a0f267ce25b8317beea96b42dd1d0b4e211a873cac9b2e3bcfff89f8d1c514e0

Resubmissions

14-02-2024 04:27

240214-e28z5sac24 7

14-02-2024 04:11

240214-erxjcsgf8z 10

14-02-2024 04:02

240214-els9rahf93 10

Analysis

max time kernel
92s
max time network
143s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
14-02-2024 04:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Keygen.exe
Size

200KB
MD5

9718045f5002b741172a6c659e3b97fd
SHA1

101403393b50c9de54efc4370d078922ba5f7c47
SHA256

2a8eea400ff4d71f70d7d3b5d5ff6e636a98c84fbcb6217d5ac705a10a3b1fa7
SHA512

2a68394fba1c7585d8c37fd5811285d064579a411e7d7b0616a17164f3ddccc15557e35062b03f3c5a4634b00913dad71d1756d94683571dedab8423372a9a88
SSDEEP

3072:9EbmpgY+Iu0VSdVe4DOprtjG+URYEPZL4jAoI0PRy2XDZd+p6ewDejhqrY5S/+9T:O93Iwe4qDjGR/y0oDdNd+E2qrvWIMk

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Keygen.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2232-0-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2232-3-0x0000000000400000-0x0000000000455000-memory.dmp	upx

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\o:	Keygen.exe
File opened (read-only)	\??\l:	Keygen.exe
File opened (read-only)	\??\i:	Keygen.exe
File opened (read-only)	\??\y:	Keygen.exe
File opened (read-only)	\??\u:	Keygen.exe
File opened (read-only)	\??\t:	Keygen.exe
File opened (read-only)	\??\s:	Keygen.exe
File opened (read-only)	\??\p:	Keygen.exe
File opened (read-only)	\??\r:	Keygen.exe
File opened (read-only)	\??\n:	Keygen.exe
File opened (read-only)	\??\m:	Keygen.exe
File opened (read-only)	\??\g:	Keygen.exe
File opened (read-only)	\??\z:	Keygen.exe
File opened (read-only)	\??\w:	Keygen.exe
File opened (read-only)	\??\k:	Keygen.exe
File opened (read-only)	\??\j:	Keygen.exe
File opened (read-only)	\??\x:	Keygen.exe
File opened (read-only)	\??\v:	Keygen.exe
File opened (read-only)	\??\q:	Keygen.exe
File opened (read-only)	\??\h:	Keygen.exe
File opened (read-only)	\??\e:	Keygen.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\mssys.dll	Keygen.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2232	Keygen.exe
2232	Keygen.exe
2232	Keygen.exe
2232	Keygen.exe
2232	Keygen.exe
2232	Keygen.exe
2232	Keygen.exe
2232	Keygen.exe
2360	chrome.exe
2360	chrome.exe

Suspicious behavior: MapViewOfSection 21 IoCs

pid	Process
2232	Keygen.exe
2232	Keygen.exe
2232	Keygen.exe
2232	Keygen.exe
2232	Keygen.exe
2232	Keygen.exe
2232	Keygen.exe
2232	Keygen.exe
2232	Keygen.exe
2232	Keygen.exe
2232	Keygen.exe
2232	Keygen.exe
2232	Keygen.exe
2232	Keygen.exe
2232	Keygen.exe
2232	Keygen.exe
2232	Keygen.exe
2232	Keygen.exe
2232	Keygen.exe
2232	Keygen.exe
2232	Keygen.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2232	Keygen.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe
Token: SeShutdownPrivilege	2360	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe
2360	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 372	2232	Keygen.exe	25
PID 2232 wrote to memory of 372	2232	Keygen.exe	25
PID 2232 wrote to memory of 372	2232	Keygen.exe	25
PID 2232 wrote to memory of 372	2232	Keygen.exe	25
PID 2232 wrote to memory of 372	2232	Keygen.exe	25
PID 2232 wrote to memory of 372	2232	Keygen.exe	25
PID 2232 wrote to memory of 372	2232	Keygen.exe	25
PID 2232 wrote to memory of 380	2232	Keygen.exe	24
PID 2232 wrote to memory of 380	2232	Keygen.exe	24
PID 2232 wrote to memory of 380	2232	Keygen.exe	24
PID 2232 wrote to memory of 380	2232	Keygen.exe	24
PID 2232 wrote to memory of 380	2232	Keygen.exe	24
PID 2232 wrote to memory of 380	2232	Keygen.exe	24
PID 2232 wrote to memory of 380	2232	Keygen.exe	24
PID 2232 wrote to memory of 420	2232	Keygen.exe	3
PID 2232 wrote to memory of 420	2232	Keygen.exe	3
PID 2232 wrote to memory of 420	2232	Keygen.exe	3
PID 2232 wrote to memory of 420	2232	Keygen.exe	3
PID 2232 wrote to memory of 420	2232	Keygen.exe	3
PID 2232 wrote to memory of 420	2232	Keygen.exe	3
PID 2232 wrote to memory of 420	2232	Keygen.exe	3
PID 2232 wrote to memory of 464	2232	Keygen.exe	2
PID 2232 wrote to memory of 464	2232	Keygen.exe	2
PID 2232 wrote to memory of 464	2232	Keygen.exe	2
PID 2232 wrote to memory of 464	2232	Keygen.exe	2
PID 2232 wrote to memory of 464	2232	Keygen.exe	2
PID 2232 wrote to memory of 464	2232	Keygen.exe	2
PID 2232 wrote to memory of 464	2232	Keygen.exe	2
PID 2232 wrote to memory of 480	2232	Keygen.exe	1
PID 2232 wrote to memory of 480	2232	Keygen.exe	1
PID 2232 wrote to memory of 480	2232	Keygen.exe	1
PID 2232 wrote to memory of 480	2232	Keygen.exe	1
PID 2232 wrote to memory of 480	2232	Keygen.exe	1
PID 2232 wrote to memory of 480	2232	Keygen.exe	1
PID 2232 wrote to memory of 480	2232	Keygen.exe	1
PID 2232 wrote to memory of 488	2232	Keygen.exe	23
PID 2232 wrote to memory of 488	2232	Keygen.exe	23
PID 2232 wrote to memory of 488	2232	Keygen.exe	23
PID 2232 wrote to memory of 488	2232	Keygen.exe	23
PID 2232 wrote to memory of 488	2232	Keygen.exe	23
PID 2232 wrote to memory of 488	2232	Keygen.exe	23
PID 2232 wrote to memory of 488	2232	Keygen.exe	23
PID 2232 wrote to memory of 600	2232	Keygen.exe	22
PID 2232 wrote to memory of 600	2232	Keygen.exe	22
PID 2232 wrote to memory of 600	2232	Keygen.exe	22
PID 2232 wrote to memory of 600	2232	Keygen.exe	22
PID 2232 wrote to memory of 600	2232	Keygen.exe	22
PID 2232 wrote to memory of 600	2232	Keygen.exe	22
PID 2232 wrote to memory of 600	2232	Keygen.exe	22
PID 2232 wrote to memory of 676	2232	Keygen.exe	21
PID 2232 wrote to memory of 676	2232	Keygen.exe	21
PID 2232 wrote to memory of 676	2232	Keygen.exe	21
PID 2232 wrote to memory of 676	2232	Keygen.exe	21
PID 2232 wrote to memory of 676	2232	Keygen.exe	21
PID 2232 wrote to memory of 676	2232	Keygen.exe	21
PID 2232 wrote to memory of 676	2232	Keygen.exe	21
PID 2232 wrote to memory of 752	2232	Keygen.exe	20
PID 2232 wrote to memory of 752	2232	Keygen.exe	20
PID 2232 wrote to memory of 752	2232	Keygen.exe	20
PID 2232 wrote to memory of 752	2232	Keygen.exe	20
PID 2232 wrote to memory of 752	2232	Keygen.exe	20
PID 2232 wrote to memory of 752	2232	Keygen.exe	20
PID 2232 wrote to memory of 752	2232	Keygen.exe	20
PID 2232 wrote to memory of 812	2232	Keygen.exe	19

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:480

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:840
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1116
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:2092
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:2408
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1048
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:272
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:108
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:968
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:812
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:752
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:676
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:600
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  2⤵
  PID:2568

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2240

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1276
- C:\Users\Admin\AppData\Local\Temp\Keygen.exe
  "C:\Users\Admin\AppData\Local\Temp\Keygen.exe"
  2⤵
  - Checks BIOS information in registry
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2360
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef74a9758,0x7fef74a9768,0x7fef74a9778
    3⤵
    PID:2728
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1184 --field-trial-handle=1096,i,3836303692089882152,8305000844316632404,131072 /prefetch:2
    3⤵
    PID:2696
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1348 --field-trial-handle=1096,i,3836303692089882152,8305000844316632404,131072 /prefetch:8
    3⤵
    PID:2584
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1624 --field-trial-handle=1096,i,3836303692089882152,8305000844316632404,131072 /prefetch:8
    3⤵
    PID:2600
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2188 --field-trial-handle=1096,i,3836303692089882152,8305000844316632404,131072 /prefetch:1
    3⤵
    PID:2340
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2196 --field-trial-handle=1096,i,3836303692089882152,8305000844316632404,131072 /prefetch:1
    3⤵
    PID:1876
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1180 --field-trial-handle=1096,i,3836303692089882152,8305000844316632404,131072 /prefetch:2
    3⤵
    PID:436
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3244 --field-trial-handle=1096,i,3836303692089882152,8305000844316632404,131072 /prefetch:1
    3⤵
    PID:1140
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3716 --field-trial-handle=1096,i,3836303692089882152,8305000844316632404,131072 /prefetch:8
    3⤵
    PID:1352
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3852 --field-trial-handle=1096,i,3836303692089882152,8305000844316632404,131072 /prefetch:1
    3⤵
    PID:1788
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3484 --field-trial-handle=1096,i,3836303692089882152,8305000844316632404,131072 /prefetch:1
    3⤵
    PID:1072
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3416 --field-trial-handle=1096,i,3836303692089882152,8305000844316632404,131072 /prefetch:1
    3⤵
    PID:2496

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1184

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:488

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:380

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

Filesize
230B

MD5
27828ee402a6ba837b9666eca9483a74

SHA1
46def18b7a06951841121e49fffa198ab263b74e

SHA256
cc255830afbbd44158d3f5323c1be1c266097282375e30e403760d436e6f557f

SHA512
2da6fbfd1e7b34f3ca95ee00be62e9b1428b625f5287e4c287debbf7865d0e81c7d7518b3b3a327bdb881ad86d9ed151ad5a1efdc5f91cb6a8cf688be1ac5c79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
54331ceb5c37e7bb14e612fa2a6d7d61

SHA1
761229e18b1e68f94c3788071f6b7228e42e234c

SHA256
4ebb6f8b3d11477cd7e0210b36223bdf31f5c0e8e279f02d18c1c6f93b9efcad

SHA512
3f5d0fd8e965dd56e89746dfd3fc3ffa68af791787b3702261821f4bed48012640ef24f451c87ebe6fdc49af9f03f152e72600f04fc0e1de27e92b7153ef5459

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
20b77cb0c2991e9076a6f0457c30821a

SHA1
43b6c38df068cf03d06ef994565cd591a037b1a2

SHA256
2808e996e784fd7d5c85d6496b1e8a19ec943dd21ff790f47ff322304e87b143

SHA512
48a7a2b23359d227d9108b7debefc393302e5794869ad04f2e358a61d85d6126d2bfbb1b292fbe739cb2ac8159c7680f77db22ebc42cee7aacfa6d8a14ee4191

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bfbc4735ca3c6a1fe2828ba619d1cf08

SHA1
0314415861988454c5a8eba5ab2db5ee2fbea9c9

SHA256
62d477c444d00852e283bb0e5ac2778ed62caa03a21c9eba8c7f35461c1d9ec6

SHA512
3f40b5ffc321a25452b64ef986ec1cc61cca170adb994ea3fe93c3142d5c28b8db0eb43103b7d9ef81060584341e0b75b6cf9743eb15d4d5a2f441e7a4627f22

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1f6a618eb340b500dbf1054b4e4971e3

SHA1
6d439c90a1327112f5b69f89dbff0ef4e2f14701

SHA256
5b1cc48d1859b30a77565e908fe2dd824f056d98e1697364e32700b7a096c2f0

SHA512
6f5698c2b53d419cddf871fa34f4af988da7127e313adb1a4aaba16bea7ad5cbe3e9f2eb1fdea9215121a28d7ff2f7682af71461b701cba71734464c68e48d6e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
844b9b60c0e8aab6ebf5d1eac31853b2

SHA1
0b42522a414c2b2ccfe08bb45008f5d3f7eb3491

SHA256
1f6bd42a25e68c5773579976215ead072973f7e9a30b294cf41814c3103a81e9

SHA512
022bca7c172cd1e29ed0cd9ed040bdf1170cc1abc38307d346105ac4d6a60368c5ce811af0234e482778b1fa9c8e00943cbf79db968362dc16087546b4d0e3b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ef234a4927ee4f6f65fbe212d512d396

SHA1
da40dcb54b46c20efff037ba5244a3467fc8380d

SHA256
5eeb6fd519eabb23a8f50a8fe6858ba0e816526c0d2c161fa937a05e68b4c3bf

SHA512
f543e6c05edc76b692728a7126e096afe91929f036f6ad47ce5f7a372eee929d81eda61e4d5e34aac0e151629b095ffbc486f5a56b6a821a40f1df92d43c2c8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1ca20ad30779f6d4108674ae812e4f47

SHA1
c1886996eff0c6ba9b27927fe733f15c8bef54b1

SHA256
53387da64556937bf544e92d56e2a043e1ce17bb7d5c121c4bbeae3009b65350

SHA512
4005ec52ebdd2572ce12706ef291a228805b3be0ad99c45a70a04c7070ca5b83c07e96e28e6e3bc6ba091efcb70dea082ae28618c6fd7d71fad3ae0caca84715

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
56c9379a37c84a832f0b68359145e04c

SHA1
248771d07ceda262e9268f7b17990c28d01fb3fd

SHA256
fa908857667ab363a525347c559d28182b6cd98929bc8322f560f2179c109531

SHA512
6fcaf8dbf9d992ded0d038ba6d99614ee1e400983d9c66a2b992ca0ba6ae19d676d7c34eb46eda769b03c70910c33026063328a03a6ea3972e142ca87fa246bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7a657ae48c95e4cce4dbcc51287778e4

SHA1
15c7bebf679affb8feaed9fc42d83887ad0af55c

SHA256
3684b19e0df840485ff2b74507cb7a0d017e201647106be6555d640f855b7773

SHA512
e287ddb37ce358969431ed15198c6a699ee1a30df5f6ab7dd05e86b304532ce271b8a8d3ddd4721d1d94c0c04cd92782adcd3ba1a9fb6476336e26f4a7c84c62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
75cd86572febb9c063c71cdab3f22f8c

SHA1
077d820a2dc69825f589a3703b5b74c77113593a

SHA256
e385d7ab4a36dab260253f87c1745da9fba3ab2be37ae7eac73de94c6f0c2a6b

SHA512
1ca026b9e7760a2ab5a4cb164bcae72aa4c860ff36475bcc3626b6309814804438ed8b958a413fe9684eac9e5cae0eca4ea4e364be309cd3a46496dfec2452c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000e

