1d7810bab657a503d8a45daf6ddb810c7cd12cdadf4488222139dbbe61b21d04

Analysis

max time kernel
300s
max time network
303s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2023, 20:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Emsisoft-antimalware-remains.7z
Size

8.6MB
MD5

d2a326a08538f74875a8692ccc9fe5d1
SHA1

fbc53608879f34fd94fbcabf9a383f8301068e73
SHA256

1d7810bab657a503d8a45daf6ddb810c7cd12cdadf4488222139dbbe61b21d04
SHA512

c4c2d76db75084a9edb8b182f1d2c9160db91a8518812159326a74a770457b58481da34a935eea66f2e9ea967ae410b9573e8ba866773e8bc4552f8c9cad2a22
SSDEEP

196608:LzgnnU7jPzeUdvvENgp9653IKXrJGCC/yRG2yH0/zeZAGa1:L0nU7Tzegv8u053nXVgyRG2yQzCAx1

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
864	virussign.com_a09ee04bf0a6616843dbdeae0e8c8f10.exe
4420	virussign.com_b8bfacd3c3a363d77de79de971747e70.exe
1704	virussign.com_dd40012503223da7140ab4cb22f01f40.exe
1724	virussign.com_eda65160075859ae76bd3f02536e4180.exe
4728	virussign.com_fd04a0969228c7c83b006149aed20950.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00030000000225ed-208.dat	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3668	4420	WerFault.exe	102
1128	1704	WerFault.exe	106

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133372095453000176"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4784	chrome.exe
4784	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4636	7zFM.exe
Token: 35	4636	7zFM.exe
Token: SeSecurityPrivilege	4636	7zFM.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe
Token: SeCreatePagefilePrivilege	4784	chrome.exe
Token: SeShutdownPrivilege	4784	chrome.exe

Suspicious use of FindShellTrayWindow 32 IoCs

pid	Process
4636	7zFM.exe
4636	7zFM.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe
4784	chrome.exe

Suspicious use of SetWindowsHookEx 28 IoCs

pid	Process
2708	OpenWith.exe
2708	OpenWith.exe
2708	OpenWith.exe
2708	OpenWith.exe
2708	OpenWith.exe
2708	OpenWith.exe
2708	OpenWith.exe
2708	OpenWith.exe
2708	OpenWith.exe
2708	OpenWith.exe
2708	OpenWith.exe
2708	OpenWith.exe
2708	OpenWith.exe
2708	OpenWith.exe
2708	OpenWith.exe
2708	OpenWith.exe
2708	OpenWith.exe
2708	OpenWith.exe
2708	OpenWith.exe
2708	OpenWith.exe
2708	OpenWith.exe
2708	OpenWith.exe
2708	OpenWith.exe
2708	OpenWith.exe
2708	OpenWith.exe
2708	OpenWith.exe
2708	OpenWith.exe
4420	virussign.com_b8bfacd3c3a363d77de79de971747e70.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4784 wrote to memory of 3020	4784	chrome.exe	112
PID 4784 wrote to memory of 3020	4784	chrome.exe	112
PID 4784 wrote to memory of 1760	4784	chrome.exe	114
PID 4784 wrote to memory of 1760	4784	chrome.exe	114
PID 4784 wrote to memory of 1760	4784	chrome.exe	114
PID 4784 wrote to memory of 1760	4784	chrome.exe	114
PID 4784 wrote to memory of 1760	4784	chrome.exe	114
PID 4784 wrote to memory of 1760	4784	chrome.exe	114
PID 4784 wrote to memory of 1760	4784	chrome.exe	114
PID 4784 wrote to memory of 1760	4784	chrome.exe	114
PID 4784 wrote to memory of 1760	4784	chrome.exe	114
PID 4784 wrote to memory of 1760	4784	chrome.exe	114
PID 4784 wrote to memory of 1760	4784	chrome.exe	114
PID 4784 wrote to memory of 1760	4784	chrome.exe	114
PID 4784 wrote to memory of 1760	4784	chrome.exe	114
PID 4784 wrote to memory of 1760	4784	chrome.exe	114
PID 4784 wrote to memory of 1760	4784	chrome.exe	114
PID 4784 wrote to memory of 1760	4784	chrome.exe	114
PID 4784 wrote to memory of 1760	4784	chrome.exe	114
PID 4784 wrote to memory of 1760	4784	chrome.exe	114
PID 4784 wrote to memory of 1760	4784	chrome.exe	114
PID 4784 wrote to memory of 1760	4784	chrome.exe	114
PID 4784 wrote to memory of 1760	4784	chrome.exe	114
PID 4784 wrote to memory of 1760	4784	chrome.exe	114
PID 4784 wrote to memory of 1760	4784	chrome.exe	114
PID 4784 wrote to memory of 1760	4784	chrome.exe	114
PID 4784 wrote to memory of 1760	4784	chrome.exe	114
PID 4784 wrote to memory of 1760	4784	chrome.exe	114
PID 4784 wrote to memory of 1760	4784	chrome.exe	114
PID 4784 wrote to memory of 1760	4784	chrome.exe	114
PID 4784 wrote to memory of 1760	4784	chrome.exe	114
PID 4784 wrote to memory of 1760	4784	chrome.exe	114
PID 4784 wrote to memory of 1760	4784	chrome.exe	114
PID 4784 wrote to memory of 1760	4784	chrome.exe	114
PID 4784 wrote to memory of 1760	4784	chrome.exe	114
PID 4784 wrote to memory of 1760	4784	chrome.exe	114
PID 4784 wrote to memory of 1760	4784	chrome.exe	114
PID 4784 wrote to memory of 1760	4784	chrome.exe	114
PID 4784 wrote to memory of 1760	4784	chrome.exe	114
PID 4784 wrote to memory of 1760	4784	chrome.exe	114
PID 4784 wrote to memory of 4292	4784	chrome.exe	115
PID 4784 wrote to memory of 4292	4784	chrome.exe	115
PID 4784 wrote to memory of 2200	4784	chrome.exe	118
PID 4784 wrote to memory of 2200	4784	chrome.exe	118
PID 4784 wrote to memory of 2200	4784	chrome.exe	118
PID 4784 wrote to memory of 2200	4784	chrome.exe	118
PID 4784 wrote to memory of 2200	4784	chrome.exe	118
PID 4784 wrote to memory of 2200	4784	chrome.exe	118
PID 4784 wrote to memory of 2200	4784	chrome.exe	118
PID 4784 wrote to memory of 2200	4784	chrome.exe	118
PID 4784 wrote to memory of 2200	4784	chrome.exe	118
PID 4784 wrote to memory of 2200	4784	chrome.exe	118
PID 4784 wrote to memory of 2200	4784	chrome.exe	118
PID 4784 wrote to memory of 2200	4784	chrome.exe	118
PID 4784 wrote to memory of 2200	4784	chrome.exe	118
PID 4784 wrote to memory of 2200	4784	chrome.exe	118
PID 4784 wrote to memory of 2200	4784	chrome.exe	118
PID 4784 wrote to memory of 2200	4784	chrome.exe	118
PID 4784 wrote to memory of 2200	4784	chrome.exe	118
PID 4784 wrote to memory of 2200	4784	chrome.exe	118
PID 4784 wrote to memory of 2200	4784	chrome.exe	118
PID 4784 wrote to memory of 2200	4784	chrome.exe	118
PID 4784 wrote to memory of 2200	4784	chrome.exe	118
PID 4784 wrote to memory of 2200	4784	chrome.exe	118

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Emsisoft-antimalware-remains.7z
1⤵
- Modifies registry class
PID:3820

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2708

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2008

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\Emsisoft-antimalware-remains.7z"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4636

C:\Users\Admin\Desktop\Emsisoft-antimalware-remains\samples\exe32\virussign.com_a09ee04bf0a6616843dbdeae0e8c8f10.exe
"C:\Users\Admin\Desktop\Emsisoft-antimalware-remains\samples\exe32\virussign.com_a09ee04bf0a6616843dbdeae0e8c8f10.exe"
1⤵
- Executes dropped EXE
PID:864

C:\Users\Admin\Desktop\Emsisoft-antimalware-remains\samples\exe32\virussign.com_b8bfacd3c3a363d77de79de971747e70.exe
"C:\Users\Admin\Desktop\Emsisoft-antimalware-remains\samples\exe32\virussign.com_b8bfacd3c3a363d77de79de971747e70.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4420
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 568
  2⤵
  - Program crash
  PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4420 -ip 4420
1⤵
PID:1888

C:\Users\Admin\Desktop\Emsisoft-antimalware-remains\samples\exe32\virussign.com_dd40012503223da7140ab4cb22f01f40.exe
"C:\Users\Admin\Desktop\Emsisoft-antimalware-remains\samples\exe32\virussign.com_dd40012503223da7140ab4cb22f01f40.exe"
1⤵
- Executes dropped EXE
PID:1704
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 376
  2⤵
  - Program crash
  PID:1128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1704 -ip 1704
1⤵
PID:3196

C:\Users\Admin\Desktop\Emsisoft-antimalware-remains\samples\exe32\virussign.com_eda65160075859ae76bd3f02536e4180.exe
"C:\Users\Admin\Desktop\Emsisoft-antimalware-remains\samples\exe32\virussign.com_eda65160075859ae76bd3f02536e4180.exe"
1⤵
- Executes dropped EXE
PID:1724

C:\Users\Admin\Desktop\Emsisoft-antimalware-remains\samples\exe32\virussign.com_fd04a0969228c7c83b006149aed20950.exe
"C:\Users\Admin\Desktop\Emsisoft-antimalware-remains\samples\exe32\virussign.com_fd04a0969228c7c83b006149aed20950.exe"
1⤵
- Executes dropped EXE
PID:4728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd0e539758,0x7ffd0e539768,0x7ffd0e539778
  2⤵
  PID:3020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1764 --field-trial-handle=1844,i,14179831854600398782,15565123654061538240,131072 /prefetch:2
  2⤵
  PID:1760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 --field-trial-handle=1844,i,14179831854600398782,15565123654061538240,131072 /prefetch:8
  2⤵
  PID:4292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2996 --field-trial-handle=1844,i,14179831854600398782,15565123654061538240,131072 /prefetch:1
  2⤵
  PID:4876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2960 --field-trial-handle=1844,i,14179831854600398782,15565123654061538240,131072 /prefetch:1
  2⤵
  PID:1308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1872 --field-trial-handle=1844,i,14179831854600398782,15565123654061538240,131072 /prefetch:8
  2⤵
  PID:2200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4648 --field-trial-handle=1844,i,14179831854600398782,15565123654061538240,131072 /prefetch:1
  2⤵
  PID:976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4824 --field-trial-handle=1844,i,14179831854600398782,15565123654061538240,131072 /prefetch:8
  2⤵
  PID:184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3952 --field-trial-handle=1844,i,14179831854600398782,15565123654061538240,131072 /prefetch:8
  2⤵
  PID:4548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5108 --field-trial-handle=1844,i,14179831854600398782,15565123654061538240,131072 /prefetch:8
  2⤵
  PID:2952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 --field-trial-handle=1844,i,14179831854600398782,15565123654061538240,131072 /prefetch:8
  2⤵
  PID:2820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 --field-trial-handle=1844,i,14179831854600398782,15565123654061538240,131072 /prefetch:8
  2⤵
  PID:920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=1860 --field-trial-handle=1844,i,14179831854600398782,15565123654061538240,131072 /prefetch:1
  2⤵
  PID:4468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4612 --field-trial-handle=1844,i,14179831854600398782,15565123654061538240,131072 /prefetch:1
  2⤵
  PID:4252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3236 --field-trial-handle=1844,i,14179831854600398782,15565123654061538240,131072 /prefetch:8
  2⤵
  PID:2832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3520 --field-trial-handle=1844,i,14179831854600398782,15565123654061538240,131072 /prefetch:8
  2⤵
  PID:4816

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000014

Filesize
181KB

MD5
4c75aa07dd23352ee1225b5a64cc6b59

SHA1
387c73c282f9b15d8f62b2c9d830945772c88c7a

SHA256
edeab1e3b20750bb1c0d394b111109c0c7ab74d34117d16ee1487cc1cb8c23fc

SHA512
a0e185b33114a19e6ace4b7f6af1983c45b124ecf4ce82f92ff832ad9a57ae895798ccd4473a46b9fd530831482b3ec3dc729b10c2c85095a54a6834c563d86f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
3fb19aef420f08c75822f7b7c21ca36b

SHA1
9def85bab0857bb73fdba6da0512831673800b8d

SHA256
7fb3ab17b68ff20e70aa31cc39a2e137b7067150b9e37a68212c3ad727fe3f58

SHA512
3c637687827e86630a0b0afc8dbceda0401b85d8fabe3042a5d984f894f7f76ced771cba81950e07ecb93905476151b98dc512669bbc254152f9c339a95b08c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
c148a0e20daf20af69ed46db115fd977

SHA1
78bfde4c0de5091264d7404a2ded546290fc011f

SHA256
a962351f81ba6ee93b40d880080b611a69aa0b9f59144886ff5155c1f7df1446

SHA512
127db34bb7285157ec3a23a20e4b7261110883554683adbb0dfc7ea2d2e28e569d8c51b454baa8d19d40a64bc3b7648a5fc9c5ceefe17f0c590f9492e18806fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
ba27ca1775c74b97bd46467adbcbf524

SHA1
a4958d34b25d54ff8ad996e8ad3b9f15fc292c78

SHA256
32dd2a0309cae3bd46f723137f5d7ba2f8de2cac73bf012625c21ccf1117ab4c

SHA512
98e0f064cd79f3db5679c3837cd48e769d9c501fe156aaff09ff6ed1bb3384f781a3b7ea4028b206eccad6a2b412934eecc5a6e364d5ac87ee2d0e5fb7cfa970

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
0110cb36706f6d190fb92bfa3a0b935f

SHA1
8f1b8eb31459cf9d99b6fe3f3f3dba0a9f6089a4

SHA256
b5c1888e8e51b153b29069b39977c8cc829f2b975be86113c367c59a0f548820

SHA512
97f4a92435ae3911225e5ba35bf7f72c7a124b2a82a3f16c0cd83d5e047c821c118b4b63184cbaff8c0505c26984b5db66034a99803993022a489534a5f68355

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
742cc8ab40eab85898aacb4179b7f2e1

SHA1
13aa5966fd289d0f9bd70711a301986ee939fc8d

SHA256
bc20cd048994361214e5bf0de544bb5de6715660bf522a92c0b989f62c0ff0d6

SHA512
1bce0efce2f5f20fe03f4eb4cf21270361a53c96d5bea47005227781be27e64da87eb6371686c4e38f7c1b38a17f927c5b7cc7ddd2df67bb0402290a2c33725a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
bca5c49414aff19e0591c4090dca8b72

SHA1
2f15dd92f8efad6c4d0a9bcaa7d0280b703918c5

SHA256
5e545235515a00c998b071052ca8f32d6ff6180a72bd499f4610a308ae27fc19

SHA512
4fd95451b3985f63aa5790c08bef1f8a2d1d5db5f1bd148ddab4268bf7552f8daae5bddfed923b954fd4b985b9b2338a575a823e106fb646352208dd0b5581c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
abc31599c5410fca7c7c283fdcfb6a82

SHA1
369779cef052874bb4abb3af939e416632f839f5

SHA256
5014d5c78dc52c2a8f5d204624d52ade84a8b36cc31d1c6bebe3e03428009973

SHA512
36a3ed02f7bad3e72e64be50318c395977000ecb69550ed4df987a917235074a91806e740f9b57f8c5f8ecd7e83c570376e517999c07efe8737fb073c7a7a5c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
9eddc1ed589729801ab27b9d818dd510

SHA1
be3a596f6152211b2667f70e8cfc0477fb3744ff

SHA256
2979a427e91c96408d765b96eef1cf83abf79dc0ad23d9ebc1c17a04d8cbc428

SHA512
ca67c0b3f5949fe2633cea2c7e54a533ed2eb2ee9fd9a257845e5c62dcd143e519a1fb712e3d3e3b85ebf59e256c023e87f7ddb1cee77f9a464a7d63c8fafdb8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
47a57398b3edb85d32d530dd21adf7d7

SHA1
c96e204287b789e673a9577a3f48b84761f8e501

SHA256
778ada9723c9c6f06f26df1c5b48fa5870e6c11327e8e368d5c56bbbebd83366

SHA512
7378e837037808c1b986dd2bfc35f53b73793ea138393d0fe0351684c0cd2367c80e24b7aca4a2a06da66d3e7161ca8e099c0cb9824189fc8dc4adacfdbff92b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5ba9d9.TMP

Filesize
48B

MD5
669995b55cf52fa510d699971d973b18

SHA1
a9566249c530756e55f1da8b4fe73afea86a6e71

SHA256
cb0bd9e4898e78668689d4399ec382b844bd27677ea33e3ed9dc0626e66bd049

SHA512
9b8e5f660e28325cd4cf25c46b420508d5dbd779a6bab9faa1735551c555e9f6a4bb0b41e0174b2b5ee10eb94e6a6e2cc39f39c8366cfeaff734b8457c727625

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
177KB

MD5
66ed5262d64666630dff3ce8ef14e7fe

SHA1
9ca46201bcf2f16aaa1e402eb3585033405590d3

SHA256
b3f6d3f1325971be3fd43ab08d37b30eb43b430022ec4e8d4460f92dd67c718d

SHA512
f5405f1dd1458bc2006469ae0791412f938bd7f61b3aac323204b9efbc4db07a5f63c12a6c1e6a74014addb1a492c142ceeb92135bb5f9c09cfb30c1f84372f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
99KB

MD5
84b994eaab9c863419343dd3ecd7eea7

SHA1
07e091a88024f7adfdd62920188b4683308c9f13

SHA256
be0dd1e29887b231d39e1e85b499f754926d333092b49afb9b1dc1c68a49c6cc

SHA512
e2071972e809e05347a07cf163c69a4d2d71e7c39e19df49dc3bd1332c844b3b65db8ed1ff13556b9c7ab91be5c2f9387e1c514194e104c488b6ddc77acf778c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5bac79.TMP

Filesize
98KB

MD5
c389c1748d28069cfc6542ccba4b7fcc

SHA1
9ccd9c7ec86eb55e66e648e1af988301f5cb0bac

SHA256
b2ef6f280eae90d8282f23064b5558d4a08c13d31465836f63127da9f9f33d68

SHA512
1a4d8c6ac2d1b25d8722b985df0081dedadc859d2a07c200d50c4102518b2b2e6b2a507414b118bf477ac133f0f1aceb4d68236927bedd702c4e48e3a86bed03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Desktop\Emsisoft-antimalware-remains\samples\exe32\virussign.com_a09ee04bf0a6616843dbdeae0e8c8f10.exe

Filesize
24KB

MD5
a09ee04bf0a6616843dbdeae0e8c8f10

SHA1
d11feb21c1620f03e3d716ec3d49087d882f4054

SHA256
f198a3ac0d9317fe180433e833bb5984eb8315e0bf55ab6f951e8d95ca3865f9

SHA512
1b5ad8fb80fcb16bbf9f7e6ea3cf0428c5eedeadb9952b40fa41a723adccd0e14c6fff35326ed62608a1ae805a07b51516b1c05e7af93a6334fd838f8220e691

Download Submit
C:\Users\Admin\Desktop\Emsisoft-antimalware-remains\samples\exe32\virussign.com_a09ee04bf0a6616843dbdeae0e8c8f10.exe

Filesize
24KB

MD5
a09ee04bf0a6616843dbdeae0e8c8f10

SHA1
d11feb21c1620f03e3d716ec3d49087d882f4054

SHA256
f198a3ac0d9317fe180433e833bb5984eb8315e0bf55ab6f951e8d95ca3865f9

SHA512
1b5ad8fb80fcb16bbf9f7e6ea3cf0428c5eedeadb9952b40fa41a723adccd0e14c6fff35326ed62608a1ae805a07b51516b1c05e7af93a6334fd838f8220e691

Download Submit
C:\Users\Admin\Desktop\Emsisoft-antimalware-remains\samples\exe32\virussign.com_b8bfacd3c3a363d77de79de971747e70.exe

Filesize
8.0MB

MD5
b8bfacd3c3a363d77de79de971747e70

SHA1
8b622d43d536e8c0fc9833d9474197fbfbfb9586

SHA256
d7e6fc094b3d25131c26b4eedcef2cf7ae26d1fed2a168c31b9ddc3e04f17482

SHA512
14ecaa351822c931e7a77518e086cd02d254e5331266767462acac32813a056f3bbc57750bce0fa237bd5444aff7e52cfba8b663acd99827f09e0efebf92f475

Download Submit
C:\Users\Admin\Desktop\Emsisoft-antimalware-remains\samples\exe32\virussign.com_b8bfacd3c3a363d77de79de971747e70.exe

Filesize
8.0MB

MD5
b8bfacd3c3a363d77de79de971747e70

SHA1
8b622d43d536e8c0fc9833d9474197fbfbfb9586

SHA256
d7e6fc094b3d25131c26b4eedcef2cf7ae26d1fed2a168c31b9ddc3e04f17482

SHA512
14ecaa351822c931e7a77518e086cd02d254e5331266767462acac32813a056f3bbc57750bce0fa237bd5444aff7e52cfba8b663acd99827f09e0efebf92f475

Download Submit
C:\Users\Admin\Desktop\Emsisoft-antimalware-remains\samples\exe32\virussign.com_dd40012503223da7140ab4cb22f01f40.exe

Filesize
273KB

MD5
dd40012503223da7140ab4cb22f01f40

SHA1
1d36a7b118e6555fa71b57a9929be83301398002

SHA256
d0c740c37378012762bde020538a3071510d8f9e71714321908af1d03939454f

SHA512
918b3eb9b513411c665b458f5d283b17f709857edb99403225fad65279177029e17b8fe7485cb3c826b1c0f551daed3892ff749cbeee81513cec9e73b7c4dbf8

Download Submit
C:\Users\Admin\Desktop\Emsisoft-antimalware-remains\samples\exe32\virussign.com_dd40012503223da7140ab4cb22f01f40.exe

Filesize
273KB

MD5
dd40012503223da7140ab4cb22f01f40

SHA1
1d36a7b118e6555fa71b57a9929be83301398002

SHA256
d0c740c37378012762bde020538a3071510d8f9e71714321908af1d03939454f

SHA512
918b3eb9b513411c665b458f5d283b17f709857edb99403225fad65279177029e17b8fe7485cb3c826b1c0f551daed3892ff749cbeee81513cec9e73b7c4dbf8

Download Submit
C:\Users\Admin\Desktop\Emsisoft-antimalware-remains\samples\exe32\virussign.com_eda65160075859ae76bd3f02536e4180.exe

Filesize
2.7MB

MD5
eda65160075859ae76bd3f02536e4180

SHA1
803f1fa3da0bb41c73a5848cd081cd681217589c

SHA256
830d99113195528974aca6de0bd623180c9e3e7b1e0d16da4fc6568233acdced

SHA512
59593151484392b7b514ffd455ea3639fa1d8a70a8dc07bb3161d7490662a7e38826f832ac58b813561e6750c39c962fc36962feca6b639f4f73c5e45d1390f7

Download Submit
C:\Users\Admin\Desktop\Emsisoft-antimalware-remains\samples\exe32\virussign.com_fd04a0969228c7c83b006149aed20950.exe

Filesize
22KB

MD5
fd04a0969228c7c83b006149aed20950

SHA1
d7baf81f5fd9bf532857b25bf1a5ff1813ef16d1

SHA256
ee3cbb4a94f2fa86199cacd8ed92fe8298fb6d30c59b0d8ac0aba3843ec533e0

SHA512
e802eb368c05289a0b5e908a37b0212d0f5af9125c68982441be7429384128338c7b82e85e147a54207766c57629977b0d9740b7cf7c356e619029e6f232964a

Download Submit
C:\Users\Admin\Desktop\Emsisoft-antimalware-remains\samples\exe32\virussign.com_fd04a0969228c7c83b006149aed20950.exe

Filesize
22KB

MD5
fd04a0969228c7c83b006149aed20950

SHA1
d7baf81f5fd9bf532857b25bf1a5ff1813ef16d1

SHA256
ee3cbb4a94f2fa86199cacd8ed92fe8298fb6d30c59b0d8ac0aba3843ec533e0

SHA512
e802eb368c05289a0b5e908a37b0212d0f5af9125c68982441be7429384128338c7b82e85e147a54207766c57629977b0d9740b7cf7c356e619029e6f232964a

Download Submit
memory/4420-205-0x0000000000400000-0x0000000000C34000-memory.dmp

Filesize
8.2MB

Download
memory/4728-217-0x0000000004B10000-0x0000000004B1A000-memory.dmp

Filesize
40KB

Download
memory/4728-220-0x0000000074890000-0x0000000075040000-memory.dmp

Filesize
7.7MB

Download
memory/4728-219-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/4728-218-0x0000000004C40000-0x0000000004C96000-memory.dmp

Filesize
344KB

Download
memory/4728-221-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/4728-216-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/4728-215-0x0000000004BA0000-0x0000000004C32000-memory.dmp

Filesize
584KB

Download
memory/4728-214-0x00000000050B0000-0x0000000005654000-memory.dmp

Filesize
5.6MB

Download
memory/4728-213-0x0000000074890000-0x0000000075040000-memory.dmp

Filesize
7.7MB

Download
memory/4728-212-0x0000000004A10000-0x0000000004AAC000-memory.dmp

Filesize
624KB

Download
memory/4728-211-0x00000000000B0000-0x00000000000BE000-memory.dmp

Filesize
56KB

Download
memory/4728-223-0x0000000074890000-0x0000000075040000-memory.dmp

Filesize
7.7MB

Download