eternity | 42889126fca2c09eada4f2306f465e3c635299af0479aa65bbb52d1730841352

Analysis

max time kernel
65s
max time network
126s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
06/11/2023, 16:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Amax Roulette Cheat/Amax Roulette Modifier.exe
Size

888KB
MD5

cd683cf6192f6be3da001586aa10bc24
SHA1

1335efc2afc90c0abbe30a34e10189117d97eb1f
SHA256

7c2f5886b66987195429fb85833555b44ebc2656e52cce787d4f6e239a09ed4d
SHA512

048809ebf4769c591b3f779666b4dd26957a8b7a3e273afad4ecc8361eaa10325b7bef1d8f36a5287b7cc0d507cd2f72028453bb1905c5834d1405eae150ed43
SSDEEP

12288:YTEYAsROAsrt/uxduo1jB0Y96qeD2qdvKb0WcCEQ1MQY3dmJxCGchwrjX8eG5d/N:YwT7rC6qeAgPCfMQM0xCGM9KkYV

Score

10^/10

eternity stealer

Malware Config

Signatures

Detects Eternity stealer 1 IoCs

stealer

resource	yara_rule
behavioral1/memory/1936-0-0x0000000001200000-0x00000000012E6000-memory.dmp	eternity_stealer

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Amax Roulette Modifier.exe	Amax Roulette Modifier.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Amax Roulette Modifier.exe	Amax Roulette Modifier.exe

Executes dropped EXE 1 IoCs

pid	Process
1724	dcd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	Amax Roulette Modifier.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	Amax Roulette Modifier.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	Amax Roulette Modifier.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	Amax Roulette Modifier.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2344	chrome.exe
2344	chrome.exe

Suspicious use of AdjustPrivilegeToken 57 IoCs

description	pid	Process
Token: SeDebugPrivilege	1936	Amax Roulette Modifier.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe
Token: SeShutdownPrivilege	2344	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe
2344	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 1724	1936	Amax Roulette Modifier.exe	28
PID 1936 wrote to memory of 1724	1936	Amax Roulette Modifier.exe	28
PID 1936 wrote to memory of 1724	1936	Amax Roulette Modifier.exe	28
PID 1936 wrote to memory of 1724	1936	Amax Roulette Modifier.exe	28
PID 1936 wrote to memory of 2856	1936	Amax Roulette Modifier.exe	29
PID 1936 wrote to memory of 2856	1936	Amax Roulette Modifier.exe	29
PID 1936 wrote to memory of 2856	1936	Amax Roulette Modifier.exe	29
PID 2344 wrote to memory of 2016	2344	chrome.exe	33
PID 2344 wrote to memory of 2016	2344	chrome.exe	33
PID 2344 wrote to memory of 2016	2344	chrome.exe	33
PID 2344 wrote to memory of 2828	2344	chrome.exe	37
PID 2344 wrote to memory of 2828	2344	chrome.exe	37
PID 2344 wrote to memory of 2828	2344	chrome.exe	37
PID 2344 wrote to memory of 2828	2344	chrome.exe	37
PID 2344 wrote to memory of 2828	2344	chrome.exe	37
PID 2344 wrote to memory of 2828	2344	chrome.exe	37
PID 2344 wrote to memory of 2828	2344	chrome.exe	37
PID 2344 wrote to memory of 2828	2344	chrome.exe	37
PID 2344 wrote to memory of 2828	2344	chrome.exe	37
PID 2344 wrote to memory of 2828	2344	chrome.exe	37
PID 2344 wrote to memory of 2828	2344	chrome.exe	37
PID 2344 wrote to memory of 2828	2344	chrome.exe	37
PID 2344 wrote to memory of 2828	2344	chrome.exe	37
PID 2344 wrote to memory of 2828	2344	chrome.exe	37
PID 2344 wrote to memory of 2828	2344	chrome.exe	37
PID 2344 wrote to memory of 2828	2344	chrome.exe	37
PID 2344 wrote to memory of 2828	2344	chrome.exe	37
PID 2344 wrote to memory of 2828	2344	chrome.exe	37
PID 2344 wrote to memory of 2828	2344	chrome.exe	37
PID 2344 wrote to memory of 2828	2344	chrome.exe	37
PID 2344 wrote to memory of 2828	2344	chrome.exe	37
PID 2344 wrote to memory of 2828	2344	chrome.exe	37
PID 2344 wrote to memory of 2828	2344	chrome.exe	37
PID 2344 wrote to memory of 2828	2344	chrome.exe	37
PID 2344 wrote to memory of 2828	2344	chrome.exe	37
PID 2344 wrote to memory of 2828	2344	chrome.exe	37
PID 2344 wrote to memory of 2828	2344	chrome.exe	37
PID 2344 wrote to memory of 2828	2344	chrome.exe	37
PID 2344 wrote to memory of 2828	2344	chrome.exe	37
PID 2344 wrote to memory of 2828	2344	chrome.exe	37
PID 2344 wrote to memory of 2828	2344	chrome.exe	37
PID 2344 wrote to memory of 2828	2344	chrome.exe	37
PID 2344 wrote to memory of 2828	2344	chrome.exe	37
PID 2344 wrote to memory of 2828	2344	chrome.exe	37
PID 2344 wrote to memory of 2828	2344	chrome.exe	37
PID 2344 wrote to memory of 2828	2344	chrome.exe	37
PID 2344 wrote to memory of 2828	2344	chrome.exe	37
PID 2344 wrote to memory of 2828	2344	chrome.exe	37
PID 2344 wrote to memory of 2828	2344	chrome.exe	37
PID 2344 wrote to memory of 2232	2344	chrome.exe	39
PID 2344 wrote to memory of 2232	2344	chrome.exe	39
PID 2344 wrote to memory of 2232	2344	chrome.exe	39
PID 2344 wrote to memory of 1924	2344	chrome.exe	38
PID 2344 wrote to memory of 1924	2344	chrome.exe	38
PID 2344 wrote to memory of 1924	2344	chrome.exe	38
PID 2344 wrote to memory of 1924	2344	chrome.exe	38
PID 2344 wrote to memory of 1924	2344	chrome.exe	38
PID 2344 wrote to memory of 1924	2344	chrome.exe	38
PID 2344 wrote to memory of 1924	2344	chrome.exe	38
PID 2344 wrote to memory of 1924	2344	chrome.exe	38
PID 2344 wrote to memory of 1924	2344	chrome.exe	38
PID 2344 wrote to memory of 1924	2344	chrome.exe	38
PID 2344 wrote to memory of 1924	2344	chrome.exe	38
PID 2344 wrote to memory of 1924	2344	chrome.exe	38

