24d2666c00ecd02350af0d70c8a9b71ed2bf0ce2553e61506fc1cbba0a9156b3

Resubmissions

21/02/2024, 23:22

240221-3cw62sha56 1

21/02/2024, 23:19

240221-3a76jaha43 4

21/02/2024, 23:19

240221-3axd2aha42 1

21/02/2024, 18:19

240221-wx9vbade42 8

Analysis

max time kernel
149s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
21/02/2024, 18:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Set-up.exe
Size

7.3MB
MD5

bc0672307ff08325dc4348c89bdc8999
SHA1

45e37b595ac1b3ce6e3f6b6c12a9fa9c846addb4
SHA256

24d2666c00ecd02350af0d70c8a9b71ed2bf0ce2553e61506fc1cbba0a9156b3
SHA512

406c11bd4dbda325ee679f235988e8d1643d99de4dfd648d471857eee4892001011ffcc3fb9d1cda3161bce4fda70dcb2e5e3f1c5fd9e75091d49a6954864728
SSDEEP

98304:Rz16s9EwkidrwQwPdz9u/ZZmDZJErFXQbZT7wIX0k5:Rz16gBrd3gu/XmDZiF0tH

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	Set-up.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Set-up.exe = "11001"	Set-up.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Set-up.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Set-up.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Set-up.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\winrar-x64-624.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
348	chrome.exe
348	chrome.exe
2588	chrome.exe
2588	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
348	chrome.exe
348	chrome.exe
348	chrome.exe
348	chrome.exe
348	chrome.exe
348	chrome.exe
348	chrome.exe
348	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	348	chrome.exe
Token: SeCreatePagefilePrivilege	348	chrome.exe
Token: SeShutdownPrivilege	348	chrome.exe
Token: SeCreatePagefilePrivilege	348	chrome.exe
Token: SeShutdownPrivilege	348	chrome.exe
Token: SeCreatePagefilePrivilege	348	chrome.exe
Token: SeShutdownPrivilege	348	chrome.exe
Token: SeCreatePagefilePrivilege	348	chrome.exe
Token: SeShutdownPrivilege	348	chrome.exe
Token: SeCreatePagefilePrivilege	348	chrome.exe
Token: SeShutdownPrivilege	348	chrome.exe
Token: SeCreatePagefilePrivilege	348	chrome.exe
Token: SeShutdownPrivilege	348	chrome.exe
Token: SeCreatePagefilePrivilege	348	chrome.exe
Token: SeShutdownPrivilege	348	chrome.exe
Token: SeCreatePagefilePrivilege	348	chrome.exe
Token: SeShutdownPrivilege	348	chrome.exe
Token: SeCreatePagefilePrivilege	348	chrome.exe
Token: SeShutdownPrivilege	348	chrome.exe
Token: SeCreatePagefilePrivilege	348	chrome.exe
Token: SeShutdownPrivilege	348	chrome.exe
Token: SeCreatePagefilePrivilege	348	chrome.exe
Token: SeShutdownPrivilege	348	chrome.exe
Token: SeCreatePagefilePrivilege	348	chrome.exe
Token: SeShutdownPrivilege	348	chrome.exe
Token: SeCreatePagefilePrivilege	348	chrome.exe
Token: SeShutdownPrivilege	348	chrome.exe
Token: SeCreatePagefilePrivilege	348	chrome.exe
Token: SeShutdownPrivilege	348	chrome.exe
Token: SeCreatePagefilePrivilege	348	chrome.exe
