26f5b4590ff9ca791118130b05363b3ad7a438c60cbc032fc812098943640976

Analysis

max time kernel
121s
max time network
130s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
18-03-2024 19:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sapphire.LITE.exe
Size

1.2MB
MD5

1bbca3b8649901b50e00f8c0eca6482c
SHA1

398b31f87642bb25fd10be8f8936d0d8664e40a9
SHA256

26f5b4590ff9ca791118130b05363b3ad7a438c60cbc032fc812098943640976
SHA512

53ff755b549eff97802dcb91c193217db635c109b0be445d98f0e3deee1ff0a543b04f9e6690a45f0103a3523e033c2af9568454ea071b25940493530435c970
SSDEEP

24576:ichxoH6hdFETH5UCwIjcED7G2C/Q7xD0XVhEtmrC7l7bp8dXGI6T:ZoahdFETZhjcED7G2PxD0lLC7R18tg

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
21	discord.com
22	discord.com
23	discord.com
24	discord.com
18	discord.com
19	discord.com
20	discord.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DOMStorage\discord.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DOMStorage\discord.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 006725a26c79da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009d30d1de329527499e5593ea82e26da2000000000200000000001066000000010000200000009346771308dee0106cc946c0fc73c5606e787262586d9356d24d728e9b21c742000000000e8000000002000020000000bec9532dc95a8f5cee01423381d3946f4cdc8e1926e4deec61f7fb8ab71e43f49000000068a4fad04b6b775f1892fea48aafb78bd5218943a136edb7bba844a3e359a3fbd6d33576881ae99a2113a32bf7488fcbc59d51e4f0c4b4898d2d6bdaf9b0318406bb72f9bf1529680b7d943c74a4e08ab0866adf2ee815601a12e9b86a709269787670a87cb95cc9a521aac610dfbff1cf0dfb615526ce666693afe079c4153013ec28851370b81ffb3e34474ebed4c640000000e2ddee6e59979f69c395a16932e0bcc503a004766f46d4a7f4a7e13f09c28476c0d8e8a3c21f6f37387615a72d3f5407f8782f2a8aae229fdb31b2b60f52af3a	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C72CB1E9-E55F-11EE-882F-5E44E0CFDD1C} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009d30d1de329527499e5593ea82e26da2000000000200000000001066000000010000200000003d634c9fe874e4455fc51e71c9e94f2d11637a25bffb1c87cff0b7371f4bfda6000000000e80000000020000200000009e5dcd9670927e7c05e6cc61c1e73b0ff91dbd6f59363f6d60dc78016e1cec1720000000434ca9e1c5723ea42267e0ef0f639ca3bb5533d57082e72415e40cba0102bf724000000051938f37e5ac7386641c5cc0634d90a3e4d29972b582d418bea45e5a5d51a8467876316074f25888753d06c9a0a4da0bcc2e10e912cafc4d1b9fce106ef164aa	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "416952871"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1836	chrome.exe
1836	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2912	Sapphire.LITE.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe
Token: SeShutdownPrivilege	1836	chrome.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
3064	iexplore.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe
1836	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3064	iexplore.exe
3064	iexplore.exe
2600	IEXPLORE.EXE
2600	IEXPLORE.EXE
2600	IEXPLORE.EXE
2600	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 3064	2912	Sapphire.LITE.exe	28
PID 2912 wrote to memory of 3064	2912	Sapphire.LITE.exe	28
PID 2912 wrote to memory of 3064	2912	Sapphire.LITE.exe	28
PID 3064 wrote to memory of 2600	3064	iexplore.exe	29
PID 3064 wrote to memory of 2600	3064	iexplore.exe	29
PID 3064 wrote to memory of 2600	3064	iexplore.exe	29
PID 3064 wrote to memory of 2600	3064	iexplore.exe	29
PID 1836 wrote to memory of 2144	1836	chrome.exe	32
PID 1836 wrote to memory of 2144	1836	chrome.exe	32
PID 1836 wrote to memory of 2144	1836	chrome.exe	32
PID 1836 wrote to memory of 2976	1836	chrome.exe	34
PID 1836 wrote to memory of 2976	1836	chrome.exe	34
PID 1836 wrote to memory of 2976	1836	chrome.exe	34
PID 1836 wrote to memory of 2976	1836	chrome.exe	34
PID 1836 wrote to memory of 2976	1836	chrome.exe	34
PID 1836 wrote to memory of 2976	1836	chrome.exe	34
PID 1836 wrote to memory of 2976	1836	chrome.exe	34
PID 1836 wrote to memory of 2976	1836	chrome.exe	34
PID 1836 wrote to memory of 2976	1836	chrome.exe	34
PID 1836 wrote to memory of 2976	1836	chrome.exe	34
PID 1836 wrote to memory of 2976	1836	chrome.exe	34
PID 1836 wrote to memory of 2976	1836	chrome.exe	34
PID 1836 wrote to memory of 2976	1836	chrome.exe	34
PID 1836 wrote to memory of 2976	1836	chrome.exe	34
PID 1836 wrote to memory of 2976	1836	chrome.exe	34
PID 1836 wrote to memory of 2976	1836	chrome.exe	34
PID 1836 wrote to memory of 2976	1836	chrome.exe	34
PID 1836 wrote to memory of 2976	1836	chrome.exe	34
PID 1836 wrote to memory of 2976	1836	chrome.exe	34
PID 1836 wrote to memory of 2976	1836	chrome.exe	34
PID 1836 wrote to memory of 2976	1836	chrome.exe	34
PID 1836 wrote to memory of 2976	1836	chrome.exe	34
PID 1836 wrote to memory of 2976	1836	chrome.exe	34
PID 1836 wrote to memory of 2976	1836	chrome.exe	34
PID 1836 wrote to memory of 2976	1836	chrome.exe	34
PID 1836 wrote to memory of 2976	1836	chrome.exe	34
PID 1836 wrote to memory of 2976	1836	chrome.exe	34
PID 1836 wrote to memory of 2976	1836	chrome.exe	34
PID 1836 wrote to memory of 2976	1836	chrome.exe	34
PID 1836 wrote to memory of 2976	1836	chrome.exe	34
PID 1836 wrote to memory of 2976	1836	chrome.exe	34
PID 1836 wrote to memory of 2976	1836	chrome.exe	34
PID 1836 wrote to memory of 2976	1836	chrome.exe	34
PID 1836 wrote to memory of 2976	1836	chrome.exe	34
PID 1836 wrote to memory of 2976	1836	chrome.exe	34
PID 1836 wrote to memory of 2976	1836	chrome.exe	34
PID 1836 wrote to memory of 2976	1836	chrome.exe	34
PID 1836 wrote to memory of 2976	1836	chrome.exe	34
PID 1836 wrote to memory of 2976	1836	chrome.exe	34
PID 1836 wrote to memory of 2680	1836	chrome.exe	35
PID 1836 wrote to memory of 2680	1836	chrome.exe	35
PID 1836 wrote to memory of 2680	1836	chrome.exe	35
PID 1836 wrote to memory of 2980	1836	chrome.exe	36
PID 1836 wrote to memory of 2980	1836	chrome.exe	36
PID 1836 wrote to memory of 2980	1836	chrome.exe	36
PID 1836 wrote to memory of 2980	1836	chrome.exe	36
PID 1836 wrote to memory of 2980	1836	chrome.exe	36
PID 1836 wrote to memory of 2980	1836	chrome.exe	36
PID 1836 wrote to memory of 2980	1836	chrome.exe	36
PID 1836 wrote to memory of 2980	1836	chrome.exe	36
PID 1836 wrote to memory of 2980	1836	chrome.exe	36
PID 1836 wrote to memory of 2980	1836	chrome.exe	36
PID 1836 wrote to memory of 2980	1836	chrome.exe	36
PID 1836 wrote to memory of 2980	1836	chrome.exe	36

C:\Users\Admin\AppData\Local\Temp\Sapphire.LITE.exe
"C:\Users\Admin\AppData\Local\Temp\Sapphire.LITE.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://discord.sapphire.ac/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3064 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef1a59758,0x7fef1a59768,0x7fef1a59778
  2⤵
  PID:2144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1148 --field-trial-handle=1260,i,12493358539124828571,7330536940724341826,131072 /prefetch:2
  2⤵
  PID:2976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1524 --field-trial-handle=1260,i,12493358539124828571,7330536940724341826,131072 /prefetch:8
  2⤵
  PID:2680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1260,i,12493358539124828571,7330536940724341826,131072 /prefetch:8
  2⤵
  PID:2980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2316 --field-trial-handle=1260,i,12493358539124828571,7330536940724341826,131072 /prefetch:1
  2⤵
  PID:2380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2340 --field-trial-handle=1260,i,12493358539124828571,7330536940724341826,131072 /prefetch:1
  2⤵
  PID:2400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1420 --field-trial-handle=1260,i,12493358539124828571,7330536940724341826,131072 /prefetch:2
  2⤵
  PID:1136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3340 --field-trial-handle=1260,i,12493358539124828571,7330536940724341826,131072 /prefetch:1
  2⤵
  PID:1620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3744 --field-trial-handle=1260,i,12493358539124828571,7330536940724341826,131072 /prefetch:8
  2⤵
  PID:2200

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
169bbf9a7db431e9574109e0baab35d8

SHA1
5eb429d78af7131ac851c78f1745f8d3f49d4458

SHA256
f0f9d870afa9809738a6f3367ff62520f1f144bda97d6832c0a318f8894d8eae

SHA512
f90a09e232c4d2beec3e4900c3b2caedee8070c267473be506677d284e4a076473683930a51ec49755c9f73e8f759503bbed75696d5ddd65bcf22377882b1f42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
148bedae8fa2fbd2f80f3cf0c89c9ae3

SHA1
6ebe07bbebfb169176b8e37163f62bc2f7f10f22

SHA256
61a12eb8d89d88029af772500595c5f9349a018fbbe0f10149ebf6594bd62679

SHA512
8e7dca7e9b0d08699229ab6ec4ba8185fac31f79623b39998de28eac69a52c94289625a25e1da3b62703843fa01f69b921c9567127f55aa46691c0fdf6408d35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ab9b2e5438486745b74d67ff43fbd9ca

SHA1
6a3fcfd0a924786e44be9e1742b3dd3956038e1d

SHA256
47e089854e82b519f052cefe44f874f0fa09c34a4eacdcc1bcb6dfa7d978e69f

SHA512
baf1166dcb3fdd255342fc441d9b96d478684133edbf6e8846c9d7cea91af821ab2cafed31ad674fd04b1698fe46b9bbe826e73cbe47bea0686c54fb4f425d98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e40f21365f4e6436db467e9065681945

SHA1
777f7890d2929f675c2535e317ae11870b65e59d

SHA256
652a65c1d84e9f07a6c9f1a00a5a730952088ca808243d65ac36cf6727edbd5d

SHA512
0408de43aae68a75b7b5c95460e28415e2c063185012cd5e58e81c421cdc3181e26fd80b871ffdb89ef0b9b0b4ee06ed7315cf247daf9c053e10b74071902a2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
083c642c9f9e612f1a7cf3324d9a303c

SHA1
55258d55ac3ed49894cdec060e15ac985e913b08

SHA256
a2c475eb4d611f804afa40154ecda3466835f5fd09370f3f56ab5944ae02aa75

SHA512
8e4e8b0b9ecbbb7a7ea6b67b2e82b6e3891f057b7eeb785fecee647c054bdc86740fceaf6b3091a27ca60584b15c12c9298357d6efdcdac42caabf93ba53be64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2038b8820c1d648bb7860ea779426c8d

SHA1
64ac16f898e0d6996209806fe375a7a6cfa16967

SHA256
fa08dcfdd9e828894e04d5e8314639eee62607af67c3a60e26cbc85aefb5cfc9

SHA512
8a2877c8ca0d5d4b22af5024615b27e7e4d383a4f69d845588687f74de627b9130d9da81c86d7d0aa68cf5c2df68e095dff7d19edc66c8a4f48b352bdee6120b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3bc5fbfe98c039ac9ad2b50cd7adf412

SHA1
aa1bbda7251a9c45fb26e9febce3485aac70bbf4

SHA256
4c7335730e3c885541a71adf9a4901596738c6f87b26d64b80b8c834e44f148c

SHA512
a0db5492ffe29042f12ad722caaf3ef54d040107c3aee6cf719c2bf0b97b0bf2b12475483f224f464110be6915ea60956c0a1cb344617efbd4660d1abb19dd29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fb55edd8d98220c66692a4b5d705ee76

SHA1
d1c15d95b1d89ce465d8dfe4e6c96555e7be6649

SHA256
c9173275db54aa632ce31383b9aefafad3150347aae5069f7e6e6d237507bf64

SHA512
b8d0b5c9c97b54721bdebe64c48d8e16d091a1ce46554ecfcd9b845abc29bbb864dda07c6d20e1e02e7122c0efd0cc420301e63c37d18fc4822ec77b5f5863f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3e3c33d3d3460b053531c9beca8b96ab

SHA1
fd42c80dd898b83628db813ed74a34ab245fa380

SHA256
716a79598527adcd766210963e7ebd9ec101c6e834747608dfeb1f3f0901c181

SHA512
3b755b2a8c83f85c38d0f9cd39b3dca6fb3ab7bbd2e6768c7cfa260feaae5819732ddf45be7fa9cd5783afe01aae4a962b7e11abed4362b54b332f56d98b73ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
03ad36d71ae6759d1b5e71fde81e8ed9

SHA1
ba0ba6ab269f101889229d3fd7d4da930424ce68

SHA256
d2b07dd9b74e31c70ec2ee70e9a0eaad7b10a043ab5f57500941460ac225645c

SHA512
a7f0de6eaf6874d3b9a5d4434c57c4367f724adb60ec5ba8af090cfec8aa595b17b9269729de4f827b64b4a1eac806f11e8eb99680d21abd64651248579ed94e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
955a8625720393e73384d50164e5fca4

SHA1
0e7899967095f3db4350e55dcc49bf4c1efc6a65

SHA256
7ca598005987ff7cbcad694ac80cb94686d9b86ea191356d9b5bad06b7687cf8

SHA512
8835b45c98621d08ac9c390ed317bbafb94a5d9fdfad35f2d50fe52cac53ad58a119c856fcf4d78d08994f57661d086ff7fd4cd7e159505724593f5ec34ab80b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8793deb7ffd5625a7cd3bb94d595620e

SHA1
3f7e52366e20724b21932be4ce7be7793933e64c

SHA256
0960ef76e73ba17cb679171fec77eb7e949a869abc5605e7d4be50ad416d93d7

SHA512
2b0f16e029d27322fb3fb0998fff6be4aa77ccdbeaaa1ab4c3cea519894d4d96c233aa99a718c16deeaaea759ddf160101d66991ccf0f64e8d7dbc55931323bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
bad1d63104fb7a8211fd377a311f8fd7

SHA1
48734e148048375dbe491f14971086979b534322

SHA256
0733b97ccb2160304e201665a153d0660d2d718b900d7d0a8d3c351169017281

SHA512
3acaea2ae2be461a51c7f94c03dcb4b92350922f05f305e24c86c53915d3ad3d2c7ea579b859c629a0542ab73418fb9677bb14936fc30533f6675d7ced9e5480

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\3f26122c-a500-4a6c-9a92-558b9a112c19.tmp

Filesize
133KB

MD5
0f8b3ab3b7a4b11043d75d2261fba8ce

SHA1
c2b42c5c928b39e2e4a0502d483395950e696e18

SHA256
a6ed6ea3baa2b78870bd94325994eb4d6910c56c8d729522cbde1751e5495ee9

SHA512
fd079eea0188db1c856c832ac6ef19efa7b037ec321a9e9949e17abadedb84d20e231016f95856c20241e9a4020fc85b1cba02271623406c6dfacbcf04426522

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\s8rbov0\imagestore.dat

Filesize
24KB

MD5
35aa41d576869422345ec64fd7fee7bf

SHA1
a8a96d134ba513e994ac3d589ca98350878a1cbe

SHA256
46437e858cde0f8f75ce147b9af42f70b8fb4b27097cdd17e345bb2933eab695

SHA512
f84bb2d4d37e98d200f8cd064dacafda5c4aafdca6c00d982bd7f2687320175d5cd012b625c03d39c64e95c1e504697c4a9574b46eaf0695b79d049c3cbe685e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDZK4Z8A\favicon[1].ico

Filesize
23KB

MD5
ec2c34cadd4b5f4594415127380a85e6

SHA1
e7e129270da0153510ef04a148d08702b980b679

SHA256
128e20b3b15c65dd470cb9d0dc8fe10e2ff9f72fac99ee621b01a391ef6b81c7

SHA512
c1997779ff5d0f74a7fbb359606dab83439c143fbdb52025495bdc3a7cb87188085eaf12cc434cbf63b3f8da5417c8a03f2e64f751c0a63508e4412ea4e7425c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1AC6.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
memory/2912-71-0x000000001BD70000-0x000000001BDF0000-memory.dmp

Filesize
512KB

Download
memory/2912-54-0x000007FEF61B0000-0x000007FEF6B9C000-memory.dmp

Filesize
9.9MB

Download
memory/2912-168-0x000000001BD70000-0x000000001BDF0000-memory.dmp

Filesize
512KB

Download
memory/2912-76-0x000000001BD70000-0x000000001BDF0000-memory.dmp

Filesize
512KB

Download
memory/2912-72-0x000000001BD70000-0x000000001BDF0000-memory.dmp

Filesize
512KB

Download
memory/2912-0-0x0000000000910000-0x0000000000A48000-memory.dmp

Filesize
1.2MB

Download
memory/2912-778-0x000007FEF61B0000-0x000007FEF6B9C000-memory.dmp

Filesize
9.9MB

Download
memory/2912-323-0x000000001BD70000-0x000000001BDF0000-memory.dmp

Filesize
512KB

Download
memory/2912-324-0x000000001BD70000-0x000000001BDF0000-memory.dmp

Filesize
512KB

Download
memory/2912-7-0x000000001BD70000-0x000000001BDF0000-memory.dmp

Filesize
512KB

Download
memory/2912-6-0x000000001BD70000-0x000000001BDF0000-memory.dmp

Filesize
512KB

Download
memory/2912-5-0x000000001BD70000-0x000000001BDF0000-memory.dmp

Filesize
512KB

Download
memory/2912-4-0x0000000000580000-0x00000000005B2000-memory.dmp

Filesize
200KB

Download
memory/2912-3-0x000000001C4F0000-0x000000001C672000-memory.dmp

Filesize
1.5MB

Download
memory/2912-2-0x000000001BD70000-0x000000001BDF0000-memory.dmp

Filesize
512KB

Download
memory/2912-1-0x000007FEF61B0000-0x000007FEF6B9C000-memory.dmp

Filesize
9.9MB

Download