C:\Users\Admin\AppData\Local\Temp\Amax Roulette Cheat\Amax Roulette Modifier.exe
"C:\Users\Admin\AppData\Local\Temp\Amax Roulette Cheat\Amax Roulette Modifier.exe"
1⤵
- Drops startup file
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:1724
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1936 -s 1568
  2⤵
  PID:2856

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5d59758,0x7fef5d59768,0x7fef5d59778
  2⤵
  PID:2016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1156 --field-trial-handle=1404,i,11703728153988228100,17228102194677150755,131072 /prefetch:2
  2⤵
  PID:2828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1592 --field-trial-handle=1404,i,11703728153988228100,17228102194677150755,131072 /prefetch:8
  2⤵
  PID:1924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1428 --field-trial-handle=1404,i,11703728153988228100,17228102194677150755,131072 /prefetch:8
  2⤵
  PID:2232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2312 --field-trial-handle=1404,i,11703728153988228100,17228102194677150755,131072 /prefetch:1
  2⤵
  PID:1932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2296 --field-trial-handle=1404,i,11703728153988228100,17228102194677150755,131072 /prefetch:1
  2⤵
  PID:1260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3192 --field-trial-handle=1404,i,11703728153988228100,17228102194677150755,131072 /prefetch:2
  2⤵
  PID:2964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2260 --field-trial-handle=1404,i,11703728153988228100,17228102194677150755,131072 /prefetch:2
  2⤵
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=2224 --field-trial-handle=1404,i,11703728153988228100,17228102194677150755,131072 /prefetch:1
  2⤵
  PID:2704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3516 --field-trial-handle=1404,i,11703728153988228100,17228102194677150755,131072 /prefetch:8
  2⤵
  PID:2836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3628 --field-trial-handle=1404,i,11703728153988228100,17228102194677150755,131072 /prefetch:8
  2⤵
  PID:1820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3856 --field-trial-handle=1404,i,11703728153988228100,17228102194677150755,131072 /prefetch:8
  2⤵
  PID:2432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3964 --field-trial-handle=1404,i,11703728153988228100,17228102194677150755,131072 /prefetch:1
  2⤵
  PID:2800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2480 --field-trial-handle=1404,i,11703728153988228100,17228102194677150755,131072 /prefetch:1
  2⤵
  PID:1364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=1164 --field-trial-handle=1404,i,11703728153988228100,17228102194677150755,131072 /prefetch:1
  2⤵
  PID:2364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3572 --field-trial-handle=1404,i,11703728153988228100,17228102194677150755,131072 /prefetch:1
  2⤵
  PID:1152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4116 --field-trial-handle=1404,i,11703728153988228100,17228102194677150755,131072 /prefetch:8
  2⤵
  PID:2132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4136 --field-trial-handle=1404,i,11703728153988228100,17228102194677150755,131072 /prefetch:8
  2⤵
  PID:2592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=3808 --field-trial-handle=1404,i,11703728153988228100,17228102194677150755,131072 /prefetch:1
  2⤵
  PID:1692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1404,i,11703728153988228100,17228102194677150755,131072 /prefetch:8
  2⤵
  PID:2236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=3400 --field-trial-handle=1404,i,11703728153988228100,17228102194677150755,131072 /prefetch:1
  2⤵
  PID:868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=2036 --field-trial-handle=1404,i,11703728153988228100,17228102194677150755,131072 /prefetch:1
  2⤵
  PID:1108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2376 --field-trial-handle=1404,i,11703728153988228100,17228102194677150755,131072 /prefetch:8
  2⤵
  PID:2220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2392 --field-trial-handle=1404,i,11703728153988228100,17228102194677150755,131072 /prefetch:8
  2⤵
  PID:2040

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
abe51d58e0b7f1c5f197a01cbb84a0d4

SHA1
54e46682d44d85a852aa536ee90d5d4de8eae266

SHA256
f984c571f11e5e61b2cd3b31e5be3a5bd02598c8cf75ae901199ce825163e15b

SHA512
97887b2234bed5b9ad8580885e047703cb7bc0df02632d081c331d47e79f68bcd80c1edd0d500e5d35cd66e1eeacfe378575ef784029b2e61c0b600a8a65d355

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\37726dea-ead5-4705-9bab-85dfbecc0b35.tmp

Filesize
5KB

MD5
6a4f401cdcaac40df5b3f89c46cb7fce

SHA1
53010478250f8c9e4a285661b3461c2c3695a410

SHA256
9b7c1cb491e54e00532a1c2ed0487a7900b599d12ef7d5524fe34cc2010e69a6

SHA512
15ce06e5425b254e7013f76202c98d23b6a4891d7064dd8b4b52f41ffa4d2f56cdedbcb84597635ac02fc07b55a6820fc0d99e0e209cb4fbea4bfbd31e5b7926

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
57KB

MD5
a499e1975904a648129325e2e826bbf3

SHA1
cb5bf09a711036c48d46a1e42baee19456c92e52

SHA256
5809dfaa4edb2bbe57ea87b85ff6845ae43bc992a292027d62204154660e6251

SHA512
db9a008fca62cc101f09101d090c0b4838ca6ea1fc069f039c5c827aead37fd8e4ffbb5621f630a25eaa30ed27a7533f06ceb70502fa93843907f8ca0f3d7a8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1015B

MD5
16839051cada030d2dbec9033c5bcae4

SHA1
ce852e21a41a0ae02b7c33dc6f988eccfddb1586

SHA256
b81c8590aeb681cc7a85c3eb86cbd4919d6978b287d31b31760164486ac40e74

SHA512
6f8fef95976989d2ca81df5a3dbf9f670aa7f0729fd4fb71a6a97c6268f0e8386f816a4a12372d3b6b81aeafb81554e98422d9e9cb24c18925c89ae4ed291edf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
a42a9566b35afcb2832b64e3d7874801

SHA1
4483d206f51ee21bb8d01012b58ccb66c0063f12

SHA256
f124e0fe7297b06d579acaed7f930a2df9f91edf529d5814041c698f2126fa22

SHA512
df2cbb66e607f9497925ce79e1452e3269c7ee5d3cde130aca76e4aceb8345f9b555486a9a12bee1294a7c4dc5405ca48d2dc4e1f8d811d4fa3626fd6ed6370f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
9b6429b41cf0d63d5805ec0db7d6f8f5

SHA1
f7f7cb6bd896746425e9ac09f4342ca10e1b213b

SHA256
a0fc1708c7d8cb48650da423b072020b5ecc7334dc1e93d0ab94aaf4429e98b4

SHA512
468b38339b9523eb3bf14b978c913bcb1c95b2b0f9fb80a568d1f25b0e8f5c667ed1e3c94b0f738cdc567664f03a77d6c9da8b0588135028ec72a54de8df2eb4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
220KB

MD5
ab1effbeaca678c6f76b7f2e935534b6

SHA1
e25a5be023c182c2d41a8149b4ef97ebb7fd27ae

SHA256
6fc1fe260664b0930c1278cf346941e0667cf39a630f2c1f4956f03a312b39bf

SHA512
93d03ebfc42872952a3c5996665bba402e39aa8527a2b3f73193ba458c4c18b4f8cc04dd2707fd7a0bb818b8157bc5b1649f3bc4edc3a5e1f7c3d721c6ee20eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
220KB

MD5
497254e1a26f08731706795345fdd24c

SHA1
81a81864b826e1f225f65288b65274a8352106b9

SHA256
c57e283a7089f3bffe9ef104d031d5be3325634dfe0a1a1ac1cec48912efc45c

SHA512
329862dee0046820760108b9db6c66f95e6c8c5afcbc7c780bcb4ad6bba502a9ed11b071b3e07bfdda7dd60394284c9f61cbe0dfeab9377a229e0f03aac6d2f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
220KB

MD5
362c1cdc2d70809d666147c27f5f9dc4

SHA1
09e0748fc301021d9821f2d86893673428f3bfb8

SHA256
f1d254a7ae1cd31d53a0fa43d31561ebd1d7567535c2c297a1d10e83bed89af2

SHA512
ab71b328fb54039e6fc08905fe04b7dbf8b38c68f18325415d1e1d291752dfa2546123611ebe3e4191dcc7ff5bac383e93510ec2c8f60beeaebe592d3e26a03d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
74KB

MD5
a99ecc49bfbbf8250633f177382fcf09

SHA1
64f7b03a758a5818867313281f578625a16aaf16

SHA256
6c546d5a52911f9316c5f2b96f8c77426f33e864dc97820c20992527bde43320

SHA512
b8b12831cf6e541c46b297276c1b34cc72fd1a12a05b79413f79cd5d593af18249cf3ac47720dc83defebf528915e76d762a0e61b33811e6951c96909a42b0c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\a55278b2-6985-4289-bd1b-e9c67c2f867c.tmp

Filesize
220KB

MD5
f69a9404b344b7be50d94721e716fa22

SHA1
af51e350b8529a58a1ce55301d8a9ac227b33fc6

SHA256
722fc6708465ddf6599518cf03e4591e9de5626536a18896dfd26ec5b06349a7

SHA512
eef3b51b3d86c8aab2e528a7da52b43ace5378b7a36e67959af177322f5b59fb912fd91b989da78bfc9c440bcf3921ccb83dfd56dfb938e423482782e9750c6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5AFE.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5B20.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcd.exe

Filesize
227KB

MD5
b5ac46e446cead89892628f30a253a06

SHA1
f4ad1044a7f77a1b02155c3a355a1bb4177076ca

SHA256
def7afcb65126c4b04a7cbf08c693f357a707aa99858cac09a8d5e65f3177669

SHA512
bcabbac6f75c1d41364406db457c62f5135a78f763f6db08c1626f485c64db4d9ba3b3c8bc0b5508d917e445fd220ffa66ebc35221bd06560446c109818e8e87

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms~RFf77be31.TMP

Filesize
3KB

MD5
03452247b7f9cc6664d04214633e13a8

SHA1
810b2e9468024933b05abcbfe65316e894fc1b91

SHA256
2e934a8f2b6c6c4b12b113a39cc1a8b13facc4d1399fb51fb802b32b58de4d57

SHA512
9a82bb11585df8af63da75a4402f6ddd0d177cfe4c2818fcfeb819fcbc522361f5671d03f4a9e1f05c1a07d1fff9667ac60344b883238ff5b003b70de57fa4e2

Download Submit
memory/1936-5-0x00000000005B0000-0x00000000005EE000-memory.dmp

Filesize
248KB

Download
memory/1936-4-0x000000001B470000-0x000000001B4F0000-memory.dmp

Filesize
512KB

Download
memory/1936-3-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1936-0-0x0000000001200000-0x00000000012E6000-memory.dmp

Filesize
920KB

Download
memory/1936-2-0x000007FEF5FA0000-0x000007FEF698C000-memory.dmp

Filesize
9.9MB

Download
memory/1936-46-0x000007FEF5FA0000-0x000007FEF698C000-memory.dmp

Filesize
9.9MB

Download
memory/1936-1-0x000007FEF5FA0000-0x000007FEF698C000-memory.dmp

Filesize
9.9MB

Download