chaos | d139cf9992044e972e139f409f80f7c944ae0e03541fc3fb85f0e78a1ca03440

Analysis

max time kernel
299s
max time network
287s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Avast antivirus.exe
Size

47KB
MD5

825237535c11ac8b38d3227a9b0d68e4
SHA1

afb3d9a122d1f9c5149148ead8fdeabc8f065648
SHA256

d139cf9992044e972e139f409f80f7c944ae0e03541fc3fb85f0e78a1ca03440
SHA512

6d9a7953149d979985f470746f0f53d637e85aaaef6d50b0ee2a4af5654677784b13064caab49f51ac1e9497af13b66c36954f10b7def7ecc8f66e57e1970419
SSDEEP

768:NYqo2ycN9EpGkmc1mEnHr9usUMmT/meMFAavvlXRIrpCZ4EFkrY7IB7e5:Zo21X3lEnHr9uymjBavvlXRSCtFaYMBe

Score

10^/10

chaos ransomware spyware stealer

Malware Config

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 2 IoCs

resource	yara_rule
behavioral2/memory/1284-0-0x00000000003A0000-0x00000000003B2000-memory.dmp	family_chaos
behavioral2/files/0x0009000000023415-6.dat	family_chaos

Renames multiple (186) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	Avast antivirus.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_me.txt	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2368	svchost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 34 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	svchost.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-4018855536-2201274732-320770143-1000\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	svchost.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvgli21w0.jpg"	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133593068563737462"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2164	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2368	svchost.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
1284	Avast antivirus.exe
1284	Avast antivirus.exe
1284	Avast antivirus.exe
1284	Avast antivirus.exe
1284	Avast antivirus.exe
1284	Avast antivirus.exe
1284	Avast antivirus.exe
1284	Avast antivirus.exe
1284	Avast antivirus.exe
1284	Avast antivirus.exe
1284	Avast antivirus.exe
1284	Avast antivirus.exe
1284	Avast antivirus.exe
1284	Avast antivirus.exe
1284	Avast antivirus.exe
1284	Avast antivirus.exe
1284	Avast antivirus.exe
1284	Avast antivirus.exe
1284	Avast antivirus.exe
1284	Avast antivirus.exe
1284	Avast antivirus.exe
1284	Avast antivirus.exe
1284	Avast antivirus.exe
1284	Avast antivirus.exe
2368	svchost.exe
2368	svchost.exe
2368	svchost.exe
2368	svchost.exe
2368	svchost.exe
2368	svchost.exe
2368	svchost.exe
2368	svchost.exe
2368	svchost.exe
2368	svchost.exe
2368	svchost.exe
2368	svchost.exe
2368	svchost.exe
2368	svchost.exe
2368	svchost.exe
2368	svchost.exe
2368	svchost.exe
2368	svchost.exe
2368	svchost.exe
2368	svchost.exe
2368	svchost.exe
2368	svchost.exe
4308	chrome.exe
4308	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1284	Avast antivirus.exe
Token: SeDebugPrivilege	2368	svchost.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
736	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 2368	1284	Avast antivirus.exe	86
PID 1284 wrote to memory of 2368	1284	Avast antivirus.exe	86
PID 2368 wrote to memory of 2164	2368	svchost.exe	95
PID 2368 wrote to memory of 2164	2368	svchost.exe	95
PID 4308 wrote to memory of 3500	4308	chrome.exe	120
PID 4308 wrote to memory of 3500	4308	chrome.exe	120
PID 4308 wrote to memory of 2688	4308	chrome.exe	121
PID 4308 wrote to memory of 2688	4308	chrome.exe	121
PID 4308 wrote to memory of 2688	4308	chrome.exe	121
PID 4308 wrote to memory of 2688	4308	chrome.exe	121
PID 4308 wrote to memory of 2688	4308	chrome.exe	121
PID 4308 wrote to memory of 2688	4308	chrome.exe	121
PID 4308 wrote to memory of 2688	4308	chrome.exe	121
PID 4308 wrote to memory of 2688	4308	chrome.exe	121
PID 4308 wrote to memory of 2688	4308	chrome.exe	121
PID 4308 wrote to memory of 2688	4308	chrome.exe	121
PID 4308 wrote to memory of 2688	4308	chrome.exe	121
PID 4308 wrote to memory of 2688	4308	chrome.exe	121
PID 4308 wrote to memory of 2688	4308	chrome.exe	121
PID 4308 wrote to memory of 2688	4308	chrome.exe	121
PID 4308 wrote to memory of 2688	4308	chrome.exe	121
PID 4308 wrote to memory of 2688	4308	chrome.exe	121
PID 4308 wrote to memory of 2688	4308	chrome.exe	121
PID 4308 wrote to memory of 2688	4308	chrome.exe	121
PID 4308 wrote to memory of 2688	4308	chrome.exe	121
PID 4308 wrote to memory of 2688	4308	chrome.exe	121
PID 4308 wrote to memory of 2688	4308	chrome.exe	121
PID 4308 wrote to memory of 2688	4308	chrome.exe	121
PID 4308 wrote to memory of 2688	4308	chrome.exe	121
PID 4308 wrote to memory of 2688	4308	chrome.exe	121
PID 4308 wrote to memory of 2688	4308	chrome.exe	121
PID 4308 wrote to memory of 2688	4308	chrome.exe	121
PID 4308 wrote to memory of 2688	4308	chrome.exe	121
PID 4308 wrote to memory of 2688	4308	chrome.exe	121
PID 4308 wrote to memory of 2688	4308	chrome.exe	121
PID 4308 wrote to memory of 2688	4308	chrome.exe	121
PID 4308 wrote to memory of 2688	4308	chrome.exe	121
PID 4308 wrote to memory of 180	4308	chrome.exe	122
PID 4308 wrote to memory of 180	4308	chrome.exe	122
PID 4308 wrote to memory of 388	4308	chrome.exe	123
PID 4308 wrote to memory of 388	4308	chrome.exe	123
PID 4308 wrote to memory of 388	4308	chrome.exe	123
PID 4308 wrote to memory of 388	4308	chrome.exe	123
PID 4308 wrote to memory of 388	4308	chrome.exe	123
PID 4308 wrote to memory of 388	4308	chrome.exe	123
PID 4308 wrote to memory of 388	4308	chrome.exe	123
PID 4308 wrote to memory of 388	4308	chrome.exe	123
PID 4308 wrote to memory of 388	4308	chrome.exe	123
PID 4308 wrote to memory of 388	4308	chrome.exe	123
PID 4308 wrote to memory of 388	4308	chrome.exe	123
PID 4308 wrote to memory of 388	4308	chrome.exe	123
PID 4308 wrote to memory of 388	4308	chrome.exe	123
PID 4308 wrote to memory of 388	4308	chrome.exe	123
PID 4308 wrote to memory of 388	4308	chrome.exe	123
PID 4308 wrote to memory of 388	4308	chrome.exe	123
PID 4308 wrote to memory of 388	4308	chrome.exe	123
PID 4308 wrote to memory of 388	4308	chrome.exe	123
PID 4308 wrote to memory of 388	4308	chrome.exe	123
PID 4308 wrote to memory of 388	4308	chrome.exe	123
PID 4308 wrote to memory of 388	4308	chrome.exe	123
PID 4308 wrote to memory of 388	4308	chrome.exe	123
PID 4308 wrote to memory of 388	4308	chrome.exe	123
PID 4308 wrote to memory of 388	4308	chrome.exe	123
PID 4308 wrote to memory of 388	4308	chrome.exe	123

C:\Users\Admin\AppData\Local\Temp\Avast antivirus.exe
"C:\Users\Admin\AppData\Local\Temp\Avast antivirus.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_me.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:2164

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7fffd146ab58,0x7fffd146ab68,0x7fffd146ab78
  2⤵
  PID:3500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1744 --field-trial-handle=1856,i,6976121960841597911,9067586015275114379,131072 /prefetch:2
  2⤵
  PID:2688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1988 --field-trial-handle=1856,i,6976121960841597911,9067586015275114379,131072 /prefetch:8
  2⤵
  PID:180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2252 --field-trial-handle=1856,i,6976121960841597911,9067586015275114379,131072 /prefetch:8
  2⤵
  PID:388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3080 --field-trial-handle=1856,i,6976121960841597911,9067586015275114379,131072 /prefetch:1
  2⤵
  PID:5032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3088 --field-trial-handle=1856,i,6976121960841597911,9067586015275114379,131072 /prefetch:1
  2⤵
  PID:1628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3640 --field-trial-handle=1856,i,6976121960841597911,9067586015275114379,131072 /prefetch:1
  2⤵
  PID:344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4444 --field-trial-handle=1856,i,6976121960841597911,9067586015275114379,131072 /prefetch:8
  2⤵
  PID:5068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4664 --field-trial-handle=1856,i,6976121960841597911,9067586015275114379,131072 /prefetch:8
  2⤵
  PID:2052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4672 --field-trial-handle=1856,i,6976121960841597911,9067586015275114379,131072 /prefetch:8
  2⤵
  PID:4460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 --field-trial-handle=1856,i,6976121960841597911,9067586015275114379,131072 /prefetch:8
  2⤵
  PID:1532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4792 --field-trial-handle=1856,i,6976121960841597911,9067586015275114379,131072 /prefetch:8
  2⤵
  PID:1676
- C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:2300
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff6092dae48,0x7ff6092dae58,0x7ff6092dae68
    3⤵
    PID:3900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4288 --field-trial-handle=1856,i,6976121960841597911,9067586015275114379,131072 /prefetch:1
  2⤵
  PID:2248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5076 --field-trial-handle=1856,i,6976121960841597911,9067586015275114379,131072 /prefetch:1
  2⤵
  PID:1096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3356 --field-trial-handle=1856,i,6976121960841597911,9067586015275114379,131072 /prefetch:1
  2⤵
  PID:3428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4804 --field-trial-handle=1856,i,6976121960841597911,9067586015275114379,131072 /prefetch:1
  2⤵
  PID:1532

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1008B

MD5
41a54bf8e40b05990fddfce089f5f0bb

SHA1
96166c5185a6065675d3c4d2b604b548cbdd13da

SHA256
dbc5c878449695a8223a4698edc5b47b077d2cf953f6ef3ff208d7cf71b27ea6

SHA512
1a691920ec8bdc9036e59e8dcf08f195915281a18febb1744310625ec35078b5573d0162249e0b55b3fa27ebf0eea18d6dd57e16a65de7423c9b6c7343e84a49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.eicar.org_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.eicar.org_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\46589974-1cdc-4afe-82c7-8eb8a4bc185d.tmp

Filesize
356B

MD5
d03e2daead6d267e49ece4ac80ac1504

SHA1
921b02ab70ed0f999783edec334a804f8dbe8c20

SHA256
af762844fa4df1849cd19e6c9510691a26c15f3826edc8a99eda980b24ec212d

SHA512
779457e602ab7595b0996f0ebb96371d7f607509b86c7567aed653a4c0a078e9f57560386971945133c9c25466685173fea9799437bb7283dc35bb62ac41563d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
1cbfd6d21a0031a0f6ee55088fb06aa1

SHA1
d533aed618681eed0bed29e96cfbaabcd9ee9d8d

SHA256
5c4d8cfc1eafdc45d5e130f93b9c5f08593eed7e351f75f76e1215bc37813844

SHA512
5028db290b492e4ad3749041e2c9d185dda14cd63800b44cb02a527dc2305947f1b35fce55e62f0a62a4190e744f8943ff69adcd021806f95cec33b950d3dcf9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
c43b1738e76499dae61d9955b2764a03

SHA1
8bf7301df1b781c48d71ab495893ad8dfe27efeb

SHA256
043666b7b0797b89e1ca5d19131567f1fafaef2a5ad43a38944272e3f3949a8a

SHA512
6509bff7fc8bad3ed375bbbe334e25ad650b3c2a1ed4ffbf90f4e15b57ec4015b36ae34907d52cab184510633dcb3c31b212a74b9528d09edbdc5bc0f90db6d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
9333601a3d27094616995f16abd787e0

SHA1
14a77141cbc9020ec681f768aca5c08c0c8beb0f

SHA256
54b3e942dc79cb8f6e0e6b67f268c99506371c1dc38277525df521ac0fe5a8e6

SHA512
c3b620f9a49ab3dfa257c62ba53d89d23194dfc85de2f5cebfc0432ddf403042690083e3f78fb3d085ff9fcfaff1979df8ef64e191b42f5576aefe965f35e5e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
05a9e57967e8c029f1a295a18212aef1

SHA1
339af77c72bec8b0ab711c1692da79b0b827ea44

SHA256
b8b6353629762e4cf2429175a61a0d14f6a0d102d5b19c49a56f8fcd95c5783e

SHA512
4e103560737029bb1a84d38c6bdc637f30b11832bf52408e13607aa72eafa6b43b57dfa53ac6463e2fe1d42cd00d36c9e3a912ffd8b13fcfbeaad038aa922922

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
cda659cc556b751692e71d1292df2ee0

SHA1
a689686753282a3efb48de2c92defb403d94dcf7

SHA256
f0a859133a8c69b1a6bfb3757d3dcc94c8df23d510769f56a52bb116ede13ce3

SHA512
5f470f532105898ecf4fedbe485a7c178020545b54cb36f3dbbc3e6da56bc17f8c108ba2f1ab8506a56a597f0a1c205696768b5ff66064b6857f0730b8c122ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
5ce69812cc19bb78d01490f71f151e79

SHA1
0d8118460369ea4dfe4153fc71d7c8dc7fffc942

SHA256
215163530aa4f510cc04d2b00a33f0526b023f15abc59e0382212b71a7962544

SHA512
7a56ac3fe761a99fb67cd915e6f9077eab97e23ccfb14e54d026f9637c59455b397e644df7503ff071d6c112c5a97082caa7af40bf172f8b97c8bcf76f084cdc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
3b828a1d42744597654222de50a3194f

SHA1
8cb611ebcbe53a2deef4747bec82ddc6a571205b

SHA256
486fdda36f8ecc103862c7eefa7f9f87486220d3efcc5d03502e98dd4884ea4b

SHA512
f01523948d2a08ca394941a04b945267f9936e8b7db44a0be92a594200c647e51d3006416ed7bad82350f688882dc7d1aaafbf6b351604f42f70c46deff9d4e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\2cd97a63ed40912750b02b59ddac80637f281775\9e119db8-986c-4978-9402-4c5b3cd94833\index-dir\the-real-index

Filesize
96B

MD5
7a05fe963fbb5a8ac25ed95c7d549b32

SHA1
cca79dce2bda382070a439fb2a28884fce34aba8

SHA256
6ea9269151c1525b31cf7b79209cf93a6a13abf1011dffb16a9ca695ec3a1d62

SHA512
a6798f36739f50ab5772b066768f3c31605b98b82efe5fd095d6a21e8fb399eba3c4fb5525727567989684c67486a754d558c7fbba3079557c2796d45769d469

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\2cd97a63ed40912750b02b59ddac80637f281775\9e119db8-986c-4978-9402-4c5b3cd94833\index-dir\the-real-index~RFe5bb504.TMP

Filesize
48B

MD5
7a371580c948e7ee6bc35a720b2ab128

SHA1
716f91f8b18fcf90943ab544e3215740207e420d

SHA256
0075ccfd24db9f8d68b50fa0bfc02095085ad730e45601d8a01215f2a64833fe

SHA512
e60315985cb0f106e60fad6fa1be75e5ad60c6f4d3e72d7e51432054006ec786abe071915035e62e707c44acb4e2ed7873bcc48b4c7d68a73a33f52b5b0887d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\2cd97a63ed40912750b02b59ddac80637f281775\index.txt

Filesize
198B

MD5
d1f150854dc8cc8bcdcc4a912a274935

SHA1
7bffbd5a100252eae58b3855308c6d45fa1a12f1

SHA256
b7272ff7245c77eacfbb2f30ec18acaf634e5154c3eff43038c1f0cedbd1007f

SHA512
1a6e0b4a127a11323758e0a36acf97e997005b07a6f8b68377cee2a2f7b131930a201361360d31596ac0c507afdd796eb44b744cb4ccb455541d7df48aa25735

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\2cd97a63ed40912750b02b59ddac80637f281775\index.txt~RFe5b7f2f.TMP

Filesize
129B

MD5
0909bd1be0e96242ac11da35f42e973a

SHA1
7d39fd38a7085dc8075eec665971821458a27eea

SHA256
8a2129db15919db91f282dda052fa7d9a5aff7b0f8b261765142e66158d5fcc5

SHA512
388cc344643eff966aa8d377f01cc3a2ba6f0caed7092205b6116a41600e4f14bad027fd962fa4fc2505459ceff5bd2e6dae8ee6b10a516fd5379466e7bf270a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
56B

MD5
94275bde03760c160b707ba8806ef545

SHA1
aad8d87b0796de7baca00ab000b2b12a26427859

SHA256
c58cb79fa4a9ade48ed821dd9f98957b0adfda7c2d267e3d07951c2d371aa968

SHA512
2aabd49bc9f0ed3a5c690773f48a92dbbbd60264090a0db2fe0f166f8c20c767a74d1e1d7cc6a46c34cfbd1587ddb565e791d494cd0d2ca375ab8cc11cd8f930

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe5b3c98.TMP

Filesize
120B

MD5
1d992340245b61e10e9a36bd7c12c20f

SHA1
8be645d8494fdabb9078dbf19c091719b4a38ee8

SHA256
9dd45e53ef591dbe1b2b66111e72d44950222dde66f31b9b86f89bc59382c89d

SHA512
dbd5fbb27f7f7d6fa3efdb3acb121e7b97df72c01951eec2697e70f697567ec0735b785f65bd05ba8a2e88738508ecd71d490254fc0e350d41a66b5be3d54a4c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
240B

MD5
2b9c11f9e531b2a5dd2658722afc7294

SHA1
a2796edfd84e827c5e5165fac2a98d2491805911

SHA256
ac7e33f9b4fcf3677a38f80d87f0e9b1cebca3b9682cdddbfa478ab65ce6a77a

SHA512
757ac1ba7ef86e91c7217366dd8de70dd4faa9d6baaca1b0e6de32e2b769a4d4bcf82714185c6a18312a1823c9089277bcf141ba81c1e24141f3576f219dbfb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
703df80a0b7e639c2a08acaa0b56a8c7

SHA1
11dbfc499fc3719c85f07deb659e2c4bc4d3de74

SHA256
86976d1be3b386d8667207ef6e11c65f4b7e1614fc9881c0a16ef0190fab5842

SHA512
9dd34263542318c5bae65bcd0b65baba2567c80985aef5d789c28cf05a4f625f1e2132abd09134348da2a1205bbdaef1b34ec9ef6aa8165da8074f14235c884c

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
47KB

MD5
825237535c11ac8b38d3227a9b0d68e4

SHA1
afb3d9a122d1f9c5149148ead8fdeabc8f065648

SHA256
d139cf9992044e972e139f409f80f7c944ae0e03541fc3fb85f0e78a1ca03440

SHA512
6d9a7953149d979985f470746f0f53d637e85aaaef6d50b0ee2a4af5654677784b13064caab49f51ac1e9497af13b66c36954f10b7def7ecc8f66e57e1970419

Download Submit
C:\Users\Admin\Documents\read_me.txt

Filesize
211B

MD5
555181e356e52cf25787d4028f1e7388

SHA1
780812b54aa7483f05c2088184f7418a335c2312

SHA256
c7c665cf92588d092af5b0878503c49fb7cceb0a523b43edd819d26aabb84072

SHA512
5bacd730843c8b3e5c09c6bdaea0e03c04f498ead9b9844afb05a61c0a52c8af63ebcd9dddad33ddab93c6a18223e9b89e04eb6faaee9684c204c6599c9e4317

Download Submit
memory/1284-0-0x00000000003A0000-0x00000000003B2000-memory.dmp

Filesize
72KB

Download
memory/1284-1-0x00007FFFD41B3000-0x00007FFFD41B5000-memory.dmp

Filesize
8KB

Download
memory/2368-440-0x00007FFFD41B0000-0x00007FFFD4C71000-memory.dmp

Filesize
10.8MB

Download
memory/2368-14-0x00007FFFD41B0000-0x00007FFFD4C71000-memory.dmp

Filesize
10.8MB

Download