Analysis
-
max time kernel
72s -
max time network
73s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system -
submitted
24-04-2024 15:01
Behavioral task
behavioral1
Sample
cracker.exe
Resource
win10v2004-20240412-en
windows10-2004-x64
25 signatures
150 seconds
General
-
Target
cracker.exe
-
Size
23KB
-
MD5
ee711be5ac7e4d382c21cb6cb3f9631b
-
SHA1
df2ad2e13d1160a900e730eeec7adc6503891088
-
SHA256
96954af5f3a422d26951296adeb8d9a2cae1ada61f63ee1a2c884a4ef938cf87
-
SHA512
bbd714ecbe31a75dd6d661cbcc7926e5cf2b7e0858f3931dc8ddd42d7254849e1b9a942f9ccc1140bd9f376a0149f4d79f1ef2e21b5aa45173c6f87e53fc12e2
-
SSDEEP
384:H3MLWHn3kI3fmIOyERMpOsbW+ATLJIr91Crxbo9deU:zn3kIYy6Mpzi9Ir9SxboveU
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\Desktop\read_it.txt
Family
chaos
Ransom Note
----> Chaos is multi language ransomware. Translate your note to any language <----
All of your files have been encrypted
Your computer was infected with a ransomware virus. Your files have been encrypted and you won't
be able to decrypt them without our help.What can I do to get my files back?You can buy our special
decryption software, this software will allow you to recover all of your data and remove the
ransomware from your computer.The price for the software is $1,500. Payment can be made in Bitcoin only.
How do I pay, where do I get Bitcoin?
Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search
yourself to find out how to buy Bitcoin.
Many of our customers have reported these sites to be fast and reliable:
Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com
Payment informationAmount: 0.1473766 BTC
Bitcoin Address: 3Gq3M3xz5dstUaCn7iLLxLRTBMs3BLKwPn
And If you try to ignore or just wipe your PC, I have all your passwords so you are fucked.
Wallets
3Gq3M3xz5dstUaCn7iLLxLRTBMs3BLKwPn
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 2 IoCs
resource yara_rule behavioral1/memory/4628-0-0x00000000004B0000-0x00000000004BC000-memory.dmp family_chaos behavioral1/files/0x00080000000233eb-6.dat family_chaos -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 2392 bcdedit.exe 3316 bcdedit.exe -
pid Process 4212 wbadmin.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation cracker.exe Key value queried \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation svchost.exe -
Drops startup file 3 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini svchost.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt svchost.exe -
Executes dropped EXE 1 IoCs
pid Process 3952 svchost.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 34 IoCs
description ioc Process File opened for modification C:\Users\Admin\Desktop\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini svchost.exe File opened for modification C:\Users\Public\Desktop\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini svchost.exe File opened for modification C:\Users\Public\Videos\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Documents\desktop.ini svchost.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2177723727-746291240-1644359950-1000\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini svchost.exe File opened for modification C:\Users\Public\Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini svchost.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Music\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Searches\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini svchost.exe File opened for modification C:\Users\Public\Music\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini svchost.exe File opened for modification C:\Users\Public\Documents\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Links\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Videos\desktop.ini svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName vds.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 4288 vssadmin.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000_Classes\Local Settings svchost.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 1960 NOTEPAD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 3952 svchost.exe -
Suspicious behavior: EnumeratesProcesses 49 IoCs
pid Process 4628 cracker.exe 4628 cracker.exe 4628 cracker.exe 4628 cracker.exe 4628 cracker.exe 4628 cracker.exe 4628 cracker.exe 4628 cracker.exe 4628 cracker.exe 4628 cracker.exe 4628 cracker.exe 4628 cracker.exe 4628 cracker.exe 4628 cracker.exe 4628 cracker.exe 4628 cracker.exe 4628 cracker.exe 4628 cracker.exe 4628 cracker.exe 4628 cracker.exe 4628 cracker.exe 4628 cracker.exe 4628 cracker.exe 3952 svchost.exe 3952 svchost.exe 3952 svchost.exe 3952 svchost.exe 3952 svchost.exe 3952 svchost.exe 3952 svchost.exe 3952 svchost.exe 3952 svchost.exe 3952 svchost.exe 3952 svchost.exe 3952 svchost.exe 3952 svchost.exe 3952 svchost.exe 3952 svchost.exe 3952 svchost.exe 3952 svchost.exe 3952 svchost.exe 3952 svchost.exe 3952 svchost.exe 3952 svchost.exe 3952 svchost.exe 3952 svchost.exe 3952 svchost.exe 1896 chrome.exe 1896 chrome.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid Process 1896 chrome.exe 1896 chrome.exe 1896 chrome.exe -
Suspicious use of AdjustPrivilegeToken 54 IoCs
description pid Process Token: SeDebugPrivilege 4628 cracker.exe Token: SeDebugPrivilege 3952 svchost.exe Token: SeBackupPrivilege 3928 vssvc.exe Token: SeRestorePrivilege 3928 vssvc.exe Token: SeAuditPrivilege 3928 vssvc.exe Token: SeIncreaseQuotaPrivilege 1128 WMIC.exe Token: SeSecurityPrivilege 1128 WMIC.exe Token: SeTakeOwnershipPrivilege 1128 WMIC.exe Token: SeLoadDriverPrivilege 1128 WMIC.exe Token: SeSystemProfilePrivilege 1128 WMIC.exe Token: SeSystemtimePrivilege 1128 WMIC.exe Token: SeProfSingleProcessPrivilege 1128 WMIC.exe Token: SeIncBasePriorityPrivilege 1128 WMIC.exe Token: SeCreatePagefilePrivilege 1128 WMIC.exe Token: SeBackupPrivilege 1128 WMIC.exe Token: SeRestorePrivilege 1128 WMIC.exe Token: SeShutdownPrivilege 1128 WMIC.exe Token: SeDebugPrivilege 1128 WMIC.exe Token: SeSystemEnvironmentPrivilege 1128 WMIC.exe Token: SeRemoteShutdownPrivilege 1128 WMIC.exe Token: SeUndockPrivilege 1128 WMIC.exe Token: SeManageVolumePrivilege 1128 WMIC.exe Token: 33 1128 WMIC.exe Token: 34 1128 WMIC.exe Token: 35 1128 WMIC.exe Token: 36 1128 WMIC.exe Token: SeIncreaseQuotaPrivilege 1128 WMIC.exe Token: SeSecurityPrivilege 1128 WMIC.exe Token: SeTakeOwnershipPrivilege 1128 WMIC.exe Token: SeLoadDriverPrivilege 1128 WMIC.exe Token: SeSystemProfilePrivilege 1128 WMIC.exe Token: SeSystemtimePrivilege 1128 WMIC.exe Token: SeProfSingleProcessPrivilege 1128 WMIC.exe Token: SeIncBasePriorityPrivilege 1128 WMIC.exe Token: SeCreatePagefilePrivilege 1128 WMIC.exe Token: SeBackupPrivilege 1128 WMIC.exe Token: SeRestorePrivilege 1128 WMIC.exe Token: SeShutdownPrivilege 1128 WMIC.exe Token: SeDebugPrivilege 1128 WMIC.exe Token: SeSystemEnvironmentPrivilege 1128 WMIC.exe Token: SeRemoteShutdownPrivilege 1128 WMIC.exe Token: SeUndockPrivilege 1128 WMIC.exe Token: SeManageVolumePrivilege 1128 WMIC.exe Token: 33 1128 WMIC.exe Token: 34 1128 WMIC.exe Token: 35 1128 WMIC.exe Token: 36 1128 WMIC.exe Token: SeBackupPrivilege 2268 wbengine.exe Token: SeRestorePrivilege 2268 wbengine.exe Token: SeSecurityPrivilege 2268 wbengine.exe Token: SeShutdownPrivilege 1896 chrome.exe Token: SeCreatePagefilePrivilege 1896 chrome.exe Token: SeShutdownPrivilege 1896 chrome.exe Token: SeCreatePagefilePrivilege 1896 chrome.exe -
Suspicious use of FindShellTrayWindow 27 IoCs
pid Process 1896 chrome.exe 1896 chrome.exe 1896 chrome.exe 1896 chrome.exe 1896 chrome.exe 1896 chrome.exe 1896 chrome.exe 1896 chrome.exe 1896 chrome.exe 1896 chrome.exe 1896 chrome.exe 1896 chrome.exe 1896 chrome.exe 1896 chrome.exe 1896 chrome.exe 1896 chrome.exe 1896 chrome.exe 1896 chrome.exe 1896 chrome.exe 1896 chrome.exe 1896 chrome.exe 1896 chrome.exe 1896 chrome.exe 1896 chrome.exe 1896 chrome.exe 1896 chrome.exe 1896 chrome.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 1896 chrome.exe 1896 chrome.exe 1896 chrome.exe 1896 chrome.exe 1896 chrome.exe 1896 chrome.exe 1896 chrome.exe 1896 chrome.exe 1896 chrome.exe 1896 chrome.exe 1896 chrome.exe 1896 chrome.exe 1896 chrome.exe 1896 chrome.exe 1896 chrome.exe 1896 chrome.exe 1896 chrome.exe 1896 chrome.exe 1896 chrome.exe 1896 chrome.exe 1896 chrome.exe 1896 chrome.exe 1896 chrome.exe 1896 chrome.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4628 wrote to memory of 3952 4628 cracker.exe 88 PID 4628 wrote to memory of 3952 4628 cracker.exe 88 PID 3952 wrote to memory of 2960 3952 svchost.exe 89 PID 3952 wrote to memory of 2960 3952 svchost.exe 89 PID 2960 wrote to memory of 4288 2960 cmd.exe 91 PID 2960 wrote to memory of 4288 2960 cmd.exe 91 PID 2960 wrote to memory of 1128 2960 cmd.exe 94 PID 2960 wrote to memory of 1128 2960 cmd.exe 94 PID 3952 wrote to memory of 2612 3952 svchost.exe 96 PID 3952 wrote to memory of 2612 3952 svchost.exe 96 PID 2612 wrote to memory of 2392 2612 cmd.exe 98 PID 2612 wrote to memory of 2392 2612 cmd.exe 98 PID 2612 wrote to memory of 3316 2612 cmd.exe 99 PID 2612 wrote to memory of 3316 2612 cmd.exe 99 PID 3952 wrote to memory of 5036 3952 svchost.exe 100 PID 3952 wrote to memory of 5036 3952 svchost.exe 100 PID 5036 wrote to memory of 4212 5036 cmd.exe 102 PID 5036 wrote to memory of 4212 5036 cmd.exe 102 PID 3952 wrote to memory of 1960 3952 svchost.exe 107 PID 3952 wrote to memory of 1960 3952 svchost.exe 107 PID 1896 wrote to memory of 1992 1896 chrome.exe 122 PID 1896 wrote to memory of 1992 1896 chrome.exe 122 PID 1896 wrote to memory of 4380 1896 chrome.exe 123 PID 1896 wrote to memory of 4380 1896 chrome.exe 123 PID 1896 wrote to memory of 4380 1896 chrome.exe 123 PID 1896 wrote to memory of 4380 1896 chrome.exe 123 PID 1896 wrote to memory of 4380 1896 chrome.exe 123 PID 1896 wrote to memory of 4380 1896 chrome.exe 123 PID 1896 wrote to memory of 4380 1896 chrome.exe 123 PID 1896 wrote to memory of 4380 1896 chrome.exe 123 PID 1896 wrote to memory of 4380 1896 chrome.exe 123 PID 1896 wrote to memory of 4380 1896 chrome.exe 123 PID 1896 wrote to memory of 4380 1896 chrome.exe 123 PID 1896 wrote to memory of 4380 1896 chrome.exe 123 PID 1896 wrote to memory of 4380 1896 chrome.exe 123 PID 1896 wrote to memory of 4380 1896 chrome.exe 123 PID 1896 wrote to memory of 4380 1896 chrome.exe 123 PID 1896 wrote to memory of 4380 1896 chrome.exe 123 PID 1896 wrote to memory of 4380 1896 chrome.exe 123 PID 1896 wrote to memory of 4380 1896 chrome.exe 123 PID 1896 wrote to memory of 4380 1896 chrome.exe 123 PID 1896 wrote to memory of 4380 1896 chrome.exe 123 PID 1896 wrote to memory of 4380 1896 chrome.exe 123 PID 1896 wrote to memory of 4380 1896 chrome.exe 123 PID 1896 wrote to memory of 4380 1896 chrome.exe 123 PID 1896 wrote to memory of 4380 1896 chrome.exe 123 PID 1896 wrote to memory of 4380 1896 chrome.exe 123 PID 1896 wrote to memory of 4380 1896 chrome.exe 123 PID 1896 wrote to memory of 4380 1896 chrome.exe 123 PID 1896 wrote to memory of 4380 1896 chrome.exe 123 PID 1896 wrote to memory of 4380 1896 chrome.exe 123 PID 1896 wrote to memory of 4380 1896 chrome.exe 123 PID 1896 wrote to memory of 4380 1896 chrome.exe 123 PID 1896 wrote to memory of 1424 1896 chrome.exe 124 PID 1896 wrote to memory of 1424 1896 chrome.exe 124 PID 1896 wrote to memory of 1624 1896 chrome.exe 125 PID 1896 wrote to memory of 1624 1896 chrome.exe 125 PID 1896 wrote to memory of 1624 1896 chrome.exe 125 PID 1896 wrote to memory of 1624 1896 chrome.exe 125 PID 1896 wrote to memory of 1624 1896 chrome.exe 125 PID 1896 wrote to memory of 1624 1896 chrome.exe 125 PID 1896 wrote to memory of 1624 1896 chrome.exe 125 PID 1896 wrote to memory of 1624 1896 chrome.exe 125 PID 1896 wrote to memory of 1624 1896 chrome.exe 125 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\cracker.exe"C:\Users\Admin\AppData\Local\Temp\cracker.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4628 -
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3952 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete3⤵
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:4288
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1128
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no3⤵
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
PID:2392
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
PID:3316
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet3⤵
- Suspicious use of WriteProcessMemory
PID:5036 -
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
PID:4212
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt3⤵
- Opens file in notepad (likely ransom note)
PID:1960
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3928
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2268
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:4160
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
PID:2076
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1568
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffef838ab58,0x7ffef838ab68,0x7ffef838ab782⤵PID:1992
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1992,i,16735311449591188012,5512348073132699958,131072 /prefetch:22⤵PID:4380
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2008 --field-trial-handle=1992,i,16735311449591188012,5512348073132699958,131072 /prefetch:82⤵PID:1424
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2264 --field-trial-handle=1992,i,16735311449591188012,5512348073132699958,131072 /prefetch:82⤵PID:1624
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2964 --field-trial-handle=1992,i,16735311449591188012,5512348073132699958,131072 /prefetch:12⤵PID:4952
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2972 --field-trial-handle=1992,i,16735311449591188012,5512348073132699958,131072 /prefetch:12⤵PID:1980
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4320 --field-trial-handle=1992,i,16735311449591188012,5512348073132699958,131072 /prefetch:12⤵PID:3600
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵PID:872
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD56db5c64852810fc2cead96f5cebbd11e
SHA100353704980b5990c38683d444a53cda0c0a76af
SHA2560e0d6fdb38f4f22a3b54566e54f50e5804b2cd639ac24b6ef741567c499a4529
SHA5129560b157d13b9cdb7015107e8f1efa2f138dbfad8855bdc85765813499ebdfd5ac5a6c1fdc708d2aafa6ced2419a93409c3ebf9c42587b69f231410d73a11950
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\bd4a5827-bf8f-48c9-8f51-a24b25b2667c.tmp
Filesize6KB
MD50f8c2cd1b9f1261972cc0cc1e28e7c4e
SHA1a1d65205892ab7f0dcb93919800414e379d46afa
SHA2569515adf64974061167e0197e80ba6b26aff109efaa3ee40c5c957d3d7510a61c
SHA512f8c33ac1960cba4b922c15976bc111c4a52ce97595dc74f8559a4158a1a3bbd3971c39abd65d6c17e735429fc8cbc526f19b91c0d8e09e29a70bd172d960ca1b
-
Filesize
127KB
MD50c0119258de2d5500962eede69fd63e1
SHA19fae84367ff4ecfd475b76396e353c5053df1f2c
SHA2561b41bf0ab4cb59a1d33bfb5f24457818430411f2208ecc345316d8aa1acc4d64
SHA512d57164d906204f6bab789ff378bbafb90bb2de3268c83dbc9a452c4bea326194456dd454e7647f070460b70acb1296249eaed6ef308942c3d7afa8085fd490b0
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
23KB
MD5ee711be5ac7e4d382c21cb6cb3f9631b
SHA1df2ad2e13d1160a900e730eeec7adc6503891088
SHA25696954af5f3a422d26951296adeb8d9a2cae1ada61f63ee1a2c884a4ef938cf87
SHA512bbd714ecbe31a75dd6d661cbcc7926e5cf2b7e0858f3931dc8ddd42d7254849e1b9a942f9ccc1140bd9f376a0149f4d79f1ef2e21b5aa45173c6f87e53fc12e2
-
Filesize
1KB
MD5b1a5c367bb7f0c30db6a506a3e3a2db8
SHA154b0d78890b96de58b22b718e04acd416bfb2f6d
SHA25678e0b22120fa86f094a470a6b9f0ee786aa8dd3f683f172dc2a80a7194e41ba0
SHA512b910fc7b20cf9c3b85548b1e212c4c0053014d6f4524787488052ec28dbebdc857d94b2fe3ca38efbfeab1bca73a9e6a345fc3578224410c757293e44b4d96a7