e9184337cfa22667bcd36a9b7b4c6e31485fa583955ebda1726135c1bb2a207d

Analysis

max time kernel
101s
max time network
148s
platform
windows7_x64
resource
win7-20230712-ja
resource tags

arch:x64arch:x86image:win7-20230712-jalocale:ja-jpos:windows7-x64systemwindows
submitted
25/08/2023, 17:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

api-ms-win-crt-runtime-l1-1-0.dll
Size

11KB
MD5

894e538fbd29d9af2dac82abbb798aa8
SHA1

3c28b3063ce80b3fd61e0afc6934e3180f5bef12
SHA256

b12679d33126d2dcb0cd3625fccf5c3afc40d95c1be36dc55f7471de94929d23
SHA512

32ad7f4ba21c7ec47b374ed776cc1662de23a955a00aab509d9b82a9f4aa4b46580933c3382a1cffa526d93af686013104ca1d8d50ab3bab02a291e64b88a884
SSDEEP

192:+aajPrpJhhf4AN5/KiZWshWPBBbJz8Gjdv6suAH/7gq:+lbr7vWshWpB7dysuzq

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies Control Panel 19 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\scrnsave.scr"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Control Panel\Desktop\ScreenSaveActive = "1"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Control Panel\Desktop\ScreenSaveTimeOut = "60"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Control Panel\Desktop\ScreenSaveActive = "1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Control Panel\Appearance\Schemes	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Control Panel\Appearance\CustomColors = ffffff00ffffff00ffffff00ffffff00ffffff00ffffff00ffffff00ffffff00ffffff00ffffff00ffffff00ffffff00ffffff00ffffff00ffffff00ffffff00	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Control Panel\Appearance\Schemes	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Control Panel\Desktop	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Control Panel\Appearance\Schemes	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Bubbles.scr"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Control Panel\Desktop	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Control Panel\Desktop	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Control Panel\Desktop\ScreenSaveTimeOut = "60"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Control Panel\Appearance\Schemes	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Control Panel\Desktop\ScreenSaveTimeOut = "60"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Control Panel\Appearance\Schemes	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1436	chrome.exe
1436	chrome.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 3020	2772	rundll32.exe	40
PID 2772 wrote to memory of 3020	2772	rundll32.exe	40
PID 2772 wrote to memory of 3020	2772	rundll32.exe	40
PID 2772 wrote to memory of 1972	2772	rundll32.exe	41
PID 2772 wrote to memory of 1972	2772	rundll32.exe	41
PID 2772 wrote to memory of 1972	2772	rundll32.exe	41
PID 1852 wrote to memory of 3056	1852	rundll32.exe	44
PID 1852 wrote to memory of 3056	1852	rundll32.exe	44
PID 1852 wrote to memory of 3056	1852	rundll32.exe	44
PID 1852 wrote to memory of 3024	1852	rundll32.exe	45
PID 1852 wrote to memory of 3024	1852	rundll32.exe	45
PID 1852 wrote to memory of 3024	1852	rundll32.exe	45
PID 1456 wrote to memory of 1824	1456	rundll32.exe	48
PID 1456 wrote to memory of 1824	1456	rundll32.exe	48
PID 1456 wrote to memory of 1824	1456	rundll32.exe	48
PID 1704 wrote to memory of 1788	1704	rundll32.exe	50
PID 1704 wrote to memory of 1788	1704	rundll32.exe	50
PID 1704 wrote to memory of 1788	1704	rundll32.exe	50
PID 1436 wrote to memory of 2652	1436	chrome.exe	53
PID 1436 wrote to memory of 2652	1436	chrome.exe	53
PID 1436 wrote to memory of 2652	1436	chrome.exe	53
PID 1436 wrote to memory of 1564	1436	chrome.exe	54
PID 1436 wrote to memory of 1564	1436	chrome.exe	54
PID 1436 wrote to memory of 1564	1436	chrome.exe	54
PID 1436 wrote to memory of 1564	1436	chrome.exe	54
PID 1436 wrote to memory of 1564	1436	chrome.exe	54
PID 1436 wrote to memory of 1564	1436	chrome.exe	54
PID 1436 wrote to memory of 1564	1436	chrome.exe	54
PID 1436 wrote to memory of 1564	1436	chrome.exe	54
PID 1436 wrote to memory of 1564	1436	chrome.exe	54
PID 1436 wrote to memory of 1564	1436	chrome.exe	54
PID 1436 wrote to memory of 1564	1436	chrome.exe	54
PID 1436 wrote to memory of 1564	1436	chrome.exe	54
PID 1436 wrote to memory of 1564	1436	chrome.exe	54
PID 1436 wrote to memory of 1564	1436	chrome.exe	54
PID 1436 wrote to memory of 1564	1436	chrome.exe	54
PID 1436 wrote to memory of 1564	1436	chrome.exe	54
PID 1436 wrote to memory of 1564	1436	chrome.exe	54
PID 1436 wrote to memory of 1564	1436	chrome.exe	54
PID 1436 wrote to memory of 1564	1436	chrome.exe	54
PID 1436 wrote to memory of 1564	1436	chrome.exe	54
PID 1436 wrote to memory of 1564	1436	chrome.exe	54
PID 1436 wrote to memory of 1564	1436	chrome.exe	54
PID 1436 wrote to memory of 1564	1436	chrome.exe	54
PID 1436 wrote to memory of 1564	1436	chrome.exe	54
PID 1436 wrote to memory of 1564	1436	chrome.exe	54
PID 1436 wrote to memory of 1564	1436	chrome.exe	54
PID 1436 wrote to memory of 1564	1436	chrome.exe	54
PID 1436 wrote to memory of 1564	1436	chrome.exe	54
PID 1436 wrote to memory of 1564	1436	chrome.exe	54
PID 1436 wrote to memory of 1564	1436	chrome.exe	54
PID 1436 wrote to memory of 1564	1436	chrome.exe	54
PID 1436 wrote to memory of 1564	1436	chrome.exe	54
PID 1436 wrote to memory of 1564	1436	chrome.exe	54
PID 1436 wrote to memory of 1564	1436	chrome.exe	54
PID 1436 wrote to memory of 1564	1436	chrome.exe	54
PID 1436 wrote to memory of 1564	1436	chrome.exe	54
PID 1436 wrote to memory of 1564	1436	chrome.exe	54
PID 1436 wrote to memory of 1564	1436	chrome.exe	54
PID 1436 wrote to memory of 1564	1436	chrome.exe	54
PID 1436 wrote to memory of 612	1436	chrome.exe	55
PID 1436 wrote to memory of 612	1436	chrome.exe	55
PID 1436 wrote to memory of 612	1436	chrome.exe	55
PID 1436 wrote to memory of 1772	1436	chrome.exe	56

