c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2024, 18:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
Size

1.1MB
MD5

693bdc5dc86cf6a6d2ecd692a7844288
SHA1

14ff852b9337849371e66043e78413be0c7fcbe9
SHA256

c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe
SHA512

19fe11d51e3e9418c1b89cf1e9dae7d930eeb9e3ea02c8671b7d5a4c90325a31395f817b5211b3a1c3ace9376fb5b962554263e2d3c9ab5bc634d2aa08887eac
SSDEEP

24576:RqDEvCTbMWu7rQYlBQcBiT6rprG8au62+b+HdiJUX:RTvC/MTQYxsWR7au62+b+HoJU

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133581993926903963"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4084619521-2220719027-1909462854-1000\{EF5ACC75-EB19-4502-8C65-7D9305255161}	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1876	chrome.exe
1876	chrome.exe
748	chrome.exe
748	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeCreatePagefilePrivilege	1876	chrome.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
1876	chrome.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe

Suspicious use of SendNotifyMessage 60 IoCs

pid	Process
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4852 wrote to memory of 1876	4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe	87
PID 4852 wrote to memory of 1876	4852	c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe	87
PID 1876 wrote to memory of 3124	1876	chrome.exe	89
PID 1876 wrote to memory of 3124	1876	chrome.exe	89
PID 1876 wrote to memory of 3224	1876	chrome.exe	92
PID 1876 wrote to memory of 3224	1876	chrome.exe	92
PID 1876 wrote to memory of 3224	1876	chrome.exe	92
PID 1876 wrote to memory of 3224	1876	chrome.exe	92
PID 1876 wrote to memory of 3224	1876	chrome.exe	92
PID 1876 wrote to memory of 3224	1876	chrome.exe	92
PID 1876 wrote to memory of 3224	1876	chrome.exe	92
PID 1876 wrote to memory of 3224	1876	chrome.exe	92
PID 1876 wrote to memory of 3224	1876	chrome.exe	92
PID 1876 wrote to memory of 3224	1876	chrome.exe	92
PID 1876 wrote to memory of 3224	1876	chrome.exe	92
PID 1876 wrote to memory of 3224	1876	chrome.exe	92
PID 1876 wrote to memory of 3224	1876	chrome.exe	92
PID 1876 wrote to memory of 3224	1876	chrome.exe	92
PID 1876 wrote to memory of 3224	1876	chrome.exe	92
PID 1876 wrote to memory of 3224	1876	chrome.exe	92
PID 1876 wrote to memory of 3224	1876	chrome.exe	92
PID 1876 wrote to memory of 3224	1876	chrome.exe	92
PID 1876 wrote to memory of 3224	1876	chrome.exe	92
PID 1876 wrote to memory of 3224	1876	chrome.exe	92
PID 1876 wrote to memory of 3224	1876	chrome.exe	92
PID 1876 wrote to memory of 3224	1876	chrome.exe	92
PID 1876 wrote to memory of 3224	1876	chrome.exe	92
PID 1876 wrote to memory of 3224	1876	chrome.exe	92
PID 1876 wrote to memory of 3224	1876	chrome.exe	92
PID 1876 wrote to memory of 3224	1876	chrome.exe	92
PID 1876 wrote to memory of 3224	1876	chrome.exe	92
PID 1876 wrote to memory of 3224	1876	chrome.exe	92
PID 1876 wrote to memory of 3224	1876	chrome.exe	92
PID 1876 wrote to memory of 3224	1876	chrome.exe	92
PID 1876 wrote to memory of 3224	1876	chrome.exe	92
PID 1876 wrote to memory of 1496	1876	chrome.exe	93
PID 1876 wrote to memory of 1496	1876	chrome.exe	93
PID 1876 wrote to memory of 2344	1876	chrome.exe	94
PID 1876 wrote to memory of 2344	1876	chrome.exe	94
PID 1876 wrote to memory of 2344	1876	chrome.exe	94
PID 1876 wrote to memory of 2344	1876	chrome.exe	94
PID 1876 wrote to memory of 2344	1876	chrome.exe	94
PID 1876 wrote to memory of 2344	1876	chrome.exe	94
PID 1876 wrote to memory of 2344	1876	chrome.exe	94
PID 1876 wrote to memory of 2344	1876	chrome.exe	94
PID 1876 wrote to memory of 2344	1876	chrome.exe	94
PID 1876 wrote to memory of 2344	1876	chrome.exe	94
PID 1876 wrote to memory of 2344	1876	chrome.exe	94
PID 1876 wrote to memory of 2344	1876	chrome.exe	94
PID 1876 wrote to memory of 2344	1876	chrome.exe	94
PID 1876 wrote to memory of 2344	1876	chrome.exe	94
PID 1876 wrote to memory of 2344	1876	chrome.exe	94
PID 1876 wrote to memory of 2344	1876	chrome.exe	94
PID 1876 wrote to memory of 2344	1876	chrome.exe	94
PID 1876 wrote to memory of 2344	1876	chrome.exe	94
PID 1876 wrote to memory of 2344	1876	chrome.exe	94
PID 1876 wrote to memory of 2344	1876	chrome.exe	94
PID 1876 wrote to memory of 2344	1876	chrome.exe	94
PID 1876 wrote to memory of 2344	1876	chrome.exe	94
PID 1876 wrote to memory of 2344	1876	chrome.exe	94
PID 1876 wrote to memory of 2344	1876	chrome.exe	94
PID 1876 wrote to memory of 2344	1876	chrome.exe	94
PID 1876 wrote to memory of 2344	1876	chrome.exe	94
PID 1876 wrote to memory of 2344	1876	chrome.exe	94

C:\Users\Admin\AppData\Local\Temp\c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe
"C:\Users\Admin\AppData\Local\Temp\c1c410436a7c33f631e97fd62e2c906d4352cd04c8980073c56d5cfebd0986fe.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff4ae5ab58,0x7fff4ae5ab68,0x7fff4ae5ab78
    3⤵
    PID:3124
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1668 --field-trial-handle=1984,i,9693443983064342253,362676873485684895,131072 /prefetch:2
    3⤵
    PID:3224
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1920 --field-trial-handle=1984,i,9693443983064342253,362676873485684895,131072 /prefetch:8
    3⤵
    PID:1496
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2256 --field-trial-handle=1984,i,9693443983064342253,362676873485684895,131072 /prefetch:8
    3⤵
    PID:2344
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2976 --field-trial-handle=1984,i,9693443983064342253,362676873485684895,131072 /prefetch:1
    3⤵
    PID:2124
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2996 --field-trial-handle=1984,i,9693443983064342253,362676873485684895,131072 /prefetch:1
    3⤵
    PID:3464
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4256 --field-trial-handle=1984,i,9693443983064342253,362676873485684895,131072 /prefetch:1
    3⤵
    PID:1260
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4416 --field-trial-handle=1984,i,9693443983064342253,362676873485684895,131072 /prefetch:1
    3⤵
    PID:4916
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4492 --field-trial-handle=1984,i,9693443983064342253,362676873485684895,131072 /prefetch:8
    3⤵
    PID:4088
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4504 --field-trial-handle=1984,i,9693443983064342253,362676873485684895,131072 /prefetch:8
    3⤵
    - Modifies registry class
    PID:3112
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 --field-trial-handle=1984,i,9693443983064342253,362676873485684895,131072 /prefetch:8
    3⤵
    PID:5088
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5036 --field-trial-handle=1984,i,9693443983064342253,362676873485684895,131072 /prefetch:8
    3⤵
    PID:4368
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 --field-trial-handle=1984,i,9693443983064342253,362676873485684895,131072 /prefetch:8
    3⤵
    PID:936
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 --field-trial-handle=1984,i,9693443983064342253,362676873485684895,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:748

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
360B

MD5
884a46ea7911bd91cc9c532737663745

SHA1
3424c3e79cf89b0b136882c2bdd3b28dc4af090f

SHA256
dd305c7c09c2aaa401f1a3f336b84ca0b4de891934a64b0485b66e4f3b7c0d22

SHA512
447944277417f66a41d884563a8ff0a32bf305fd15ad44e66ba7c953b89d62f4fae7f99e56c8f399aaef9d87167537e69ffcaead10f0e8e297875f01ea3f7d61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
583d94fad8e9c665f55ce4b5b81d381f

SHA1
fd064c5874bec944ff3d5d80677b41c27807bc25

SHA256
e59854f96c640b1ea09918a3b0dc3929db9952fdb50cdc259e1958b6dcd9888e

SHA512
5ea2f5843d1ba6250ba578b553663d71b21c919bc8af46ec33d16813141632df360733af12e47261f5f644a77c5662817611148cd8869a796c71ffd1ed914675

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
943f13dc73ba3cd871e2607dd7019ebe

SHA1
d40061a39b671d92a407a170750d75ae1987cdf2

SHA256
1cc5545694e77b96e55bb2fd8aa1bac7066016bdb1ac13670c6da34a490e0df1

SHA512
10f2e1d402ebc468a2a0c30a9a6cb647d5cb9374d76dc2880de20a13e12b50c44e916ac765bb7dd0cb1cfaaa7354c953e49ae442c5ed03873d30689e8c2acd99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
268321937fbffb55d3a8c075356464ae

SHA1
c3c0d38d6fe783c9a3da85e10b423ba27df25ffe

SHA256
a5cae2ac90bd41386d5ef1c81ba5aa326a046cb6656890e6b5665082e02c7fea

SHA512
b82352a9198626ae29886fc528a0861135bddbc8fd10736aa879fe721dd0df2ae6ea3cd691135803d27e14249166bbf9e244128ac25d2dae9a6488db2607cfa4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
08fdd9b72627ffa4c78fc746c2b65992

SHA1
4607aad281c5d054cbd7b3c781d3b8d75c4a7770

SHA256
abcec563f3728f15474fd35a27e3d8cf718c3dc6ffaee451e0b0a509acaeaeb6

SHA512
67a8429c75c24502e7788b1e1ac18625709d4815fd4d91efaaa09bc1df49723448d371448f77c8f414eceb825318447790108cd19f76cf370373a2b6c4de0f14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
5480e21c758973bf1f3102e83389b859

SHA1
ac31ab661faea9281f1074cf41cb4b24e4eafed9

SHA256
8848a17a1bab1a9b6ef930e1a7c74425486bd59912a7b2731cd0f5c59bdcf98d

SHA512
bfa9ebc8dea1a01c53f71515184064e9da7a67baca1bd158240b643b2130f63fc31f0779d07c8650d96d4eff115055134f49500b186c11ac52185ccc2672adf4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
3b193892e7070c0d5d36e68dc8a85e28

SHA1
ec4ca6eb8bbd83cf070c1785ba68deb90c726d4d

SHA256
fcac54e1c1ee93e6020bbe2636328d99f8f1b1a9c94f38aaa55322c642387207

SHA512
22f854d53104a92cf6673b1bc1adf73a1e1bc2ed4a1bc5f2681af9ce321c6cafdbcd64427b9de6d01d90c9db418deb7958ad5173fce3f8a9192215e0a6229323

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
252KB

MD5
c6abe9b27a6919e5aaddea094ab64bb7

SHA1
0f5f9fe03ad9dcba64de3994658bcc45fc00447a

SHA256
7a3e19cb5dfa501c83464c926c97e11a0303aa3805d9d21cd20281fa3ff34db6

SHA512
ec6456a3906ed99944003b0322d0284d53ba76d5c75a62d6502e7446b163b15d7470c14a5a6d3f90d9d06bc1a595561f6099da0ccf04c2eba79828ff1f9aca34

Download Submit