hxxps://qptr[.]ru/Vmkj

Analysis

max time kernel
203s
max time network
207s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
03-04-2024 14:44

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://qptr.ru/Vmkj

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

Processes:

bootim.exe

description ioc process

File opened for modification C:\Windows\system32\Recovery\ReAgent.xml bootim.exe

description	ioc	process
File opened for modification	C:\Windows\system32\Recovery\ReAgent.xml	bootim.exe

Drops file in Windows directory 8 IoCs

Processes:

UserOOBEBroker.exebootim.exe

description	ioc	process
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	bootim.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	bootim.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	bootim.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	bootim.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exeWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEchrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 17 IoCs

Processes:

LogonUI.exechrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "238"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133566290832485477"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 15 IoCs

Processes:

OpenWith.exeMiniSearchHost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\.svgz\ = "svgz_auto_file"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\陼䡱꼀蠀媰鞿翼\ = "svgz_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\svgz_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\\ = "svgz_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\svgz_auto_file\shell\Read\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\svgz_auto_file	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\陼䡱꼀蠀媰鞿翼	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\\ = "svgz_auto_file"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\svgz_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\" \"%1\""	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\.svgz	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\svgz_auto_file\shell\Read	OpenWith.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

2148 WINWORD.EXE
2148 WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

chrome.exechrome.exeAcroRd32.exe

pid	process
4056	chrome.exe
4056	chrome.exe
4684	chrome.exe
4684	chrome.exe
3708	AcroRd32.exe
3708	AcroRd32.exe
3708	AcroRd32.exe
3708	AcroRd32.exe
3708	AcroRd32.exe
3708	AcroRd32.exe
3708	AcroRd32.exe
3708	AcroRd32.exe
3708	AcroRd32.exe
3708	AcroRd32.exe
3708	AcroRd32.exe
3708	AcroRd32.exe
3708	AcroRd32.exe
3708	AcroRd32.exe
3708	AcroRd32.exe
3708	AcroRd32.exe
3708	AcroRd32.exe
3708	AcroRd32.exe
3708	AcroRd32.exe
3708	AcroRd32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid process

420 OpenWith.exe
Suspicious behavior: LoadsDriver 6 IoCs

Processes:

pid

4
4
4
4
4
688
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

chrome.exe

pid process

4056 chrome.exe
4056 chrome.exe
4056 chrome.exe
4056 chrome.exe
4056 chrome.exe
4056 chrome.exe

pid	process
420	OpenWith.exe

pid
4
4
4
4
4
688

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe
Token: SeShutdownPrivilege	4056	chrome.exe
Token: SeCreatePagefilePrivilege	4056	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

chrome.exeAcroRd32.exe

pid	process
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
3708	AcroRd32.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

chrome.exe

pid	process
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe
4056	chrome.exe

Suspicious use of SetWindowsHookEx 44 IoCs

Processes:

WINWORD.EXEMiniSearchHost.exeOpenWith.exeAcroRd32.exeLogonUI.exe

pid	process
2148	WINWORD.EXE
2148	WINWORD.EXE
2148	WINWORD.EXE
2148	WINWORD.EXE
2148	WINWORD.EXE
2148	WINWORD.EXE
2148	WINWORD.EXE
2360	MiniSearchHost.exe
420	OpenWith.exe
420	OpenWith.exe
420	OpenWith.exe
420	OpenWith.exe
420	OpenWith.exe
420	OpenWith.exe
420	OpenWith.exe
420	OpenWith.exe
420	OpenWith.exe
420	OpenWith.exe
420	OpenWith.exe
420	OpenWith.exe
420	OpenWith.exe
420	OpenWith.exe
420	OpenWith.exe
420	OpenWith.exe
420	OpenWith.exe
420	OpenWith.exe
420	OpenWith.exe
420	OpenWith.exe
420	OpenWith.exe
420	OpenWith.exe
420	OpenWith.exe
420	OpenWith.exe
420	OpenWith.exe
420	OpenWith.exe
420	OpenWith.exe
420	OpenWith.exe
420	OpenWith.exe
3708	AcroRd32.exe
3708	AcroRd32.exe
3708	AcroRd32.exe
3708	AcroRd32.exe
3708	AcroRd32.exe
3708	AcroRd32.exe
420	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4056 wrote to memory of 4568	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4568	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4880	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4880	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4880	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4880	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4880	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4880	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4880	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4880	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4880	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4880	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4880	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4880	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4880	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4880	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4880	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4880	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4880	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4880	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4880	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4880	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4880	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4880	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4880	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4880	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4880	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4880	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4880	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4880	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4880	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4880	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4880	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4880	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4880	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4880	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4880	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4880	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4880	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4880	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 1116	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 1116	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4876	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4876	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4876	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4876	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4876	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4876	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4876	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4876	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4876	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4876	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4876	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4876	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4876	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4876	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4876	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4876	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4876	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4876	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4876	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4876	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4876	4056	chrome.exe	chrome.exe
PID 4056 wrote to memory of 4876	4056	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://qptr.ru/Vmkj
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcac499758,0x7ffcac499768,0x7ffcac499778
2⤵
PID:4568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1564 --field-trial-handle=1800,i,5635961925670675599,1937539944195521122,131072 /prefetch:2
2⤵
PID:4880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=1800,i,5635961925670675599,1937539944195521122,131072 /prefetch:8
2⤵
PID:1116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2152 --field-trial-handle=1800,i,5635961925670675599,1937539944195521122,131072 /prefetch:8
2⤵
PID:4876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2916 --field-trial-handle=1800,i,5635961925670675599,1937539944195521122,131072 /prefetch:1
2⤵
PID:3800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2924 --field-trial-handle=1800,i,5635961925670675599,1937539944195521122,131072 /prefetch:1
2⤵
PID:4436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3716 --field-trial-handle=1800,i,5635961925670675599,1937539944195521122,131072 /prefetch:1
2⤵
PID:1972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 --field-trial-handle=1800,i,5635961925670675599,1937539944195521122,131072 /prefetch:8
2⤵
PID:1592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 --field-trial-handle=1800,i,5635961925670675599,1937539944195521122,131072 /prefetch:8
2⤵
PID:616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4780 --field-trial-handle=1800,i,5635961925670675599,1937539944195521122,131072 /prefetch:1
2⤵
PID:3000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 --field-trial-handle=1800,i,5635961925670675599,1937539944195521122,131072 /prefetch:8
2⤵
PID:1152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4984 --field-trial-handle=1800,i,5635961925670675599,1937539944195521122,131072 /prefetch:1
2⤵
PID:224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=1000 --field-trial-handle=1800,i,5635961925670675599,1937539944195521122,131072 /prefetch:1
2⤵
PID:4584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4588 --field-trial-handle=1800,i,5635961925670675599,1937539944195521122,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4684

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1008

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:2424

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\These.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2148

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2360

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:420

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\DisconnectDismount.svgz"
2⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3708

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
3⤵
PID:1180

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AE103300412FC11459B30EEAE0CC8B53 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:4576

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B24124DC89A1D70CCDDB8F5E127EB447 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=B24124DC89A1D70CCDDB8F5E127EB447 --renderer-client-id=2 --mojo-platform-channel-handle=1792 --allow-no-sandbox-job /prefetch:1
4⤵
PID:1472

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FD9CE65AA349E527399C90EEDF72ACB7 --mojo-platform-channel-handle=2196 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:4540

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E036A6C7694F46E0A0095DD1CFF7F090 --mojo-platform-channel-handle=1900 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:4660

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=CC57F24DB3C24CCE3CFFEA0CDF756081 --mojo-platform-channel-handle=2408 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:2540

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=597813E9424F42EFFCB07475B0911550 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=597813E9424F42EFFCB07475B0911550 --renderer-client-id=8 --mojo-platform-channel-handle=2032 --allow-no-sandbox-job /prefetch:1
4⤵
PID:4712

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1980

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:3452

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:3420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DevicesFlow -s DevicesFlowUserSvc
1⤵
PID:1556

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:3840

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39c2055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:420

C:\Windows\system32\bootim.exe
bootim.exe /startpage:1
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001
Filesize
43KB

MD5
db2a509594a5a1893b68ab6751b4821b

SHA1
de248758ad71bb86150de155daa2fae0ef82186b

SHA256
7205ea02f7af5c57824a95597af310a9a7f1cddb053abb3b4b82af8f09fb6f51

SHA512
37a82855bfdcd0f93c097883437c22362b8cd79530885f981c6e03fd6f2f80a8177a979a005feec10b61aa2b84b49faf0a05e548d472655eb50ff4df5b159e73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000004
Filesize
32KB

MD5
e13edde4a25e96e573f37bdd11e020aa

SHA1
84a0c3cc6cd74b149cc27de2b0fe48bc2acb70d2

SHA256
45b526e6aa5356b278aa37e67593a25d09c9653e8a0e71fb8e155111d3b7a515

SHA512
9ba4cce47994f949731e594538f56f423ee46a8e602fe922ab6e1d173b87831ae5a80d967d695fc45a08b25aef5c494518b43cde6b4709db690e904b2cc1c053

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000c
Filesize
115KB

MD5
ce6bda6643b662a41b9fb570bdf72f83

SHA1
87bcf1d2820b476aaeaea91dc7f6dbedd73c1cb8

SHA256
0adf4d5edbc82d28879fdfaaf7274ba05162ff8cbbda816d69ed52f1dae547f6

SHA512
8023da9f9619d34d4e5f7c819a96356485f73fddcb8adb452f3ceefa8c969c16ca78a8c8d02d8e7a213eb9c5bbe5c50745ba7602e0ee2fe36d2742fb3e979c86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000010
Filesize
119KB

MD5
d45f521dba72b19a4096691a165b1990

SHA1
2a08728fbb9229acccbf907efdf4091f9b9a232f

SHA256
6b7a3177485c193a2e80be6269b6b12880e695a8b4349f49fccf87f9205badcc

SHA512
9262847972a50f0cf8fc4225c6e9a72dbf2c55ccbcc2a098b7f1a5bd9ea87502f3c495a0431373a3c20961439d2dae4af1b1da5b9fade670d7fcaed486831d8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000016
Filesize
39KB

MD5
21edbf6edd79328b6d4f9136a061a173

SHA1
59834ba5d6c9360a93c8727eed2d92ebda24eca0

SHA256
bdcff1d99f4f7b7dd47fc0274f04c6c53b8269c50f70b5b2195a023e368e7976

SHA512
2fd97c6c2c36acda9975010be8dd4282bb6e131b7f690a3410c7df2f34fbc1c98b9e3e017049654dd894025a40fb0f9e457ecf7936796df06874085503089779

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000023
Filesize
121KB

MD5
2d64caa5ecbf5e42cbb766ca4d85e90e

SHA1
147420abceb4a7fd7e486dddcfe68cda7ebb3a18

SHA256
045b433f94502cfa873a39e72d616c73ec1b4c567b7ee0f847f442651683791f

SHA512
c96556ec57dac504919e806c7df536c4f86892b8525739289b2f2dbbf475de883a4824069dbdd4bb1770dd484f321563a00892e6c79d48818a4b95406bf1af96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000025
Filesize
119KB

MD5
57613e143ff3dae10f282e84a066de28

SHA1
88756cc8c6db645b5f20aa17b14feefb4411c25f

SHA256
19b8db163bcc51732457efa40911b4a422f297ff3cd566467d87eab93cef0c14

SHA512
94f045e71b9276944609ca69fc4b8704e4447f9b0fc2b80789cc012235895c50ef9ecb781a3ed901a0c989bed26caa37d4d4a9baffcce2cb19606dbb16a17176

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
480B

MD5
af637a9aa16a95ff6649a420b07f618b

SHA1
101640d2c111746bad11b98c16b96a936b522c2a

SHA256
96fcb723e6a65062766d39e2aa42ac28d5ed5f9650999a86587c13a26a1f32da

SHA512
1eaf105b98236dadb12c09edfa90e1a5123d63564e5fca2144f92ca6d52a6f841f7b4a56fe39195672d52489386290ede1fecfe87d14da55e24238ce4230f0b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
792B

MD5
dc435d8ed547334f24991e1c971cc3a6

SHA1
c19a998c801b4a92d4440c71eb0a9cad6bcfb39a

SHA256
39e52566b2589d8facf6549f2631505e03f756ee9988d9f56143ce98c06f44fc

SHA512
d008e02a15c68c25c79a0cfb01afa77760dcf8be66d3b5c71d63f4e17977c80c5b27c78abce6176b1b4550c188c5fe9fb3e58bd8f30584e83eaa0bf4518e01e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
744B

MD5
d7a0f6668e1104435e3ec0da74c03fa2

SHA1
ee080004cb2eee732f383a691fe5421e03215703

SHA256
7f03c1bb6b2d4c3989cc2ac1c39f9d9e24cb8bda8057ee08b7170b1086c99c3c

SHA512
fb93ab70c30d36a761800f6e5b00a923498d130b91205f51d72b438e98e0298d1b19cca60e7a1c478affe857543e0f74dff92766f59478b2102052782be7fd34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
912B

MD5
7af7b5131648fe3d9720b97b29d35f06

SHA1
8cce672c453eb4fe5c3966c4a505f658c2f5836b

SHA256
868e9d7b0a6f3c3d94d89883e4459191ed69dfe5e5a0d8ea14a3051ef2255523

SHA512
684d11dd172d7f0feff426efa5ef43868285e9943e72ad66e9b6fac599bdf334118f69f4dfe98bb7569a0cb58436afe7c97a95649181d0f3c02f9d602deb659b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
66260a16f96a1c64a4768a1a87c000c9

SHA1
ac77527422f1aa0b0b7ad177ffc781f0e2769209

SHA256
22c9b649a2945ad9f215616e2f241afdaa71e8fd9e5e61c63d97b5fc85b57fef

SHA512
c7c84e71bb3f37506950b75fcf08222c1f4f4f411c1e3dffc4fb45dd34e84f4303620e4bc0c3f00b486ba27e2bac9ef77c53fef57ae0d7729dc14fe5b0278beb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
28bad90cb4f0d3b52f254cb17ff2c83b

SHA1
66a32fc63939d8e2a1c295476c9b48cc1790b59b

SHA256
300b3a17b60ac4d9c394b80f074eba6202846595b96b2a45bc2172b0b1c7984e

SHA512
9fecfa661f7218483c15adef19d2a08da638082b90dc68429b00ecea391fbdfdcae1e029f7d0ca82885e0a14843c872a9408cc48f3a2df5a823579c705aff6b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
1f429462a4c141eac5a18f92e4adcb42

SHA1
1ea54ed687e5cc9059ab45c6a48a64b6f2266e9a

SHA256
051a861d40805114df443ab4b244513a85deb038463d6698c16d6d6ea6909836

SHA512
996fc8e3fd7d559fa9054914b05e1efc353a49755dab932c944872bf7f74a0b8701ee900ee6bb5310cfd3b0ecc3c195a44a512fee11e417945974d0b87d7e67a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
47751ac2b819d471e1abdabdfdc87d27

SHA1
d59045a0e239c72ea9c4dc85ba2e53259adb9eea

SHA256
30830ded580536dc9ede01a8c27a580e488d6294d09f25abed2c4b9bfb4509f1

SHA512
b9c5b5fda2170cf72e504fb45879837b8ef1b468b1c06cb1c0520f7ab4329165245cb01ac03f2670a5245c6f0324838292a44925f058d85efea571f312786b83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
0654b6349e80101b9102a88bcd9f181e

SHA1
885a20c1a574d1fcdbac7cb96ae93fcef7d45027

SHA256
97105dd10b95f2c36abe5a5fadd848252a6780cec9adc5f8c09d7e9dc400002d

SHA512
178f560f9687873e86fcbaaa5fb6e2d124f8e21217f948a84a96ff904a5922e7a74bf2664db75fc462a9d37e2fdceff65e9e2bf5df8f3b718319be93f2cb52fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
f390e56658231353a1b77d36c7a89c75

SHA1
46d199fec3ec7f1d89c287fd84fab76247409a07

SHA256
70ab4f28984560c338bcb85f36c3dd4869bfa4e67d59da97d6a4107c3a21ed2d

SHA512
2068df9d70728c0cb7841276d8dd4d741c3a2e284722c86113bfdd73bebbaf5a2f07ce6e64fd0642d2813498026f75f244b9e545a0992d0c7483a2a7ef57bf75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
9KB

MD5
cc9125481c068260780fd434177960b4

SHA1
add35a0210d744764720970fbe00eeb9b78467bf

SHA256
cc6d05a1f865602a3cf957d928aa45c4737eab820dd2e012e16e4a2ab61e5052

SHA512
0259887ac83d5abd9eab70bc5371d3e278a2af1921f467048c9a4355f3686686501d97f721192a06e882f181b1c01cfc5d1d68dca3589926b8802e5764b384b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
9KB

MD5
ac848b6c0056ac28f3344ebcc1194379

SHA1
8a6cdddb671b9ff82333cb93db16c6d43e4490e1

SHA256
d6940b1cca7216d0320de29d4f3963b604a73a72531175fef53f5f26f8c86699

SHA512
50fd8be22fb79b4a4ae70d5c7728589999f65f3d579118be2b6fb25f785e270e245fb92d4c47a73c43d6dfa448e5c54abc44bcaf7dd1c09174217c56433b9820

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
e2635a94e1b3ff68dd0ae4138eb7a90d

SHA1
f4387f20cc7ddbba5c7e2741a4fa24b83a11d96b

SHA256
b5e8b0b4c7468c40785bcb95c030da476e1c886027552c369e320185fa00e3a2

SHA512
d21652dddde255ae7b064d703fe0ca2ca14ea57d64dd666996b3b4ee4f22822f8521fa439aaa24e9e83732ba0edbc5cc3ffd8541c6f995ed6f8d70a11b527740

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
130KB

MD5
769bb250712da5b8fb8726223628838f

SHA1
a53c1f3afec7270dd07379438ce560d91c5591e7

SHA256
31ab58698900b36c3af36e41ec9f069141bbc33991dc63af40b678a3112f4fb0

SHA512
9e7f1280273e3ce2070ed9016c044cb9513b7da454570a2c918df8a8959029c4efb65542194184fab9ab9d8b8143f49624f2c85e6587fe64a2dc195e28287c30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
130KB

MD5
fa9c6a5cc71a1f51cbef42ba59fb5ef2

SHA1
806d564758a18530ea590ce355bfc088dc350bc7

SHA256
8f48c7fae4914dd40c7b56104319d37f7248e0616e37b7237c797f345a5b4c4f

SHA512
9268f7f0dc7344b96536d69d50aa8bb2cd296850e33073d5c33bac5698109bb12a3b0506bdabf3830d3e0f458e00ca24abe03710a0c488736f30014528a03c51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
130KB

MD5
76a38ceb37ccd8395f34b91f11712b2e

SHA1
3068639ae0bcd2ecc1113812725c780aa2555260

SHA256
3fc4421352f0ae75139b1fcb7c5f6d1b9214a403b343bd9a5a93372303622c4b

SHA512
cfb3f35e84f07ce3827350115b58419315af19bd623cfa41d1f3f420606a2d7a507af868845a7323938b1f4947c3697dd603ceef9216f5eb83a7a06ce15f0a97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
95KB

MD5
d7516f4f0e7b72321e0977f92dbb6e0b

SHA1
1c92a2263e07792ab04d90ce6e301a844ce7e6a5

SHA256
433a39fc3dfc3607fa494c6d25c0cdc875f465f89b7a984ac97abb6ee18c8f10

SHA512
bf0f527c8ff692a6b4b58af86cd6540f3f0af8761c4baf5b660cdb7138223d724ceedc3226bd57a863f753fbc375aafe0088d62d11f10c078389d3ec3940ff6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58144e.TMP
Filesize
93KB

MD5
4c800104c5b9bf22ee2b141620b34453

SHA1
39c289a7fd979277020beb62c7e92fd0b416aed5

SHA256
a0433b6ddfcfcf94a45f04946e4ab8556a1c36e93a324d968c32df605304a25a

SHA512
0182596c18cf8ff98516a045697e8c6f7299bfd1ce9355dad9c45adeb5eccf910a275e0f107e61c95b5b9109dcfa5f063ff98e0dcfd22828f33f2df6fcf43c29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-4-3.1447.3420.1.odl
Filesize
706B

MD5
1a670279d2d448706feaa0075c7d4555

SHA1
7fec9dad3fb2284514c1b0d3490f6a3d0f657241

SHA256
e032847218bf8418d85ec69aed5f6b39e802bdadd4ec167c06b124d0acab93c7

SHA512
a37ca0faab3d878612a17e3ecd2d782b47d9af91d82fb6cf740ee022d958088bccc4b65c6185957d716b59c5a72fb66048548aadbba22e4818e6a4983f786a4c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
202B

MD5
4566d1d70073cd75fe35acb78ff9d082

SHA1
f602ecc057a3c19aa07671b34b4fdd662aa033cc

SHA256
fe33f57205e2ebb981c4744d5a4ddc231f587a9a0589e6565c52e1051eadb0c0

SHA512
b9584ebfdd25cc588162dd6525a399c72ac03bf0c61709b96a19feba7217d840ae2c60d7b0d3b43307a2776f497a388e79ef8a646c12ae59a7f5cc4789bbf3c8

Download Submit
C:\Windows\System32\Recovery\ReAgent.xml
Filesize
1KB

MD5
7ae89e8f96f192e593815c7a95702145

SHA1
10154047a8f93a6cbfe8e3e1797d9c584d5c5451

SHA256
4518ab25dfb12054f1bc20eab5f15e378785feb859468a784c088abafcaebbd2

SHA512
9833b2464ffd1a90a50adf178202d6e939fe8e375d54b290f52591d9d2d3405244ae4a5258d33f40b3dbe1268025e7e3f92afb552cb6c71fc957413f909af416

Download Submit
\??\pipe\crashpad_4056_APOAUZJRVSTLWTCV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2148-260-0x00007FFCBB4A0000-0x00007FFCBB6A9000-memory.dmp

Filesize
2.0MB

Download
memory/2148-262-0x00007FFCBB4A0000-0x00007FFCBB6A9000-memory.dmp

Filesize
2.0MB

Download
memory/2148-263-0x00007FFCBB4A0000-0x00007FFCBB6A9000-memory.dmp

Filesize
2.0MB

Download
memory/2148-264-0x00007FFCBB4A0000-0x00007FFCBB6A9000-memory.dmp

Filesize
2.0MB

Download
memory/2148-265-0x00007FFCBA810000-0x00007FFCBA8CD000-memory.dmp

Filesize
756KB

Download
memory/2148-266-0x00007FFCBB4A0000-0x00007FFCBB6A9000-memory.dmp

Filesize
2.0MB

Download
memory/2148-267-0x00007FFCBB4A0000-0x00007FFCBB6A9000-memory.dmp

Filesize
2.0MB

Download
memory/2148-261-0x00007FFC78E30000-0x00007FFC78E40000-memory.dmp

Filesize
64KB

Download
memory/2148-301-0x00007FFC7B530000-0x00007FFC7B540000-memory.dmp

Filesize
64KB

Download
memory/2148-300-0x00007FFC7B530000-0x00007FFC7B540000-memory.dmp

Filesize
64KB

Download
memory/2148-302-0x00007FFC7B530000-0x00007FFC7B540000-memory.dmp

Filesize
64KB

Download
memory/2148-303-0x00007FFC7B530000-0x00007FFC7B540000-memory.dmp

Filesize
64KB

Download
memory/2148-304-0x00007FFCBB4A0000-0x00007FFCBB6A9000-memory.dmp

Filesize
2.0MB

Download
memory/2148-305-0x00007FFCBA810000-0x00007FFCBA8CD000-memory.dmp

Filesize
756KB

Download
memory/2148-259-0x00007FFC78E30000-0x00007FFC78E40000-memory.dmp

Filesize
64KB

Download
memory/2148-258-0x00007FFCBB4A0000-0x00007FFCBB6A9000-memory.dmp

Filesize
2.0MB

Download
memory/2148-257-0x00007FFCBB4A0000-0x00007FFCBB6A9000-memory.dmp

Filesize
2.0MB

Download
memory/2148-254-0x00007FFC7B530000-0x00007FFC7B540000-memory.dmp

Filesize
64KB

Download
memory/2148-256-0x00007FFCBB4A0000-0x00007FFCBB6A9000-memory.dmp

Filesize
2.0MB

Download
memory/2148-255-0x00007FFCBB4A0000-0x00007FFCBB6A9000-memory.dmp

Filesize
2.0MB

Download
memory/2148-252-0x00007FFC7B530000-0x00007FFC7B540000-memory.dmp

Filesize
64KB

Download
memory/2148-253-0x00007FFCBB4A0000-0x00007FFCBB6A9000-memory.dmp

Filesize
2.0MB

Download
memory/2148-246-0x00007FFC7B530000-0x00007FFC7B540000-memory.dmp

Filesize
64KB

Download
memory/2148-249-0x00007FFCBB4A0000-0x00007FFCBB6A9000-memory.dmp

Filesize
2.0MB

Download
memory/2148-251-0x00007FFCBB4A0000-0x00007FFCBB6A9000-memory.dmp

Filesize
2.0MB

Download
memory/2148-250-0x00007FFC7B530000-0x00007FFC7B540000-memory.dmp

Filesize
64KB

Download
memory/2148-248-0x00007FFC7B530000-0x00007FFC7B540000-memory.dmp

Filesize
64KB

Download
memory/2148-247-0x00007FFCBB4A0000-0x00007FFCBB6A9000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads