilege	2024	chrome.exe
Token: SeCreatePagefilePrivilege	2024	chrome.exe
Token: SeShutdownPrivilege	2024	chrome.exe
Token: SeCreatePagefilePrivilege	2024	chrome.exe
Token: SeShutdownPrivilege	2024	chrome.exe
Token: SeCreatePagefilePrivilege	2024	chrome.exe
Token: SeShutdownPrivilege	2024	chrome.exe
Token: SeCreatePagefilePrivilege	2024	chrome.exe
Token: SeShutdownPrivilege	2024	chrome.exe
Token: SeCreatePagefilePrivilege	2024	chrome.exe
Token: SeShutdownPrivilege	2024	chrome.exe
Token: SeCreatePagefilePrivilege	2024	chrome.exe
Token: SeShutdownPrivilege	2024	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4652	ServerCrasher.exe
4652	ServerCrasher.exe
2120	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 4964	2024	chrome.exe	71
PID 2024 wrote to memory of 4964	2024	chrome.exe	71
PID 2024 wrote to memory of 216	2024	chrome.exe	74
PID 2024 wrote to memory of 216	2024	chrome.exe	74
PID 2024 wrote to memory of 216	2024	chrome.exe	74
PID 2024 wrote to memory of 216	2024	chrome.exe	74
PID 2024 wrote to memory of 216	2024	chrome.exe	74
PID 2024 wrote to memory of 216	2024	chrome.exe	74
PID 2024 wrote to memory of 216	2024	chrome.exe	74
PID 2024 wrote to memory of 216	2024	chrome.exe	74
PID 2024 wrote to memory of 216	2024	chrome.exe	74
PID 2024 wrote to memory of 216	2024	chrome.exe	74
PID 2024 wrote to memory of 216	2024	chrome.exe	74
PID 2024 wrote to memory of 216	2024	chrome.exe	74
PID 2024 wrote to memory of 216	2024	chrome.exe	74
PID 2024 wrote to memory of 216	2024	chrome.exe	74
PID 2024 wrote to memory of 216	2024	chrome.exe	74
PID 2024 wrote to memory of 216	2024	chrome.exe	74
PID 2024 wrote to memory of 216	2024	chrome.exe	74
PID 2024 wrote to memory of 216	2024	chrome.exe	74
PID 2024 wrote to memory of 216	2024	chrome.exe	74
PID 2024 wrote to memory of 216	2024	chrome.exe	74
PID 2024 wrote to memory of 216	2024	chrome.exe	74
PID 2024 wrote to memory of 216	2024	chrome.exe	74
PID 2024 wrote to memory of 216	2024	chrome.exe	74
PID 2024 wrote to memory of 216	2024	chrome.exe	74
PID 2024 wrote to memory of 216	2024	chrome.exe	74
PID 2024 wrote to memory of 216	2024	chrome.exe	74
PID 2024 wrote to memory of 216	2024	chrome.exe	74
PID 2024 wrote to memory of 216	2024	chrome.exe	74
PID 2024 wrote to memory of 216	2024	chrome.exe	74
PID 2024 wrote to memory of 216	2024	chrome.exe	74
PID 2024 wrote to memory of 216	2024	chrome.exe	74
PID 2024 wrote to memory of 216	2024	chrome.exe	74
PID 2024 wrote to memory of 216	2024	chrome.exe	74
PID 2024 wrote to memory of 216	2024	chrome.exe	74
PID 2024 wrote to memory of 216	2024	chrome.exe	74
PID 2024 wrote to memory of 216	2024	chrome.exe	74
PID 2024 wrote to memory of 216	2024	chrome.exe	74
PID 2024 wrote to memory of 216	2024	chrome.exe	74
PID 2024 wrote to memory of 236	2024	chrome.exe	73
PID 2024 wrote to memory of 236	2024	chrome.exe	73
PID 2024 wrote to memory of 4856	2024	chrome.exe	75
PID 2024 wrote to memory of 4856	2024	chrome.exe	75
PID 2024 wrote to memory of 4856	2024	chrome.exe	75
PID 2024 wrote to memory of 4856	2024	chrome.exe	75
PID 2024 wrote to memory of 4856	2024	chrome.exe	75
PID 2024 wrote to memory of 4856	2024	chrome.exe	75
PID 2024 wrote to memory of 4856	2024	chrome.exe	75
PID 2024 wrote to memory of 4856	2024	chrome.exe	75
PID 2024 wrote to memory of 4856	2024	chrome.exe	75
PID 2024 wrote to memory of 4856	2024	chrome.exe	75
PID 2024 wrote to memory of 4856	2024	chrome.exe	75
PID 2024 wrote to memory of 4856	2024	chrome.exe	75
PID 2024 wrote to memory of 4856	2024	chrome.exe	75
PID 2024 wrote to memory of 4856	2024	chrome.exe	75
PID 2024 wrote to memory of 4856	2024	chrome.exe	75
PID 2024 wrote to memory of 4856	2024	chrome.exe	75
PID 2024 wrote to memory of 4856	2024	chrome.exe	75
PID 2024 wrote to memory of 4856	2024	chrome.exe	75
PID 2024 wrote to memory of 4856	2024	chrome.exe	75
PID 2024 wrote to memory of 4856	2024	chrome.exe	75
PID 2024 wrote to memory of 4856	2024	chrome.exe	75
PID 2024 wrote to memory of 4856	2024	chrome.exe	75

