c6e6cdba209f899e5087f1a1a4babc759414b4a687b60ba4bce62b6b37e8e82b

Analysis

max time kernel
1199s
max time network
1106s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
12/07/2024, 05:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rufus-4.5p.exe
Size

1.4MB
MD5

129e5bbf63d8299d027186eafe92754a
SHA1

c50bd94af6af186edc536ec6ff83bdd233586618
SHA256

c6e6cdba209f899e5087f1a1a4babc759414b4a687b60ba4bce62b6b37e8e82b
SHA512

a87a4b44ec3ce37a0da546a805f688bd3a68b52d662a294b8193717f383938f99fa68e50dddf9f012aad7b51e98fd017f6b757ca15332d79a2bb6b882c379a05
SSDEEP

24576:K9+dyknYGIOeicfIgMFbnMt0t6Hmx5N2MJJMex8R00nea7jNqeveiWRKreZMIlEE:K9+dpYGD6HeMet6HmjZMD6KeChVW5ZDB

Score

7^/10

evasion trojan upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3800-0-0x00007FF7091B0000-0x00007FF7095CF000-memory.dmp	upx
behavioral1/memory/3800-57-0x00007FF7091B0000-0x00007FF7095CF000-memory.dmp	upx
behavioral1/memory/3800-93-0x00007FF7091B0000-0x00007FF7095CF000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rufus-4.5p.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	rufus-4.5p.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	rufus-4.5p.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	rufus-4.5p.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	rufus-4.5p.exe

Checks SCSI registry key(s) 3 TTPs 15 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_QEMU&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	rufus-4.5p.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	rufus-4.5p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	rufus-4.5p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_QEMU&PROD_HARDDISK\4&215468A5&0&000000	rufus-4.5p.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters	rufus-4.5p.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	rufus-4.5p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	rufus-4.5p.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	rufus-4.5p.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	rufus-4.5p.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Service	rufus-4.5p.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	rufus-4.5p.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133652369846567780"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1772	chrome.exe
1772	chrome.exe
1056	chrome.exe
1056	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3800	rufus-4.5p.exe
Token: SeLoadDriverPrivilege	3800	rufus-4.5p.exe
Token: SeLoadDriverPrivilege	3800	rufus-4.5p.exe
Token: SeLoadDriverPrivilege	3800	rufus-4.5p.exe
Token: SeLoadDriverPrivilege	3800	rufus-4.5p.exe
Token: SeLoadDriverPrivilege	3800	rufus-4.5p.exe
Token: SeLoadDriverPrivilege	3800	rufus-4.5p.exe
Token: SeLoadDriverPrivilege	3800	rufus-4.5p.exe
Token: SeLoadDriverPrivilege	3800	rufus-4.5p.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe
Token: SeCreatePagefilePrivilege	1772	chrome.exe
Token: SeShutdownPrivilege	1772	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
3800	rufus-4.5p.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe
1772	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 644	1772	chrome.exe	79
PID 1772 wrote to memory of 644	1772	chrome.exe	79
PID 1772 wrote to memory of 1352	1772	chrome.exe	81
PID 1772 wrote to memory of 1352	1772	chrome.exe	81
PID 1772 wrote to memory of 1352	1772	chrome.exe	81
PID 1772 wrote to memory of 1352	1772	chrome.exe	81
PID 1772 wrote to memory of 1352	1772	chrome.exe	81
PID 1772 wrote to memory of 1352	1772	chrome.exe	81
PID 1772 wrote to memory of 1352	1772	chrome.exe	81
PID 1772 wrote to memory of 1352	1772	chrome.exe	81
PID 1772 wrote to memory of 1352	1772	chrome.exe	81
PID 1772 wrote to memory of 1352	1772	chrome.exe	81
PID 1772 wrote to memory of 1352	1772	chrome.exe	81
PID 1772 wrote to memory of 1352	1772	chrome.exe	81
PID 1772 wrote to memory of 1352	1772	chrome.exe	81
PID 1772 wrote to memory of 1352	1772	chrome.exe	81
PID 1772 wrote to memory of 1352	1772	chrome.exe	81
PID 1772 wrote to memory of 1352	1772	chrome.exe	81
PID 1772 wrote to memory of 1352	1772	chrome.exe	81
PID 1772 wrote to memory of 1352	1772	chrome.exe	81
PID 1772 wrote to memory of 1352	1772	chrome.exe	81
PID 1772 wrote to memory of 1352	1772	chrome.exe	81
PID 1772 wrote to memory of 1352	1772	chrome.exe	81
PID 1772 wrote to memory of 1352	1772	chrome.exe	81
PID 1772 wrote to memory of 1352	1772	chrome.exe	81
PID 1772 wrote to memory of 1352	1772	chrome.exe	81
PID 1772 wrote to memory of 1352	1772	chrome.exe	81
PID 1772 wrote to memory of 1352	1772	chrome.exe	81
PID 1772 wrote to memory of 1352	1772	chrome.exe	81
PID 1772 wrote to memory of 1352	1772	chrome.exe	81
PID 1772 wrote to memory of 1352	1772	chrome.exe	81
PID 1772 wrote to memory of 1352	1772	chrome.exe	81
PID 1772 wrote to memory of 1352	1772	chrome.exe	81
PID 1772 wrote to memory of 1352	1772	chrome.exe	81
PID 1772 wrote to memory of 1352	1772	chrome.exe	81
PID 1772 wrote to memory of 1352	1772	chrome.exe	81
PID 1772 wrote to memory of 1352	1772	chrome.exe	81
PID 1772 wrote to memory of 1352	1772	chrome.exe	81
PID 1772 wrote to memory of 1352	1772	chrome.exe	81
PID 1772 wrote to memory of 1352	1772	chrome.exe	81
PID 1772 wrote to memory of 696	1772	chrome.exe	82
PID 1772 wrote to memory of 696	1772	chrome.exe	82
PID 1772 wrote to memory of 660	1772	chrome.exe	83
PID 1772 wrote to memory of 660	1772	chrome.exe	83
PID 1772 wrote to memory of 660	1772	chrome.exe	83
PID 1772 wrote to memory of 660	1772	chrome.exe	83
PID 1772 wrote to memory of 660	1772	chrome.exe	83
PID 1772 wrote to memory of 660	1772	chrome.exe	83
PID 1772 wrote to memory of 660	1772	chrome.exe	83
PID 1772 wrote to memory of 660	1772	chrome.exe	83
PID 1772 wrote to memory of 660	1772	chrome.exe	83
PID 1772 wrote to memory of 660	1772	chrome.exe	83
PID 1772 wrote to memory of 660	1772	chrome.exe	83
PID 1772 wrote to memory of 660	1772	chrome.exe	83
PID 1772 wrote to memory of 660	1772	chrome.exe	83
PID 1772 wrote to memory of 660	1772	chrome.exe	83
PID 1772 wrote to memory of 660	1772	chrome.exe	83
PID 1772 wrote to memory of 660	1772	chrome.exe	83
PID 1772 wrote to memory of 660	1772	chrome.exe	83
PID 1772 wrote to memory of 660	1772	chrome.exe	83
PID 1772 wrote to memory of 660	1772	chrome.exe	83
PID 1772 wrote to memory of 660	1772	chrome.exe	83
PID 1772 wrote to memory of 660	1772	chrome.exe	83
PID 1772 wrote to memory of 660	1772	chrome.exe	83

C:\Users\Admin\AppData\Local\Temp\rufus-4.5p.exe
"C:\Users\Admin\AppData\Local\Temp\rufus-4.5p.exe"
1⤵
- Checks whether UAC is enabled
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3800

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:4872

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:4016

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:1416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff8cf9b9758,0x7ff8cf9b9768,0x7ff8cf9b9778
  2⤵
  PID:644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1532 --field-trial-handle=1768,i,3869821357449549633,10035585542478727055,131072 /prefetch:2
  2⤵
  PID:1352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1832 --field-trial-handle=1768,i,3869821357449549633,10035585542478727055,131072 /prefetch:8
  2⤵
  PID:696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2088 --field-trial-handle=1768,i,3869821357449549633,10035585542478727055,131072 /prefetch:8
  2⤵
  PID:660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2844 --field-trial-handle=1768,i,3869821357449549633,10035585542478727055,131072 /prefetch:1
  2⤵
  PID:1976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2852 --field-trial-handle=1768,i,3869821357449549633,10035585542478727055,131072 /prefetch:1
  2⤵
  PID:504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4444 --field-trial-handle=1768,i,3869821357449549633,10035585542478727055,131072 /prefetch:1
  2⤵
  PID:4720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4884 --field-trial-handle=1768,i,3869821357449549633,10035585542478727055,131072 /prefetch:8
  2⤵
  PID:4912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4984 --field-trial-handle=1768,i,3869821357449549633,10035585542478727055,131072 /prefetch:8
  2⤵
  PID:3576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4600 --field-trial-handle=1768,i,3869821357449549633,10035585542478727055,131072 /prefetch:8
  2⤵
  PID:2300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4936 --field-trial-handle=1768,i,3869821357449549633,10035585542478727055,131072 /prefetch:1
  2⤵
  PID:5104
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:3972
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x24c,0x250,0x254,0x228,0x258,0x7ff6946e7688,0x7ff6946e7698,0x7ff6946e76a8
    3⤵
    PID:2136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5656 --field-trial-handle=1768,i,3869821357449549633,10035585542478727055,131072 /prefetch:8
  2⤵
  PID:2296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3240 --field-trial-handle=1768,i,3869821357449549633,10035585542478727055,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1056

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
b8d58546b8b92f6a18fb1e339f7ffbef

SHA1
2b04d7571171e770c3816b1cace924f82ab5c7ed

SHA256
51cf23b9bae14a52ad0eb44bdaeb32f6ca9ad5ca599de04b3cf74f5c3ea4b51a

SHA512
924018d9dab54d38da44071e0e21d5665a3926174a16954a7b3643636eace16a7496e1700c156cfa2949ff3aa76a1b675f930a7d98dd477d64acd5160685de37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
0d9538ddad4f5007e285306ca97e896b

SHA1
676afd0b2e60a67f482b0b5b4d7b92c2b07d41bc

SHA256
dbb542136db870a1d2af8fb0c7dea8cd6b447108fc193a3d3133e6a0fd2cd408

SHA512
54b38d2073678719d823a20aa2f2728d445302d58acd92c37c123430e660606e3a52ca980b0c407d455d9e5211a5511a7d93c8533d41dc2ef1eb6c2798f331d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
d594aab9261f44841332e0b4a3450c64

SHA1
427b3e41077f10f755be62a8af17f1da5b97eeb8

SHA256
5ee6122e07c816f071afdb58ab5759d160ef9f8790e045e30a32f22a1d2cea0f

SHA512
f7ee4a5d7ddbb241f454199db757d6313296267f4103dfdf98fbf53e766a1148d60a77db23280402ac6ff1420cb9ad14a8d20c9658c60a09e2262623bc2b9cd2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
974b761a9a0702a78f96afdd07ec72fd

SHA1
260f43c7fdbcedfb6394cd0d615a44e9d8e98f95

SHA256
cb9a152867a453fe2bc57af624e4ede181d96bf85f8a2f46a9398026453bbf38

SHA512
da89d0f529e0cbb5ee0833764a88e5de8c787c365a9afbadb4c87b92992c379520a0458be49843f8648d467a698d12165b62bd9b0140392546402ec7e6d15b7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
a86efa8dec0f98fb5f5cd5b6582e63d7

SHA1
0092133507aed9ce19dbf3d469bca5e9f5fd2309

SHA256
a7ca73ff4443e16b809a63307b811c0bf84215723d1f1ae7931cdafd2d574e82

SHA512
f246c3253ec745a2699d85b0b02fb88b318765f89c245aa9f43c57cab645574dc5851eb7cf55bd038ce7d333960204b74abf376dd85666e062906df661fea0ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
c4d5c5080248fd794769ccb650085c06

SHA1
40c1d0ec2631336d21992441dc83308c5a890bfc

SHA256
c24c2d4b477a4badcf6addb904a1b7f9c794b7c4d4086cd89ae18e159e5a688a

SHA512
54615b0eb04ca95e1dfc917fbc074b14a0073e4e0402e381773033b3cbed031a34f72d496e41f1fa521393bfff56ea989068525849abadd3035556a9e8306436

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f22a0f3fc69eae6fa9f3332ae7bd59ab

SHA1
6017db56f3583540fc16d9ff79001ef6eb6860c7

SHA256
8b43955d0e86015a9e40442316f2ac484ef285bd37809056a6e77e44d91ba42c

SHA512
06005c54ab6453367147f137352a0446ba0c2fa53cfe9c48c8ad6a004dfd63a240423abcae502101887c99f58ccf378058473fc43becf46694778a02028bdf55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
569f16680d504b1e8f4b2ce4cfb447e3

SHA1
93328ae3d8b8b4f813859d2da288af208679f940

SHA256
0c808b44602d2aee752bd480f769d88d0aae3288282a1a07a335ee69845fe107

SHA512
e3f14a69e5271e62115ddd29d0003b10f8dd774fdd30915b44a2d2e1aa058cd64f60e236fcc1e0794b4e4510c311ae98a4492e6245de26f4d9612ec95a9d4636

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
428f91bfa8f945de5ef1fbd4e379cc66

SHA1
1147589e4b2a42045bb820deae3b457544be98aa

SHA256
cca2e491de88499d907fc2ba1cc4c8546f9c73d2bc05af130f94965b939f17c4

SHA512
0ea27915d4b8bb4f3d7b699bc32686b3892042ed8f5e34252bee6dcca182fccf521800d38301602eddc3d6a27eb62c9a9975f0b8e174e02010b6f4226623f8eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
fdb34a6c63e7ed547c3d11dc8bce20fb

SHA1
43045a0086984139f9e687b2490bf9b5cf9bc3c3

SHA256
bfec565d63efba460fcf2eea09bb18c3246da0c0f70150ac2d2c888dbdc4fa83

SHA512
4800dc0d73f46dd44bd5654f237528c7c558c2fedba5e2144522f899cdf3c508ba875c6af1816e20b30c6aa43bbad4089cfa98b4bee8817195c47f1223a594b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
12KB

MD5
0fcdfa66f7875a13107ab83db3b48e4c

SHA1
230956acfc34edf6b4ed197e2fdf7e958d8c8d78

SHA256
a509835112d7708384bd34c2424c0543d57be9196a01b9bea37af02bc6f8bb14

SHA512
fa1dfc4a43afbd689ae180e461f63cc77fb28f4626a85597b61746902a6156584c67e3ed47d9685efb47e54782d4505dbddf83c0e68dacaeb07c782a85dcebb3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
287KB

MD5
d9da59a7c8a6cd2655f38352c2a739a6

SHA1
575e0ea3857950fbb7a311028f60158ae2d1322c

SHA256
e16632107e31c9e466b546d1fb5ee528363a8dd7b847321930bb16f8e5a899ed

SHA512
54776d3d72314f1571359ebeb8eb986f934ca4b052c8ff16a1b565766335c64fac9a8ef6f6d07fc4b243bcf18034e7330a169a6dd18f07f3dc6e32820d492857

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
287KB

MD5
9aabe745c69478c597cb310823268247

SHA1
e82436aa2924d1209e79ad37e75078fbdaee564d

SHA256
aee21a8b49cb6dd3085c44d15fd88da291d404d3bc81a4bbd52960275cd17d0d

SHA512
a0522f85412ac82ee5bf348aae51b9fc6b14de400c81bddc14990c972bc1eec88cdd5761fb380e23cfd00ab861137f8125489892343e02c68416b50cf3ab858d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
93KB

MD5
47301d8b45e18cd2c35b225071f245af

SHA1
9a1fd128b70c14f73134330004ac9433a7dc71c4

SHA256
6c9fd7ee76f3c737707777486075c87e13668a61b2b5999363256dc564a70cb3

SHA512
d78095c0207c19cd775684aec461120d906bd2647a26adc58cd902b75a7926233852707b4945040e59c121db579bc0277246f750d82751ea420f97b2f301a49c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5850da.TMP

Filesize
93KB

MD5
c99c0bdb0f6a620e3a59433bab7257a3

SHA1
b4cca70f0fb632518b503e0463a7dd129a9106b3

SHA256
e2572115aed6d99a171bee08b18e36065cdc3ae737d17858d37145cc30265dae

SHA512
3322c2526e663fed669c9d86214847efbe9b598eb2dc6a60a88b741cc85986bdce335f3d0ca06bb5e80e02280880ee92f285afecef8c5006c4e400a1dbc94e12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\rufus.ini

Filesize
41B

MD5
de052bd15d7cab5d0d81563e870ee832

SHA1
a516a30645ce18eb348177d3a2e6a41a85c1ef84

SHA256
84b67ac777432f6c2ca202ec3265cab3704015f7337466b10440a5b24ebcaac1

SHA512
d0aa7bc9b5fb8e30652fb1e0f958ef455f43c618cb457a9b4b79a2152adf144d29a77cbe6ebe02ff32f471656664600d0567268600c1dd3fa528c224899d48ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\rufus.ini

Filesize
70B

MD5
53799e568e3575548c2cbc03495be2ac

SHA1
8ed9152c5bb82b2f5a5bb4dfcb224258bafe92e7

SHA256
e0ca2ea1bedeac394dfe31e4269b35006651ac1b0beb21e1b8ec741ef1a7e041

SHA512
3d86c28ba46ad515fa1201d8cf3ce326287e5e248a4ed25cf129f3af0ea628c775650bf835e0eaccc033f89306a115cb392b498d073eb21ca7378baa617d69b7

Download Submit
memory/3800-0-0x00007FF7091B0000-0x00007FF7095CF000-memory.dmp

Filesize
4.1MB

Download
memory/3800-93-0x00007FF7091B0000-0x00007FF7095CF000-memory.dmp

Filesize
4.1MB

Download
memory/3800-57-0x00007FF7091B0000-0x00007FF7095CF000-memory.dmp

Filesize
4.1MB

Download