upatre | 7393f83f5d24d5c64e2c0298133f5052404250dfda167591019057b574ed8d1b

Resubmissions

07-12-2023 12:48

231207-p1sxmsah37 10

06-06-2022 17:10

220606-vp5pysecgn 10

Analysis

max time kernel
90s
max time network
129s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
07-12-2023 12:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7393f83f5d24d5c64e2c0298133f5052404250dfda167591019057b574ed8d1b.exe
Size

6KB
MD5

dea0e56e4ce2fafb80ace3b818eb44fe
SHA1

ce252a12317c0d0cac83b87a76db375baf05cb94
SHA256

7393f83f5d24d5c64e2c0298133f5052404250dfda167591019057b574ed8d1b
SHA512

d04ba2daa722bc929628605cc0dfa4bc2ae34e485d13685a8f8a5747754c88915f32621363955640cac49c890ac01136aef7444d3fd62ab26be048ebae50e4ee
SSDEEP

96:Z0v4mUWKh9ctgC1RhvnKymV44ShDAyBJ0CeGUAyUL7qKoTgiZ:9mUWKs/tnKfzShkgUAyUyKo7Z

Score

10^/10

upatre downloader

Malware Config

Signatures

Upatre
Upatre is a generic malware downloader.
downloader upatre

Executes dropped EXE 1 IoCs

pid	Process
2700	szgfw.exe

Loads dropped DLL 2 IoCs

pid	Process
1656	7393f83f5d24d5c64e2c0298133f5052404250dfda167591019057b574ed8d1b.exe
1656	7393f83f5d24d5c64e2c0298133f5052404250dfda167591019057b574ed8d1b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
532	chrome.exe
532	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2504	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2504	taskmgr.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe
Token: SeShutdownPrivilege	532	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
532	chrome.exe
532	chrome.exe
532	chrome.exe
532	chrome.exe
532	chrome.exe
532	chrome.exe
532	chrome.exe
532	chrome.exe
532	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
2504	taskmgr.exe
532	chrome.exe
532	chrome.exe
532	chrome.exe
532	chrome.exe
532	chrome.exe
532	chrome.exe
532	chrome.exe
532	chrome.exe
532	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 2700	1656	7393f83f5d24d5c64e2c0298133f5052404250dfda167591019057b574ed8d1b.exe	28
PID 1656 wrote to memory of 2700	1656	7393f83f5d24d5c64e2c0298133f5052404250dfda167591019057b574ed8d1b.exe	28
PID 1656 wrote to memory of 2700	1656	7393f83f5d24d5c64e2c0298133f5052404250dfda167591019057b574ed8d1b.exe	28
PID 1656 wrote to memory of 2700	1656	7393f83f5d24d5c64e2c0298133f5052404250dfda167591019057b574ed8d1b.exe	28
PID 532 wrote to memory of 600	532	chrome.exe	33
PID 532 wrote to memory of 600	532	chrome.exe	33
PID 532 wrote to memory of 600	532	chrome.exe	33
PID 532 wrote to memory of 2532	532	chrome.exe	35
PID 532 wrote to memory of 2532	532	chrome.exe	35
PID 532 wrote to memory of 2532	532	chrome.exe	35
PID 532 wrote to memory of 2532	532	chrome.exe	35
PID 532 wrote to memory of 2532	532	chrome.exe	35
PID 532 wrote to memory of 2532	532	chrome.exe	35
PID 532 wrote to memory of 2532	532	chrome.exe	35
PID 532 wrote to memory of 2532	532	chrome.exe	35
PID 532 wrote to memory of 2532	532	chrome.exe	35
PID 532 wrote to memory of 2532	532	chrome.exe	35
PID 532 wrote to memory of 2532	532	chrome.exe	35
PID 532 wrote to memory of 2532	532	chrome.exe	35
PID 532 wrote to memory of 2532	532	chrome.exe	35
PID 532 wrote to memory of 2532	532	chrome.exe	35
PID 532 wrote to memory of 2532	532	chrome.exe	35
PID 532 wrote to memory of 2532	532	chrome.exe	35
PID 532 wrote to memory of 2532	532	chrome.exe	35
PID 532 wrote to memory of 2532	532	chrome.exe	35
PID 532 wrote to memory of 2532	532	chrome.exe	35
PID 532 wrote to memory of 2532	532	chrome.exe	35
PID 532 wrote to memory of 2532	532	chrome.exe	35
PID 532 wrote to memory of 2532	532	chrome.exe	35
PID 532 wrote to memory of 2532	532	chrome.exe	35
PID 532 wrote to memory of 2532	532	chrome.exe	35
PID 532 wrote to memory of 2532	532	chrome.exe	35
PID 532 wrote to memory of 2532	532	chrome.exe	35
PID 532 wrote to memory of 2532	532	chrome.exe	35
PID 532 wrote to memory of 2532	532	chrome.exe	35
PID 532 wrote to memory of 2532	532	chrome.exe	35
PID 532 wrote to memory of 2532	532	chrome.exe	35
PID 532 wrote to memory of 2532	532	chrome.exe	35
PID 532 wrote to memory of 2532	532	chrome.exe	35
PID 532 wrote to memory of 2532	532	chrome.exe	35
PID 532 wrote to memory of 2532	532	chrome.exe	35
PID 532 wrote to memory of 2532	532	chrome.exe	35
PID 532 wrote to memory of 2532	532	chrome.exe	35
PID 532 wrote to memory of 2532	532	chrome.exe	35
PID 532 wrote to memory of 2532	532	chrome.exe	35
PID 532 wrote to memory of 2532	532	chrome.exe	35
PID 532 wrote to memory of 2176	532	chrome.exe	37
PID 532 wrote to memory of 2176	532	chrome.exe	37
PID 532 wrote to memory of 2176	532	chrome.exe	37
PID 532 wrote to memory of 1700	532	chrome.exe	36
PID 532 wrote to memory of 1700	532	chrome.exe	36
PID 532 wrote to memory of 1700	532	chrome.exe	36
PID 532 wrote to memory of 1700	532	chrome.exe	36
PID 532 wrote to memory of 1700	532	chrome.exe	36
PID 532 wrote to memory of 1700	532	chrome.exe	36
PID 532 wrote to memory of 1700	532	chrome.exe	36
PID 532 wrote to memory of 1700	532	chrome.exe	36
PID 532 wrote to memory of 1700	532	chrome.exe	36
PID 532 wrote to memory of 1700	532	chrome.exe	36
PID 532 wrote to memory of 1700	532	chrome.exe	36
PID 532 wrote to memory of 1700	532	chrome.exe	36
PID 532 wrote to memory of 1700	532	chrome.exe	36
PID 532 wrote to memory of 1700	532	chrome.exe	36
PID 532 wrote to memory of 1700	532	chrome.exe	36

C:\Users\Admin\AppData\Local\Temp\7393f83f5d24d5c64e2c0298133f5052404250dfda167591019057b574ed8d1b.exe
"C:\Users\Admin\AppData\Local\Temp\7393f83f5d24d5c64e2c0298133f5052404250dfda167591019057b574ed8d1b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Users\Admin\AppData\Local\Temp\szgfw.exe
  "C:\Users\Admin\AppData\Local\Temp\szgfw.exe"
  2⤵
  - Executes dropped EXE
  PID:2700

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef52a9758,0x7fef52a9768,0x7fef52a9778
  2⤵
  PID:600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1140 --field-trial-handle=1348,i,7569376447859238983,6505080197644158071,131072 /prefetch:2
  2⤵
  PID:2532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1604 --field-trial-handle=1348,i,7569376447859238983,6505080197644158071,131072 /prefetch:8
  2⤵
  PID:1700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1492 --field-trial-handle=1348,i,7569376447859238983,6505080197644158071,131072 /prefetch:8
  2⤵
  PID:2176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2256 --field-trial-handle=1348,i,7569376447859238983,6505080197644158071,131072 /prefetch:1
  2⤵
  PID:836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2264 --field-trial-handle=1348,i,7569376447859238983,6505080197644158071,131072 /prefetch:1
  2⤵
  PID:892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2864 --field-trial-handle=1348,i,7569376447859238983,6505080197644158071,131072 /prefetch:2
  2⤵
  PID:1800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3236 --field-trial-handle=1348,i,7569376447859238983,6505080197644158071,131072 /prefetch:1
  2⤵
  PID:2408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3464 --field-trial-handle=1348,i,7569376447859238983,6505080197644158071,131072 /prefetch:8
  2⤵
  PID:2460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3580 --field-trial-handle=1348,i,7569376447859238983,6505080197644158071,131072 /prefetch:8
  2⤵
  PID:1932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3700 --field-trial-handle=1348,i,7569376447859238983,6505080197644158071,131072 /prefetch:8
  2⤵
  PID:304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3576 --field-trial-handle=1348,i,7569376447859238983,6505080197644158071,131072 /prefetch:8
  2⤵
  PID:2232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3672 --field-trial-handle=1348,i,7569376447859238983,6505080197644158071,131072 /prefetch:8
  2⤵
  PID:2720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3592 --field-trial-handle=1348,i,7569376447859238983,6505080197644158071,131072 /prefetch:1
  2⤵
  PID:2500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2428 --field-trial-handle=1348,i,7569376447859238983,6505080197644158071,131072 /prefetch:1
  2⤵
  PID:2000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2520 --field-trial-handle=1348,i,7569376447859238983,6505080197644158071,131072 /prefetch:8
  2⤵
  PID:1624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3484 --field-trial-handle=1348,i,7569376447859238983,6505080197644158071,131072 /prefetch:1
  2⤵
  PID:2064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3752 --field-trial-handle=1348,i,7569376447859238983,6505080197644158071,131072 /prefetch:8
  2⤵
  PID:3032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4120 --field-trial-handle=1348,i,7569376447859238983,6505080197644158071,131072 /prefetch:8
  2⤵
  PID:1048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3348 --field-trial-handle=1348,i,7569376447859238983,6505080197644158071,131072 /prefetch:8
  2⤵
  PID:1076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=1104 --field-trial-handle=1348,i,7569376447859238983,6505080197644158071,131072 /prefetch:1
  2⤵
  PID:2152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=2796 --field-trial-handle=1348,i,7569376447859238983,6505080197644158071,131072 /prefetch:1
  2⤵
  PID:440

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

Filesize
58KB

MD5
5d05ba495d37acd79c70e5b557a0c16c

SHA1
e96ad98168fa375dea9c37c8a3263437224300a7

SHA256
21b00ea3a3278814e1e425f24bdeb0fdd79f9cbef6a4417648e711c90fb1660d

SHA512
90e9777de33256df5104001b3c76ba5c52dd71c883661e0cfb02426d45bfd805cff05bae308589f3d1a451f5163afe59ca6a3107ef0b9343c10b5c436cfb2cae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

Filesize
40KB

MD5
929729aa7cff46b3dad2f748a57af24c

SHA1
81aa5db7dd63c79e23ccd23bf2520ab994295f2e

SHA256
3c63e6c7fa25849799d08bf54988bfb3b77b1d1eebb1e55a94b64995850cba2f

SHA512
a10eaa6f2708b683bd43295b9c3da5840c0eb6d8a6b9e1922a534270fecbc0dcdb4cdcc28768df292a06f6210885b510254bdca17e5b3c507b0337fe7dc3d743

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
8799c1284e8368c518808bf44bcc278f

SHA1
36e02eb41d7e89585e4c1c07ad005dbfa00a6b72

SHA256
e4aaafe3ace25dbae2ded01fc75ad556b86b12d1ecdee0a37af67e21f4316b00

SHA512
71e6ea4869d25026aa3032a521fd8bb3d59a6a2508804a43c75c97bb862ee5fa3e00003cf1466c99276f5c7915f74b416507e6124d1d319c7fa1d35d83a4081f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT~RFf7846ef.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
527B

MD5
e5d95fcd90a1dc7a2a3559a845a70d53

SHA1
94b0c36990e295eacdc522242fd6ac0367d081fc

SHA256
3e28d58ebf44ed3433a838ef63fa6954259edd6c252df96071667d8da96fc7ee

SHA512
b8024e44558507d7eaee0fc266376a848d14c1043bfc66a5a8b3a535319f12ad184819360fda22e2b117c2317a8377e660ffba29203796763dd51d54779a852b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
527B

MD5
23b047515faf7e2dd5468c3900ec590f

SHA1
f029ea48c28981a1505dd1057898229476656b4a

SHA256
59e28b5f96654931413d605f8d09f2f6cdd9fe2cd17cba83bd9888c56c100acb

SHA512
271e46a4d9bb24ddab9cfafce44d64e63f1b2777d362975686ae7184a9152b29d0b68bfe1fadbe5b4e780a71a1de1e846a8c5da67a2186489317b61448c25a71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
aeac8ba492da60a8176733ed0d7ffdc2

SHA1
2ebc1e26bef45b73d76053680b7b93d1f8e9c95f

SHA256
c9e4a19aa9feb443de6119f49a075459189766f641e037baadb98a6722bab9b9

SHA512
d304ea997453b7d2c5e4935f7fe8416a26f53e189fd98eecf0961efba203b3e08ffb645c7a36e2d1425b5a14852301f769209850f7585784f6caf48415fe568c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
af443d84791b73e197f3c8d389a99b4b

SHA1
9d059a6d9ca6265fc85e682cb1f72e2adf1fc427

SHA256
d04a9819d2ce04009b6356d0d2900dd921b655fe0cba9db5af9329bbe6e7526c

SHA512
a995802057894a4434fa5a58830da722c4ee72d0a4ded39df323e452a9135c100d61985ab76ca165da9bcfb8caedc1458d90fd8dc2c72b325b9ece4266aeb1d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
9b92974837d4b5cd1c882b3da74c8282

SHA1
f3fbeee71748ff072c8193f0ff69934e854419a0

SHA256
062db78acdd4a4f8db68a077fc2bba76d6deee267dbea5f1e017551c71d0a15f

SHA512
28dd0190061c156ed801ea614794a18ccd8258b4f4859cd9e087a893a956061bbc33d53b140c6004ba43a3a0c1202eedc8ed8c946ca888b10db6710021c143dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
217KB

MD5
bddba2abe30da897906298159f41c006

SHA1
51acb996be626e35fd5142645768e7ba798bce3e

SHA256
5ab87eb25112cc43c47a4f4b8832d39bc184a4b65e4734338c07991ce1f54f45

SHA512
29915f31bb0b4f059771e8dd4f88f6e428a20224464a17be1c846f7e1d2c31377592d5de4d5c816a340a075bfc137a3b2147d4bbf8601f0846bd88016940f7d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
217KB

MD5
96fe0a047a6ee01e0c0b3c9bb8b71dfb

SHA1
3fdf7cfa3b43091bc1fac73edde165ba1c0e0eb4

SHA256
ed7dd5d4cd020eda9cf7e9b1a5f211c5e795d850f412302e7875a9e6e082080b

SHA512
496e7a05ddae643eda0033c3e454ec25fab039f599a2ddbadcb937348eff54860206438f49f78fe011d317233eb260cd78840db9083947c3d29c0af6b91b909a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\d991d929-311e-45f8-8b85-198c05e03e95.tmp

Filesize
217KB

MD5
0fdd1891b0159f1978118e14ed1fd5aa

SHA1
d8235d295a68b9e813ea7324756bc09fc3c88f31

SHA256
a5476c192b1e76674fd0fff15f3b0c484933d790a81e9b2030ea7517b19d834d

SHA512
5c5dd561a559dc920171ac515991d64031b2dcefbe7f7283d4c7a814653f97778261491cf2699b62519c55d5c392e6870fe475cd45f99e39f2745e311f79c83c

Download Submit
C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
6KB

MD5
c477fe759712d5ab52fc7a4b50ef8469

SHA1
1e9a85d58af7dc2d37048cc62e7510f3be03e1be

SHA256
07e7cd0b05aeba1858f5674c488f618b91c62e358758a8b9880c8d96abb69746

SHA512
fb47eea8b35228b4e0e49c3b51997c572f292f15b0bcdd57e0b18001fd8217d726410d02479b03a2f1484e7893ef105079cadc3239fe7ff21170282901a9ece3

Download Submit
C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
6KB

MD5
c477fe759712d5ab52fc7a4b50ef8469

SHA1
1e9a85d58af7dc2d37048cc62e7510f3be03e1be

SHA256
07e7cd0b05aeba1858f5674c488f618b91c62e358758a8b9880c8d96abb69746

SHA512
fb47eea8b35228b4e0e49c3b51997c572f292f15b0bcdd57e0b18001fd8217d726410d02479b03a2f1484e7893ef105079cadc3239fe7ff21170282901a9ece3

Download Submit
C:\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
6KB

MD5
c477fe759712d5ab52fc7a4b50ef8469

SHA1
1e9a85d58af7dc2d37048cc62e7510f3be03e1be

SHA256
07e7cd0b05aeba1858f5674c488f618b91c62e358758a8b9880c8d96abb69746

SHA512
fb47eea8b35228b4e0e49c3b51997c572f292f15b0bcdd57e0b18001fd8217d726410d02479b03a2f1484e7893ef105079cadc3239fe7ff21170282901a9ece3

Download Submit
\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
6KB

MD5
c477fe759712d5ab52fc7a4b50ef8469

SHA1
1e9a85d58af7dc2d37048cc62e7510f3be03e1be

SHA256
07e7cd0b05aeba1858f5674c488f618b91c62e358758a8b9880c8d96abb69746

SHA512
fb47eea8b35228b4e0e49c3b51997c572f292f15b0bcdd57e0b18001fd8217d726410d02479b03a2f1484e7893ef105079cadc3239fe7ff21170282901a9ece3

Download Submit
\Users\Admin\AppData\Local\Temp\szgfw.exe

Filesize
6KB

MD5
c477fe759712d5ab52fc7a4b50ef8469

SHA1
1e9a85d58af7dc2d37048cc62e7510f3be03e1be

SHA256
07e7cd0b05aeba1858f5674c488f618b91c62e358758a8b9880c8d96abb69746

SHA512
fb47eea8b35228b4e0e49c3b51997c572f292f15b0bcdd57e0b18001fd8217d726410d02479b03a2f1484e7893ef105079cadc3239fe7ff21170282901a9ece3

Download Submit
memory/2504-10-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2504-11-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download