Filesize
103KB

MD5
75db5319e7e87c587019a5df08d7272c

SHA1
92b30527304b5dc80f45e997e0b1ac4c70110a18

SHA256
1b498b959e5b7decbf9185803591d25bc1fbf83e798372ed30d32d5c79d82ff6

SHA512
4e556d80b52ddbadddf9287f6cdaef0d12113d0fa4a07728fd67767b97806eba5fa0f82711f71e76ee2875192d7618a9b6c277ceb6d69a30f76ca8e3ebb74aa1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000010

Filesize
96KB

MD5
dc131113894217b5031000575d9de002

SHA1
f96348260751ea78b1d23e9557db297290bdaf28

SHA256
d612f1212b452af07f1a5defb2b672e76a91f7139e7499fa48bb9b2b985c22d6

SHA512
0aa4420c7b7dcc70238371f9d21d521d0673caf4c1883eeb2d3254c5a1dad941f4569f418350ffc61e93303466c504179b90ba0acf008250dc9c2c6ddf6f850b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
684B

MD5
bc6f4263d90515d15f0b530b8102d3f7

SHA1
fcce88dd610c4dcbb00aef2ceee409e2107012c4

SHA256
0de23a61cd74ce306cd04d869d43c0dabef5162f87d2eff80e48a813656f5e7a

SHA512
cdb514911da7cee5b04e80ceac943307c96efd9ec3fa6c21d30533f99c1d42a5d982f9df8149e86d8e914ce3de29c40ee141e16403e3d946452e22b02d776428

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
361B

MD5
b07eb79cb5777bdd20b8413e841c5e9c

SHA1
828c6418f6e5b664a54df6a282430c4bb18fe3b5

SHA256
f4e68dd3585742b5d8fa03f5e64d356fba72373419ba1f3b7e59e54945116ac6

SHA512
2cd8ec10af7e92e962104316ee66ff6bd88aeb123cb3a8d99dbce3e560a24c72484f0918b8bea4d8cec873ca0cbd8ac591d51c20dbb99d447d9b259bd2f4db6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
66ab953e268fd7d64aad800c1ff8d90d

SHA1
e96ed5c2678c4db94ea22b871624de93de76c8ab

SHA256
9ac0c22b2298bafb62e2239fbb9d07df02c96355f8185c42f1dcadef98d39539

SHA512
f01e5ae9fc63e17d4c488964df2dd547b9daa3ba964b82dd9f6b602f531255d18412846cc6a189279574ac32479bd02715552afc06d718e49ef6064b7c2cfbf4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
bb5f08b88339fb68f131f3c8ab4dca21

SHA1
b7e480715c0fecb65938004d4e6e082963c965b1

SHA256
9b28d819040876c8436464297f140bb6d495347c08a79b5c2b917da6d6ab71c3

SHA512
c62924ab843f383ac2aa523643b121b1b2e58efabfbf151ecdd3550cc7c92c92a1095f79588dfa9567a0954973420a925a992fc423487b926ec09a10de18e467

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
ce46e1a4769b6b915cfb2bd56c29a29e

SHA1
0c7ff507907cec9dcfc545497534fb63e52f9b98

SHA256
76ce81c23e15c3dffb88ea9bd13a4f193d9302fce22a05699f2da4135dbc3427

SHA512
2a89a6f233528e3836dad94db4625aadc2ec7def887719a8d10be2ddf29190554aa9fb3634b372bc9f6ab0e52e4bb8ef3bcaad420078ec480256f714d6048721

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBFD8.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC077.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
memory/2232-3-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2232-1-0x0000000077E9F000-0x0000000077EA0000-memory.dmp

Filesize
4KB

Download
memory/2232-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2232-2-0x0000000077EA0000-0x0000000077EA1000-memory.dmp

Filesize
4KB

Download