1ef9f6f47ce297fa50fe714562d32ec98773acddeec5b17b956e6d4b94bbd14f

Analysis

max time kernel
59s
max time network
63s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
24-04-2024 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Aridek shit/SpoofShit1.exe
Size

664KB
MD5

35cde0271493c188cfd476da17635f5c
SHA1

cba29bbebe1944b1c2d98b5eee4dcef36a1f18bc
SHA256

9f4ce08e8553b1690ffcf43f1d1a98091a8336e4bc4962f341872956b0e04bf7
SHA512

ba13d8cab4c56040cbae4d054f01207d3cbe25a385728514d37b84bcb0c51d0a278b36807215118a70c01d4ad8b30e62f42385314b415ed1c35061251145c8ed
SSDEEP

12288:ztzE5elwLz9Trs5inhWX/CmD1KghybW9OJmcqf+FNBkMdjzZprxqdAF:ztA4KdTA5jXbDo+ybW9OJmcqfgNTzTF3

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 21 IoCs

Processes:

extd.exeextd.exeextd.exeload.exetool.exetool.exetool.exetool.exetool.exetool.exetool.exetool.exetool.exetool.exetool.exetool.exetool.exetool.exetool.exetool.exeextd.exe

pid	process
4840	extd.exe
3836	extd.exe
1068	extd.exe
4500	load.exe
3724	tool.exe
1600	tool.exe
4492	tool.exe
2280	tool.exe
4576	tool.exe
4816	tool.exe
4408	tool.exe
4604	tool.exe
1628	tool.exe
4936	tool.exe
3832	tool.exe
4356	tool.exe
3132	tool.exe
1780	tool.exe
1924	tool.exe
4856	tool.exe
3208	extd.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\48D0.tmp\48D1.tmp\extd.exe	upx
behavioral1/memory/4840-13-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/memory/4840-15-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/memory/3836-20-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/memory/3836-21-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/memory/1068-23-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/memory/1068-24-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral1/memory/3208-50-0x0000000140000000-0x00000001400D8000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133584419424076864"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings chrome.exe
Suspicious behavior: LoadsDriver 16 IoCs

Processes:

pid process

668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings	chrome.exe

pid	process
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668
668

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	5708	WMIC.exe
Token: SeSecurityPrivilege	5708	WMIC.exe
Token: SeTakeOwnershipPrivilege	5708	WMIC.exe
Token: SeLoadDriverPrivilege	5708	WMIC.exe
Token: SeSystemProfilePrivilege	5708	WMIC.exe
Token: SeSystemtimePrivilege	5708	WMIC.exe
Token: SeProfSingleProcessPrivilege	5708	WMIC.exe
Token: SeIncBasePriorityPrivilege	5708	WMIC.exe
Token: SeCreatePagefilePrivilege	5708	WMIC.exe
Token: SeBackupPrivilege	5708	WMIC.exe
Token: SeRestorePrivilege	5708	WMIC.exe
Token: SeShutdownPrivilege	5708	WMIC.exe
Token: SeDebugPrivilege	5708	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5708	WMIC.exe
Token: SeRemoteShutdownPrivilege	5708	WMIC.exe
Token: SeUndockPrivilege	5708	WMIC.exe
Token: SeManageVolumePrivilege	5708	WMIC.exe
Token: 33	5708	WMIC.exe
Token: 34	5708	WMIC.exe
Token: 35	5708	WMIC.exe
Token: 36	5708	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5708	WMIC.exe
Token: SeSecurityPrivilege	5708	WMIC.exe
Token: SeTakeOwnershipPrivilege	5708	WMIC.exe
Token: SeLoadDriverPrivilege	5708	WMIC.exe
Token: SeSystemProfilePrivilege	5708	WMIC.exe
Token: SeSystemtimePrivilege	5708	WMIC.exe
Token: SeProfSingleProcessPrivilege	5708	WMIC.exe
Token: SeIncBasePriorityPrivilege	5708	WMIC.exe
Token: SeCreatePagefilePrivilege	5708	WMIC.exe
Token: SeBackupPrivilege	5708	WMIC.exe
Token: SeRestorePrivilege	5708	WMIC.exe
Token: SeShutdownPrivilege	5708	WMIC.exe
Token: SeDebugPrivilege	5708	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5708	WMIC.exe
Token: SeRemoteShutdownPrivilege	5708	WMIC.exe
Token: SeUndockPrivilege	5708	WMIC.exe
Token: SeManageVolumePrivilege	5708	WMIC.exe
Token: 33	5708	WMIC.exe
Token: 34	5708	WMIC.exe
Token: 35	5708	WMIC.exe
Token: 36	5708	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5740	WMIC.exe
Token: SeSecurityPrivilege	5740	WMIC.exe
Token: SeTakeOwnershipPrivilege	5740	WMIC.exe
Token: SeLoadDriverPrivilege	5740	WMIC.exe
Token: SeSystemProfilePrivilege	5740	WMIC.exe
Token: SeSystemtimePrivilege	5740	WMIC.exe
Token: SeProfSingleProcessPrivilege	5740	WMIC.exe
Token: SeIncBasePriorityPrivilege	5740	WMIC.exe
Token: SeCreatePagefilePrivilege	5740	WMIC.exe
Token: SeBackupPrivilege	5740	WMIC.exe
Token: SeRestorePrivilege	5740	WMIC.exe
Token: SeShutdownPrivilege	5740	WMIC.exe
Token: SeDebugPrivilege	5740	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5740	WMIC.exe
Token: SeRemoteShutdownPrivilege	5740	WMIC.exe
Token: SeUndockPrivilege	5740	WMIC.exe
Token: SeManageVolumePrivilege	5740	WMIC.exe
Token: 33	5740	WMIC.exe
Token: 34	5740	WMIC.exe
Token: 35	5740	WMIC.exe
Token: 36	5740	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5740	WMIC.exe

Suspicious use of WriteProcessMemory 61 IoCs

Processes:

SpoofShit1.execmd.exeload.execmd.exesetup.execmd.exe

description	pid	process	target process
PID 4800 wrote to memory of 4632	4800	SpoofShit1.exe	cmd.exe
PID 4800 wrote to memory of 4632	4800	SpoofShit1.exe	cmd.exe
PID 4632 wrote to memory of 4840	4632	cmd.exe	extd.exe
PID 4632 wrote to memory of 4840	4632	cmd.exe	extd.exe
PID 4632 wrote to memory of 3836	4632	cmd.exe	extd.exe
PID 4632 wrote to memory of 3836	4632	cmd.exe	extd.exe
PID 4632 wrote to memory of 1068	4632	cmd.exe	extd.exe
PID 4632 wrote to memory of 1068	4632	cmd.exe	extd.exe
PID 4632 wrote to memory of 4500	4632	cmd.exe	load.exe
PID 4632 wrote to memory of 4500	4632	cmd.exe	load.exe
PID 4632 wrote to memory of 4500	4632	cmd.exe	load.exe
PID 4500 wrote to memory of 2496	4500	load.exe	cmd.exe
PID 4500 wrote to memory of 2496	4500	load.exe	cmd.exe
PID 2496 wrote to memory of 3724	2496	cmd.exe	tool.exe
PID 2496 wrote to memory of 3724	2496	cmd.exe	tool.exe
PID 2496 wrote to memory of 1600	2496	cmd.exe	tool.exe
PID 2496 wrote to memory of 1600	2496	cmd.exe	tool.exe
PID 2496 wrote to memory of 4492	2496	cmd.exe	tool.exe
PID 2496 wrote to memory of 4492	2496	cmd.exe	tool.exe
PID 2496 wrote to memory of 2280	2496	cmd.exe	tool.exe
PID 2496 wrote to memory of 2280	2496	cmd.exe	tool.exe
PID 2496 wrote to memory of 4576	2496	cmd.exe	tool.exe
PID 2496 wrote to memory of 4576	2496	cmd.exe	tool.exe
PID 2496 wrote to memory of 4816	2496	cmd.exe	tool.exe
PID 2496 wrote to memory of 4816	2496	cmd.exe	tool.exe
PID 2496 wrote to memory of 4408	2496	cmd.exe	tool.exe
PID 2496 wrote to memory of 4408	2496	cmd.exe	tool.exe
PID 2496 wrote to memory of 4604	2496	cmd.exe	tool.exe
PID 2496 wrote to memory of 4604	2496	cmd.exe	tool.exe
PID 2496 wrote to memory of 1628	2496	cmd.exe	tool.exe
PID 2496 wrote to memory of 1628	2496	cmd.exe	tool.exe
PID 2496 wrote to memory of 4936	2496	cmd.exe	tool.exe
PID 2496 wrote to memory of 4936	2496	cmd.exe	tool.exe
PID 2496 wrote to memory of 3832	2496	cmd.exe	tool.exe
PID 2496 wrote to memory of 3832	2496	cmd.exe	tool.exe
PID 2496 wrote to memory of 4356	2496	cmd.exe	tool.exe
PID 2496 wrote to memory of 4356	2496	cmd.exe	tool.exe
PID 2496 wrote to memory of 3132	2496	cmd.exe	tool.exe
PID 2496 wrote to memory of 3132	2496	cmd.exe	tool.exe
PID 2496 wrote to memory of 1780	2496	cmd.exe	tool.exe
PID 2496 wrote to memory of 1780	2496	cmd.exe	tool.exe
PID 2496 wrote to memory of 1924	2496	cmd.exe	tool.exe
PID 2496 wrote to memory of 1924	2496	cmd.exe	tool.exe
PID 2496 wrote to memory of 4856	2496	cmd.exe	tool.exe
PID 2496 wrote to memory of 4856	2496	cmd.exe	tool.exe
PID 4632 wrote to memory of 3208	4632	cmd.exe	extd.exe
PID 4632 wrote to memory of 3208	4632	cmd.exe	extd.exe
PID 3664 wrote to memory of 2528	3664	setup.exe	setup.exe
PID 3664 wrote to memory of 2528	3664	setup.exe	setup.exe
PID 5652 wrote to memory of 5708	5652	cmd.exe	WMIC.exe
PID 5652 wrote to memory of 5708	5652	cmd.exe	WMIC.exe
PID 5652 wrote to memory of 5740	5652	cmd.exe	WMIC.exe
PID 5652 wrote to memory of 5740	5652	cmd.exe	WMIC.exe
PID 5652 wrote to memory of 5772	5652	cmd.exe	WMIC.exe
PID 5652 wrote to memory of 5772	5652	cmd.exe	WMIC.exe
PID 5652 wrote to memory of 5816	5652	cmd.exe	WMIC.exe
PID 5652 wrote to memory of 5816	5652	cmd.exe	WMIC.exe
PID 5652 wrote to memory of 5848	5652	cmd.exe	WMIC.exe
PID 5652 wrote to memory of 5848	5652	cmd.exe	WMIC.exe
PID 5652 wrote to memory of 5884	5652	cmd.exe	getmac.exe
PID 5652 wrote to memory of 5884	5652	cmd.exe	getmac.exe

C:\Users\Admin\AppData\Local\Temp\Aridek shit\SpoofShit1.exe
"C:\Users\Admin\AppData\Local\Temp\Aridek shit\SpoofShit1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\48D0.tmp\48D1.tmp\48D2.bat "C:\Users\Admin\AppData\Local\Temp\Aridek shit\SpoofShit1.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4632
- - C:\Users\Admin\AppData\Local\Temp\48D0.tmp\48D1.tmp\extd.exe
    C:\Users\Admin\AppData\Local\Temp\48D0.tmp\48D1.tmp\extd.exe "/getconsoletitle" "" "" "" "" "" "" "" ""
    3⤵
    - Executes dropped EXE
    PID:4840
- - C:\Users\Admin\AppData\Local\Temp\48D0.tmp\48D1.tmp\extd.exe
    C:\Users\Admin\AppData\Local\Temp\48D0.tmp\48D1.tmp\extd.exe "/resizewindow" "C:\Users\Admin\AppData\Local\Temp\Aridek shit\SpoofShit1.exe" "0" "0" "1129" "520" "" "" ""
    3⤵
    - Executes dropped EXE
    PID:3836
- - C:\Users\Admin\AppData\Local\Temp\48D0.tmp\48D1.tmp\extd.exe
    C:\Users\Admin\AppData\Local\Temp\48D0.tmp\48D1.tmp\extd.exe "/center" "" "" "" "" "" "" "" ""
    3⤵
    - Executes dropped EXE
    PID:1068
- - C:\Users\Admin\AppData\Roaming\dump\load.exe
    "load.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4500
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4C99.tmp\4CAA.tmp\4CAB.bat C:\Users\Admin\AppData\Roaming\dump\load.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2496
    - - C:\Users\Admin\AppData\Roaming\dump\tool.exe
        
        tool.exe /SM "System manufacturer"
        5⤵
        Executes dropped EXE
        
        PID:3724
    - - C:\Users\Admin\AppData\Roaming\dump\tool.exe
        
        tool.exe /SP "System Product Name"
        5⤵
        Executes dropped EXE
        
        PID:1600
    - - C:\Users\Admin\AppData\Roaming\dump\tool.exe
        
        tool.exe /SV "System Version"
        5⤵
        Executes dropped EXE
        
        PID:4492
    - - C:\Users\Admin\AppData\Roaming\dump\tool.exe
        
        tool.exe /SS "System Serial Number"
        5⤵
        Executes dropped EXE
        
        PID:2280
    - - C:\Users\Admin\AppData\Roaming\dump\tool.exe
        
        tool.exe /SU "AUTO"
        5⤵
        Executes dropped EXE
        
        PID:4576
    - - C:\Users\Admin\AppData\Roaming\dump\tool.exe
        
        tool.exe /SK "SKU"
        5⤵
        Executes dropped EXE
        
        PID:4816
    - - C:\Users\Admin\AppData\Roaming\dump\tool.exe
        
        tool.exe /SF "To be filled by O.E.M."
        5⤵
        Executes dropped EXE
        
        PID:4408
    - - C:\Users\Admin\AppData\Roaming\dump\tool.exe
        
        tool.exe /BS 300951405119459
        5⤵
        Executes dropped EXE
        
        PID:4604
    - - C:\Users\Admin\AppData\Roaming\dump\tool.exe
        
        tool.exe /BT "Default string"
        5⤵
        Executes dropped EXE
        
        PID:1628
    - - C:\Users\Admin\AppData\Roaming\dump\tool.exe
        
        tool.exe /BLC "Default string"
        5⤵
        Executes dropped EXE
        
        PID:4936
    - - C:\Users\Admin\AppData\Roaming\dump\tool.exe
        
        tool.exe /CM "Default string"
        5⤵
        Executes dropped EXE
        
        PID:3832
    - - C:\Users\Admin\AppData\Roaming\dump\tool.exe
        
        tool.exe /CV "Default string"
        5⤵
        Executes dropped EXE
        
        PID:4356
    - - C:\Users\Admin\AppData\Roaming\dump\tool.exe
        
        tool.exe /CS "Default string"
        5⤵
        Executes dropped EXE
        
        PID:3132
    - - C:\Users\Admin\AppData\Roaming\dump\tool.exe
        
        tool.exe /CA "Default string"
        5⤵
        Executes dropped EXE
        
        PID:1780
    - - C:\Users\Admin\AppData\Roaming\dump\tool.exe
        
        tool.exe /CSK "Default string"
        5⤵
        Executes dropped EXE
        
        PID:1924
    - - C:\Users\Admin\AppData\Roaming\dump\tool.exe
        
        tool.exe /PSN 190013174529150
        5⤵
        Executes dropped EXE
        
        PID:4856
- - C:\Users\Admin\AppData\Local\Temp\48D0.tmp\48D1.tmp\extd.exe
    C:\Users\Admin\AppData\Local\Temp\48D0.tmp\48D1.tmp\extd.exe "" "" "" "" "" "" "" "" ""
    3⤵
    - Executes dropped EXE
    PID:3208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
PID:4536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe2514ab58,0x7ffe2514ab68,0x7ffe2514ab78
  2⤵
  PID:1864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1888,i,1299062606791166345,13987183472693059935,131072 /prefetch:2
  2⤵
  PID:3748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2020 --field-trial-handle=1888,i,1299062606791166345,13987183472693059935,131072 /prefetch:8
  2⤵
  PID:112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2080 --field-trial-handle=1888,i,1299062606791166345,13987183472693059935,131072 /prefetch:8
  2⤵
  PID:1604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=3076 --field-trial-handle=1888,i,1299062606791166345,13987183472693059935,131072 /prefetch:1
  2⤵
  PID:2096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=3084 --field-trial-handle=1888,i,1299062606791166345,13987183472693059935,131072 /prefetch:1
  2⤵
  PID:5112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --mojo-platform-channel-handle=3596 --field-trial-handle=1888,i,1299062606791166345,13987183472693059935,131072 /prefetch:1
  2⤵
  PID:4500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4488 --field-trial-handle=1888,i,1299062606791166345,13987183472693059935,131072 /prefetch:8
  2⤵
  PID:4540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4500 --field-trial-handle=1888,i,1299062606791166345,13987183472693059935,131072 /prefetch:8
  2⤵
  PID:3664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4656 --field-trial-handle=1888,i,1299062606791166345,13987183472693059935,131072 /prefetch:8
  2⤵
  PID:3016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 --field-trial-handle=1888,i,1299062606791166345,13987183472693059935,131072 /prefetch:8
  2⤵
  PID:2460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4556 --field-trial-handle=1888,i,1299062606791166345,13987183472693059935,131072 /prefetch:8
  2⤵
  PID:4552
- C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3664
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff66005ae48,0x7ff66005ae58,0x7ff66005ae68
    3⤵
    PID:2528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --mojo-platform-channel-handle=5092 --field-trial-handle=1888,i,1299062606791166345,13987183472693059935,131072 /prefetch:1
  2⤵
  PID:4552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --mojo-platform-channel-handle=3128 --field-trial-handle=1888,i,1299062606791166345,13987183472693059935,131072 /prefetch:1
  2⤵
  PID:2096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3216 --field-trial-handle=1888,i,1299062606791166345,13987183472693059935,131072 /prefetch:8
  2⤵
  PID:5284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 --field-trial-handle=1888,i,1299062606791166345,13987183472693059935,131072 /prefetch:8
  2⤵
  PID:5300

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2432

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Temp1_e8649aa0636d23562b1a0219d086c144-edac1a87c84e310aae2d9b41f6da0f91daa10a43.zip\e8649aa0636d23562b1a0219d086c144-edac1a87c84e310aae2d9b41f6da0f91daa10a43\hwidChecker.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:5652
- C:\Windows\System32\Wbem\WMIC.exe
  wmic diskdrive get model, serialnumber
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5708
- C:\Windows\System32\Wbem\WMIC.exe
  wmic cpu get serialnumber
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5740
- C:\Windows\System32\Wbem\WMIC.exe
  wmic bios get serialnumber
  2⤵
  PID:5772
- C:\Windows\System32\Wbem\WMIC.exe
  wmic baseboard get serialnumber
  2⤵
  PID:5816
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_computersystemproduct get uuid
  2⤵
  PID:5848
- C:\Windows\system32\getmac.exe
  getmac
  2⤵
  PID:5884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b1f3c513f4728c914dd2adecf56853a4

SHA1
7d1c8966b307d73ba2cb62eb8f5e15c02c225ddb

SHA256
f7b2c3baa1ac151f191e4b2424942df99030b03a56ca473ed602061c0d14741b

SHA512
355d0376e3ec1618c4221b78d66e45d2dd99f3716d89dcf2181b4254206b8d48fcea8c59326bbcec16f7edb9dea95aa6b3f0f60195121a4303d0fa25a885769d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
99169ce32a1dfbadcac225c066018cf4

SHA1
60054b552e7a5bbabb4327797b8e68ee58439247

SHA256
81f286fc6022f773684cd5e4f82351d139d904806499c8558e1ef018332b0f73

SHA512
f510f228c2860232ca5ca1c5ffc1a3c0d2319a5b1f353988d4caa24c6b9ecfdeb45808321ddcf0bb2e95be31d9efda8127812a190c5fa9c4f85e10827b219c59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
3c4a7106ba6383497bc366931b413a6b

SHA1
e1fbc7054c6f9e27f8bc2f873cba539d3fb6bdbc

SHA256
27dff0cbe362ead1ffafb0873f27d7e669d26abc645a57c495c8577aa6e7add8

SHA512
af08660fc1d11bb8f49977fc65fe6f734fc0ff66bff406f116b07df37a251e297d5a6fd31f694e8a1b57c26319ffbac2a04d9f81d8a1b606232b6acf7111bc63

Download Submit
C:\Users\Admin\AppData\Local\Temp\48D0.tmp\48D1.tmp\48D2.bat

Filesize
674B

MD5
ece006a13fa06915acb6cf8e3c16f7c3

SHA1
9f444a56d82c7123fefad55698a53f52fdd2bcde

SHA256
ed1ec636e121c5ddebbd4da42d893ee9e1584ce6d19a485befddc8ea9ed395f8

SHA512
7506d201a7fba1208c9dfa3a5467c5804430c457db10d946ef333d3110cf3752070ce9bc69e7b1441b14f253eaa6ef30bf814c81adc61d9e6059d543ba234156

Download Submit
C:\Users\Admin\AppData\Local\Temp\48D0.tmp\48D1.tmp\extd.exe

Filesize
326KB

MD5
c14ce13ab09b4829f67a879d735a10a1

SHA1
537e1ce843f07ce629699ef5742c42ee2f06e9b6

SHA256
ef2699ba677fcdb8a3b70a711a59a5892d8439e108e3ac4d27a7f946c4d01a4a

SHA512
c1cf8eb4a5ca6539e5d2608c2085e7804ca77b7244aa7bfa7e1dde30cb88b9a4e6bb9e3d80304b7d8825355eab63d05e6425fa8267a9d20ac5f1998bed05fa38

Download Submit
C:\Users\Admin\AppData\Local\Temp\4C99.tmp\4CAA.tmp\4CAB.bat

Filesize
545B

MD5
a8d805349e3718d67fb16fea2e860186

SHA1
394704bef9cf3580aae4ea83f7e698d38ccd5a53

SHA256
f5662df0ec4b20f0503ca6a1ffb0180f36e28127e00e565546360550585c76b6

SHA512
37546bd2430906c1bb7096f1d67ce0b9e71bd69e902a028f590df8637af9c57aa4b77a517f2670b8c8000177872251efb3782502b8cb8c5efe8cb2f89c6cba69

Download Submit
C:\Users\Admin\AppData\Roaming\dump\amifldrv64.sys

Filesize
18KB

MD5
785045f8b25cd2e937ddc6b09debe01a

SHA1
029c678674f482ababe8bbfdb93152392457109d

SHA256
37073e42ffa0322500f90cd7e3c8d02c4cdd695d31c77e81560abec20bfb68ba

SHA512
40bbeb41816146c7172aa3cf27dace538908b7955171968e1cddcd84403b2588e0d8437a3596c2714ccdf4476eefa3d4e61d90ea118982b729f50b03df1104a9

Download Submit
C:\Users\Admin\AppData\Roaming\dump\load.exe

Filesize
89KB

MD5
5700cabc6bf4e6aea2f3535fe34f14e2

SHA1
9b0bd296120b99060c88fb5f870f8da1e046d640

SHA256
18c0da701463f2f99e5b8c91d2aa6315b4538960fe883a6bfb519f623fc2696b

SHA512
8db7bcf3e6babbcd2d122d55b6eb17136392ce7951cfbec550b1e8ea2d08348ffdaea37666be0e9df3889867907180c3bfa95ffbe8a307a94b147cc397bead5b

Download Submit
C:\Users\Admin\AppData\Roaming\dump\tool.exe

Filesize
453KB

MD5
b696823b80d01a67c1e25355fdaa8bab

SHA1
932d2cd264daa771e93b094de870feb4ec0e1d93

SHA256
4ef86ce5877adc7f861b79da511ca2cbc7b454d6acc33e4a3ccbf21092fe6d94

SHA512
7eadf67c666152002a8d168e6beea36f3f7a7b2c57c313461dea1ba8cb0590fe0d6f6c2c0b4cd147e3ff2429fb99de8e84f3a036c8c7dbf5012d1346e4aff65f

Download Submit
\??\pipe\crashpad_4536_WMNXBOZSHAJSKMCU

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1068-24-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/1068-23-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/3208-50-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/3836-21-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/3836-20-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/4840-15-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/4840-13-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download