7c0b9bceed390f7f28135431c09ac51469ee8e2b8095fb36a37315d811d9ba9c

Analysis

max time kernel
60s
max time network
153s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
16-10-2023 15:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MBSetup.exe
Size

2.5MB
MD5

1e885823577394ea61ea89438ffe2954
SHA1

e53e96f7374790bdad8a614949b398b055c3a27b
SHA256

7c0b9bceed390f7f28135431c09ac51469ee8e2b8095fb36a37315d811d9ba9c
SHA512

73f600833dad0047b6444110d722dc95237b38bb486abc7fc8e4f59b69e2154c885fb46d65f488d5139a0b6e76ebde33ea72711c7f58436650ef992fb8995627
SSDEEP

49152:Lw3ye9SPQ1sjDAVj+JeRanStQyfvE0Z3R0nxiIq2ddAsuysSiSF:4yeoCVj+c6KtQRq2ADSiSF

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

MBSetup.exe

description ioc process

File created C:\Windows\SysWOW64\drivers\mbamtestfile.dat MBSetup.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\mbamtestfile.dat	MBSetup.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MBSetup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	MBSetup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MBSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops file in Program Files directory 1 IoCs

Processes:

MBSetup.exe

description ioc process

File created C:\Program Files (x86)\mbamtestfile.dat MBSetup.exe

description	ioc	process
File created	C:\Program Files (x86)\mbamtestfile.dat	MBSetup.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

MBSetup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	MBSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	MBSetup.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

MBSetup.exechrome.exe

pid process

1888 MBSetup.exe
1832 chrome.exe
1832 chrome.exe

pid	process
1888	MBSetup.exe
1832	chrome.exe
1832	chrome.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exe

pid	process
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exechrome.exe

description	pid	process	target process
PID 1832 wrote to memory of 2776	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 2776	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 2776	1832	chrome.exe	chrome.exe
PID 1120 wrote to memory of 3008	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 3008	1120	chrome.exe	chrome.exe
PID 1120 wrote to memory of 3008	1120	chrome.exe	chrome.exe
PID 1832 wrote to memory of 952	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 952	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 952	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 952	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 952	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 952	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 952	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 952	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 952	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 952	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 952	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 952	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 952	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 952	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 952	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 952	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 952	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 952	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 952	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 952	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 952	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 952	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 952	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 952	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 952	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 952	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 952	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 952	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 952	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 952	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 952	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 952	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 952	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 952	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 952	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 952	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 952	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 952	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 952	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 1144	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 1144	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 1144	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 1968	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 1968	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 1968	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 1968	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 1968	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 1968	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 1968	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 1968	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 1968	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 1968	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 1968	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 1968	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 1968	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 1968	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 1968	1832	chrome.exe	chrome.exe
PID 1832 wrote to memory of 1968	1832	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\MBSetup.exe
"C:\Users\Admin\AppData\Local\Temp\MBSetup.exe"
1⤵
- Drops file in Drivers directory
- Checks BIOS information in registry
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:1888

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef62a9758,0x7fef62a9768,0x7fef62a9778
2⤵
PID:2776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1152 --field-trial-handle=1220,i,4800691047460201760,2014402397704827809,131072 /prefetch:2
2⤵
PID:952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1496 --field-trial-handle=1220,i,4800691047460201760,2014402397704827809,131072 /prefetch:8
2⤵
PID:1144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1556 --field-trial-handle=1220,i,4800691047460201760,2014402397704827809,131072 /prefetch:8
2⤵
PID:1968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2264 --field-trial-handle=1220,i,4800691047460201760,2014402397704827809,131072 /prefetch:1
2⤵
PID:908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2284 --field-trial-handle=1220,i,4800691047460201760,2014402397704827809,131072 /prefetch:1
2⤵
PID:1044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2716 --field-trial-handle=1220,i,4800691047460201760,2014402397704827809,131072 /prefetch:2
2⤵
PID:1964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2916 --field-trial-handle=1220,i,4800691047460201760,2014402397704827809,131072 /prefetch:1
2⤵
PID:1388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3512 --field-trial-handle=1220,i,4800691047460201760,2014402397704827809,131072 /prefetch:8
2⤵
PID:2744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3652 --field-trial-handle=1220,i,4800691047460201760,2014402397704827809,131072 /prefetch:8
2⤵
PID:1520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3780 --field-trial-handle=1220,i,4800691047460201760,2014402397704827809,131072 /prefetch:8
2⤵
PID:1200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3584 --field-trial-handle=1220,i,4800691047460201760,2014402397704827809,131072 /prefetch:1
2⤵
PID:2692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef62a9758,0x7fef62a9768,0x7fef62a9778
2⤵
PID:3008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1132 --field-trial-handle=1252,i,17435956831403199548,10487137757817336611,131072 /prefetch:2
2⤵
PID:2044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1476 --field-trial-handle=1252,i,17435956831403199548,10487137757817336611,131072 /prefetch:8
2⤵
PID:2656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:1492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef62a9758,0x7fef62a9768,0x7fef62a9778
2⤵
PID:1636

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\8293035a-13b8-4e29-b2b3-ad6c15668bd1.tmp
Filesize
97KB

MD5
d06425fdeaa1d2e9aa57fb62f91a4e78

SHA1
4071dd4958f1f67346ea04ba4d358418e49902ec

SHA256
b64361fb6c7ef9d3de00de415f8f73e490b2452c464db10c24e37ac2a88485ce

SHA512
61b50e55a99082568976d0dca3f9d44bb3baa8ed6692447abb420f6c576d2d73ffdf9bd5e4e2c0da8505b15593ef443188dab26b2b785c2aa4c178466408af60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
dd8ae1ab2dca6d7383eee3bab4e7e46a

SHA1
8e33f7393fef4a04442dbca54aaeb97b13ff0887

SHA256
af6d810a9d71dd3e470ed13eb46106c225542bf7e99094d4042e57729a38d883

SHA512
ac14000f5a2acb6a1083236cfc5290db8581f1f7e137671c46752511bd3d0b07b6cd4c77028e6c9caa8ac8d3fe39f3647ca7ad1468a313ac6ae99cd357abc187

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
dd8ae1ab2dca6d7383eee3bab4e7e46a

SHA1
8e33f7393fef4a04442dbca54aaeb97b13ff0887

SHA256
af6d810a9d71dd3e470ed13eb46106c225542bf7e99094d4042e57729a38d883

SHA512
ac14000f5a2acb6a1083236cfc5290db8581f1f7e137671c46752511bd3d0b07b6cd4c77028e6c9caa8ac8d3fe39f3647ca7ad1468a313ac6ae99cd357abc187

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
dd8ae1ab2dca6d7383eee3bab4e7e46a

SHA1
8e33f7393fef4a04442dbca54aaeb97b13ff0887

SHA256
af6d810a9d71dd3e470ed13eb46106c225542bf7e99094d4042e57729a38d883

SHA512
ac14000f5a2acb6a1083236cfc5290db8581f1f7e137671c46752511bd3d0b07b6cd4c77028e6c9caa8ac8d3fe39f3647ca7ad1468a313ac6ae99cd357abc187

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
dd8ae1ab2dca6d7383eee3bab4e7e46a

SHA1
8e33f7393fef4a04442dbca54aaeb97b13ff0887

SHA256
af6d810a9d71dd3e470ed13eb46106c225542bf7e99094d4042e57729a38d883

SHA512
ac14000f5a2acb6a1083236cfc5290db8581f1f7e137671c46752511bd3d0b07b6cd4c77028e6c9caa8ac8d3fe39f3647ca7ad1468a313ac6ae99cd357abc187

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
dd8ae1ab2dca6d7383eee3bab4e7e46a

SHA1
8e33f7393fef4a04442dbca54aaeb97b13ff0887

SHA256
af6d810a9d71dd3e470ed13eb46106c225542bf7e99094d4042e57729a38d883

SHA512
ac14000f5a2acb6a1083236cfc5290db8581f1f7e137671c46752511bd3d0b07b6cd4c77028e6c9caa8ac8d3fe39f3647ca7ad1468a313ac6ae99cd357abc187

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
dd8ae1ab2dca6d7383eee3bab4e7e46a

SHA1
8e33f7393fef4a04442dbca54aaeb97b13ff0887

SHA256
af6d810a9d71dd3e470ed13eb46106c225542bf7e99094d4042e57729a38d883

SHA512
ac14000f5a2acb6a1083236cfc5290db8581f1f7e137671c46752511bd3d0b07b6cd4c77028e6c9caa8ac8d3fe39f3647ca7ad1468a313ac6ae99cd357abc187

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
dd8ae1ab2dca6d7383eee3bab4e7e46a

SHA1
8e33f7393fef4a04442dbca54aaeb97b13ff0887

SHA256
af6d810a9d71dd3e470ed13eb46106c225542bf7e99094d4042e57729a38d883

SHA512
ac14000f5a2acb6a1083236cfc5290db8581f1f7e137671c46752511bd3d0b07b6cd4c77028e6c9caa8ac8d3fe39f3647ca7ad1468a313ac6ae99cd357abc187

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000f
Filesize
39KB

MD5
17b9bb9509fa8aa6e3ef890dc6cb9917

SHA1
81d4f55fe01ad0a40d0d798b102ca826e97c0de1

SHA256
b1e8315c3e639293576ca2ff44b6374643ec3d70faad0b74972bd3d0183d1efe

SHA512
0a22b4d514642116d483d522bf3a86ac3fa4ed7e9931a67e401cb98ced433316711416f49682ba3014dc0249356a65122e09465d84331574c59e62c293b0344c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
361B

MD5
5a4536810217d4e26ded4da57bc39f9d

SHA1
35d35b4ec53a82207638d61c9bffa5d0fb0a5dd8

SHA256
d5d9597d40653162912d7d8d9b9494878972e7236fd08d0925bb7ed5a58924d3

SHA512
eb5bcea6ab1559e99bc22bcda51c92c813ec78e1f983146b81d741a34fb6bf539682ea64eee5affb9bff253c2c2a7d4165a08c2e60ed2763f37982ff2cfb1a1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
361B

MD5
d19fb496f0d965e72f56ba5eb6636739

SHA1
048f3cd206040edb7d3f97534c15494d40d9f285

SHA256
b756faeb1a9ef85b03155ef52a8c730333e0cc49e38fcecea0d20fa3b03877ef

SHA512
dd1b26f92f3a0244a315a1e40b836e1fa19b0defa76863ca12ee232260dd03f6847c8603d70e0a2a63975b1a3aaa61b124e8a245c97451708608e29185bf3da2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
8601f5eba67d02a759b56e43322dce4a

SHA1
6b7854b0c310fda30826d4331083942330d7dcec

SHA256
30b495c570778189c3a65c7bda9b1ea91c35816e3374d520c157b2c0132e5500

SHA512
d670dff4b677a88b8ddce19f275f47178fa621abe32b652219bc3400d038321a9baf0eda60a2fbafecedaa854cc463660f4844ca48a9af9c40f8e2cd3c8e535d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
72c54914d66b6f1ddcd5c299831599c7

SHA1
053b09f8b300f942be021937e0a3bdf9cf1c99f6

SHA256
b74738e3b5c51020fd33a25df365b54bdb3a870833be2fd7212ac3c238b4fda3

SHA512
a209226a20412da4c12980592c1e8d58583551ea9785a760229fd7277bdf2918c1e63b85d3391c4cef44aaa85bdab5ed04c76164caacd2f7d811fc175c7a00f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
dc0cda250beb9d1f0992335fc370d931

SHA1
c88a524759fc8c4dcd4fbe6b3608fac45ba3b31a

SHA256
f78584d0291ec5e0e73a2c3c79c3bc8f7880fb59b184ee4dcb3a34e980a9a8cc

SHA512
ce7fb94b5812ceafa8f8a2848fe10a964d7cf1e26dec2d02623ede2f2835f0bee22d66e6531a5af5e7e54aa4aceb0e8444a5deff7c8643c1eacdd19af13fefb6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
97KB

MD5
d06425fdeaa1d2e9aa57fb62f91a4e78

SHA1
4071dd4958f1f67346ea04ba4d358418e49902ec

SHA256
b64361fb6c7ef9d3de00de415f8f73e490b2452c464db10c24e37ac2a88485ce

SHA512
61b50e55a99082568976d0dca3f9d44bb3baa8ed6692447abb420f6c576d2d73ffdf9bd5e4e2c0da8505b15593ef443188dab26b2b785c2aa4c178466408af60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations
Filesize
86B

MD5
f732dbed9289177d15e236d0f8f2ddd3

SHA1
53f822af51b014bc3d4b575865d9c3ef0e4debde

SHA256
2741df9ee9e9d9883397078f94480e9bc1d9c76996eec5cfe4e77929337cbe93

SHA512
b64e5021f32e26c752fcba15a139815894309b25644e74ceca46a9aa97070bca3b77ded569a9bfd694193d035ba75b61a8d6262c8e6d5c4d76b452b38f5150a4

Download Submit
\??\pipe\crashpad_1120_JPKLHBTKNKGBLJPJ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1888-6-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1888-7-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download