hxxps://yagoaway[.]ru/gl/?cid=19349&oid=171&v=3&utm_campaign=repacks1&trash=

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2023, 03:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://yagoaway.ru/gl/?cid=19349&oid=171&v=3&utm_campaign=repacks1&trash=

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{5BB26874-6344-4A6D-BDBA-67BE5486FA31}.catalogItem	svchost.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133381004688550678"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1712	chrome.exe
1712	chrome.exe
1692	chrome.exe
1692	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe
Token: SeShutdownPrivilege	1712	chrome.exe
Token: SeCreatePagefilePrivilege	1712	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe
1712	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 4628	1712	chrome.exe	35
PID 1712 wrote to memory of 4628	1712	chrome.exe	35
PID 1712 wrote to memory of 1952	1712	chrome.exe	86
PID 1712 wrote to memory of 1952	1712	chrome.exe	86
PID 1712 wrote to memory of 1952	1712	chrome.exe	86
PID 1712 wrote to memory of 1952	1712	chrome.exe	86
PID 1712 wrote to memory of 1952	1712	chrome.exe	86
PID 1712 wrote to memory of 1952	1712	chrome.exe	86
PID 1712 wrote to memory of 1952	1712	chrome.exe	86
PID 1712 wrote to memory of 1952	1712	chrome.exe	86
PID 1712 wrote to memory of 1952	1712	chrome.exe	86
PID 1712 wrote to memory of 1952	1712	chrome.exe	86
PID 1712 wrote to memory of 1952	1712	chrome.exe	86
PID 1712 wrote to memory of 1952	1712	chrome.exe	86
PID 1712 wrote to memory of 1952	1712	chrome.exe	86
PID 1712 wrote to memory of 1952	1712	chrome.exe	86
PID 1712 wrote to memory of 1952	1712	chrome.exe	86
PID 1712 wrote to memory of 1952	1712	chrome.exe	86
PID 1712 wrote to memory of 1952	1712	chrome.exe	86
PID 1712 wrote to memory of 1952	1712	chrome.exe	86
PID 1712 wrote to memory of 1952	1712	chrome.exe	86
PID 1712 wrote to memory of 1952	1712	chrome.exe	86
PID 1712 wrote to memory of 1952	1712	chrome.exe	86
PID 1712 wrote to memory of 1952	1712	chrome.exe	86
PID 1712 wrote to memory of 1952	1712	chrome.exe	86
PID 1712 wrote to memory of 1952	1712	chrome.exe	86
PID 1712 wrote to memory of 1952	1712	chrome.exe	86
PID 1712 wrote to memory of 1952	1712	chrome.exe	86
PID 1712 wrote to memory of 1952	1712	chrome.exe	86
PID 1712 wrote to memory of 1952	1712	chrome.exe	86
PID 1712 wrote to memory of 1952	1712	chrome.exe	86
PID 1712 wrote to memory of 1952	1712	chrome.exe	86
PID 1712 wrote to memory of 1952	1712	chrome.exe	86
PID 1712 wrote to memory of 1952	1712	chrome.exe	86
PID 1712 wrote to memory of 1952	1712	chrome.exe	86
PID 1712 wrote to memory of 1952	1712	chrome.exe	86
PID 1712 wrote to memory of 1952	1712	chrome.exe	86
PID 1712 wrote to memory of 1952	1712	chrome.exe	86
PID 1712 wrote to memory of 1952	1712	chrome.exe	86
PID 1712 wrote to memory of 1952	1712	chrome.exe	86
PID 1712 wrote to memory of 3980	1712	chrome.exe	87
PID 1712 wrote to memory of 3980	1712	chrome.exe	87
PID 1712 wrote to memory of 5108	1712	chrome.exe	88
PID 1712 wrote to memory of 5108	1712	chrome.exe	88
PID 1712 wrote to memory of 5108	1712	chrome.exe	88
PID 1712 wrote to memory of 5108	1712	chrome.exe	88
PID 1712 wrote to memory of 5108	1712	chrome.exe	88
PID 1712 wrote to memory of 5108	1712	chrome.exe	88
PID 1712 wrote to memory of 5108	1712	chrome.exe	88
PID 1712 wrote to memory of 5108	1712	chrome.exe	88
PID 1712 wrote to memory of 5108	1712	chrome.exe	88
PID 1712 wrote to memory of 5108	1712	chrome.exe	88
PID 1712 wrote to memory of 5108	1712	chrome.exe	88
PID 1712 wrote to memory of 5108	1712	chrome.exe	88
PID 1712 wrote to memory of 5108	1712	chrome.exe	88
PID 1712 wrote to memory of 5108	1712	chrome.exe	88
PID 1712 wrote to memory of 5108	1712	chrome.exe	88
PID 1712 wrote to memory of 5108	1712	chrome.exe	88
PID 1712 wrote to memory of 5108	1712	chrome.exe	88
PID 1712 wrote to memory of 5108	1712	chrome.exe	88
PID 1712 wrote to memory of 5108	1712	chrome.exe	88
PID 1712 wrote to memory of 5108	1712	chrome.exe	88
PID 1712 wrote to memory of 5108	1712	chrome.exe	88
PID 1712 wrote to memory of 5108	1712	chrome.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://yagoaway.ru/gl/?cid=19349&oid=171&v=3&utm_campaign=repacks1&trash=
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8425e9758,0x7ff8425e9768,0x7ff8425e9778
  2⤵
  PID:4628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1796,i,15623059368067630243,12584853973409622593,131072 /prefetch:2
  2⤵
  PID:1952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1796,i,15623059368067630243,12584853973409622593,131072 /prefetch:8
