63c4bb88c34923db9788828192dade8d7850736d9a681c3dc9f6a90ae05c2d3f

Resubmissions

15/06/2024, 16:17

240615-trpk3szhrk 1

15/06/2024, 16:14

240615-tpvpbawgre 1

15/06/2024, 16:11

240615-tmyceswgmc 3

15/06/2024, 16:07

240615-tk2l3awfrh 1

Analysis

max time kernel
150s
max time network
144s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
15/06/2024, 16:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ghost.bat
Size

28B
MD5

0aea348c791992cc0a5124925ebcb4f5
SHA1

cd2c331b3f72c8a681b76f59dfe09b825f36caf4
SHA256

63c4bb88c34923db9788828192dade8d7850736d9a681c3dc9f6a90ae05c2d3f
SHA512

bb08ce72a106e1cbc90b148a64826f0a9c502197f1fe0cbc250eb7f5e0b7f118d964fadcf44e2d408f584343a417890a75d8813662006f265a816ce793bad64e

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133629417580738056"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
10068	chrome.exe
10068	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
10068	chrome.exe
10068	chrome.exe
10068	chrome.exe
10068	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	10068	chrome.exe
Token: SeCreatePagefilePrivilege	10068	chrome.exe
Token: SeShutdownPrivilege	10068	chrome.exe
Token: SeCreatePagefilePrivilege	10068	chrome.exe
Token: SeShutdownPrivilege	10068	chrome.exe
Token: SeCreatePagefilePrivilege	10068	chrome.exe
Token: SeShutdownPrivilege	10068	chrome.exe
Token: SeCreatePagefilePrivilege	10068	chrome.exe
Token: SeShutdownPrivilege	10068	chrome.exe
Token: SeCreatePagefilePrivilege	10068	chrome.exe
Token: SeShutdownPrivilege	10068	chrome.exe
Token: SeCreatePagefilePrivilege	10068	chrome.exe
Token: SeShutdownPrivilege	10068	chrome.exe
Token: SeCreatePagefilePrivilege	10068	chrome.exe
Token: SeShutdownPrivilege	10068	chrome.exe
Token: SeCreatePagefilePrivilege	10068	chrome.exe
Token: SeShutdownPrivilege	10068	chrome.exe
Token: SeCreatePagefilePrivilege	10068	chrome.exe
Token: SeShutdownPrivilege	10068	chrome.exe
Token: SeCreatePagefilePrivilege	10068	chrome.exe
Token: SeShutdownPrivilege	10068	chrome.exe
Token: SeCreatePagefilePrivilege	10068	chrome.exe
Token: SeShutdownPrivilege	10068	chrome.exe
Token: SeCreatePagefilePrivilege	10068	chrome.exe
Token: SeShutdownPrivilege	10068	chrome.exe
Token: SeCreatePagefilePrivilege	10068	chrome.exe
Token: SeShutdownPrivilege	10068	chrome.exe
Token: SeCreatePagefilePrivilege	10068	chrome.exe
Token: SeShutdownPrivilege	10068	chrome.exe
Token: SeCreatePagefilePrivilege	10068	chrome.exe
Token: SeShutdownPrivilege	10068	chrome.exe
Token: SeCreatePagefilePrivilege	10068	chrome.exe
Token: SeShutdownPrivilege	10068	chrome.exe
Token: SeCreatePagefilePrivilege	10068	chrome.exe
Token: SeShutdownPrivilege	10068	chrome.exe
Token: SeCreatePagefilePrivilege	10068	chrome.exe
Token: SeShutdownPrivilege	10068	chrome.exe
Token: SeCreatePagefilePrivilege	10068	chrome.exe
Token: SeShutdownPrivilege	10068	chrome.exe
Token: SeCreatePagefilePrivilege	10068	chrome.exe
Token: SeShutdownPrivilege	10068	chrome.exe
Token: SeCreatePagefilePrivilege	10068	chrome.exe
Token: SeShutdownPrivilege	10068	chrome.exe
Token: SeCreatePagefilePrivilege	10068	chrome.exe
Token: SeShutdownPrivilege	10068	chrome.exe
Token: SeCreatePagefilePrivilege	10068	chrome.exe
Token: SeShutdownPrivilege	10068	chrome.exe
Token: SeCreatePagefilePrivilege	10068	chrome.exe
Token: SeShutdownPrivilege	10068	chrome.exe
Token: SeCreatePagefilePrivilege	10068	chrome.exe
Token: SeShutdownPrivilege	10068	chrome.exe
Token: SeCreatePagefilePrivilege	10068	chrome.exe
Token: SeShutdownPrivilege	10068	chrome.exe
Token: SeCreatePagefilePrivilege	10068	chrome.exe
Token: SeShutdownPrivilege	10068	chrome.exe
Token: SeCreatePagefilePrivilege	10068	chrome.exe
Token: SeShutdownPrivilege	10068	chrome.exe
Token: SeCreatePagefilePrivilege	10068	chrome.exe
Token: SeShutdownPrivilege	10068	chrome.exe
Token: SeCreatePagefilePrivilege	10068	chrome.exe
Token: SeShutdownPrivilege	10068	chrome.exe
Token: SeCreatePagefilePrivilege	10068	chrome.exe
Token: SeShutdownPrivilege	10068	chrome.exe
Token: SeCreatePagefilePrivilege	10068	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
10068	chrome.exe
10068	chrome.exe
10068	chrome.exe
10068	chrome.exe
10068	chrome.exe
10068	chrome.exe
10068	chrome.exe
10068	chrome.exe
10068	chrome.exe
10068	chrome.exe
10068	chrome.exe
10068	chrome.exe
10068	chrome.exe
10068	chrome.exe
10068	chrome.exe
10068	chrome.exe
10068	chrome.exe
10068	chrome.exe
10068	chrome.exe
10068	chrome.exe
10068	chrome.exe
10068	chrome.exe
10068	chrome.exe
10068	chrome.exe
10068	chrome.exe
10068	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
10068	chrome.exe
10068	chrome.exe
10068	chrome.exe
10068	chrome.exe
10068	chrome.exe
10068	chrome.exe
10068	chrome.exe
10068	chrome.exe
10068	chrome.exe
10068	chrome.exe
10068	chrome.exe
10068	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 4332	4588	cmd.exe	78
PID 4588 wrote to memory of 4332	4588	cmd.exe	78
PID 4588 wrote to memory of 3140	4588	cmd.exe	79
PID 4588 wrote to memory of 3140	4588	cmd.exe	79
PID 4588 wrote to memory of 428	4588	cmd.exe	80
PID 4588 wrote to memory of 428	4588	cmd.exe	80
PID 4588 wrote to memory of 1576	4588	cmd.exe	81
PID 4588 wrote to memory of 1576	4588	cmd.exe	81
PID 4588 wrote to memory of 5108	4588	cmd.exe	82
PID 4588 wrote to memory of 5108	4588	cmd.exe	82
PID 4588 wrote to memory of 3624	4588	cmd.exe	83
PID 4588 wrote to memory of 3624	4588	cmd.exe	83
PID 4588 wrote to memory of 3712	4588	cmd.exe	84
PID 4588 wrote to memory of 3712	4588	cmd.exe	84
PID 4588 wrote to memory of 1720	4588	cmd.exe	85
PID 4588 wrote to memory of 1720	4588	cmd.exe	85
PID 4588 wrote to memory of 2412	4588	cmd.exe	87
PID 4588 wrote to memory of 2412	4588	cmd.exe	87
PID 4588 wrote to memory of 224	4588	cmd.exe	88
PID 4588 wrote to memory of 224	4588	cmd.exe	88
PID 4588 wrote to memory of 244	4588	cmd.exe	89
PID 4588 wrote to memory of 244	4588	cmd.exe	89
PID 4588 wrote to memory of 236	4588	cmd.exe	90
PID 4588 wrote to memory of 236	4588	cmd.exe	90
PID 4588 wrote to memory of 2132	4588	cmd.exe	91
PID 4588 wrote to memory of 2132	4588	cmd.exe	91
PID 4588 wrote to memory of 908	4588	cmd.exe	93
PID 4588 wrote to memory of 908	4588	cmd.exe	93
PID 4588 wrote to memory of 4800	4588	cmd.exe	94
PID 4588 wrote to memory of 4800	4588	cmd.exe	94
PID 4588 wrote to memory of 4428	4588	cmd.exe	96
PID 4588 wrote to memory of 4428	4588	cmd.exe	96
PID 4588 wrote to memory of 2644	4588	cmd.exe	97
PID 4588 wrote to memory of 2644	4588	cmd.exe	97
PID 4588 wrote to memory of 3740	4588	cmd.exe	98
PID 4588 wrote to memory of 3740	4588	cmd.exe	98
PID 4588 wrote to memory of 4596	4588	cmd.exe	100
PID 4588 wrote to memory of 4596	4588	cmd.exe	100
PID 4588 wrote to memory of 2356	4588	cmd.exe	103
PID 4588 wrote to memory of 2356	4588	cmd.exe	103
PID 4588 wrote to memory of 2756	4588	cmd.exe	104
PID 4588 wrote to memory of 2756	4588	cmd.exe	104
PID 4588 wrote to memory of 2088	4588	cmd.exe	106
PID 4588 wrote to memory of 2088	4588	cmd.exe	106
PID 4588 wrote to memory of 3860	4588	cmd.exe	108
PID 4588 wrote to memory of 3860	4588	cmd.exe	108
PID 4588 wrote to memory of 2264	4588	cmd.exe	109
PID 4588 wrote to memory of 2264	4588	cmd.exe	109
PID 4588 wrote to memory of 2212	4588	cmd.exe	110
PID 4588 wrote to memory of 2212	4588	cmd.exe	110
PID 4588 wrote to memory of 5080	4588	cmd.exe	111
PID 4588 wrote to memory of 5080	4588	cmd.exe	111
PID 4588 wrote to memory of 776	4588	cmd.exe	112
PID 4588 wrote to memory of 776	4588	cmd.exe	112
PID 4588 wrote to memory of 1928	4588	cmd.exe	113
PID 4588 wrote to memory of 1928	4588	cmd.exe	113
PID 4588 wrote to memory of 4488	4588	cmd.exe	114
PID 4588 wrote to memory of 4488	4588	cmd.exe	114
PID 4588 wrote to memory of 4704	4588	cmd.exe	115
PID 4588 wrote to memory of 4704	4588	cmd.exe	115
PID 4588 wrote to memory of 3188	4588	cmd.exe	118
PID 4588 wrote to memory of 3188	4588	cmd.exe	118
PID 4588 wrote to memory of 4612	4588	cmd.exe	120
PID 4588 wrote to memory of 4612	4588	cmd.exe	120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Ghost.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4332
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3140
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:428
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1576
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5108
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3624
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3712
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1720
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2412
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:224
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:244
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:236
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2132
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:908
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4800
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4428
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2644
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3740
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4596
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2356
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2756
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2088
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3860
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2264
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2212
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5080
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:776
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1928
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4488
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4704
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3188
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4612
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3096
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3848
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1808
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2060
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4636
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3440
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4692
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3320
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3728
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4064
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4552
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:616
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2860
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:420
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1288
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4820
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2684
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4236
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4904
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2336
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3500
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4240
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4564
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5104
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4676
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4116
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4920
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2180
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4308
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2728
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5012
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1076
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4392
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2544
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2908
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3316
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1884
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2256
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3148
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2360
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1580
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1156
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4156
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:836
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3424
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3060
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2340
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1236
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3628
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:992
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1284
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:448
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2532
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1148
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3156
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3204
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:72
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4480
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:924
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2172
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3180
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2976
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:400
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1204
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6296
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6488
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6532
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6540
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6548
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6556
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6564
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6572
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7972
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7984
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8000
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8008
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8016
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8024
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8032
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8040
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8056
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8428
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8444
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8468
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8476
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8484
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8492
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8500
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8508
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8516
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8524
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8532
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8540
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8548
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8556
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8564
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8572
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8580
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8588
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8596
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8604
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8612
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8620
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8628
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:8952
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9336
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9500
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9524
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9552
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:9568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:10068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x108,0x10c,0x110,0xe8,0x114,0x7ff947edab58,0x7ff947edab68,0x7ff947edab78
  2⤵
  PID:2572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1516 --field-trial-handle=1772,i,17997296102057507029,17357717074679471356,131072 /prefetch:2
  2⤵
  PID:8108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1772,i,17997296102057507029,17357717074679471356,131072 /prefetch:8
  2⤵
  PID:8840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2200 --field-trial-handle=1772,i,17997296102057507029,17357717074679471356,131072 /prefetch:8
  2⤵
  PID:8148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1772,i,17997296102057507029,17357717074679471356,131072 /prefetch:1
  2⤵
  PID:8204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3124 --field-trial-handle=1772,i,17997296102057507029,17357717074679471356,131072 /prefetch:1
  2⤵
  PID:7520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4260 --field-trial-handle=1772,i,17997296102057507029,17357717074679471356,131072 /prefetch:1
  2⤵
  PID:8164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4388 --field-trial-handle=1772,i,17997296102057507029,17357717074679471356,131072 /prefetch:8
  2⤵
  PID:8128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4424 --field-trial-handle=1772,i,17997296102057507029,17357717074679471356,131072 /prefetch:8
  2⤵
  PID:9492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4496 --field-trial-handle=1772,i,17997296102057507029,17357717074679471356,131072 /prefetch:8
  2⤵
  PID:5668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4492 --field-trial-handle=1772,i,17997296102057507029,17357717074679471356,131072 /prefetch:8
  2⤵
  PID:9848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 --field-trial-handle=1772,i,17997296102057507029,17357717074679471356,131072 /prefetch:8
  2⤵
  PID:7316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4456 --field-trial-handle=1772,i,17997296102057507029,17357717074679471356,131072 /prefetch:1
  2⤵
  PID:8536

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:7372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
203KB

MD5
99916ce0720ed460e59d3fbd24d55be2

SHA1
d6bb9106eb65e3b84bfe03d872c931fb27f5a3db

SHA256
07118bf4bbc3ba87d75cbc11ddf427219a14d518436d7f3886d75301f897edaf

SHA512
8d3d52e57806d1850b57bffee12c1a8d9e1a1edcf871b2395df5c889991a183a8d652a0636d5452068f5ef78d37e08ce10b2b2f4e05c3e3c0f2f2230310418a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
812424a1e8a1307a16535b6e296f0374

SHA1
3aa1e8ab6fb38cc2b288fac571ceced7086b312f

SHA256
eb33ea7e87b3f79a477bb2468e97504175dd97e8ee0eb80e7a77c0d45e7bb78d

SHA512
2797ab8ba0800d4030a3ffc56486f8079ea5017b952b3666915c00fdd1b2c7ad172919d74b60e02c3595629545ad11560bf6997a39f38e62b8b073210866378c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
8a6ce86ae23a41dec74f1be1c7e114ae

SHA1
7420e4d99df9672f0e8288740fb348703fb6e194

SHA256
e20da40fdeef91da5e8d2fc6b5879664d7198db44229921c6987d8ae74860144

SHA512
5b5970627c48a6eade78c8e418353bd53ed5dae075c1e5175e8cd57c80c36d5a21e26257f4d84ad98388494501d79a80bac96f7fb909d5fcbff66cf914f27a0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
9f30239f7f8d217c68f0bcd79e43d2ae

SHA1
1cd02f8197ace0134fde0a3a1c05eb7fda7c3b98

SHA256
cc509e546bc6fbd1f7075c91ee66e596bdef0d1ce2c8421884c80932d89fcfa2

SHA512
5d0ad6afafbf5866ba8ae4d1726521d0f648a400d246256422cc43c18d591afdecaef63b2dc5f45d12371f816896336f70fb6ae9a986690642b3208ef11618b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
20d276966b7c70479260ad30061ab3cd

SHA1
e17a2885bf93f89e0fccd20e6b9775fd4a672100

SHA256
dac77a2a45c9cbdd12ae8b1e9c23c95131958d7d9eb1c8ab06cfcc9f1b4044c8

SHA512
76769121dac6e043cdba624af3caf6a18cc578fd4741e9cbb4a0c67efa7cc67d9dd36d3d665dcd4a62378713f6ae32def7da81146f5a14a2674edc7b8633d821

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
bcd0340e6aa56a3d29a9cb5f81b8e73a

SHA1
9493c2073f4e0e057aedddc02b5ed14177558c07

SHA256
9500ef6126edfcb58f9aa0a04ada6b8481cf0aead2481df6a7648448d17a846c

SHA512
90f439c84de5448aec7b2539db97884d5d8b779942f36fb4efa61c6d57369914ac8294ee051d4a4b2b0324116d592124624b958fc2938f23c2440bad3a0a5e89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
0067944edfdca970c6764a528ac4bda3

SHA1
4157ca1a15479485a9b4462afb7f74443e85d6a2

SHA256
1af624621b9fcf8eb3ffb9b8c1fd739250827c6fff7aa7e55d55a1b019a15ce5

SHA512
28c8b9a745fdf0b2a5d0c9f8243987affd0a2a60e1fcc315371b987ea55c89c4d0dd8ff734a166381fdcf52d22643236a8308e419130252a8ab8c6339e16ab39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
8135c4254479f83ac15f27525453ff68

SHA1
1197852a6f69aaf6d8038e17a4dc938207aed53a

SHA256
c309da604a3f4b17d31700cc4638ae7d79956ea9ffcc1daf29330349a5905134

SHA512
53c81bb64f3e6f9540aa54e0f66555ddef924f4087959ed3def29ea129092e30c84904c275c2fcef4d9e715f298e4f59f162d123f89947402c04ca74cf6fce34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
9915dec8a37af4e5a52006afc161d90e

SHA1
8ba51a1797330078dfa6fb867db076544cdb82e0

SHA256
5a2781e96581f4c5146b273c291ba155e1f444fb1ae586881a84bd971bcc4cb7

SHA512
9139d0b898755cd77724b76b727cdcaa874e6fff02b2326e9aa03576d1a62fc651e14907aae2d9211526b957e0456aa0c1e5e386d1aced2d7cf901a256b3e805

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
3f9e179993438b6b55b3da59566bd7cb

SHA1
1a913f894a9fef34d7710f91bc365b0f903435e9

SHA256
cfa3715bf03c71758d5ac5e5466cb780e2ed1c0ecfbb079cbf015776dc90190a

SHA512
04a552436b5e25276f40bc37d2b815403ba3fb3220df7f392eaae7956a128581b5f44ff31eb34de0da126a181cc6b6ae5a4fe66412c5f79ff82b3eaf088710cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
d4de16f88525b865106da2e3a1c1763d

SHA1
a7d6ccec2fb087af72faeb0f7b4cdbf3acdce387

SHA256
9cc12398896a3cb3ec8d928023ce6165d4ba128d3eff20e2ad86af39e21671a5

SHA512
ce5939ffc4dd11925adecdb76a3990a5b1069ab20080f54b818a40e6823bc8ca2331be5422e865c358eff5b60ef16076dd82687b8cfebcdf6dc9a5d464ae1ef0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
276KB

MD5
c637bc3f1eae873d344b0f8111bd0a2a

SHA1
d7122d4082d2c139a74d8955bf3f7227b18b53e6

SHA256
81e6c300c72523a7fa72b7608df5f30e70d334a7978d93415816e99757100bc7

SHA512
100318ff086f037f82180282c2ad4d8a7967ee2515c34e2ae9a0b638a47ca9ef38a326acc68b330e3d9ecbd126f5cfee61a3dd244b90e0b898655697425163d0

Download Submit