hxxp://45[.]74[.]19[.]84[:]80/xampp/bkp/bkp1_vbs[.]jpg

Resubmissions

12/02/2024, 23:16

240212-29gl7aff67 1

12/02/2024, 23:13

240212-27h28sea5x 1

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2024, 23:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://45.74.19.84:80/xampp/bkp/bkp1_vbs.jpg

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133522532308610021"	chrome.exe

Modifies registry class 35 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Pictures"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e8005398e082303024b98265d99428e115f0000	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3148	chrome.exe
3148	chrome.exe
5016	chrome.exe
5016	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3192	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe
Token: SeShutdownPrivilege	3148	chrome.exe
Token: SeCreatePagefilePrivilege	3148	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe
3148	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3192	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3148 wrote to memory of 3212	3148	chrome.exe	31
PID 3148 wrote to memory of 3212	3148	chrome.exe	31
PID 3148 wrote to memory of 1448	3148	chrome.exe	86
PID 3148 wrote to memory of 1448	3148	chrome.exe	86
PID 3148 wrote to memory of 1448	3148	chrome.exe	86
PID 3148 wrote to memory of 1448	3148	chrome.exe	86
PID 3148 wrote to memory of 1448	3148	chrome.exe	86
PID 3148 wrote to memory of 1448	3148	chrome.exe	86
PID 3148 wrote to memory of 1448	3148	chrome.exe	86
PID 3148 wrote to memory of 1448	3148	chrome.exe	86
PID 3148 wrote to memory of 1448	3148	chrome.exe	86
PID 3148 wrote to memory of 1448	3148	chrome.exe	86
PID 3148 wrote to memory of 1448	3148	chrome.exe	86
PID 3148 wrote to memory of 1448	3148	chrome.exe	86
PID 3148 wrote to memory of 1448	3148	chrome.exe	86
PID 3148 wrote to memory of 1448	3148	chrome.exe	86
PID 3148 wrote to memory of 1448	3148	chrome.exe	86
PID 3148 wrote to memory of 1448	3148	chrome.exe	86
PID 3148 wrote to memory of 1448	3148	chrome.exe	86
PID 3148 wrote to memory of 1448	3148	chrome.exe	86
PID 3148 wrote to memory of 1448	3148	chrome.exe	86
PID 3148 wrote to memory of 1448	3148	chrome.exe	86
PID 3148 wrote to memory of 1448	3148	chrome.exe	86
PID 3148 wrote to memory of 1448	3148	chrome.exe	86
PID 3148 wrote to memory of 1448	3148	chrome.exe	86
PID 3148 wrote to memory of 1448	3148	chrome.exe	86
PID 3148 wrote to memory of 1448	3148	chrome.exe	86
PID 3148 wrote to memory of 1448	3148	chrome.exe	86
PID 3148 wrote to memory of 1448	3148	chrome.exe	86
PID 3148 wrote to memory of 1448	3148	chrome.exe	86
PID 3148 wrote to memory of 1448	3148	chrome.exe	86
PID 3148 wrote to memory of 1448	3148	chrome.exe	86
PID 3148 wrote to memory of 1448	3148	chrome.exe	86
PID 3148 wrote to memory of 1448	3148	chrome.exe	86
PID 3148 wrote to memory of 1448	3148	chrome.exe	86
PID 3148 wrote to memory of 1448	3148	chrome.exe	86
PID 3148 wrote to memory of 1448	3148	chrome.exe	86
PID 3148 wrote to memory of 1448	3148	chrome.exe	86
PID 3148 wrote to memory of 1448	3148	chrome.exe	86
PID 3148 wrote to memory of 1448	3148	chrome.exe	86
PID 3148 wrote to memory of 4020	3148	chrome.exe	87
PID 3148 wrote to memory of 4020	3148	chrome.exe	87
PID 3148 wrote to memory of 2984	3148	chrome.exe	88
PID 3148 wrote to memory of 2984	3148	chrome.exe	88
PID 3148 wrote to memory of 2984	3148	chrome.exe	88
PID 3148 wrote to memory of 2984	3148	chrome.exe	88
PID 3148 wrote to memory of 2984	3148	chrome.exe	88
PID 3148 wrote to memory of 2984	3148	chrome.exe	88
PID 3148 wrote to memory of 2984	3148	chrome.exe	88
PID 3148 wrote to memory of 2984	3148	chrome.exe	88
