6acce147ca1ccc0e4616d2c7fed73659ea02cd83ce11da71df99a1ad36234f57

Analysis

max time kernel
36s
max time network
38s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
24-05-2024 23:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

drw_trial_installer.947914a10722851.exe
Size

2.5MB
MD5

c90d8cca094f99d58aaed9391d0436dc
SHA1

f93c6496f521e2f9332a9da0f0f374b90f09f7de
SHA256

6acce147ca1ccc0e4616d2c7fed73659ea02cd83ce11da71df99a1ad36234f57
SHA512

3f9d486e06f27d33f32e0a6bf4d5f977ac41cf42e3ec3090bb747e8eec157c1ae1ff1ae84d10d73e0abed7eec79d626adce88314b5d48141439b2ce7531c941a
SSDEEP

49152:0/18U67vjsddEhjFGNS9LXQOjOQKK6bxM1vehddPa46JFUxkVxq6ZBcMucAtY:3U67vYUhjjV5OdbOUhDPWTUq9cMPOY

Score

6^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 8 IoCs

Processes:

EDownloader.exeInfoForSetup.exeInfoForSetup.exeAliyunWrapExe.ExeInfoForSetup.exeInfoForSetup.exeInfoForSetup.exeInfoForSetup.exe

pid	process
4772	EDownloader.exe
4052	InfoForSetup.exe
3600	InfoForSetup.exe
4264	AliyunWrapExe.Exe
660	InfoForSetup.exe
4440	InfoForSetup.exe
4720	InfoForSetup.exe
4656	InfoForSetup.exe

Loads dropped DLL 7 IoCs

Processes:

InfoForSetup.exeInfoForSetup.exeAliyunWrapExe.ExeInfoForSetup.exeInfoForSetup.exeInfoForSetup.exeInfoForSetup.exe

pid	process
4052	InfoForSetup.exe
3600	InfoForSetup.exe
4264	AliyunWrapExe.Exe
660	InfoForSetup.exe
4440	InfoForSetup.exe
4720	InfoForSetup.exe
4656	InfoForSetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133610685028945481"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

2888 chrome.exe
2888 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

chrome.exe

pid process

2888 chrome.exe
2888 chrome.exe
2888 chrome.exe
2888 chrome.exe
2888 chrome.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe
Token: SeShutdownPrivilege	2888	chrome.exe
Token: SeCreatePagefilePrivilege	2888	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

chrome.exe

pid	process
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe
2888	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

EDownloader.exe

pid process

4772 EDownloader.exe
4772 EDownloader.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

drw_trial_installer.947914a10722851.exeEDownloader.exeInfoForSetup.exechrome.exe

description	pid	process	target process
PID 1260 wrote to memory of 4772	1260	drw_trial_installer.947914a10722851.exe	EDownloader.exe
PID 1260 wrote to memory of 4772	1260	drw_trial_installer.947914a10722851.exe	EDownloader.exe
PID 1260 wrote to memory of 4772	1260	drw_trial_installer.947914a10722851.exe	EDownloader.exe
PID 4772 wrote to memory of 4052	4772	EDownloader.exe	InfoForSetup.exe
PID 4772 wrote to memory of 4052	4772	EDownloader.exe	InfoForSetup.exe
PID 4772 wrote to memory of 4052	4772	EDownloader.exe	InfoForSetup.exe
PID 4772 wrote to memory of 3600	4772	EDownloader.exe	InfoForSetup.exe
PID 4772 wrote to memory of 3600	4772	EDownloader.exe	InfoForSetup.exe
PID 4772 wrote to memory of 3600	4772	EDownloader.exe	InfoForSetup.exe
PID 3600 wrote to memory of 4264	3600	InfoForSetup.exe	AliyunWrapExe.Exe
PID 3600 wrote to memory of 4264	3600	InfoForSetup.exe	AliyunWrapExe.Exe
PID 3600 wrote to memory of 4264	3600	InfoForSetup.exe	AliyunWrapExe.Exe
PID 4772 wrote to memory of 660	4772	EDownloader.exe	InfoForSetup.exe
PID 4772 wrote to memory of 660	4772	EDownloader.exe	InfoForSetup.exe
PID 4772 wrote to memory of 660	4772	EDownloader.exe	InfoForSetup.exe
PID 4772 wrote to memory of 4440	4772	EDownloader.exe	InfoForSetup.exe
PID 4772 wrote to memory of 4440	4772	EDownloader.exe	InfoForSetup.exe
PID 4772 wrote to memory of 4440	4772	EDownloader.exe	InfoForSetup.exe
PID 4772 wrote to memory of 4720	4772	EDownloader.exe	InfoForSetup.exe
PID 4772 wrote to memory of 4720	4772	EDownloader.exe	InfoForSetup.exe
PID 4772 wrote to memory of 4720	4772	EDownloader.exe	InfoForSetup.exe
PID 4772 wrote to memory of 4656	4772	EDownloader.exe	InfoForSetup.exe
PID 4772 wrote to memory of 4656	4772	EDownloader.exe	InfoForSetup.exe
PID 4772 wrote to memory of 4656	4772	EDownloader.exe	InfoForSetup.exe
PID 2888 wrote to memory of 2488	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 2488	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 4900	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 4900	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 4900	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 4900	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 4900	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 4900	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 4900	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 4900	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 4900	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 4900	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 4900	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 4900	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 4900	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 4900	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 4900	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 4900	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 4900	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 4900	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 4900	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 4900	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 4900	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 4900	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 4900	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 4900	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 4900	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 4900	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 4900	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 4900	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 4900	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 4900	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 4900	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 4900	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 4900	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 4900	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 4900	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 4900	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 4900	2888	chrome.exe	chrome.exe
PID 2888 wrote to memory of 4900	2888	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\drw_trial_installer.947914a10722851.exe
"C:\Users\Admin\AppData\Local\Temp\drw_trial_installer.947914a10722851.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2trial\EDownloader.exe
  "C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2trial\EDownloader.exe" EXEDIR=C:\Users\Admin\AppData\Local\Temp ||| EXENAME=drw_trial_installer.947914a10722851.exe ||| DOWNLOAD_VERSION=trial ||| PRODUCT_VERSION=2.0.0 ||| INSTALL_TYPE=0
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4772
- - C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2trial\aliyun\InfoForSetup.exe
    /Uid "S-1-5-21-3699363923-1875576828-3287151903-1000"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4052
- - C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2trial\aliyun\InfoForSetup.exe
    /SendInfo Window "Web_Installer" Activity "Result_Run_Installer" Attribute "{\"Country\":\"United States\",\"Pageid\":\"947914a10722851\",\"Timezone\":\"GMT-00:00\"}"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3600
  - - C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2trial\aliyun\AliyunWrapExe.Exe
      C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2trial\aliyun\AliyunWrapExe.Exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4264
- - C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2trial\aliyun\InfoForSetup.exe
    /SendInfo Window "Home_Installer" Activity "Click_Fold_Custom"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:660
- - C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2trial\aliyun\InfoForSetup.exe
    /SendInfo Window "Home_Installer" Activity "Click_Install" Attribute "{\"Country\":\"United States\",\"Install_Path\":\"C:/Program Files/EaseUS/EaseUS Data Recovery Wizard\",\"Language\":\"English\",\"Os\":\"Microsoft Windows 10\",\"Pageid\":\"947914a10722851\",\"Timezone\":\"GMT-00:00\"}"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4440
- - C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2trial\aliyun\InfoForSetup.exe
    /SendInfo Window "Home_Installer" Activity "Result_Download_Configurefile" Attribute "{\"CDN\":\"http://download.easeus.com/api2/index.php/Apicp/Drwdl202004/index/\",\"Elapsed\":\"2\",\"Errorinfo\":\"0\",\"PostURL\":\"http://download.easeus.com/api2/index.php/Apicp/Drwdl202004/index/?exeNumber=947914a10722851&lang=English&pcVersion=home&pid=2&tid=1&version=trial\",\"ResponseJson\":\"{\\"check\\":1,\\"msg\\":\\"\\u6210\\u529f\\",\\"data\\":{\\"pid\\":\\"2\\",\\"download\\":\\"https:\\/\\/d1.easeus.com\\/drw\\/trial\\/drw18.0.0.0_trial.exe\\",\\"download2\\":\\"https:\\/\\/d2.easeus.com\\/drw\\/trial\\/drw18.0.0.0_trial.exe\\",\\"download3\\":\\"https:\\/\\/d3.easeus.com\\/drw\\/trial\\/drw18.0.0.0_trial.exe\\",\\"version\\":\\"trial\\",\\"curNum\\":\\"18.0\\",\\"testid\\":\\"TR180_202458-05081\\",\\"url\\":[],\\"md5\\":\\"585BD9E7792F64543430AE99DC2043AC\\",\\"tj_download\\":\\"test\\",\\"referNumber\\":\\"1000000\\",\\"killSwitch\\":\\"true\\",\\"WriteLogSwitch\\":\\"false\\",\\"configid\\":\\"\\"},\\"time\\":1716594883}\",\"Result\":\"Success\"}"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4720
- - C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2trial\aliyun\InfoForSetup.exe
    /SendInfo Window "Downloading" Activity "Info_Start_Download_Program" Attribute "{\"Downloadfrom\":\"https://d1.easeus.com/drw/trial/drw18.0.0.0_trial.exe\",\"Pageid\":\"947914a10722851\",\"Testid\":\"TR180_202458-05081\",\"Version\":\"trial\",\"Versionnumber\":\"18.0\"}"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffa3b189758,0x7ffa3b189768,0x7ffa3b189778
  2⤵
  PID:2488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=480 --field-trial-handle=1776,i,15061315779394021866,2820624124190992987,131072 /prefetch:2
  2⤵
  PID:4900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1808 --field-trial-handle=1776,i,15061315779394021866,2820624124190992987,131072 /prefetch:8
  2⤵
  PID:932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1352 --field-trial-handle=1776,i,15061315779394021866,2820624124190992987,131072 /prefetch:8
  2⤵
  PID:1036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2920 --field-trial-handle=1776,i,15061315779394021866,2820624124190992987,131072 /prefetch:1
  2⤵
  PID:3576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2928 --field-trial-handle=1776,i,15061315779394021866,2820624124190992987,131072 /prefetch:1
  2⤵
  PID:4332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4412 --field-trial-handle=1776,i,15061315779394021866,2820624124190992987,131072 /prefetch:1
  2⤵
  PID:3600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4608 --field-trial-handle=1776,i,15061315779394021866,2820624124190992987,131072 /prefetch:8
  2⤵
  PID:852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4600 --field-trial-handle=1776,i,15061315779394021866,2820624124190992987,131072 /prefetch:8
  2⤵
  PID:1576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 --field-trial-handle=1776,i,15061315779394021866,2820624124190992987,131072 /prefetch:8
  2⤵
  PID:3496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4848 --field-trial-handle=1776,i,15061315779394021866,2820624124190992987,131072 /prefetch:8
  2⤵
  PID:1752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4668 --field-trial-handle=1776,i,15061315779394021866,2820624124190992987,131072 /prefetch:8
  2⤵
  PID:2748
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:4556
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x24c,0x250,0x254,0x228,0x258,0x7ff6b7857688,0x7ff6b7857698,0x7ff6b78576a8
    3⤵
    PID:4996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5408 --field-trial-handle=1776,i,15061315779394021866,2820624124190992987,131072 /prefetch:1
  2⤵
  PID:2332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5092 --field-trial-handle=1776,i,15061315779394021866,2820624124190992987,131072 /prefetch:1
  2⤵
  PID:4352

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3820

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\2bc735517e41482fa1f08636888cd807 /t 4420 /p 4772
1⤵
PID:4388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\8f2a2a22-4200-460a-9b8d-b3a379c570e6.tmp

Filesize
277KB

MD5
48c806d089266f064ff13ab43f7cdde0

SHA1
784bf5615c6f14c9322862de0f30d2a77f8dde1d

SHA256
7a3d56ef810fc859b9fcccbd3fb2104ed3ed05ac9ede7d0c7622ed742898086a

SHA512
a7273b3d02c44bfb3b663fd3d9b3eed58542d574bad8882c8e1b7b25379366dfc8d2fd75bf7369828aa92a7b2ce4571996ce2703cbc8483d8ef59f54961b5b8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\89383459-f673-4e1b-802d-625c0a3f6953.tmp

Filesize
6KB

MD5
c541d05d3e36a24294efec88344ad848

SHA1
01cea72cbed89d488890740feb6a8a9c8087acd3

SHA256
94bacc14af0b5c642f49785978e0faeb7439bfef02293f7fea7184dae0e629d6

SHA512
862a9a331eaf9809599f7d7a4ea5c974a54311e38affc6eab82d3bb9052bdb28d30803e8ed6a4def197f8a01901a223d7e5e340693951a456846680cd7fdf63a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
8f87f33c81ae4d85f5adc527170b1051

SHA1
bdcd4332c11bdbe53cb457a819737cb7834c1f46

SHA256
b34c913e3921fb600908253dcb0531a7bb3dcef601710838c6db8ef06a4bc25d

SHA512
80a5e78feda2862d6d9e2981c2d61036fa351456d1b3805c7878c1eb84b859b7737a5188a5f71d4e5b53c0ffdc5e7551228714b7fa570e70cbe7cca2f9e24b38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
b17a2daf1e333a0b0ac4096e4b8ffb1c

SHA1
bb0c9120fd9f90cce2da23beebcbc2f537ef0681

SHA256
d6e14994213bc65d45e5d1e6782f43c3c34ca54fc90d2a57c2fcbce099a4f218

SHA512
ef4fca7bcd6b9f54181ad27ac55b45647a9a2cf6a0c5e5fc5c6433d09fd8253fe25fe26513aa67368ec09d0dc2cb0cc67cca254bd667bc96922c1269fa6511ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
f0f4aca9ac5429c8dc2c4c604833943f

SHA1
442a7ac7e7c3ef045e2f0cf718bb0954bd830add

SHA256
713517aaa66d9820cba7299defe239b558ab5ed3eeab02019be252674f27391a

SHA512
1340eef141432ed4bbf7f974cfe67223c3247d20c37dbf28bc8665cb01f765c0d6bc20cf86d9b817ca0b6c71fd4da88023acc087ca2ddcd69b3c1e157590e813

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
da3937180c887f8c7b0f3bc749c4b7e2

SHA1
975910ae7e2c90fb6814ecc7043c7aec92182996

SHA256
3c5ee6c95afa638f718cafbd657f45411a1fc608c915b9804f8cf6562f0454bf

SHA512
e5b57f89666febf9dea497332a3c4321f60efa313200822641e185f34823cd59d6ad3c3de2c24ae81c614e2f298b0c723a89b809b6d72799c563740d62bf08f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e25e55a8cc626ad6ffcc67ccd35302b3

SHA1
b8eb3db93ce58154f8bde2b57e0aef5aa57be02f

SHA256
4d0890740faf6b94ae768e509fed79e2316338a1200c233c51ae9012c41e5ad6

SHA512
9427e134bc09d7aa50cd08c86f737fb1e5af3687dd25010f652554344623beb43fb21cc28a56548bc3b9c2d974f5c82b2bbe92738c366eb97458e6b7d46c302a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
12KB

MD5
e1cbf15de7e1568fb8c2ad183e7866ee

SHA1
f8e3f9226d0fa113205daffa8d31f80ccfdc7cd0

SHA256
4061d38190c96f54b5633700fc82b5fbb8fd01e6a6557dd2b06c5d30e0a2cbed

SHA512
ce09598fb03407370a28977795360545a14b0592e1c5f9b907a56d3f02c2b77acca762500d2d4f30f0b27eddb4ec96ab97aa440e7db2870478c956e107ac5e6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
277KB

MD5
f324f72a3a86b4ebe6932fd671306c1b

SHA1
c855104f8ae9a355ad554f99f8425e0faf208c08

SHA256
f693a68e936fccf31fdbc0212443ab2008d0ad058c0cfa541ceba9ccbdc6167a

SHA512
4d776a9b5cd5d3c7530667588702c6196e455f3652c1f4ef1029bedce946f12d79cb1a96b41967b49c77c574d67e7ef6880b5eef0e29ec07eb8eef732142b7fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2trial\EDownloader.exe

Filesize
1.2MB

MD5
8a250a75859fe52116e706a640e6d77c

SHA1
473c36d9d80173636faeeb0ae4ae9e047e4e9d8b

SHA256
823ab6955052ef34218559b53d4f15224b5a850b532672fa33a7634dc74981dc

SHA512
4b519b1de8f6647a5cbbda11084d096e8bbfe8f694f4fda0e0f244b477f3f15c143254b044b046302ac79b136377894027d9baa2d4ba67ed38f5a55f480a44b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2trial\EasyLog.log

Filesize
1KB

MD5
224a74e5401adb1067de7394957eed21

SHA1
edbc0abacf9f5ac0415fdbe69da3fa03b5496433

SHA256
e6e0b8eae7e251c80f1b0eafab5657f451b61e256097833ae8a633c365c8d169

SHA512
decda3c74b886ba7444fce306a633e81f2c827aea337b7313773bf196703e36015380fe7980f39227d3fb6ac41d4b32682ebe034935446dc9b0b9c55367aeafc

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2trial\English.ini

Filesize
3KB

MD5
514c7cfa0101eae70994afd3fa7801c3

SHA1
bd6249fe023542c5be1180b76343e4e220be7148

SHA256
a6237a06959f1bf65fc2b3e77ae509d3bca1713340227b7fbb66e28da4f84404

SHA512
d889ffd4495ec023394d1170b97bf40fad9ff202b36500fe85d6620cc08e3c42580caf6992c09817646a93d253cfece8e94b66b14e6eee5cefce3f91b5fa4919

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2trial\InitConfigure.ini

Filesize
4KB

MD5
b71a433376606884d121f5017d0b58f2

SHA1
338c2eccc9d45aea410650302dc2d6ed5c27b24d

SHA256
3833439cf03c0151a53b05e080878d39c36c28f68cbfcd2b6673a7b4acb3bc0d

SHA512
8b4ac6c2eddcc774eae8224dff2e3a618a041e0dc0241cf8f469ce53e771da28bf9836df46aeead0162172b58b67b71007dfc1bcee05d8bfde5a41f2beacd32a

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2trial\LanguageTransfor.ini

Filesize
325B

MD5
ffe692a67871185785ec705b1cc12c81

SHA1
06a12bffdff33024a7b8798bdcdcda1fd7255bcc

SHA256
373bec6e7976324ff879c2988bab772c69336d7bcb9a32386a6021568350a824

SHA512
7ecdb5a4e625370888fb3a827cb668e934e29ca764177fca04e4eb620bec2b664fe498c0e9e73288bf977006eaba9618a4dc5a169e0fc5588a0874d9e6bb6c50

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2trial\aliyun\AliyunConfig.ini

Filesize
1KB

MD5
ddee6d5863af89fb25409539a9f12258

SHA1
64babfd8c320f384255c1232daf02d3198c7d169

SHA256
68237b2c41226ff766a2a6371d0a57ec93b14457f2261942848b6f741df9ea45

SHA512
e7ac2f4a10f12b7886e2fee9d4ae65bd7304600925d765f7d27c50ea7a8a91480fb7abc98bde1b86aa55b3df4981e00a489d4a6e76de4218f988fe8b999bdbee

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2trial\aliyun\AliyunWrap.DLL

Filesize
482KB

MD5
58968e221f2522d98dbfe7574d0c44aa

SHA1
424b55216f2c832202c01363e013546380f5312a

SHA256
265170e701ec453b13249e7a4e4f401b87fae79442cce77060213ebcd03828c0

SHA512
9bba6ffbec9b6d3de7b530b056098465a54b66494db7e7ca82e8c98802fb5a1cb500f5d505387f2a33fb9a42a533d5838b1125ef14afad11285410652c6f07b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2trial\aliyun\AliyunWrapExe.exe

Filesize
107KB

MD5
f3b9a2d94682fee26fc079ba1e0fb040

SHA1
ff9e89fbcb6939095ecfa34438d9e6ebf9ad6fb4

SHA256
cdc9ee419589b8e378b030a5180b12cf4e1fc2fa132dbaf0e961adbe3c782e55

SHA512
40baa3d59eb931eeab583ecbd4526031bc8d455192d69c3f87b9220ebaab194a2922e4a3e9e36db3a587f56961c0686b81bcec8382ac02f968f31b566581bbbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2trial\aliyun\DataFile.ini

Filesize
1KB

MD5
5c3dbf72310f69f52fb8f3d69c6daabb

SHA1
96e99b0b031dabef6ab6dbe4c956e77442369cd3

SHA256
9758bc2b55f88c675339a09830abaad1589552d57163b0c063b08998d6996c6e

SHA512
2324ab473b5837bdf3cb0ae4b4d43e06a394049edcd2f3a5fd688f452fef6a2cba830b64d9a4a99021ce4d4a0d8c7696873a34eab7d1a63ac63e8edaa98a5307

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2trial\aliyun\DataFile.ini

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2trial\aliyun\DataFile.ini

Filesize
808B

MD5
affb3d3b31e39fdde58d03dd1bb72d1b

SHA1
9de040f2eee158d0095572c756efbdcb36beaa58

SHA256
4a7166b9ddb8f72584337c51af20e6f6d145a8b167922f4472463cd1e46a5e69

SHA512
d669e9a198fcb48f4b0ed087eb5dd0d10eb7ac6f1cb3edecc9ea44746e455d797abb84b2c792e86ad25d75396b9baf4e2faab8dfdfa04c2febe1ed2297fbfd2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2trial\aliyun\DataFile.ini

Filesize
2KB

MD5
a6ce22635e674dd58266f738aa2f80c1

SHA1
0d1e1ce405a60938d5ad6afb649e3235d9cfa91a

SHA256
4174ec76ddcdaef40a543dbf1598be1ada42101e248d1641722e29484652a9a1

SHA512
7832535d8481e1b81b7beab3a4ab4e725a8a94008ab8f7c0b6fd8f2367b7e7da590f28cf03418f315ceb53330d552987d192ada6311a8ebe264ff5a76d772e73

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2trial\aliyun\DataFile.ini

Filesize
780B

MD5
770b9256911a57345088454429b6e9b9

SHA1
17cb66ce70af9a17811911511999b38c10ac2e95

SHA256
51c874b842b2c5b26ec0c0cbf235a26007ff3bfbf2733e7959a5b8e1df0b060d

SHA512
78d6aec14205b000d08a26e286058248c54a782e17b37ddab1dfaee128012c30ebcc80b4a3a7e4f4446c3e00a26d30457f3174c0eb49ad247c426e0728950381

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2trial\aliyun\DataFile.ini

Filesize
584B

MD5
5541f98a0affd7361252ebf3191838c8

SHA1
3d5f25682b302d980b8ea6df9fe2f64bb5566e26

SHA256
29762d30debc93347288d2e3f35168c865686aec2f4dc512e687dba44ac833b6

SHA512
b1bfd8bdee939a19e98d30435162817df561d74922fff8e787f4f94c594b0d8cd7adb7a94a42e54cb0686c098791f82a38e5f62063022081bdf9acd3a1a5133f

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2trial\aliyun\DataFile.ini

Filesize
88B

MD5
7f411750d07619f38537e7fd612b8b44

SHA1
cda241a1ce5141288582c8f0ac4850992b427bdc

SHA256
ae89726af2bd0c0218fbf63af20d4464f44dced5156364d817b6e73afc8e9f87

SHA512
35dad46325060004a66e01e10af6a3ebfd94b6751347b6ec64840c4ec03d81480fc324494ea39dded03bf2f1a1ce352b15ab518d14214c15567af17fb32f16b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2trial\aliyun\InfoForSetup.exe

Filesize
66KB

MD5
99891aaa0e15b2a514a4ff5c9ec03f4d

SHA1
faf215763908a9a6b8413c7e40293fe4be9bfe7b

SHA256
505ab42f0f376a4d8576bbec9cfdce43deabe168356dee760000319a73e72611

SHA512
36f6d66987506a938faa7503e0fa3a6cf76aa9ca6a30ea7cb7e80d058cf203eae152ef97b2329ba83bb18fc70430a2e00e9aa1f408e94b132813b4bf741697de

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2trial\aliyun\tempInfo.web

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2trial\downloader.ico

Filesize
65KB

MD5
e7ba7ed202773284c3dd85e4162c38d3

SHA1
7467da2d1455c5af1419da18feae2cb5c3558a3d

SHA256
aa4df8b6f5bc456121eafd03857098e56a4357a2bae7cdd651cafd2cfd78ac7d

SHA512
87dca3bcef8b309a501ffe3eefb5b20194dcf3b9729f024577f3d57dc025643e556c5c01797606483590e5dbd28502425c5f603a0077cc2e4561dddd0322efc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloader_easeus\2.0.0\2trial\skin.zip

Filesize
1.4MB

MD5
784c6f9b53521f4cb115532f49b67a36

SHA1
7dcd0e24b7940156fc5be4edb185a57a030b45ef

SHA256
a0951464134e2af94ecd389ea9c0f3d784bae909f60eb2f45d7764b4dbde7a73

SHA512
88851e60a1ec3974558b45e422b2a6b412a2a87603e9a1a61ba5491d2c8475c269f29164dd25ac7a3c72d0ad190437e0dc93c02c6a9f2c85ba599c89ed315f21

Download Submit