  2⤵
  PID:3980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 --field-trial-handle=1796,i,15623059368067630243,12584853973409622593,131072 /prefetch:8
  2⤵
  PID:5108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3024 --field-trial-handle=1796,i,15623059368067630243,12584853973409622593,131072 /prefetch:1
  2⤵
  PID:1220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3004 --field-trial-handle=1796,i,15623059368067630243,12584853973409622593,131072 /prefetch:1
  2⤵
  PID:1968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4572 --field-trial-handle=1796,i,15623059368067630243,12584853973409622593,131072 /prefetch:1
  2⤵
  PID:2164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4792 --field-trial-handle=1796,i,15623059368067630243,12584853973409622593,131072 /prefetch:1
  2⤵
  PID:1468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4720 --field-trial-handle=1796,i,15623059368067630243,12584853973409622593,131072 /prefetch:1
  2⤵
  PID:3024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3032 --field-trial-handle=1796,i,15623059368067630243,12584853973409622593,131072 /prefetch:8
  2⤵
  PID:4176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5708 --field-trial-handle=1796,i,15623059368067630243,12584853973409622593,131072 /prefetch:1
  2⤵
  PID:3424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=6024 --field-trial-handle=1796,i,15623059368067630243,12584853973409622593,131072 /prefetch:1
  2⤵
  PID:4512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1812 --field-trial-handle=1796,i,15623059368067630243,12584853973409622593,131072 /prefetch:8
  2⤵
  PID:1744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5996 --field-trial-handle=1796,i,15623059368067630243,12584853973409622593,131072 /prefetch:8
  2⤵
  PID:3816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5912 --field-trial-handle=1796,i,15623059368067630243,12584853973409622593,131072 /prefetch:1
  2⤵
  PID:2852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3160 --field-trial-handle=1796,i,15623059368067630243,12584853973409622593,131072 /prefetch:1
  2⤵
  PID:4996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3044 --field-trial-handle=1796,i,15623059368067630243,12584853973409622593,131072 /prefetch:1
  2⤵
  PID:2360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6328 --field-trial-handle=1796,i,15623059368067630243,12584853973409622593,131072 /prefetch:8
  2⤵
  PID:1156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6452 --field-trial-handle=1796,i,15623059368067630243,12584853973409622593,131072 /prefetch:8
  2⤵
  PID:2568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6644 --field-trial-handle=1796,i,15623059368067630243,12584853973409622593,131072 /prefetch:8
  2⤵
  PID:3100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 --field-trial-handle=1796,i,15623059368067630243,12584853973409622593,131072 /prefetch:8
  2⤵
  PID:3840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=5440 --field-trial-handle=1796,i,15623059368067630243,12584853973409622593,131072 /prefetch:1
  2⤵
  PID:2144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5568 --field-trial-handle=1796,i,15623059368067630243,12584853973409622593,131072 /prefetch:1
  2⤵
  PID:4160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=6756 --field-trial-handle=1796,i,15623059368067630243,12584853973409622593,131072 /prefetch:1
  2⤵
  PID:4912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=6708 --field-trial-handle=1796,i,15623059368067630243,12584853973409622593,131072 /prefetch:1
  2⤵
  PID:1464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=6872 --field-trial-handle=1796,i,15623059368067630243,12584853973409622593,131072 /prefetch:1
  2⤵
  PID:2020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=5380 --field-trial-handle=1796,i,15623059368067630243,12584853973409622593,131072 /prefetch:1
  2⤵
  PID:812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=6668 --field-trial-handle=1796,i,15623059368067630243,12584853973409622593,131072 /prefetch:1
  2⤵
  PID:3592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=7072 --field-trial-handle=1796,i,15623059368067630243,12584853973409622593,131072 /prefetch:1
  2⤵
  PID:448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=5336 --field-trial-handle=1796,i,15623059368067630243,12584853973409622593,131072 /prefetch:1
  2⤵
  PID:2620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5096 --field-trial-handle=1796,i,15623059368067630243,12584853973409622593,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:208

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:448

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x510 0x514
1⤵
PID:436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00003a

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
6275109f946dc6045da008663c2f04de

SHA1
b500567d863573b0c7f049d3d26e7b9810e5ada0

SHA256
54f0dacc648a6d00995c0ff315372fa4f84633b65befa3092d4c2800e2c706d9

SHA512
e6e99f92754add81682634ecded2f56f71091497ce5c9d949d99bb88df5be2ef99fab4a3b75c34dc178ab8500e7ce52396990229d679b0b70a1b673fedd10f15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
f6c48bd8192b1e3224cd448001e47fd4

SHA1
7443167ce299edbfecfbe9fbdfcc3583fe955f21

SHA256
e2ea2ffb784fcfaa442455d058b65edaaf6651b69cf702d7df7b223c732752a3

SHA512
084f24a7fa894084c9ed556c7eec91e854d6a383cffc82435bcde613fe0167f2fe6688ca8b19cb6aeb9671b953686a3fe2aa400e84bfa030ab3a3383e14b078a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
8448591f751d4d32515b533ffce66237

SHA1
d6d37cc154ced9eadfb2cba8e002a556be842655

SHA256
b1cfc096158f57782ec38ace976bbb00ce5d4879ecdceab34364b7664594e0c3

SHA512
49ee90b6bec9b5768d7cf849e4f63e30d9108e8dcd0a787f1fad81db9be48fae413c509b5584f527432ca4cac2a74c26b907383afa1d65217aa62a535d206850

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c44ea0cf2412bc1378323ae9d8d5e9c1

SHA1
f9e03bfaae48326938d4aa96cfd4b93253264ff1

SHA256
96859e307dc073362e555c8255cd6bf5f5a74c8af6448ee7eb1f0ba640c4377d

SHA512
191786bc905ee887250ff8e00b24191a402cbe620135605b096ade778d3d1c3bb1805c56c7c7df9551a46102002c80fb8dfb844e349e684fa2ebcc71a6f357ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
08fd3b8c814db56471a98147fa63cf3c

SHA1
bdb16f0de499c7f6ff7cb682bb48e90834ac0052

SHA256
ad6ebfe77807177a98a507723122d374fe31bf902f639f6e4d8ced451bdd7cdd

SHA512
1de25018f0bc01d22b992d15bd6a4e75ec5025c196ec3413d49e23efb595886a5a15f521b41bdcd1a1bd0743dfd839e01f9250315e8453f80c15557f79eb4f8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
4c3301fdfbbf86bd7408fbc003367918

SHA1
9f053aab12b32ca634ffdf319f296c1d8884187e

SHA256
27c384819e48fccaa0d3d45a30b0a2a4fba55de8b23c0a3481c552e23e0c581a

SHA512
b63f4b9b960de7b38ce4f51730d5723cf78bb617d2b5db0e61304656e12e5fb2d8961cdb727235f687a55364e9fe2bb75d16dce3ccc675ce987bff6d23b2e2b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
3ef44ab7d78e26bc94deadcf89237ed2

SHA1
2f5ffd5b0b455fcceff8341b7e57958645081aff

SHA256
f681a5cea951e2b851bfde0825dd5394b4513255b5e17dc912b20391b9a330d2

SHA512
5345675132c077192f548bc863a4ce6f37a303503f070976c87241bd6e68798f799c211ab3bab8a08d64186e81328ed93bd7bb7373c03fa61bfb328c4068a8e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
872B

MD5
95c0caf4cbe5bc3b23927a36946df124

SHA1
702c69bbbcf2038e167742d4896f144aea2a67a0

SHA256
516e9f3ecc2bf55c8d3f613eca43a4c959a465e776cdf9b9bb57bfe31c67a4b0

SHA512
6e4839f9d7450844e3247ee2b0c8c18f7a3af3ba7b740345081f12ff95e965644ebcfcd3d1d527b95a2e02708cf3150dfb3fd0599a4b59f8d84f49cc96fd56e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
ee64581d54fd450727b1bee1b932a822

SHA1
eb771265ff950e458fa6372f82f0f1cc735af76a

SHA256
44ac062966320d9f317687338162855551aa3716121e661c88b6a5678f887267

SHA512
400a877a77b48960969babe2fcf416a3a21684e077abd8e4363fa7185e81620ac80b66e935492fbfd4d8896d09acf7f5c268f386d3a122a33c8d1c13515cf5c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
614f2223531a9dc9a3c3e795f81e25e0

SHA1
676751f2dddd76bc80980f179026ab748e9e92c1

SHA256
48f3a5c5f44084a75599e65ffb21b9c8743881dd666bf73066fbf05c99d6256d

SHA512
2b3ae3f71741e53e9e6c5d388df1d11c39b41688f7c6181c3e6c6ce42e0f3d7e1928cfd119bbf2bc8e151d103baeb9e43c66761ae0719403c2b88a9b9fd2ce0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
ba7035f2965e89a9205447eaf40cc065

SHA1
f17039816147bce6d1afc9453388823e03c61084

SHA256
d36308c12b02331fea21e396f66fb6de32a745d5999f3910a8ebfb59a7330ded

SHA512
0ea4b4c4b44172738f156dc4672d5a162cdbad42f532ebbd7e25af9cf1b056c84f87addb97a2414c6bdc1a4d7de223596b4efdf668779584f26543247c18acc1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
efaa668e7718229c99258fdc90333108

SHA1
9616b4b32c3e332ef080ffb91d89bfeb322c26d1

SHA256
50b246ca284b8265fa8177b755c23fec40dea6e5c30963ad29b73bc5b7a5eeea

SHA512
915f521c14d6379ddc84852617d05c933e3f0ca315c066f4d61b5b0cd39de29287d14a18ce916d8c364450aae870ce8a8e8e1f5742155c7e8537c1f79d2fe678

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
84816e7c7033c382e875ecd73cb1d7f5

SHA1
5477a388c5fbe12a5041d67987a7a901492b3df5

SHA256
ccc7a5661e272efca77365b757c7c1acd815329b5f592fd72da86138bd7a72af

SHA512
1ec06f1f6324eb704217d4494255b0ed36a4481d7e1b62cb8a966e3bdcb66e15f28a25b922cfb06b5c5a1a86c8fac96ab8b443e02145cadaec1aabe9357d367c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
80f6de457f604d7e76efa38cf8d1a892

SHA1
8ca04852fddd97612f70e211808533dfc22189b1

SHA256
62e5697c07d52c0e70d0a620968200f97d4cd927d3b2f8a9ddc82698b8e88f62

SHA512
d467db04abef9dc085a0e546d00d797ba9c8a697c4e190cac826504348289469592e438ecef5a53601ab69bdb0322afb13831b5ec05c30d66109d1c4ee2e94ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
a14ee38148409054adcdf2a52fa479bb