Token: SeShutdownPrivilege	348	chrome.exe
Token: SeCreatePagefilePrivilege	348	chrome.exe
Token: SeShutdownPrivilege	348	chrome.exe
Token: SeCreatePagefilePrivilege	348	chrome.exe
Token: SeShutdownPrivilege	348	chrome.exe
Token: SeCreatePagefilePrivilege	348	chrome.exe
Token: SeShutdownPrivilege	348	chrome.exe
Token: SeCreatePagefilePrivilege	348	chrome.exe
Token: SeShutdownPrivilege	348	chrome.exe
Token: SeCreatePagefilePrivilege	348	chrome.exe
Token: SeShutdownPrivilege	348	chrome.exe
Token: SeCreatePagefilePrivilege	348	chrome.exe
Token: SeShutdownPrivilege	348	chrome.exe
Token: SeCreatePagefilePrivilege	348	chrome.exe
Token: SeShutdownPrivilege	348	chrome.exe
Token: SeCreatePagefilePrivilege	348	chrome.exe
Token: SeShutdownPrivilege	348	chrome.exe
Token: SeCreatePagefilePrivilege	348	chrome.exe
Token: SeShutdownPrivilege	348	chrome.exe
Token: SeCreatePagefilePrivilege	348	chrome.exe
Token: SeShutdownPrivilege	348	chrome.exe
Token: SeCreatePagefilePrivilege	348	chrome.exe
Token: SeShutdownPrivilege	348	chrome.exe
Token: SeCreatePagefilePrivilege	348	chrome.exe
Token: SeShutdownPrivilege	348	chrome.exe
Token: SeCreatePagefilePrivilege	348	chrome.exe
Token: SeShutdownPrivilege	348	chrome.exe
Token: SeCreatePagefilePrivilege	348	chrome.exe
Token: SeShutdownPrivilege	348	chrome.exe
Token: SeCreatePagefilePrivilege	348	chrome.exe
Token: SeShutdownPrivilege	348	chrome.exe
Token: SeCreatePagefilePrivilege	348	chrome.exe
Token: SeShutdownPrivilege	348	chrome.exe
Token: SeCreatePagefilePrivilege	348	chrome.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
348	chrome.exe
348	chrome.exe
348	chrome.exe
348	chrome.exe
348	chrome.exe
348	chrome.exe
348	chrome.exe
348	chrome.exe
348	chrome.exe
348	chrome.exe
348	chrome.exe
348	chrome.exe
348	chrome.exe
348	chrome.exe
348	chrome.exe
348	chrome.exe
348	chrome.exe
348	chrome.exe
348	chrome.exe
348	chrome.exe
348	chrome.exe
348	chrome.exe
348	chrome.exe
348	chrome.exe
348	chrome.exe
348	chrome.exe
348	chrome.exe
348	chrome.exe
348	chrome.exe
348	chrome.exe
348	chrome.exe
348	chrome.exe
348	chrome.exe
348	chrome.exe
348	chrome.exe
348	chrome.exe
348	chrome.exe
348	chrome.exe
348	chrome.exe
348	chrome.exe
348	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
348	chrome.exe
348	chrome.exe
348	chrome.exe
348	chrome.exe
348	chrome.exe
348	chrome.exe
348	chrome.exe
348	chrome.exe
348	chrome.exe
348	chrome.exe
348	chrome.exe
348	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 348 wrote to memory of 3968	348	chrome.exe	84
PID 348 wrote to memory of 3968	348	chrome.exe	84
PID 348 wrote to memory of 1564	348	chrome.exe	87
PID 348 wrote to memory of 1564	348	chrome.exe	87
PID 348 wrote to memory of 1564	348	chrome.exe	87
PID 348 wrote to memory of 1564	348	chrome.exe	87
PID 348 wrote to memory of 1564	348	chrome.exe	87
