763ee735000712eeacd920a5b70da5d6ac1c1f176a5dda74ffcbd286cfc20664

Analysis

max time kernel
1051s
max time network
1036s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2024, 18:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

val/Mapper.exe
Size

134KB
MD5

34cfbe3ff70461820ccc31a1afeec0b3
SHA1

5d32e91c039c9a6f723ba3c04c1179d02e6a0ce9
SHA256

6ebcc6896b243c761da4fc28a26249b0c146ae17aff7697c09bc447008e831df
SHA512

1ca4661be645e7e954d89c83f1fd126a5e936533052d4e330c9faccb83bb5942d28265375cee743e468b1625a0c1f10888e7957fe88c718e8501a86a78cdc06e
SSDEEP

3072:rOUDtpXnRNEvhxNyatnKl9rGmJTQSaMm5/6TYfEBjgQ:rOUDDXnRNEv7wEo9WlTfYjg

Score

8^/10

persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\pZOiVGthBb\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\pZOiVGthBb"	Mapper.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\IOPmimTIzNmyqScMp\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\IOPmimTIzNmyqScMp"	Mapper.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\gtvlkJYVptMqvUDP\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\gtvlkJYVptMqvUDP"	Mapper.exe

Executes dropped EXE 4 IoCs

pid	Process
2392	Mapper.exe
4020	Mapper.exe
3096	Mapper.exe
5132	Valorant.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133546546940233954"	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4248	chrome.exe
4248	chrome.exe
6024	chrome.exe
6024	chrome.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe
5132	Valorant.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
2392	Mapper.exe
4020	Mapper.exe
3096	Mapper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe
Token: SeShutdownPrivilege	4248	chrome.exe
Token: SeCreatePagefilePrivilege	4248	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
956	osk.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
1764	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe
4248	chrome.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
956	osk.exe
956	osk.exe
956	osk.exe
956	osk.exe
956	osk.exe
956	osk.exe
956	osk.exe
956	osk.exe
956	osk.exe
956	osk.exe
956	osk.exe
956	osk.exe
956	osk.exe
956	osk.exe
5132	Valorant.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4248 wrote to memory of 824	4248	chrome.exe	112
PID 4248 wrote to memory of 824	4248	chrome.exe	112
PID 4248 wrote to memory of 4264	4248	chrome.exe	113
PID 4248 wrote to memory of 4264	4248	chrome.exe	113
PID 4248 wrote to memory of 4264	4248	chrome.exe	113
PID 4248 wrote to memory of 4264	4248	chrome.exe	113
PID 4248 wrote to memory of 4264	4248	chrome.exe	113
PID 4248 wrote to memory of 4264	4248	chrome.exe	113
PID 4248 wrote to memory of 4264	4248	chrome.exe	113
PID 4248 wrote to memory of 4264	4248	chrome.exe	113
PID 4248 wrote to memory of 4264	4248	chrome.exe	113
PID 4248 wrote to memory of 4264	4248	chrome.exe	113
PID 4248 wrote to memory of 4264	4248	chrome.exe	113
PID 4248 wrote to memory of 4264	4248	chrome.exe	113
PID 4248 wrote to memory of 4264	4248	chrome.exe	113
PID 4248 wrote to memory of 4264	4248	chrome.exe	113
PID 4248 wrote to memory of 4264	4248	chrome.exe	113
PID 4248 wrote to memory of 4264	4248	chrome.exe	113
PID 4248 wrote to memory of 4264	4248	chrome.exe	113
PID 4248 wrote to memory of 4264	4248	chrome.exe	113
PID 4248 wrote to memory of 4264	4248	chrome.exe	113
PID 4248 wrote to memory of 4264	4248	chrome.exe	113
PID 4248 wrote to memory of 4264	4248	chrome.exe	113
PID 4248 wrote to memory of 4264	4248	chrome.exe	113
PID 4248 wrote to memory of 4264	4248	chrome.exe	113
PID 4248 wrote to memory of 4264	4248	chrome.exe	113
PID 4248 wrote to memory of 4264	4248	chrome.exe	113
PID 4248 wrote to memory of 4264	4248	chrome.exe	113
PID 4248 wrote to memory of 4264	4248	chrome.exe	113
PID 4248 wrote to memory of 4264	4248	chrome.exe	113
PID 4248 wrote to memory of 4264	4248	chrome.exe	113
PID 4248 wrote to memory of 4264	4248	chrome.exe	113
PID 4248 wrote to memory of 4264	4248	chrome.exe	113
PID 4248 wrote to memory of 4264	4248	chrome.exe	113
PID 4248 wrote to memory of 4264	4248	chrome.exe	113
PID 4248 wrote to memory of 4264	4248	chrome.exe	113
PID 4248 wrote to memory of 4264	4248	chrome.exe	113
PID 4248 wrote to memory of 4264	4248	chrome.exe	113
PID 4248 wrote to memory of 4264	4248	chrome.exe	113
PID 4248 wrote to memory of 4264	4248	chrome.exe	113
PID 4248 wrote to memory of 4628	4248	chrome.exe	114
PID 4248 wrote to memory of 4628	4248	chrome.exe	114
PID 4248 wrote to memory of 4640	4248	chrome.exe	115
PID 4248 wrote to memory of 4640	4248	chrome.exe	115
PID 4248 wrote to memory of 4640	4248	chrome.exe	115
PID 4248 wrote to memory of 4640	4248	chrome.exe	115
PID 4248 wrote to memory of 4640	4248	chrome.exe	115
PID 4248 wrote to memory of 4640	4248	chrome.exe	115
PID 4248 wrote to memory of 4640	4248	chrome.exe	115
PID 4248 wrote to memory of 4640	4248	chrome.exe	115
PID 4248 wrote to memory of 4640	4248	chrome.exe	115
PID 4248 wrote to memory of 4640	4248	chrome.exe	115
PID 4248 wrote to memory of 4640	4248	chrome.exe	115
PID 4248 wrote to memory of 4640	4248	chrome.exe	115
PID 4248 wrote to memory of 4640	4248	chrome.exe	115
PID 4248 wrote to memory of 4640	4248	chrome.exe	115
PID 4248 wrote to memory of 4640	4248	chrome.exe	115
PID 4248 wrote to memory of 4640	4248	chrome.exe	115
PID 4248 wrote to memory of 4640	4248	chrome.exe	115
PID 4248 wrote to memory of 4640	4248	chrome.exe	115
PID 4248 wrote to memory of 4640	4248	chrome.exe	115
PID 4248 wrote to memory of 4640	4248	chrome.exe	115
PID 4248 wrote to memory of 4640	4248	chrome.exe	115
PID 4248 wrote to memory of 4640	4248	chrome.exe	115

C:\Users\Admin\AppData\Local\Temp\val\Mapper.exe
"C:\Users\Admin\AppData\Local\Temp\val\Mapper.exe"
1⤵
PID:2916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
1⤵
PID:1100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8a14d9758,0x7ff8a14d9768,0x7ff8a14d9778
  2⤵
  PID:824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1716 --field-trial-handle=1892,i,15964380036038377927,16960974787415962170,131072 /prefetch:2
  2⤵
  PID:4264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1892,i,15964380036038377927,16960974787415962170,131072 /prefetch:8
  2⤵
  PID:4628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2240 --field-trial-handle=1892,i,15964380036038377927,16960974787415962170,131072 /prefetch:8
  2⤵
  PID:4640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3272 --field-trial-handle=1892,i,15964380036038377927,16960974787415962170,131072 /prefetch:1
  2⤵
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3304 --field-trial-handle=1892,i,15964380036038377927,16960974787415962170,131072 /prefetch:1
  2⤵
  PID:4404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4692 --field-trial-handle=1892,i,15964380036038377927,16960974787415962170,131072 /prefetch:1
  2⤵
  PID:5236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 --field-trial-handle=1892,i,15964380036038377927,16960974787415962170,131072 /prefetch:8
  2⤵
  PID:5376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 --field-trial-handle=1892,i,15964380036038377927,16960974787415962170,131072 /prefetch:8
  2⤵
  PID:5456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=244 --field-trial-handle=1892,i,15964380036038377927,16960974787415962170,131072 /prefetch:8
  2⤵
  PID:5320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=2592 --field-trial-handle=1892,i,15964380036038377927,16960974787415962170,131072 /prefetch:1
  2⤵
  PID:772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=960 --field-trial-handle=1892,i,15964380036038377927,16960974787415962170,131072 /prefetch:1
  2⤵
  PID:4944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3456 --field-trial-handle=1892,i,15964380036038377927,16960974787415962170,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=1336 --field-trial-handle=1892,i,15964380036038377927,16960974787415962170,131072 /prefetch:1
  2⤵
  PID:5892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5012 --field-trial-handle=1892,i,15964380036038377927,16960974787415962170,131072 /prefetch:1
  2⤵
  PID:5904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3452 --field-trial-handle=1892,i,15964380036038377927,16960974787415962170,131072 /prefetch:8
  2⤵
  PID:5288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5688 --field-trial-handle=1892,i,15964380036038377927,16960974787415962170,131072 /prefetch:8
  2⤵
  PID:5236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5940 --field-trial-handle=1892,i,15964380036038377927,16960974787415962170,131072 /prefetch:1
  2⤵
  PID:5364

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3256

C:\Windows\System32\ATBroker.exe
C:\Windows\System32\ATBroker.exe /start osk
1⤵
PID:608
- C:\Windows\System32\osk.exe
  "C:\Windows\System32\osk.exe"
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:956

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x50c 0x508
1⤵
PID:4044

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1828

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\val\" -spe -an -ai#7zMap8387:68:7zEvent17167
1⤵
- Suspicious use of FindShellTrayWindow
PID:1764

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\val\Load Driver [ADMIN].bat"
1⤵
PID:6124
- C:\Users\Admin\Downloads\val\Mapper.exe
  Mapper.exe Kernel.sys
  2⤵
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  PID:2392

C:\Users\Admin\Downloads\val\Mapper.exe
"C:\Users\Admin\Downloads\val\Mapper.exe" C:\Users\Admin\Downloads\val\Kernel.sys
1⤵
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
PID:4020

C:\Users\Admin\Downloads\val\Mapper.exe
"C:\Users\Admin\Downloads\val\Mapper.exe" C:\Users\Admin\Downloads\val\Kernel.sys
1⤵
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
PID:3096

C:\Users\Admin\Downloads\val\Valorant.exe
"C:\Users\Admin\Downloads\val\Valorant.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3852 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
1⤵
PID:5420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

Filesize
194KB

MD5
f5b4137b040ec6bd884feee514f7c176

SHA1
7897677377a9ced759be35a66fdee34b391ab0ff

SHA256
845aa24ba38524f33f097b0d9bae7d9112b01fa35c443be5ec1f7b0da23513e6

SHA512
813b764a5650e4e3d1574172dd5d6a26f72c0ba5c8af7b0d676c62bc1b245e4563952bf33663bffc02089127b76a67f9977b0a8f18eaef22d9b4aa3abaaa7c40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
eebc455080b9567022bafc3f433e6837

SHA1
11957ba2247c7a492ab1552f5d34e767638fe55e

SHA256
0dcc93000baa728234f93b75a39731849fcef294c566b270b21b755439dd3f42

SHA512
392b0c0690e1a480bc09081bd736a3e8ef86403050a126c0dba9252773296f71e8b3a89290e58bef587e851114c832d15a5cdeb5882de9a04303ede335c3c0da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
552B

MD5
81949b0dd131484053cfa0998516ecdf

SHA1
dea441a626589dbb40d96ad35eb052d667633afe

SHA256
476087381985bad703e1c187bdd77e578e250a14d2431f051d080e87411db67b

SHA512
620d3ca9f9c26948152c59d9359d222baf93d20f7a02e4d48ff34bd2c9c0ab851ebf99b045d2bba8e8b9b3c1156de3cd827dfc9cd856251776fed1553409d090

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
986B

MD5
7aac3447010b76e9574c3e217480334b

SHA1
141cb4aa12b28fb0f8289abf0b274c4eaf9163d4

SHA256
75669397904743586318e95433efe0454eb959ab14cd6426e3cebe56170372f8

SHA512
30577cca0ae5b4cd224f26ee5dd115691a548388b92c74b0d78110153ee5275974df907e4c2af723e1a186448ba4358461b1cbcbc30daa7f4109a579a4d2484e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
533ede4ab449b28d9acb47601c537a64

SHA1
96862ecf2fac673435fb99236d64ae13fb13bc51

SHA256
a2dd9bce44c17c805a6d3b059927b910a528a6649bcdafba95315c729e033f9d

SHA512
0adbfcbf642284549b93b2832a1503c0db3a677e7d3967712e1f3f999c0612679bc71496bc729e7b933cfbf809f30f544658530ec6f6a6665d85d02f0fd1454c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
bacea9222b6633177d8f2fc1ba9e6da7

SHA1
2ca9764a1b461f8dd35efe51931ff40f57b93459

SHA256
b09795019805210a146fa9cbc0493e6378dc9c544c10110a4fe6da7c762e3efe

SHA512
adf72ae68423ddd47decdf093b8f6a954ed6b87e0c86d229e101ef9b2fc056084ae79e45f82860200463248148f7c6273f3dd164f26d447f00f2fa982d68581c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
805af3ead61e499eb48ce0867d1acf86

SHA1
60d0cb248136084aae8eb9a8fcce56d2aa8366dc

SHA256
4de171edef88365afcb6d2e9ab3ec7bcd7dcdfa46691f09e8f85e9b101f449ef

SHA512
3b43d3798a4fbf222cf71fc79d67f6161ae930437ebbd56c9290f9f9ec110b714b1afdbdcefc1bda175b0c8a8d158c56567b0d3f22d6798a58fe864c87b4edda

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
bd6377e87ade76edfec54b4bce090a42

SHA1
bdda274d25b97c00e31175919da4acb0203ab0f6

SHA256
306bbbb3867fb54cedd41bb30cdd0f9bfc1087d721207cedcd5c3dc76fdae9e5

SHA512
be8627f54f3592c9d5fccf8837166f549fcc46d6cfd8395c0f758653f91057de2f5862f275176ea6ec82f6463d5d38bd97c889ec65d67b6e62047eefeb75bf1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
703B

MD5
40a2d2cb1f7ded1f6b0f61a249676a99

SHA1
c5e62ca373dd2092a79ef1ff4c2beac143a9993e

SHA256
34fd799afedf7076e5e78f6e505b474e680e4e1ce8c75f0be62a082e8a254853

SHA512
b7b46e06051597b7595ccf4a69d026c09618923526d8ce9a6b898a6f3bdc81b16fc4e0d0327aca7ad7a7efcca87d37e38a20391999f255c70dbd5bf456f929d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
703B

MD5
f3b154c098554cc636eef0d7069e2b28

SHA1
7d48cc614a9c2a92b5fbfd350eb3a0e4b869afcf

SHA256
dee69b57f99bdc01d984a0cdc1247a80d2fd3d1147ea6181ec93005e146c7c1f

SHA512
dffff7536470fe7a3b2287ef9ede3dc8e0bec3a54972a10aa2202315239679790171a4d3369c8a9e8c3072a60a6fc7fcc1c08cef1d3336aed72e8a5e0fba7dc3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
d6d0d8d5ad607a895a0f52bf8b6d9c19

SHA1
b58c6ff7bb4c3b358d4d53e0d1fc8f335bc7ce09

SHA256
348c114ff40e127d50ea800401ed136245387ccac7504e955067327cbfaa78e5

SHA512
8a92bf400e2532d2968c52e7f8aa1b50b56610386ebf916626526d64b071e59f7c638824f95cdfe0355bad1631bff9fa87497345570a076c7bc5cfc57b71dee2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5eff62cebcf867b867d42d0eac530564

SHA1
729ed2cbfa9b9516d92e8a82414bf59e13e13ee0

SHA256
625e7036f6e55fac2277596c9a22804ca1bdceb03f44b4c6a21d31b605b73713

SHA512
ffb69f6e57ec9566c21063cd9ca1c2bf89079a9731ea8f355748ebec15d64a7b7b4f631091c43c58808e756a467452b59250950c20a58dab9c02e4e7c6ba8ce0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
9bd803ea907fb5100ac5fddc874ea6bd

SHA1
a5ccdf12fee29e31da985f92818f829b5ea72252

SHA256
88b889a9c5a983097a166e4f4b70f4a3bb5db3c0e3ae18c0bb20067d8073cfb5

SHA512
964f42c4dc8bdd115a5c58f4adc5ed89baa565614f21a12336119b5ab59367d8f164cf579fd8f919b38293c0915bfd7c057fd8f32db90e53d8bde9419d850bd8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
5c15a7f1bfeae33d73c9b83b56d3e68c

SHA1
31c0430d068de7a1f459c5a073f283bc18b26831

SHA256
c47e2d0dd654c261c8d73034a8ece89b17d2d9a5771ee23d906f160af37dfbbf

SHA512
b95920ab5d9b1a01f87d21aa6737042fb1b175d55bf7758a806469e8dc3a489e8d4a06b602f04d484b59658899b6958cadaf7c0716b2641134a807fdf0cea70b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
71b7cac74fcdf4f427cbbab2527b6772

SHA1
c894504282580385f3c4734fb364e78487a8fecc

SHA256
e102ba285a5fcd00d5f6924051fc08778c1b18673b200a0c5c8dca1425c202a0

SHA512
2450722592a247ace04f25a2776fd4e1d27f2701a38161c71b1f5b5904dc51740e27420250631a3b45f12a384df1261f86238e32b0cdabbd7b000235c19aaa20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
24c88d443bdf0638077919dd1efacee9

SHA1
c5d08b62f75c5ea9601e1bfe7bc98952e487d508

SHA256
b6460a26b7379ec6ed8d8e3ccec00407d838bf963a7ca8216fbd43ae5f32bbef

SHA512
ae78fea9ec59092f6eac2bca46ad08a7aaf3e81b1ce3f935a0f7f9d4aa012746a2ed2cb2719b17e240577ba60e4b0f177aa976c0215f6800f4f1546ebfb90ef0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
3ad20b289f87c7a675ca22532bc184ee

SHA1
c6042cdc1cd3af05b08c40c5aa8d75accf1aa8f2

SHA256
aa60aa49b9963977c925e6b31d56e73409c748cd7c427e09a5345e3b6e378404

SHA512
5cc8f6cd7ae431c76fe3c83d223b27dfe63207d2e4ad81a8344a5f04bfb45e0f9322284d4377d4f7ab366cb410cfc95f903b60eb9bc7f2663c46dde299544f89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
4c4562d6c14d557cbb27f8b5273a3dc1

SHA1
fe2647b3060bf984fb5446c5347aef769906e08b

SHA256
363fc0cd811d0c113f19b3e1169555d2b80376301309a6afbbf90742af81655e

SHA512
5fe7551ab648cabd3d5aa712a14a72f1a00b0ac52635647ac6c1f02bc21cdc38a8c15b3f3e834b79e2aed24fdaeee60252837847d575862b8fec37a4667786ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
104KB

MD5
aa733897ac45bd44005aa59714658fc3

SHA1
4d0b7ba9e84dc9fdd6217d7f762c49e3ce960d54

SHA256
ebe1d473e37ee92663080b1fef8c5bb7e4c12451d1894d0272ee6fbcdf7ab719

SHA512
0564bf0fe07f2b3c34e552e7a3ae80ad123f5fe40c7a9924f2f28a31555751bc2c540f83e519d812a8aea20995848d4fbc8940d3e5d2b19e1fac76fa4d1aa224

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
98KB

MD5
ca31fce61b317cf2ec50b7467672e07d

SHA1
ff34d8d05739aefbae4810b3622796c6c94a0469

SHA256
e76933d0477840889968e21278972cf506665963312c68fa94f7852874ce6df7

SHA512
90d112634e36f23ee70d054bf6be2054c482d82d6e9efb3167d401dac3b8df5faaa4651c39f0334fa51558fc2c5e909a0b5bf12778a36e88f37e3e4af74a14c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5a593d.TMP

Filesize
97KB

MD5
429ba5b2570b264fc5e27d8dd473e609

SHA1
aa6a43961ec668329cc493274384fa71dff49b87

SHA256
3b6d706ed10d971ecf0828c81b00bf1743953e9d6bdb77cea634e19ed450259e

SHA512
abd6b3ccac172b681ebcff4d6a53cdd05b824de5e8e311c2c7536f7a2322869aa3293c585552011679ec56cd837e765d6ee43b18105d35646ecf6df06e3c737d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\val.rar.crdownload

Filesize
186KB

MD5
b4df83ddbd5c31e97e04ce52818b6583

SHA1
6b83a6dd42fb3a3ff91f5db290d89a7d0aaa7486

SHA256
763ee735000712eeacd920a5b70da5d6ac1c1f176a5dda74ffcbd286cfc20664

SHA512
43796d60d2c505af9d23dfcf4ca3c3568e4eafaf849a8ef39283d6e31a4a9c1c0f1cf6aaf4ef939380aae44ef775dc05fe8febb1815951993f840c2c1420a69a

Download Submit
C:\Users\Admin\Downloads\val\Load Driver [ADMIN].bat

Filesize
38B

MD5
b56b9ab3209f7b0958976644f03776f8

SHA1
054c58ab6b517710776fa6ed8e20aabaf37d360f

SHA256
419124eb528c4c9ddb1e3713b72be124437f5632cf0ad1cbdc5b81c52407c401

SHA512
bf2515e032f3dd8885b4e8aead91dce3d46199d3dad242b8fee980b33a99def11def0f64936da7f3d456d4d376f0c3df68a4dca04b50f9cd314e99441a3d9f77

Download Submit
C:\Users\Admin\Downloads\val\Mapper.exe

Filesize
134KB

MD5
34cfbe3ff70461820ccc31a1afeec0b3

SHA1
5d32e91c039c9a6f723ba3c04c1179d02e6a0ce9

SHA256
6ebcc6896b243c761da4fc28a26249b0c146ae17aff7697c09bc447008e831df

SHA512
1ca4661be645e7e954d89c83f1fd126a5e936533052d4e330c9faccb83bb5942d28265375cee743e468b1625a0c1f10888e7957fe88c718e8501a86a78cdc06e

Download Submit
C:\Users\Admin\Downloads\val\Valorant.exe

Filesize
247KB

MD5
0d38e569ba9f0795dccbffd5b6749ad5

SHA1
e3ca20111e19cb41582da238052bfe57c4304c4b

SHA256
dcbcf99bf143cb21d2a828362f64e4519d2d5f7e7411483f04e998aea896e2e7

SHA512
d4c3ff627e77ee594a68215962a22ae440300165411a610ff19bbe08bca89f533e5a0df4c1ae94ec4d9b889cc6d77f014eb40531d27fc32c505010af9b329f14

Download Submit