SHA1
3bd225c732d2d9bf713fd23a3c70b4f822205688

SHA256
58e87c916598a3b87f215db5bb66b95a2de36e2672ebab247a9555fe034a52aa

SHA512
919bf3c4bf59be424433a67c79d95a949b4c9dd4bd892e6ab4382cde5ca9f8462bc23e0210a9c385d1d808bfdae474e58add07d8abad1952ab026c13bc985a2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
dc55be4040eabe34cb7716bc2bedce04

SHA1
a01a931d6a35d62befda0a344bdfbe008e03035c

SHA256
d412dc0b406bcac44ee2ca9fc3fa418e5508fed7fcac8794a92b315e2b3a6b96

SHA512
a4f64a2bd7034f21bf3719d989ff4b68cd41bc0a9fd402896056b634a0042986f8a92c7782125e61624f3943e1086b98f0a1f97f518c9da2b8c45415699a32ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c5b031417b7e4f5eb70ba9ef6382085c

SHA1
f6ddc88b9b767c7d36c896e3aef8fc922c7add9c

SHA256
f2d5bdda95b20ad8ac37575336f164084c146deb2cc8f801908e013a8a95ae0b

SHA512
23a5b0dae1f3d146d08bc7d760bcac09b24a8fcd1d2a418cdd6365e306f67a269d2f57c9fc4acbf9a69d26eef19e3e9e26259b3f4245393c0c58979332a3cec2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9e4d1d99473e4643ef86fb7a30fb8303

SHA1
a6fee35344f67b0b828a5f33b30b0e0429f86172

SHA256
6f618a073b7b4dcbce16936ccc50303722a076e51f1a6cfccda8208af5b36ecd

SHA512
9eb1e2c2ae781c912ab39739357561186cd1ecb84e382663356e6713c13028f35cc4ec14348e64b839ea23f02cabe34770dbaa099725af4f9dcde5f8d7dee88e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a2c1199dccc52ac9259d0da2f1068b12

SHA1
eec822687c5cf4ff0241f29f95b15be3d19671f4

SHA256
cceec8d9e7d00ba19a007247e461cc91c587269036f44670957c4a7c6b6bf184

SHA512
75099f3f794b980568cefb8a5f40debbbbb1621cdcf8a4f59176f786406d841106e4a2da8ebc069372bde1eeadd7f6424a08ea2ed8c2a2ed287d44ac2206eeed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
97KB

MD5
1bb32bf58d45abd32628a703f4d03156

SHA1
332d6f4e35d7cb49bdbdbe2c0409944997001bbb

SHA256
17de9b105bab012414e73fc7a200a2ccfab333be7da27a358f4b9aa2e53d1d20

SHA512
0edcad236574a3f6f9fa0be1bf286ca017a1e32f39c4e6e649fb5f73c1ba7d85e2cd332039e0ad6e695ac68aba64dc0762b9386166b0a889d6bd18b138f929c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
97KB

MD5
01cba7aba7013cf53f5ae984bfdd8b69

SHA1
013e9267165708954c3e017283958b000ba7a1dd

SHA256
ed2bf7dc721b31ecfe31b68b5f67d0c9bb5fa38d9ad8ca3fa146868e1bbe2618

SHA512
80e453f6e2e40e55b7951de2a87bc79b736a54296e6a9559b1057ab0666bb8bf5c6d0b5fb944a73e784722c5faef3316654b1dc8bca4b8cc7af27637b869c9b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
97KB

MD5
3fe9ad9a873ad2fb491d27b0d597e606

SHA1
46e3a118128fa29310c2cee86cb762cd8d898638

SHA256
c9a813b33190aeb6965b3d06e08299e147d11aa3535f1fd644c07dc594c4b69e

SHA512
0ad04afed11e9546a638a2df91a15dc90cafc9824080353328e9625004038a796cb65a7692f6e1d73d8347edc210a4c22759a494d954f7492bd7de65c658adbb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit