a3198464998b05b72bfd3833a7daa407f01eb27e60bc5320ce61914909bf2c71

Resubmissions

21/07/2024, 23:50

240721-3vvqyatcqq 10

Analysis

max time kernel
83s
max time network
152s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21/07/2024, 23:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

release/main/cheat.exe
Size

4.1MB
MD5

a20e247d5dbab2a84b718801dec0025e
SHA1

04d6c781da09b237068b1ed7054003a14833ea3b
SHA256

74c5383e22aa8ae4e9941fd5d431c80b617f583e4158647c807d5d6188d7cced
SHA512

ec9728e9344563a74c2a906f3b289c6383bc2f564cf722170f3d3fdbfd433790b4811c7f3e8d3e9de5b16b4618ed8244eb055bf01e1ffc49fd5ad477af73011c
SSDEEP

98304:IdlAOJ6MIcGcPJt4IEKNILJpCHFBPmjE2K/pu9mfhVlNNFQ:yqOYJcBP/4TKNItpCTmjERRu9enNI

Score

9^/10

evasion persistence themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	cheat.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\frAQBc8Wsa1xVPfv\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\frAQBc8Wsa1xVPfv"	cheat.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cheat.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cheat.exe

Themida packer 9 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/1800-0-0x000000013F780000-0x000000014023A000-memory.dmp	themida
behavioral1/memory/1800-3-0x000000013F780000-0x000000014023A000-memory.dmp	themida
behavioral1/memory/1800-4-0x000000013F780000-0x000000014023A000-memory.dmp	themida
behavioral1/memory/1800-2-0x000000013F780000-0x000000014023A000-memory.dmp	themida
behavioral1/memory/1800-5-0x000000013F780000-0x000000014023A000-memory.dmp	themida
behavioral1/memory/1800-6-0x000000013F780000-0x000000014023A000-memory.dmp	themida
behavioral1/memory/1800-7-0x000000013F780000-0x000000014023A000-memory.dmp	themida
behavioral1/memory/1800-8-0x000000013F780000-0x000000014023A000-memory.dmp	themida
behavioral1/memory/1800-11-0x000000013F780000-0x000000014023A000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cheat.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1800	cheat.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2928	chrome.exe
2928	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2600	taskmgr.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
1800	cheat.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	1800	cheat.exe
Token: SeDebugPrivilege	2600	taskmgr.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2600	taskmgr.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 2208	1800	cheat.exe	28
PID 1800 wrote to memory of 2208	1800	cheat.exe	28
PID 1800 wrote to memory of 2208	1800	cheat.exe	28
PID 2928 wrote to memory of 2932	2928	chrome.exe	36
PID 2928 wrote to memory of 2932	2928	chrome.exe	36
PID 2928 wrote to memory of 2932	2928	chrome.exe	36
PID 2928 wrote to memory of 1508	2928	chrome.exe	38
PID 2928 wrote to memory of 1508	2928	chrome.exe	38
PID 2928 wrote to memory of 1508	2928	chrome.exe	38
PID 2928 wrote to memory of 1508	2928	chrome.exe	38
PID 2928 wrote to memory of 1508	2928	chrome.exe	38
PID 2928 wrote to memory of 1508	2928	chrome.exe	38
PID 2928 wrote to memory of 1508	2928	chrome.exe	38
PID 2928 wrote to memory of 1508	2928	chrome.exe	38
PID 2928 wrote to memory of 1508	2928	chrome.exe	38
PID 2928 wrote to memory of 1508	2928	chrome.exe	38
PID 2928 wrote to memory of 1508	2928	chrome.exe	38
PID 2928 wrote to memory of 1508	2928	chrome.exe	38
PID 2928 wrote to memory of 1508	2928	chrome.exe	38
PID 2928 wrote to memory of 1508	2928	chrome.exe	38
PID 2928 wrote to memory of 1508	2928	chrome.exe	38
PID 2928 wrote to memory of 1508	2928	chrome.exe	38
PID 2928 wrote to memory of 1508	2928	chrome.exe	38
PID 2928 wrote to memory of 1508	2928	chrome.exe	38
PID 2928 wrote to memory of 1508	2928	chrome.exe	38
PID 2928 wrote to memory of 1508	2928	chrome.exe	38
PID 2928 wrote to memory of 1508	2928	chrome.exe	38
PID 2928 wrote to memory of 1508	2928	chrome.exe	38
PID 2928 wrote to memory of 1508	2928	chrome.exe	38
PID 2928 wrote to memory of 1508	2928	chrome.exe	38
PID 2928 wrote to memory of 1508	2928	chrome.exe	38
PID 2928 wrote to memory of 1508	2928	chrome.exe	38
PID 2928 wrote to memory of 1508	2928	chrome.exe	38
PID 2928 wrote to memory of 1508	2928	chrome.exe	38
PID 2928 wrote to memory of 1508	2928	chrome.exe	38
PID 2928 wrote to memory of 1508	2928	chrome.exe	38
PID 2928 wrote to memory of 1508	2928	chrome.exe	38
PID 2928 wrote to memory of 1508	2928	chrome.exe	38
PID 2928 wrote to memory of 1508	2928	chrome.exe	38
PID 2928 wrote to memory of 1508	2928	chrome.exe	38
PID 2928 wrote to memory of 1508	2928	chrome.exe	38
PID 2928 wrote to memory of 1508	2928	chrome.exe	38
PID 2928 wrote to memory of 1508	2928	chrome.exe	38
PID 2928 wrote to memory of 1508	2928	chrome.exe	38
PID 2928 wrote to memory of 1508	2928	chrome.exe	38
PID 2928 wrote to memory of 1752	2928	chrome.exe	39
PID 2928 wrote to memory of 1752	2928	chrome.exe	39
PID 2928 wrote to memory of 1752	2928	chrome.exe	39
PID 2928 wrote to memory of 1208	2928	chrome.exe	40
PID 2928 wrote to memory of 1208	2928	chrome.exe	40
PID 2928 wrote to memory of 1208	2928	chrome.exe	40
PID 2928 wrote to memory of 1208	2928	chrome.exe	40
PID 2928 wrote to memory of 1208	2928	chrome.exe	40
PID 2928 wrote to memory of 1208	2928	chrome.exe	40
PID 2928 wrote to memory of 1208	2928	chrome.exe	40
PID 2928 wrote to memory of 1208	2928	chrome.exe	40
PID 2928 wrote to memory of 1208	2928	chrome.exe	40
PID 2928 wrote to memory of 1208	2928	chrome.exe	40
PID 2928 wrote to memory of 1208	2928	chrome.exe	40
PID 2928 wrote to memory of 1208	2928	chrome.exe	40
PID 2928 wrote to memory of 1208	2928	chrome.exe	40
PID 2928 wrote to memory of 1208	2928	chrome.exe	40
PID 2928 wrote to memory of 1208	2928	chrome.exe	40
PID 2928 wrote to memory of 1208	2928	chrome.exe	40