PID 348 wrote to memory of 1564	348	chrome.exe	87
PID 348 wrote to memory of 1564	348	chrome.exe	87
PID 348 wrote to memory of 1564	348	chrome.exe	87
PID 348 wrote to memory of 1564	348	chrome.exe	87
PID 348 wrote to memory of 1564	348	chrome.exe	87
PID 348 wrote to memory of 1564	348	chrome.exe	87
PID 348 wrote to memory of 1564	348	chrome.exe	87
PID 348 wrote to memory of 1564	348	chrome.exe	87
PID 348 wrote to memory of 1564	348	chrome.exe	87
PID 348 wrote to memory of 1564	348	chrome.exe	87
PID 348 wrote to memory of 1564	348	chrome.exe	87
PID 348 wrote to memory of 1564	348	chrome.exe	87
PID 348 wrote to memory of 1564	348	chrome.exe	87
PID 348 wrote to memory of 1564	348	chrome.exe	87
PID 348 wrote to memory of 1564	348	chrome.exe	87
PID 348 wrote to memory of 1564	348	chrome.exe	87
PID 348 wrote to memory of 1564	348	chrome.exe	87
PID 348 wrote to memory of 1564	348	chrome.exe	87
PID 348 wrote to memory of 1564	348	chrome.exe	87
PID 348 wrote to memory of 1564	348	chrome.exe	87
PID 348 wrote to memory of 1564	348	chrome.exe	87
PID 348 wrote to memory of 1564	348	chrome.exe	87
PID 348 wrote to memory of 1564	348	chrome.exe	87
PID 348 wrote to memory of 1564	348	chrome.exe	87
PID 348 wrote to memory of 1564	348	chrome.exe	87
PID 348 wrote to memory of 1564	348	chrome.exe	87
PID 348 wrote to memory of 1564	348	chrome.exe	87
PID 348 wrote to memory of 1564	348	chrome.exe	87
PID 348 wrote to memory of 1564	348	chrome.exe	87
PID 348 wrote to memory of 1564	348	chrome.exe	87
PID 348 wrote to memory of 1564	348	chrome.exe	87
PID 348 wrote to memory of 1564	348	chrome.exe	87
PID 348 wrote to memory of 1564	348	chrome.exe	87
PID 348 wrote to memory of 3368	348	chrome.exe	86
PID 348 wrote to memory of 3368	348	chrome.exe	86
PID 348 wrote to memory of 4032	348	chrome.exe	90
PID 348 wrote to memory of 4032	348	chrome.exe	90
PID 348 wrote to memory of 4032	348	chrome.exe	90
PID 348 wrote to memory of 4032	348	chrome.exe	90
PID 348 wrote to memory of 4032	348	chrome.exe	90
PID 348 wrote to memory of 4032	348	chrome.exe	90
PID 348 wrote to memory of 4032	348	chrome.exe	90
PID 348 wrote to memory of 4032	348	chrome.exe	90
PID 348 wrote to memory of 4032	348	chrome.exe	90
PID 348 wrote to memory of 4032	348	chrome.exe	90
PID 348 wrote to memory of 4032	348	chrome.exe	90
PID 348 wrote to memory of 4032	348	chrome.exe	90
PID 348 wrote to memory of 4032	348	chrome.exe	90
PID 348 wrote to memory of 4032	348	chrome.exe	90
PID 348 wrote to memory of 4032	348	chrome.exe	90
PID 348 wrote to memory of 4032	348	chrome.exe	90
PID 348 wrote to memory of 4032	348	chrome.exe	90
PID 348 wrote to memory of 4032	348	chrome.exe	90
PID 348 wrote to memory of 4032	348	chrome.exe	90
PID 348 wrote to memory of 4032	348	chrome.exe	90
PID 348 wrote to memory of 4032	348	chrome.exe	90
PID 348 wrote to memory of 4032	348	chrome.exe	90