C:\Users\Admin\AppData\Local\Temp\Server Crasher\Gtag Server Crasher\ServerCrasher.exe
"C:\Users\Admin\AppData\Local\Temp\Server Crasher\Gtag Server Crasher\ServerCrasher.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4652
- C:\Windows\SYSTEM32\NetSh.exe
  "NetSh.exe" Advfirewall set allprofiles state off
  2⤵
  - Modifies Windows Firewall
  PID:3756
- C:\Windows\System32\shutdown.exe
  "C:\Windows\System32\shutdown.exe" /r /t 0
  2⤵
  PID:3356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff97fc79758,0x7ff97fc79768,0x7ff97fc79778
  2⤵
  PID:4964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1956 --field-trial-handle=1800,i,16478491790703800817,16236088205566026943,131072 /prefetch:8
  2⤵
  PID:236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1580 --field-trial-handle=1800,i,16478491790703800817,16236088205566026943,131072 /prefetch:2
  2⤵
  PID:216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2068 --field-trial-handle=1800,i,16478491790703800817,16236088205566026943,131072 /prefetch:8
  2⤵
  PID:4856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3024 --field-trial-handle=1800,i,16478491790703800817,16236088205566026943,131072 /prefetch:1
  2⤵
  PID:2948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2980 --field-trial-handle=1800,i,16478491790703800817,16236088205566026943,131072 /prefetch:1
  2⤵
  PID:4528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3548 --field-trial-handle=1800,i,16478491790703800817,16236088205566026943,131072 /prefetch:8
  2⤵
  PID:4420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4596 --field-trial-handle=1800,i,16478491790703800817,16236088205566026943,131072 /prefetch:8
  2⤵
  PID:4808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4432 --field-trial-handle=1800,i,16478491790703800817,16236088205566026943,131072 /prefetch:1
  2⤵
  PID:708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4536 --field-trial-handle=1800,i,16478491790703800817,16236088205566026943,131072 /prefetch:8
  2⤵
  PID:2836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4880 --field-trial-handle=1800,i,16478491790703800817,16236088205566026943,131072 /prefetch:8
  2⤵
  PID:4956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4632 --field-trial-handle=1800,i,16478491790703800817,16236088205566026943,131072 /prefetch:8
  2⤵
  PID:2544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 --field-trial-handle=1800,i,16478491790703800817,16236088205566026943,131072 /prefetch:8
  2⤵
  PID:2548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2160 --field-trial-handle=1800,i,16478491790703800817,16236088205566026943,131072 /prefetch:1
  2⤵
  PID:5052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=1504 --field-trial-handle=1800,i,16478491790703800817,16236088205566026943,131072 /prefetch:1
  2⤵
  PID:888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3728 --field-trial-handle=1800,i,16478491790703800817,16236088205566026943,131072 /prefetch:1
  2⤵
  PID:608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5028 --field-trial-handle=1800,i,16478491790703800817,16236088205566026943,131072 /prefetch:1
  2⤵
  PID:4724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3572 --field-trial-handle=1800,i,16478491790703800817,16236088205566026943,131072 /prefetch:8
  2⤵
  PID:4820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5136 --field-trial-handle=1800,i,16478491790703800817,16236088205566026943,131072 /prefetch:1
  2⤵
  PID:3796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5288 --field-trial-handle=1800,i,16478491790703800817,16236088205566026943,131072 /prefetch:8
  2⤵
  PID:2572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5432 --field-trial-handle=1800,i,16478491790703800817,16236088205566026943,131072 /prefetch:8
  2⤵
  PID:2608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5588 --field-trial-handle=1800,i,16478491790703800817,16236088205566026943,131072 /prefetch:8
  2⤵
  PID:3884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3044 --field-trial-handle=1800,i,16478491790703800817,16236088205566026943,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4180

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2816

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3aea855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
124e5cebf1b493d61f861f6c87139b55

SHA1
28e6b95e86e687253bd91aee83ec4b83ea9bf6c3

SHA256
2234e2b788c4fb51690c6012057aebce5625963acc7f0c74c64f05e9944c9796

SHA512
a6bed32617f72b6ee85e00d9ab02a579c76207a948dd15c4bfd5e7b833deabf9a391b2f8381bd9081ad13307e95358fb7ef13dc58bb4c402c5784591d13a1b19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
758688210f130a33da4488722b52ca1e

SHA1
22dc4990b59911af5f829cc832abaa876bade920

SHA256
8b2ea256762c9bd473821b48f2fb69db913124a46cf57b7f91000503ae99bc69

SHA512
93143423fab6853b3bc7a7accff3d955edcdfd4c3e9420b3cd6f5e4155aad6ab35497d86a941489fdc3127b13f85023663db1ece57098c16957896a125d690dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
4aae98fe884402fdfbc833fe681f7d7e

SHA1
abd5445e0c745bc178793fb3cfa044ca0b53c7e4

SHA256
89e4b2ffdfee89943bcf1e1be00fddd1179df699aeb04f8267fa72627caa3434

SHA512
442873dd1d044fb00c614d05bc6cffc6280594f3b1f946ce33ba80bb94dd963b61d6d3552fde4613c90a3271bab35440f62fda36e28d813a8fc32848fef0ac33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
aa6b6633898ca5b4c698546b79f9fb6a

SHA1
ad9e95a16ebbc494663de6e4d589255add8b26d2

SHA256
129d382a4e9017e4ffd7be77a5a3844426695161e6edbb0ec98a4e6a5e039e80

SHA512
861fd490ed4172eb462bdf017b1bfba5c2102cbe618b43e6ad545ed2e7eecba4b3e66ea68786446acb336bfc7e46ba44c203070fc36700b36868b9490f769ed8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7d2a3a0b1832345e594a47be63793f3a

SHA1
72e50549a5c72f0e6b5e3f6be71fd4a9be627d6a

SHA256
a339b9fb786459ec2d24c6a0c1e6c87f3e62bd09f04f0c3ed561b59ff4600bf9

SHA512
7cb86b04d41c15e88fe138e46bc31f197fdab2cbaf42f2c45bac28eba01e6bd38b9c0812493a06335093d84142476d295771817b9349f72258908b3ef5b8b1b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
1982bf51ce2e410318a43df520aa5065

SHA1
cde45d7fcd62199fda753cf8725bde6fe8efc233

SHA256
4a38b6a863b3d80ef2a52cead178589b417eff9be6a53b73b7ed234d2897f58b

SHA512
9fb9296acbb4d8adf0f084b97f367d707a490689f82e12d103a9268e202ee16a41ed2835ceb78e0d438dfe73a67adf4adf4df258d878b1c07e29992c89bc62e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
522b4cf81e87c24fbb515545c70ceed0

SHA1
d6f3c5804ce8231ac22f9219eed2c90d1f917cdb

SHA256
c1af7093b680b9ad5c67abb990873fa51a2155d0461c79a91f3648562f7abec5

SHA512
02b401c86b3d44c2e79e4ec19818817b4e73cf4d9a5289de4bf222b15f861370eb1d0ae13e48c2b11f067ac85c53d3d6dc7d52f66d080d227f17c1a72ff1dbe1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
65bcb1bdfa8ae2e769f970aecbf66851

SHA1
f186fdc9550b1b39832c53845857d6b41b29f6a6

SHA256
fa503c9b6ba19f1b5e6eb173eaef66b6098b6d85321cfb18d8cbd8a109e83c62

SHA512
e81ee4c7bc56c174fdd9dce640bab0c45e6f437a7a3ceeb504fb24970cf0d14cfd8733b039df1cd8330f778848995841c2caa8af83911bc03e001164975ba419

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
3aeb7f83f376f15967502e8350446091

SHA1
5a1cad0b0683ba3fd126f5782a9c55082129ad4b

SHA256
bf403468e53be9f9588e3c147e5cfc2cbb1e745e45fdd81b0db743f4de179af3

SHA512
aec8986214e16c4c2f64afac7045ffd8a5229955b884e4861efbfc6933a6bcbb75b39640b57065e3093a4058c362bccde0f0dff76c135bf1372976c480eb6739

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
41ec4a4755dd03d07a1abdf2d57928b8

SHA1
3266f91c9877a50d905e742f5dc950db10ae1be5

SHA256
9ae9a442ba2639f6a66dc577f32c75ab6ced40a81feabbc8f5031a3a2d3a296c

SHA512
1ceac380a4f37bd084655bd838408f2a7f2b18f4c0647f92184120dd08c7c2861cf09ec68041a97b132949bbb7e084feec88c0b081595a6660fe38a233accc5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2c7575dc9f1177bf0b0898da83c51690

SHA1
a7f185297bac8010fb4f44ff4ca83a8976c9c9b3

SHA256
c617e42c0f65ff9e271af1c6de0a8a57fda1786ed67e942422070c001450cb98

SHA512
0e53c09a3112a1790dbbf3bdf065f3a5447dc329548ee461d40c4732b9683dd746761f7460c7ebfe692a0beacc2693630b3cb41452f61c825d5503b76d224d4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
175KB

MD5
bec0e2ab36b7d4484548bd79e2c4df58

SHA1
514970e176463dfa6b8351b44e8affe990202400

SHA256
a0c857c37bcfceae47c2abe17973927fa9bc892232d81837b41ec354d2c8b3a5

SHA512
82bc50120d171c8edf895e45f3a76755a72f21bf173327f49c64c4eb0f2eb3fc26b4cb11506489be8f8e9c82b14716949230337ed40fbbdb841c32e7424395f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
175KB

MD5
519119ab17b5aeb65bd7e4a1746be7b9

SHA1
d9b151ffa66ed7a39dbb228c16839a4533f5c16a

SHA256
9207400288fee17fcd6160c22c4ebcb8a0467d33d44d484c744b477f98799970

SHA512
4155b05cc9bf8d542cbdad9567c94517f2d537d73ee4644f41a4150f0a58a80f48c196385c572e2fbf0aba7299ebaaab00e9f6021012d2413ac81558e76286f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
175KB

MD5
e6f357552bc83fab291df3291670bf1e

SHA1
2de1effbc5fd61ebf014b343b3667a5c279519d5

SHA256
7d59a5f27af1b692e7b88314f6091b9aed4c64087beaffd6b199349140b3c551

SHA512
c6c5baf329f65a157d64e6c8d2a4ef83c8c2034742ee7b8ea6d607e72c5951f4e227dbdde7ece0edd1e3faf336da92e358d9063910c7b48340ce9d5d4a55fe8b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
memory/4652-122-0x00007FF9757C0000-0x00007FF9761AC000-memory.dmp

Filesize
9.9MB

Download
memory/4652-123-0x000001E5C6C00000-0x000001E5C6C10000-memory.dmp

Filesize
64KB

Download
memory/4652-121-0x000001E5E1690000-0x000001E5E1BB6000-memory.dmp

Filesize
5.1MB

Download
memory/4652-120-0x000001E5C6C00000-0x000001E5C6C10000-memory.dmp

Filesize
64KB

Download
memory/4652-119-0x00007FF9757C0000-0x00007FF9761AC000-memory.dmp

Filesize
9.9MB

Download
memory/4652-378-0x00007FF9757C0000-0x00007FF9761AC000-memory.dmp

Filesize
9.9MB

Download
memory/4652-118-0x000001E5E0E90000-0x000001E5E1052000-memory.dmp

Filesize
1.8MB

Download
memory/4652-117-0x000001E5C6870000-0x000001E5C6888000-memory.dmp

Filesize
96KB

Download