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\api-ms-win-crt-runtime-l1-1-0.dll,#1
1⤵
PID:2580

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
PID:2288

C:\Windows\System32\control.exe
"C:\Windows\System32\control.exe" SYSTEM
1⤵
PID:2512

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:1952

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:3000

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:2972

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" shell32.dll,Control_RunDLL desk.cpl,Advanced,@Advanced
1⤵
- Modifies Control Panel
PID:1596

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL desk.cpl,ScreenSaver,@ScreenSaver
1⤵
- Modifies Control Panel
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Windows\system32\Mystify.scr
  C:\Windows\system32\Mystify.scr /p 459148
  2⤵
  PID:3020
- C:\Windows\system32\scrnsave.scr
  C:\Windows\system32\scrnsave.scr /p 459148
  2⤵
  PID:1972

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL desk.cpl,ScreenSaver,@ScreenSaver
1⤵
- Modifies Control Panel
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Windows\system32\scrnsave.scr
  C:\Windows\system32\scrnsave.scr /p 1049070
  2⤵
  PID:3056
- C:\Windows\system32\Bubbles.scr
  C:\Windows\system32\Bubbles.scr /p 1049070
  2⤵
  PID:3024

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL desk.cpl,ScreenSaver,@ScreenSaver
1⤵
- Modifies Control Panel
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Windows\system32\Bubbles.scr
  C:\Windows\system32\Bubbles.scr /p 524688
  2⤵
  PID:1824

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL desk.cpl,ScreenSaver,@ScreenSaver
1⤵
- Modifies Control Panel
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\system32\Bubbles.scr
  C:\Windows\system32\Bubbles.scr /p 590224
  2⤵
  PID:1788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef4fb9758,0x7fef4fb9768,0x7fef4fb9778
  2⤵
  PID:2652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1180 --field-trial-handle=1288,i,12824875419732955033,2094745874818057877,131072 /prefetch:2
  2⤵
  PID:1564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1524 --field-trial-handle=1288,i,12824875419732955033,2094745874818057877,131072 /prefetch:8
  2⤵
  PID:612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1620 --field-trial-handle=1288,i,12824875419732955033,2094745874818057877,131072 /prefetch:8
  2⤵
  PID:1772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2296 --field-trial-handle=1288,i,12824875419732955033,2094745874818057877,131072 /prefetch:1
  2⤵
  PID:2400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=1552 --field-trial-handle=1288,i,12824875419732955033,2094745874818057877,131072 /prefetch:1
  2⤵
  PID:2292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1372 --field-trial-handle=1288,i,12824875419732955033,2094745874818057877,131072 /prefetch:2
  2⤵
  PID:2036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3212 --field-trial-handle=1288,i,12824875419732955033,2094745874818057877,131072 /prefetch:1
  2⤵
  PID:2116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3428 --field-trial-handle=1288,i,12824875419732955033,2094745874818057877,131072 /prefetch:8
  2⤵
  PID:2744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3448 --field-trial-handle=1288,i,12824875419732955033,2094745874818057877,131072 /prefetch:8
  2⤵
  PID:2696
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:2308
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x140137688,0x140137698,0x1401376a8
    3⤵
    PID:3020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3664 --field-trial-handle=1288,i,12824875419732955033,2094745874818057877,131072 /prefetch:8
  2⤵
  PID:1992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3784 --field-trial-handle=1288,i,12824875419732955033,2094745874818057877,131072 /prefetch:1
  2⤵
  PID:1852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=1208 --field-trial-handle=1288,i,12824875419732955033,2094745874818057877,131072 /prefetch:1
  2⤵
  PID:1748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3712 --field-trial-handle=1288,i,12824875419732955033,2094745874818057877,131072 /prefetch:1
  2⤵
  PID:2840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3716 --field-trial-handle=1288,i,12824875419732955033,2094745874818057877,131072 /prefetch:1
  2⤵
  PID:1724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4108 --field-trial-handle=1288,i,12824875419732955033,2094745874818057877,131072 /prefetch:8
  2⤵
  PID:2140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4060 --field-trial-handle=1288,i,12824875419732955033,2094745874818057877,131072 /prefetch:8
  2⤵
  PID:2384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3492 --field-trial-handle=1288,i,12824875419732955033,2094745874818057877,131072 /prefetch:1
  2⤵
  PID:2380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=2768 --field-trial-handle=1288,i,12824875419732955033,2094745874818057877,131072 /prefetch:1
  2⤵
  PID:1668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=2548 --field-trial-handle=1288,i,12824875419732955033,2094745874818057877,131072 /prefetch:1
  2⤵
  PID:1696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=2696 --field-trial-handle=1288,i,12824875419732955033,2094745874818057877,131072 /prefetch:1
  2⤵
  PID:2808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2600 --field-trial-handle=1288,i,12824875419732955033,2094745874818057877,131072 /prefetch:8
  2⤵
  PID:1588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4204 --field-trial-handle=1288,i,12824875419732955033,2094745874818057877,131072 /prefetch:8
  2⤵
  PID:996

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e3770a2056c26b85cd071730edb6a27e

SHA1
6d3b477a87d036d8be5525c31c125c9a88cebebb

SHA256
301c9fff9accf11cb89e3306c80ca9fd5bc745447c1c61478a1accd6b4793c45

SHA512
2c85f960537d3010f0b27e0c45032d15dc2972c9cacc648ce3092009b15ef52f7691e81f60288098614cf5ec12878a788a8977e888416f6472556bf42d60301f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\934a7fb3-4020-4828-ad1e-2f293d30666f.tmp

Filesize
180KB

MD5
e8b38b351338b522ae9a71891c86b2cd

SHA1
73f73bec8a8f5ca943f2a1dfeb2b94c13f2f0632

SHA256
21be12141878dbf3ecf8fc8f7ac497219f9962a40f42b10fecad102cb437b906

SHA512
4e7f3000991418c97e880c0ea16610c2e8887302efdcea05d36d376417955b5ff09676572db70053bbca43781edcafbe926bc14f94612060557b113e48e123c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000a

Filesize
39KB

MD5
6a3bb9c5ba28ee73af6c1b53e281b0cf

SHA1
d96e403c99c1707f82ea29c2c1f134e792c64097

SHA256
2f5adfc38558162578ffe112229f10417fbc4b3df025d153d4e22a0c95177740

SHA512
6c4844f70969938339cb6716a834a79e1a8379459c87b983c2518b9cbb560cb2f101aff980f682989928523be6cdc99bde3bfd8137f9c54a58191b900b580fbf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT~RFf78476c.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
527B

MD5
9225b336d85daa2e0ea1141cbcd0185c

SHA1
0d8d781c15e8e1f1b25e1c6a5f55d92202c657d6

SHA256
4b0f0beb48f9c13665eb532becc271d8cc2b3d6a73c213b5beb57783daea3543

SHA512
43c13ac2fe3d3c4a7f40ae5cff95fb2b42c627af0cc340b908301c649497c6af600dc15095e5f173546db6f0afeef246ea282d0a58ccc044a8985cc3a61772cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
fff278290ece96d3bb0a170ab8540f96

SHA1
70cf7067cbb1d5d42103f9aab3da09702eba9a4c

SHA256
df3518ebf9fe8530e8809ccc2da601850a91de2676937e3fa0b5264ac45cdd92

SHA512
e8556921d000b59232b895b3846a3149423489039b33dc58d15409752e9d21bd1e1c56f7ad3268969a013cec8f0f2dbdb4da69cf392daff30d25d79c604091ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
9736ae0ce69c5397a448a39a37ff001f

SHA1
90059e2cd40bfe47859317221d974d22b83bba14

SHA256
c617a25287ec9a4b00e52b78aec361f084ed3df06b6fa9fa1b42afccfe08262b

SHA512
0eb58730ac6d2b5378770919716e0e662d3f92412f7a35f4539a4f22286f978122d51accdeb18c891a3957b0ba9f90f18b7d9fb27882368c77333622a062b9ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
299149b1dba400e02b6b5cb7bd44b405

SHA1
5ef3e612075fd4fc9e7c50af78c7c1225f0d8406

SHA256
35d6eeee7085d268c1289e4bcc2aa2ea738c8e75fba5755cf0fe725bf1b31b25

SHA512
6af71f0a16deab81d01824befae1a83136166f6fc259fab42aa9cdde07a4a12ddfd6b09ca4f020c6bca981959a8f720fa0bd9400835efd6699a76d3aab0eefa2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
ecd6d25f89ba6a2a46eb58ea98ef5663

SHA1
18df55a03c86710ea17273f02a2df9c47726ee24

SHA256
b3d8ef394a3c638ff7f43231c6a8e2aa7bf1d2208b5b1bed053548187207ecec

SHA512
dc8fab4d4f7984d2d50ef7df4037b39c995ca506698442609314421997a607f9c9dc814c62478fa198f2613febb99fa09d9a7d9d96932d04d47edd54b10a8a3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
180KB

MD5
6790e313a5e33ee25274d3b5c50bda18

SHA1
4e135c76f3f386705c15a0603b72fa3eb6cd9c9f

SHA256
c8483d466c7893ed2cece08e3d69e35436dbbc0f85cc89e028970db6df7ec648

SHA512
7b815c5cce5547aa5d44174a73fd9e16a7044ce0a6e53407d5e60cab61fad995c14630b9929c788768d36eb302e1dacbfaee20a4500c8f4abe6163853b192a1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3183.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
memory/1788-6-0x00000000000F0000-0x00000000000FA000-memory.dmp

Filesize
40KB

Download
memory/1788-5-0x00000000000F0000-0x00000000000FA000-memory.dmp

Filesize
40KB

Download
memory/1824-4-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/1824-3-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/3020-0-0x0000000000080000-0x000000000008A000-memory.dmp

Filesize
40KB

Download
memory/3020-1-0x0000000000080000-0x000000000008A000-memory.dmp

Filesize
40KB

Download
memory/3024-2-0x0000000000180000-0x000000000018A000-memory.dmp

Filesize
40KB

Download