C:\Users\Admin\AppData\Local\Temp\Set-up.exe
"C:\Users\Admin\AppData\Local\Temp\Set-up.exe"
1⤵
- Modifies Internet Explorer settings
- Modifies system certificate store
PID:3432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff829799758,0x7ff829799768,0x7ff829799778
  2⤵
  PID:3968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1860,i,5132935066296594980,1315822742868571275,131072 /prefetch:8
  2⤵
  PID:3368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1572 --field-trial-handle=1860,i,5132935066296594980,1315822742868571275,131072 /prefetch:2
  2⤵
  PID:1564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3220 --field-trial-handle=1860,i,5132935066296594980,1315822742868571275,131072 /prefetch:1
  2⤵
  PID:2156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3188 --field-trial-handle=1860,i,5132935066296594980,1315822742868571275,131072 /prefetch:1
  2⤵
  PID:244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2204 --field-trial-handle=1860,i,5132935066296594980,1315822742868571275,131072 /prefetch:8
  2⤵
  PID:4032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4464 --field-trial-handle=1860,i,5132935066296594980,1315822742868571275,131072 /prefetch:1
  2⤵
  PID:4540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 --field-trial-handle=1860,i,5132935066296594980,1315822742868571275,131072 /prefetch:8
  2⤵
  PID:480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5048 --field-trial-handle=1860,i,5132935066296594980,1315822742868571275,131072 /prefetch:8
  2⤵
  PID:2464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5148 --field-trial-handle=1860,i,5132935066296594980,1315822742868571275,131072 /prefetch:8
  2⤵
  PID:1192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3936 --field-trial-handle=1860,i,5132935066296594980,1315822742868571275,131072 /prefetch:1
  2⤵
  PID:1144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3404 --field-trial-handle=1860,i,5132935066296594980,1315822742868571275,131072 /prefetch:1
  2⤵
  PID:1096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4508 --field-trial-handle=1860,i,5132935066296594980,1315822742868571275,131072 /prefetch:1
  2⤵
  PID:4488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5400 --field-trial-handle=1860,i,5132935066296594980,1315822742868571275,131072 /prefetch:1
  2⤵
  PID:452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4604 --field-trial-handle=1860,i,5132935066296594980,1315822742868571275,131072 /prefetch:1
  2⤵
  PID:1540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3376 --field-trial-handle=1860,i,5132935066296594980,1315822742868571275,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5568 --field-trial-handle=1860,i,5132935066296594980,1315822742868571275,131072 /prefetch:8
  2⤵
  PID:3616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2728 --field-trial-handle=1860,i,5132935066296594980,1315822742868571275,131072 /prefetch:8
  2⤵
  PID:3572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5640 --field-trial-handle=1860,i,5132935066296594980,1315822742868571275,131072 /prefetch:8
  2⤵
  PID:3540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 --field-trial-handle=1860,i,5132935066296594980,1315822742868571275,131072 /prefetch:8
  2⤵
  - NTFS ADS
  PID:848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5528 --field-trial-handle=1860,i,5132935066296594980,1315822742868571275,131072 /prefetch:8
  2⤵
  PID:3324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5532 --field-trial-handle=1860,i,5132935066296594980,1315822742868571275,131072 /prefetch:8
  2⤵
  PID:1976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5768 --field-trial-handle=1860,i,5132935066296594980,1315822742868571275,131072 /prefetch:8
  2⤵
  PID:1900

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\9018f468-db40-4a4c-82c9-bd2eb46a9968.tmp

Filesize
6KB

MD5
9407a7881f85d0ae5dcb513dd9a99d75

SHA1
29e00db5d3b3673228735997de88afc2cf694076

SHA256
2ca2cf48a2da91f8013cd350456a3985fdfb33d4d79b39e1275809e76bc15044

SHA512
78a05cea4fe47e0567a82c97077b9665ca14a55820db1299951b229158384bc98d86d8afb82053f7125d27c0f3a9e8007bbc612ff968d7b2caafaaf4c18c0ed9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
194KB

MD5
ac84f1282f8542dee07f8a1af421f2a7

SHA1
261885284826281a99ff982428a765be30de9029

SHA256
193b8f571f3fd65b98dc39601431ff6e91ade5f90ee7790bfc1fba8f7580a4b0

SHA512
9f4f58ab43ddadad903cea3454d79b99a750f05e4d850de5f25371d5bec16fc312015a875b8f418154f1124c400ae1c82e2efd862870cd35c3f0961426c8cd82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
eef3d9f9e07bac80663c5d262461cb9a

SHA1
4cb0f949abfc893c274f1ebcb4d5b147f3d80552

SHA256
59e0414d40905a8609b45d8545a6c4bae364ba7ccfb96ac5d88498981701a956

SHA512
f1641684389cef11e8f8ea5664b85c03108498866be9de88487a1b904fae593f611db2ef9ff3c4b9b1136c8fd326947bd207e1d45a96268b23f8b79a8558aa84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
e93e04783aa5f240e4eec398742df590

SHA1
5c865a22585e4df467f915d73d12c33020607b4f

SHA256
a8d35230ea5e6dd363ceaa6ba95fb6a51fea0cd3804ab72378d82993f3ddf06f

SHA512
36637dd9501d47bd985c0f6dc8d2d64be8a4808c4a81fba395d0d2816b9527585cb199e6f9fc97c9e997931ce803bafda29a4bff2ac5df03a000eda63b384884

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\8580eca2-0451-48aa-85a0-2578de7dd2e9.tmp

Filesize
1KB

MD5
0d36ded0c09dcaaa064ebdb2e802e6e1

SHA1
63f51fb9ce59d3002af06696d967d6ad56cc04a8

SHA256
a4ded695ccd563e067631ac144ea9117c09acf3a281d473729e9ecd57baf86ee

SHA512
64f95e854b25c6b5c00afab9b516bda21b20c6b069e84b3d9bfdf317faaefa506a8bb2fe6f23acd2545a84c741b88ec506a03bb0be3aadcf23546cd74a060bcb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
33159c90c2eb64fc3de25772d5c61a61

SHA1
5f4573253811fe8b7014bcff669086d78943799a

SHA256
d822e057a341a0edcf6ad394153004c2545ab8da0f35b18b2575f9c000389a03

SHA512
17dc255afc1926faab3e5e14aa18f5e03ca9f829222bcf0460fd9d30fc3f0f5af1f71ee7a44167332ad2ac17bd78e992efc46cfb7610f5dac2349264aeab1679

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
0e57c0860036da0187453a950a90674b

SHA1
b070d0ccf242b8f42bcf403566e22e93ba625979

SHA256
8bca7e1a39fc1237f203ec010df80f42d09b13deb78ddc4ead847313d16b1b6e

SHA512
6da747e0cd481e18c0458451ad942e404f9dcbc67d4a0dbe3e3d607ea81c6223f7f4f06eae1ded9e99b9210e8a79ea84d70fe3be149718598cfbdbe5db093782

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
536B

MD5
b80b417f3b463f9f77866a144b1ffdff

SHA1
c6ae6a31d77222ced91099da58143816b25e45cd

SHA256
6e1ac6db0d2b6d9f39796c6a79d5a011dd06972de19b38478e0baa4770257606

SHA512
80a8b3ed01436bf18c4cd02ee1e855eedc27da77314c97ee33d53fdbc5b1aaf72a2c579343c04486eb52112aa866747902c1fd463f6b2bf62b8a4dc6b62f0e3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
9ca0233d2545f707b22ec8fa3699c584

SHA1
59125af3b9e92a94c690b5f8ba838770dfb3845a

SHA256
65537e4f8959a724706dc21a78f9bf2ef9d203bbd84f52c4c7b22077eb8423cb

SHA512
a5b3fcc4c2f07234def4ff40d5d50c55737fccacb2a0928af4fb642d8a21757509b591753ebded9c1bcce0203008a0db2233ef5448038208624d0db245d78e47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
ae3d08ce1d2387be3f98a87c71e33633

SHA1
aaa596dc4f85089cf92d290d6f2dafad8f94c946

SHA256
bc1aead3222ea11923d4b3dec8a3c724ff2795bda9d6df01026fcc0bd879f667

SHA512
8bf4710bb97472a00f1efa0e956ea725695b27f8a0c8e267f686988fc471e6c0886604326eb09d53a9be6276a0c43096510184f3473aeba12dad1eaabaaf7978

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
8ef09214d00739c71bc5ad67cfe39dd6

SHA1
3dbf4c9fe27cee95967d8390612b2b411844648b

SHA256
0f678fdf4303f54753c39661080748041f0c0b706f32e478a236433792840880

SHA512
443a7a9d974d842f6cb5a27c08eb86235ad88008ba7187c6321988e12f82b7193ae9d4a6c6a08c8130d1e2c0dce4725da0ea369f9cddaab9f7c88b0358b067fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7cf5ba8d6fb68963031f9b3f47f3644c

SHA1
174d7362da7ceae57fa06e0da73c3080e5580636

SHA256
6ea0c0d9859242912a86db5436bb81fdee8f73f5b250d47f385d5120005d8df3

SHA512
beee53a52fa4bc5a6afa6118412492ad6e77bbd16b31eb8c4ca38572506cd40f5651c2ff0ae042f6fe4789acdc609de6e4f196944bbf97ca2b55ad38ee01740e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1bd3190f01d33690f458a9ce10595e58

SHA1
479d3dec0bd6abd13bd6d7122e73f6e51d16f6f7

SHA256
e115ef6cd40dad4a525b873e15863e71d4f67d5fa165cca0cb0829db9de49c8b

SHA512
49e1c7212f6d4a0e98dcc22ebb7d2f73507d037149965b497b1caf4f21a940ec7e016ae1816c203156ea8e5614b49464d5af18ffb5494b9ba47371153ed38f77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a41381c6f7d897d709fe05c3be8185d4

SHA1
a5ee61c0ef1e062f2805fc5230eeaa922126fe87

SHA256
8cb4bcf188dd907dec19993c53e9926ff2fa7395cb119733328ecd78b6cef79e

SHA512
56eae7c38a70fd58d1b6a18f884b30079a74bdc9872c283444e033f3fbb2bb6bcd539e07684575728f30f703182e008e826245c84822103248229ae88a1c4d83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
256KB

MD5
4a5484afe3ebba53dad89624026b8028

SHA1
0b86f6cd8bd70e7fb77bbea1f1b8f5003f1e3306

SHA256
c6ec3176289b26a38c719574e5c91c870379e46c8b6cdede7563fd42cbd0b501

SHA512
5b11b121b0a0ff26b0b10e5a4397ef194d470e9a349a6720b17ce12a06eb482f5bb0a39b2830e401e8f44bf45693a68ae8a7d20af514662dfd786747ae2f904f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
256KB

MD5
1d35a599163e7ab3e7f8a90ae4d7e301

SHA1
a14b69fcc425a695290318d2b63299a634ae279d

SHA256
ecb6f45260f07952d6a86c5fce29462122c8a0f41255ef4f5af32d0e953fbbb8

SHA512
64c8d43c5d826bf307388ffb2624a5185738dda4cd218ce3471186701c52c8bb991a047c70c796f0d45fcd6763bfe6f850682d5c814da2ae55a3d1f131ab95e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\winrar-x64-624.exe

Filesize
3.4MB

MD5
15596b41dba42cdcce4f677fbbc86b6e

SHA1
1ed1e69e72028150f8562bff5ca1dd745874329a

SHA256
377abc9d367e61cb5c4761bf48dcfdf5bcd3822f303e0f972d7f4c8295a2ea79

SHA512
d4e0d64f71027ecc6d85479542ed682359b37446cb1dccce5fa2972f152e27f3cb91a8ec0dc61270bc40038751a58982d4678efb929a3bc6d3546e072f51a9f2

Download Submit
C:\Users\Admin\Downloads\winrar-x64-624.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit