eternity | f296f08aa0ad60e857270505d931392943d95cf7a2ecb2e0245ff785c157ca49

Analysis

max time kernel
374s
max time network
440s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
04-09-2023 09:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CrustaceanInstaller.exe
Size

3.4MB
MD5

bd3a90f3b268ac71630666bc7ce92406
SHA1

cb6327b43c8209c1d30517b5be9a394bf73ec739
SHA256

f296f08aa0ad60e857270505d931392943d95cf7a2ecb2e0245ff785c157ca49
SHA512

11cc492ae8647376329965e610125aa956fe575d5bd3d3bedc9822f765b5ecf672b8ffa99685a004960b3ce7998670c6c67457660f352d42331750d0a20cf62e
SSDEEP

49152:SSrSrtUT0/n2mmNu+d8dVKFpHY/o1pPcFxHLC5j9ljJrS9bbroKJeq0Tl:BNukXiFxbKl

Score

10^/10

eternity

Malware Config

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2212	2952	WerFault.exe	27

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\crustacean\shell	CrustaceanInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\crustacean\shell\open	CrustaceanInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\crustacean\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrustaceanInstaller.exe \"%1\""	CrustaceanInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\crustacean	CrustaceanInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\crustacean\ = "Installer"	CrustaceanInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\crustacean\URL Protocol	CrustaceanInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\crustacean\shell\open\command	CrustaceanInstaller.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	CrustaceanInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	CrustaceanInstaller.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
2952	CrustaceanInstaller.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 2212	2952	CrustaceanInstaller.exe	28
PID 2952 wrote to memory of 2212	2952	CrustaceanInstaller.exe	28
PID 2952 wrote to memory of 2212	2952	CrustaceanInstaller.exe	28
PID 1664 wrote to memory of 2580	1664	chrome.exe	30
PID 1664 wrote to memory of 2580	1664	chrome.exe	30
PID 1664 wrote to memory of 2580	1664	chrome.exe	30
PID 1664 wrote to memory of 2916	1664	chrome.exe	32
PID 1664 wrote to memory of 2916	1664	chrome.exe	32
PID 1664 wrote to memory of 2916	1664	chrome.exe	32
PID 1664 wrote to memory of 2916	1664	chrome.exe	32
PID 1664 wrote to memory of 2916	1664	chrome.exe	32
PID 1664 wrote to memory of 2916	1664	chrome.exe	32
PID 1664 wrote to memory of 2916	1664	chrome.exe	32
PID 1664 wrote to memory of 2916	1664	chrome.exe	32
PID 1664 wrote to memory of 2916	1664	chrome.exe	32
PID 1664 wrote to memory of 2916	1664	chrome.exe	32
PID 1664 wrote to memory of 2916	1664	chrome.exe	32
PID 1664 wrote to memory of 2916	1664	chrome.exe	32
PID 1664 wrote to memory of 2916	1664	chrome.exe	32
PID 1664 wrote to memory of 2916	1664	chrome.exe	32
PID 1664 wrote to memory of 2916	1664	chrome.exe	32
PID 1664 wrote to memory of 2916	1664	chrome.exe	32
PID 1664 wrote to memory of 2916	1664	chrome.exe	32
PID 1664 wrote to memory of 2916	1664	chrome.exe	32
PID 1664 wrote to memory of 2916	1664	chrome.exe	32
PID 1664 wrote to memory of 2916	1664	chrome.exe	32
PID 1664 wrote to memory of 2916	1664	chrome.exe	32
PID 1664 wrote to memory of 2916	1664	chrome.exe	32
PID 1664 wrote to memory of 2916	1664	chrome.exe	32
PID 1664 wrote to memory of 2916	1664	chrome.exe	32
PID 1664 wrote to memory of 2916	1664	chrome.exe	32
PID 1664 wrote to memory of 2916	1664	chrome.exe	32
PID 1664 wrote to memory of 2916	1664	chrome.exe	32
PID 1664 wrote to memory of 2916	1664	chrome.exe	32
PID 1664 wrote to memory of 2916	1664	chrome.exe	32
PID 1664 wrote to memory of 2916	1664	chrome.exe	32
PID 1664 wrote to memory of 2916	1664	chrome.exe	32
PID 1664 wrote to memory of 2916	1664	chrome.exe	32
PID 1664 wrote to memory of 2916	1664	chrome.exe	32
PID 1664 wrote to memory of 2916	1664	chrome.exe	32
PID 1664 wrote to memory of 2916	1664	chrome.exe	32
PID 1664 wrote to memory of 2916	1664	chrome.exe	32
PID 1664 wrote to memory of 2916	1664	chrome.exe	32
PID 1664 wrote to memory of 2916	1664	chrome.exe	32
PID 1664 wrote to memory of 2916	1664	chrome.exe	32
PID 1664 wrote to memory of 2752	1664	chrome.exe	33
PID 1664 wrote to memory of 2752	1664	chrome.exe	33
PID 1664 wrote to memory of 2752	1664	chrome.exe	33
PID 1664 wrote to memory of 2900	1664	chrome.exe	34
PID 1664 wrote to memory of 2900	1664	chrome.exe	34
PID 1664 wrote to memory of 2900	1664	chrome.exe	34
PID 1664 wrote to memory of 2900	1664	chrome.exe	34
PID 1664 wrote to memory of 2900	1664	chrome.exe	34
PID 1664 wrote to memory of 2900	1664	chrome.exe	34
PID 1664 wrote to memory of 2900	1664	chrome.exe	34
PID 1664 wrote to memory of 2900	1664	chrome.exe	34
PID 1664 wrote to memory of 2900	1664	chrome.exe	34
PID 1664 wrote to memory of 2900	1664	chrome.exe	34
PID 1664 wrote to memory of 2900	1664	chrome.exe	34
PID 1664 wrote to memory of 2900	1664	chrome.exe	34
PID 1664 wrote to memory of 2900	1664	chrome.exe	34
PID 1664 wrote to memory of 2900	1664	chrome.exe	34
PID 1664 wrote to memory of 2900	1664	chrome.exe	34
PID 1664 wrote to memory of 2900	1664	chrome.exe	34

C:\Users\Admin\AppData\Local\Temp\CrustaceanInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\CrustaceanInstaller.exe"
1⤵
- Modifies registry class
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2952 -s 936
  2⤵
  - Program crash
  PID:2212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6dc9758,0x7fef6dc9768,0x7fef6dc9778
  2⤵
  PID:2580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1132 --field-trial-handle=1340,i,11934978429605253969,5518614067264052065,131072 /prefetch:2
  2⤵
  PID:2916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1364 --field-trial-handle=1340,i,11934978429605253969,5518614067264052065,131072 /prefetch:8
  2⤵
  PID:2752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1588 --field-trial-handle=1340,i,11934978429605253969,5518614067264052065,131072 /prefetch:8
  2⤵
  PID:2900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2252 --field-trial-handle=1340,i,11934978429605253969,5518614067264052065,131072 /prefetch:1
  2⤵
  PID:2052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2264 --field-trial-handle=1340,i,11934978429605253969,5518614067264052065,131072 /prefetch:1
  2⤵
  PID:2008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1548 --field-trial-handle=1340,i,11934978429605253969,5518614067264052065,131072 /prefetch:2
  2⤵
  PID:2780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1376 --field-trial-handle=1340,i,11934978429605253969,5518614067264052065,131072 /prefetch:1
  2⤵
  PID:2004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3508 --field-trial-handle=1340,i,11934978429605253969,5518614067264052065,131072 /prefetch:8
  2⤵
  PID:2364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3464 --field-trial-handle=1340,i,11934978429605253969,5518614067264052065,131072 /prefetch:8
  2⤵
  PID:2056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3540 --field-trial-handle=1340,i,11934978429605253969,5518614067264052065,131072 /prefetch:8
  2⤵
  PID:1816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3612 --field-trial-handle=1340,i,11934978429605253969,5518614067264052065,131072 /prefetch:8
  2⤵
  PID:2384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2716 --field-trial-handle=1340,i,11934978429605253969,5518614067264052065,131072 /prefetch:8
  2⤵
  PID:952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3544 --field-trial-handle=1340,i,11934978429605253969,5518614067264052065,131072 /prefetch:1
  2⤵
  PID:2448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3564 --field-trial-handle=1340,i,11934978429605253969,5518614067264052065,131072 /prefetch:1
  2⤵
  PID:1584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3824 --field-trial-handle=1340,i,11934978429605253969,5518614067264052065,131072 /prefetch:1
  2⤵
  PID:1716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3924 --field-trial-handle=1340,i,11934978429605253969,5518614067264052065,131072 /prefetch:8
  2⤵
  PID:2152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=3732 --field-trial-handle=1340,i,11934978429605253969,5518614067264052065,131072 /prefetch:1
  2⤵
  PID:684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4084 --field-trial-handle=1340,i,11934978429605253969,5518614067264052065,131072 /prefetch:8
  2⤵
  PID:324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4228 --field-trial-handle=1340,i,11934978429605253969,5518614067264052065,131072 /prefetch:8
  2⤵
  PID:764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2248 --field-trial-handle=1340,i,11934978429605253969,5518614067264052065,131072 /prefetch:8
  2⤵
  PID:2868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=4184 --field-trial-handle=1340,i,11934978429605253969,5518614067264052065,131072 /prefetch:1
  2⤵
  PID:2300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=4164 --field-trial-handle=1340,i,11934978429605253969,5518614067264052065,131072 /prefetch:1
  2⤵
  PID:1968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=2584 --field-trial-handle=1340,i,11934978429605253969,5518614067264052065,131072 /prefetch:1
  2⤵
  PID:1216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=4152 --field-trial-handle=1340,i,11934978429605253969,5518614067264052065,131072 /prefetch:1
  2⤵
  PID:664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=1404 --field-trial-handle=1340,i,11934978429605253969,5518614067264052065,131072 /prefetch:1
  2⤵
  PID:2316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1160 --field-trial-handle=1340,i,11934978429605253969,5518614067264052065,131072 /prefetch:8
  2⤵
  PID:2140

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3721e405ebe46c631d32dbcec64fb1b3

SHA1
8a0c39649b75747c2e309f3a3b35d822db27d428

SHA256
53086eb4c9e94598381ff673d4924581b9f7b77a81802f5aba31b9dbb53a9052

SHA512
c65d293d7ab5946a1ede9a99f851d1c2ba1c71e9168f6bb1f33d96f1253af8d80b2eb8b4c9c10b1e0d6e4241ad74c8ccfec5728b156ebff3b4808b8c04aabe21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\7316d894-0f45-4d0d-bee7-44304bd74b1f.tmp

Filesize
5KB

MD5
c8374422ffa6646cf8448e17dcfd966e

SHA1
f21a1b07403eb3b2758f45b24c4eef7ad06b0a42

SHA256
367fa530108480210354d0b2081f309cfb8022bc5df1d2b8ffa2c902a89fb7a6

SHA512
512a0c880437988e02b071580017f4469a871402ae2f5000e9a2ae8214e727e348ecb81c4f09771c321fbe9b98fd7a580f2754b39d7d982d6819a90079cfd9c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\9c1434c9-4e69-4f8e-9490-ac33ee641ffb.tmp

Filesize
5KB

MD5
79346487fb4c3e32330daabe8ced8b5f

SHA1
e84a7b3e3bba51d522c457a6bcbd55ce7e8da95d

SHA256
f765392a0f5b0efb00ba6076ce263d9e19a885cc01fe4e010dc9966e5b94f1a0

SHA512
5a872e9315dd5e0d64bf8a6d30828ce6732a9c4049113770d61678894e91716786042107eb8c308b27b1e57c042ccb1f9152a8ec1672ab57ca4f141f4367064b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000e

Filesize
104KB

MD5
083aaf391880ac2aba7fbb53b0c0832f

SHA1
58a68007732a284b437893d93ffc36b6203f4c92

SHA256
e28de1a2f0ac4d7ecb6013d339b25aa3bc40e9c1c175d21efff789f90316272e

SHA512
d8dc24fcdee8841cdf0aec44a089136270649b4f0e5e0c6a7623a1f2778ce0dc90deaf503e8888a07fa7d371311383f5710ef5182973253aaf1ea970ae58a693

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000012

Filesize
26KB

MD5
0d5a7276f8097a390b59e29338295f0e

SHA1
8ea543ea9241427a1ed53159c6066cb8a3693d50

SHA256
bc479ab1fba91699820f7ac5c21b8fe1346857dad9665e23325a7e2d96d5b871

SHA512
4821363693ae31fe0c5086d9208db15323050bc37a7303ee5e1bca450b29633800457c7a78a98e771a2f41561269006375786d948840910f71221b4d1b5e7d40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
610e73540297f6084fbe2bb9b8564d5e

SHA1
f4561e9aec427ad42e30959a8f42447a05f8afdf

SHA256
7f7afabedbcd1a804e3434b839bc48580e3cf774976fe749c2613a9d7af9c876

SHA512
954c72fb00a672ce7919fdff9769ac5ee165e2bdd8f08db3ae5fd2641631422216cd333f93a3d367e269b80247ac83070e04e86904ff77cd61dad024575d1fb1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
a0685c66386a34e81fc2152d3bd0ebba

SHA1
b37cbc7dd2fe31d62e3957fe5d33197133a73906

SHA256
b27e1a4cf5e34234933af48db598b3d8c31443346ec7f9f6257ffedcb73cd91b

SHA512
8a73cb23700dd33c9f7e38d6d9c713bcbf2f04ccd6315a3b92aebdb7ed5c6877d4bbc7d2cee2e9df8869476fa240b5dce212422ba64c05a17436990cc32ab167

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
d59c386e1c9ef8d068e7bd93761a6645

SHA1
00a8c44ec606c49bae9141fae2b498fdb7ab9b3e

SHA256
36a13faaca241230210c32e4403c82234bfa543ff7264cba3c04585f6e8cfe7b

SHA512
5da16dcc8885e70e84748da5d9f5454ef4c2ebe5bf752115a3eba2650c268afd1922994e6c2897692adc6dd4538018567d1e4391c7a32cac04656843d5fe7246

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
361B

MD5
23193748687dad09bb884650b19ab934

SHA1
a49be5b6ec49c44733724daffae3d84db0ba30dc

SHA256
4afcc1105a43d9f3f3a40729c7276d8c8c38c6dc87e75380f889460a0782e78a

SHA512
e43c51177ad5ddc2b10d14d987f565b657f6ebbe84f4f88e1d19a932d75816e2df216c998b677f4cb955fa68925d74b7b0cecd3e830f84d773769879bbd118d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
28bdec2046f67bd5b6230a9959e19d55

SHA1
cb91464ca2be043f4fe2facd3fba7a8db48d0576

SHA256
6805a7dd0a98df673f836e145b6f38679c99de24b347f90447b927b049ac7c5b

SHA512
565ee7a851a14c40ebf2c968c48d955ebabaa461a9d5a29e5db6d032c761bea4c1f4d5e995e48b49eb8b765ee45e6a699791db99b85cc0d34c37654eb9cfdb05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
834ac40219269b1a324372240bee6ce1

SHA1
ec521d9bdf21304ea6210046c27e445524c9b1b3

SHA256
d1756b50681c11e2e8d567355fc4b4e9f43148c79783ee7de006e82a147caa0a

SHA512
516eecd5952b941eba681a288cfbf9bdc4089e6ccf0f4593c52a7deccf5ba344f849668bcf9660926e32acbe7a6948dce683b7aa26b961a81210ff6a3b278aff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
192KB

MD5
a26bf8e64fcda2885bfeae554ad7b62d

SHA1
3a462c7cdde91e2b8ccbe40435d6a6f0bcca0253

SHA256
2b9e988c47149c6c2a107934b7863a47505d967437ee2ffd521a554bdcda3482

SHA512
7bca004f879ae3e109a94e8255dc245cbc6a57905cba504ce2877a8a1542838676889cc54e4a16064f512ef5fd41c8d0944e894b2834a1d12ec22b3eae171b32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
76KB

MD5
4fd49b702b33d111ef27d3f5142918fb

SHA1
f187ba0630c9e58d2e8bc097edf51589cd7e8950

SHA256
3cce70c47ae34abee18b22ca1fe25ad9b742023faec99bd4f87f7d9db774189f

SHA512
4767a491ce58c96fa0183cb5bd4909d2fd77fcf8f2a238bfd3209d55a774f431d075a39d5d1d19f9da3d95c4058af24480b29b9d16a1a9ae0e4e09516cdc6382

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9ABB.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9B2C.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
memory/2952-0-0x000000013FB00000-0x000000013FE64000-memory.dmp

Filesize
3.4MB

Download