PID 3148 wrote to memory of 2984	3148	chrome.exe	88
PID 3148 wrote to memory of 2984	3148	chrome.exe	88
PID 3148 wrote to memory of 2984	3148	chrome.exe	88
PID 3148 wrote to memory of 2984	3148	chrome.exe	88
PID 3148 wrote to memory of 2984	3148	chrome.exe	88
PID 3148 wrote to memory of 2984	3148	chrome.exe	88
PID 3148 wrote to memory of 2984	3148	chrome.exe	88
PID 3148 wrote to memory of 2984	3148	chrome.exe	88
PID 3148 wrote to memory of 2984	3148	chrome.exe	88
PID 3148 wrote to memory of 2984	3148	chrome.exe	88
PID 3148 wrote to memory of 2984	3148	chrome.exe	88
PID 3148 wrote to memory of 2984	3148	chrome.exe	88
PID 3148 wrote to memory of 2984	3148	chrome.exe	88
PID 3148 wrote to memory of 2984	3148	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://45.74.19.84:80/xampp/bkp/bkp1_vbs.jpg
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff53699758,0x7fff53699768,0x7fff53699778
  2⤵
  PID:3212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1784 --field-trial-handle=1876,i,482860171071579825,11935752326134837905,131072 /prefetch:2
  2⤵
  PID:1448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2012 --field-trial-handle=1876,i,482860171071579825,11935752326134837905,131072 /prefetch:8
  2⤵
  PID:4020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 --field-trial-handle=1876,i,482860171071579825,11935752326134837905,131072 /prefetch:8
  2⤵
  PID:2984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2824 --field-trial-handle=1876,i,482860171071579825,11935752326134837905,131072 /prefetch:1
  2⤵
  PID:4780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2840 --field-trial-handle=1876,i,482860171071579825,11935752326134837905,131072 /prefetch:1
  2⤵
  PID:2012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=5088 --field-trial-handle=1876,i,482860171071579825,11935752326134837905,131072 /prefetch:1
  2⤵
  PID:4396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4616 --field-trial-handle=1876,i,482860171071579825,11935752326134837905,131072 /prefetch:1
  2⤵
  PID:2168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4796 --field-trial-handle=1876,i,482860171071579825,11935752326134837905,131072 /prefetch:8
  2⤵
  PID:4484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4812 --field-trial-handle=1876,i,482860171071579825,11935752326134837905,131072 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4816 --field-trial-handle=1876,i,482860171071579825,11935752326134837905,131072 /prefetch:8
  2⤵
  PID:2220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5880 --field-trial-handle=1876,i,482860171071579825,11935752326134837905,131072 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:3192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5896 --field-trial-handle=1876,i,482860171071579825,11935752326134837905,131072 /prefetch:8
  2⤵
  PID:2524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4280 --field-trial-handle=1876,i,482860171071579825,11935752326134837905,131072 /prefetch:8
  2⤵
  PID:4996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=908 --field-trial-handle=1876,i,482860171071579825,11935752326134837905,131072 /prefetch:1
  2⤵
  PID:4196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4480 --field-trial-handle=1876,i,482860171071579825,11935752326134837905,131072 /prefetch:1
  2⤵
  PID:4844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5440 --field-trial-handle=1876,i,482860171071579825,11935752326134837905,131072 /prefetch:1
  2⤵
  PID:3240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5860 --field-trial-handle=1876,i,482860171071579825,11935752326134837905,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5016

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000d

Filesize
194KB

MD5
ac84f1282f8542dee07f8a1af421f2a7

SHA1
261885284826281a99ff982428a765be30de9029

SHA256
193b8f571f3fd65b98dc39601431ff6e91ade5f90ee7790bfc1fba8f7580a4b0

SHA512
9f4f58ab43ddadad903cea3454d79b99a750f05e4d850de5f25371d5bec16fc312015a875b8f418154f1124c400ae1c82e2efd862870cd35c3f0961426c8cd82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
753b67dd4f33dbed5b6334f0d9ce6c06

SHA1
836d16002a506b3b97f74c655424dc25804da959

SHA256
473a75aaf7777860fa7de653ccafe2cd85d200fa9d0b6979d2adee21facc2720

SHA512
6dd85e5c3fd0231058ee4c3cc2d5eb913e1dcd995346b4c183d4172a605e7b4c807e5e24045b41601e4438149209a075ae05af2d54e1522e63aa501544fbc292

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
729f2078b391349d1438061fd8c5859b

SHA1
bdc77875e452c75f31da1273d973327e7dbb1365

SHA256
e7ced4b9ef1e8c7140253e8b4ff0d4ac96bbc9c9b64ef72e4a1f94a4028ae547

SHA512
72e83d2d4e4454406eceac6cc9a8912b39f21ef560a80f768d5389783088fe2d95f25253c357cae0108841a4e22f28776d5bcfd7545131833fa08a2d54dace28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
ad338e84bce38fdad885eced25a31410

SHA1
a91ed96c5aee311d73638f96fddc0f23175ad449

SHA256
5b0bab4aa65b69ce5c055f5a903ce649db750ab0074d4fa993ac3ed02f209621

SHA512
b893b37e988041468447ae822be97db1d08dc387413f9183386d172cd9d509d7bf40ab1190778d7c749606dc240908e7041f6db1400a1d51ae73d5de37133456

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
77b09131ef92be958f2294c2723e4a07

SHA1
b971ccf4e533f437fe4ba0f86653c2a50d05b426

SHA256
f9f88110d6e27c7ef199e50672e7c8dd2848dc2690a1c420c1347fad170e750f

SHA512
ded7e664f41ca7e331c4201ba89c53fd31a55662485a68bbd60f51fe1a9667345558eb3100ab91997054ba4be61123ab7d855c813d560155c3c5b746a102edfd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
4a7ccb0fb30a4f00fe27e4e1e982a40d

SHA1
fb22c4600b25c8941a8d22cc1c5e95da4bc477cc

SHA256
926fd877beaed87b72d68e70c0bf850ae1ed288863d2785a2eb4610761c96adb

SHA512
a175e9c1bb78903f117e2f24d61c3d638bb083be80d4b0224f6bb4aa6174f1b6f8b25095931fa7eeab467609df64c96546ab9030927867661604eb39b215be12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
536B

MD5
e13d4ea2e9e76beeaa7d25ea82f6093b

SHA1
00dd350c51fade5b6da94fd0bf2bd44ef3079ca7

SHA256
25b39b766be8d5d5a18e0d7354b544ca0b0bdeb8c369a33328b1d1f0d70321ed

SHA512
227b0368d4bec62bbe24b76a4cfd8207ed3bf15e709b7a9e206a74d98568def601a61925dd44c4e797bb0352bf2cf9f08b168e61d3b6094fcfd3bf1bf239ec0b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
509653761f3ca4d297f0bb430d05aedc

SHA1
fa2ad40a75cc09128ade4fbdad1f820f8499cc41

SHA256
b4b3cf1b1e1ebd617cb50982b956ef14d15b1fdc43ba0a02f23c232634a4f8df

SHA512
082341808bbd57ab118db7690117c28d66003c83fdaa916cc3b5442d0f6a23a90765a8a09ed44127db36e08817152b3cb3fea38a0d47aed54673c75db78750e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
17ceeb8a101937e48daaefb3a9a25144

SHA1
57e30e52c1d22823f6e80c730db310b737e6b579

SHA256
5c360b535d7a1c1acc8747025540695914ef850fcf1c3bbb6262c7e54a5b88b5

SHA512
ad2e950fa71fe369436ddba762e391da912ba08396a97821becc574afc52d54a05d9a3d2b7a9d0b2543d2f0d9ebff51c8690748923fa8a4040e0da68a6755ab0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
4d91706e0c92ca4fdc1e916d63f621e8

SHA1
1a5b9e7c06cd88fd418c575d3b744ec31c59d706

SHA256
b8d200e288920819db11314ce1e249cc6627b77159adc90d17c9463d33422390

SHA512
93fd1edfeeb6b920c754769bf4408a0d7d4a4c1f54a9af065d6cee765bb1eab0f80a9faadcf9c572b09f5425bdf07e71623e3ab3deb230c681d03814337bf832

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
4b4ee4cb5c43680e60c0f21da5b093d5

SHA1
265b1119951b1cf28c78d921e7980ec6b81cefe5

SHA256
219ff260b088dec0103a62c9ed96e0dd5aa00f2410b31083015e8c18e05459c2

SHA512
d5322d4186ebe3294ce63824f684f8acccce74043f9083b1d429175dec3ce7d2f1b6ef59f4b8a28c0fa827464d6632dfc717b455d809f000087a52ac301c2f2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
d5fa88dc79a7517a2be13becff353c23

SHA1
392d73c30b911ea5d2421eaf0a4355a83b0b00e1

SHA256
c5fbd557c3a625aa6ff2a55f64e839767dde69ca5713c50784e45ede3a65c601

SHA512
4afa0899fe70d8d0d6c317a6deb1608fb9b734c7fa6390a3bd1f6c10a2890985cec020fb684d9038b06f59f07e945444badb84f01e7856645b35a6c1a250129e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ffa74395acc3f158ccfaf354ed13e0e6

SHA1
2147654ea1f46c914d396b92f7560409833d24d1

SHA256
5b95db5a042ec6e3fa38e081b2f9c903f1a715c7b114b589574e0d9e53a7fd74

SHA512
18139fdcd777d7732e63700aca821d987a178dbcf02ce19517ceecd6ee6f7bc7a442e482b810ade46192dd57ad60d79682610bedb88c5cedd34e564eab46c511

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
021518925f9d696fda076b4678e8c76c

SHA1
89ebdd2ab5f158fcfefae8eec35731e40ba94c6c

SHA256
e2d8aa44c890455df90c19f0f2a46bae616d4015be4d05590fbbed23d6e612fe

SHA512
6f3405fc60876228e45cd8d7607a21c916efee34c2ff5f41a5f09420ed46fc149eaf3d712740ec2411a385a37179dd66a11742389ec092d58e05963060768f59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
a1271939029b6393947ae054f40fac6f

SHA1
861727b93c7e8af50a5ec2af5c869d2926d6e8ae

SHA256
912952dd43ca809a8a8c8bb45c06c6d3b041c566d62e30717e872f9ae256ae85

SHA512
73d70cecb28ac031c4adddcb462913b66f3616901fbe0495e0c1ff39b9cb03c9e25555f65f16e42bfa7ccb8272984c37d6d9884eb33a82332c79150cedd1066d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
5c5a83975f00a559050cdd91d66570a8

SHA1
10fb0a839bc59972f825511e7709768c29989d82

SHA256
45a6e7ccece2f4ddbb99484f85d6b6bd3a13882d8620af9ccee00e376dca1b2a

SHA512
6439bf657a381e5c1b214a77cc60b2eb1c26377f6b7287a6d2a97e964d94534cb95a52ec3d541c52a73c0d0f0863c595e59ed1884af5243adf4cdc43292c476d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
102KB

MD5
2407a9e3593f6626f5d19b62100e37e4

SHA1
fd6175a857efe46c17d9cfff6467e58fd925f058

SHA256
6d9f307a49aed69cdf820a2808620239eed7b815e15644dc9b6deb1718abcb7a

SHA512
529e365fc1b55952da11bd99391113699ac15937c1c578f84d90b383415322c52f42717994ee9b218106e1abfab4821b1eb4b06a2fa428eab50ec9513b188519

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58e6e0.TMP

Filesize
96KB

MD5
68ac3066b8ea76865f518448cf1c9972

SHA1
8c7ba6ef138d6a209f424c8c85437ce7891b381a

SHA256
dbef93bcb87d8420df47dc2e465740c83dd12302f3ab4efc81613d0316d1fa2a

SHA512
0037c1baa7bb9094d61dc2fc4de562f5a84b012f5b77f11b72f75e9a1e4c001689cfbe20dbc28228670b33187f975a7d1d963122756e9dfa2d6c1354aada1275

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\ae888bb4-02ef-4fda-863d-ffcddd3d00e9.tmp

Filesize
3.6MB

MD5
ca0455dbf7496cfd484b6341f2da6c7b

SHA1
5ab3b84b78bee013c2e1ec1165bc5a3bd71e777a

SHA256
0623bf1cd9e16b5ecba4dfab2424f7c0f21e208603891da24d74338ff5e605d4

SHA512
37ee1caacefa1a57eed803c210148eecb68e770e0b0d982bd695bfb7eaa664665ab81ba43a7fc18d43ea2f378c90992351165c8750d66c43ac7ff1b2082de4be

Download Submit