C:\Users\Admin\AppData\Local\Temp\release\main\cheat.exe
"C:\Users\Admin\AppData\Local\Temp\release\main\cheat.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Sets service image path in registry
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1800 -s 868
  2⤵
  PID:2208

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2960

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5b29758,0x7fef5b29768,0x7fef5b29778
  2⤵
  PID:2932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1188 --field-trial-handle=1252,i,1676652096803544299,18327849304624683295,131072 /prefetch:2
  2⤵
  PID:1508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 --field-trial-handle=1252,i,1676652096803544299,18327849304624683295,131072 /prefetch:8
  2⤵
  PID:1752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1620 --field-trial-handle=1252,i,1676652096803544299,18327849304624683295,131072 /prefetch:8
  2⤵
  PID:1208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2292 --field-trial-handle=1252,i,1676652096803544299,18327849304624683295,131072 /prefetch:1
  2⤵
  PID:2476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2300 --field-trial-handle=1252,i,1676652096803544299,18327849304624683295,131072 /prefetch:1
  2⤵
  PID:1644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1268 --field-trial-handle=1252,i,1676652096803544299,18327849304624683295,131072 /prefetch:2
  2⤵
  PID:1620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1468 --field-trial-handle=1252,i,1676652096803544299,18327849304624683295,131072 /prefetch:1
  2⤵
  PID:896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3668 --field-trial-handle=1252,i,1676652096803544299,18327849304624683295,131072 /prefetch:8
  2⤵
  PID:2196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3728 --field-trial-handle=1252,i,1676652096803544299,18327849304624683295,131072 /prefetch:1
  2⤵
  PID:2956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=2448 --field-trial-handle=1252,i,1676652096803544299,18327849304624683295,131072 /prefetch:1
  2⤵
  PID:1924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=1560 --field-trial-handle=1252,i,1676652096803544299,18327849304624683295,131072 /prefetch:1
  2⤵
  PID:1444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1120 --field-trial-handle=1252,i,1676652096803544299,18327849304624683295,131072 /prefetch:8
  2⤵
  PID:2280

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

Filesize
230B

MD5
f0d04085cab25c8dd964233cf5ff7654

SHA1
fcbfb46d3a4a21cf119797e8c978d270d7203c67

SHA256
c0e600606bbadaecfcc8634648785dd93861487c95a36fe9f459e4e9d94ea00f

SHA512
f19c22a5ff478a8e8ba4225d60b68ec47d7ede8a5e31bb86c3d20b27cbe64dde65168c2a276e6ce81fe937b29c7a7be72c9347e48fd29f97392cd43319c6a3ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2b4c0c7e2465fca94d6d8e9adf17ed0b

SHA1
6dfc60220646d081927bf2a750cb275984bb9ed0

SHA256
8402c39bb3899bbc0314aa30011133e1e2f262c1c3c137fb8b180dbfbd942402

SHA512
622e67b09169fd81fa9f54b693fb36a12819362478b770655dd7876512e70dcb0efecbb6b184fbeab49a62405ec520728f8f673465c047c1f782ac5e086de37c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0df6998ab6568acf5289526950697e88

SHA1
5b8b795bddec4629527659798404f0551338cdeb

SHA256
82bfe7ae87c5138664008b2c9212a91855406f91f229a87b7a4f7bd82c565f2f

SHA512
bcdfbcc5fbe4ed0f90516b532545e0a1c60c796a2ffce79fe89602ddc675c7d7d928d7dbc1ac709f7743a4e74087d8c7f4bd81e8551228f1290ecec16ae5f49d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000002

Filesize
24KB

MD5
c594a826934b9505d591d0f7a7df80b7

SHA1
c04b8637e686f71f3fc46a29a86346ba9b04ae18

SHA256
e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610

SHA512
04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
fa8cef8ab2ff67f46008e86a9a571239

SHA1
02a508db29d963ce805c26a2bab9c9c4dabd2cf9

SHA256
fee40575dbae6a3226cbe8d9d8614a208d21a32dba1bb6162bc942fc828dc0c9

SHA512
44f8c6dfffc145ea880818658bb12fbc2f92722da0c2dd8fc9f009231f97e3ed9edffd441f75ed94a7d7224576c42bb6c99a56d6081782c1462780e8a3039ab2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a2c2f65ac7e4f853a6615769dfa1e1a2

SHA1
246a5bc55e4c0dc6167c01d9de49cace0c2bfb6a

SHA256
43273c836f9a23bb9af5679268e5b19d9720edaa4767cce5bfa37e75eb0d34fa

SHA512
91e2eac8405046b226f683d04b1b75d1d768a6e68daf77e56b43c92efe7494d3896a5892b7f588f5acc0faf852428e8911a62c9e6b34356e385255c35b11dbf8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
ed0094cfdcd31ed4483ad4d04cde6e2f

SHA1
eec52597b3107b99f0ca48758dfd1352d68ff7d9

SHA256
b2ba9dd9bef91ed118e8870fd71ae8cc3b53cfd8d4676feecf430aa9c72fe832

SHA512
3fbdb78a114e322c6a8ec53dd5edbaddd75cffe85be0e9201e7ed78c132a220d1737a032594df14f421d8283e506fa936679a1c8bb29b06b962577f49b1fd2ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b18340282c78958ac440f0c0cfd875b3

SHA1
457a7dab8338d857f8cb0c960f91641460109473

SHA256
c8652453055f6f6c3799d6ade61cc49b2fd0ce46dbcefb00a56701fd3071f19d

SHA512
fd4bbc4edf457103b836d6fda7462d63899fb848ca831482c68079a0eea877ccd552da36283e6e0dfd9de2705f179b438f09fc554f095f55e487e388ea5911d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
b56df930096bcfc0b60ed480c34ef9d5

SHA1
9fa04db81fc1372b57b886442eb236040b2fcf0a

SHA256
58475f3da11c66369d33ebe64dad941ddfa2aabfc139f7dfc9c91f68a8c1831b

SHA512
d95ec9315204a8077d59289cee182e399f7f40b7e6c1abc0bd3513b9adf9cba4df02e889fab0fb1d9082b724181e98ed1dbd2704b93c0ee4f15bca813ecd8eab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
264caa4e503f388380996514c3646b90

SHA1
7af055479e87e229e5be8c554d7ff9803c68755f

SHA256
c4d0f286e84ba2e9cbb8395a13e5d0f60285e96dd1e8542dedc48adba37f5b86

SHA512
6bea16ab58186451b14b99480a9e64d46c28393dd7663c4827b8c799dcdb7add400c066173ab8b0467e94614119543a552720b59461fffbd242c0db3c97539ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
67bc44a919e719c4a6916ab5c0998091

SHA1
4a6fa0637b6ca71e5878f0c712818e86fd390e3a

SHA256
28be8b1f21c3e86ca4141992fd36e457f1a2f4c09c1a2c000d2ee9694c4e8648

SHA512
b3a9bda830529ba5e48a415fb785b5a50a0310a8c867d6b3d5677cba8f4c9c6382a174bc43d7151307e946af7e68d14738614de6cab39b9510c9ad04e0f2688b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
0c41f8b1aa1ebd2fba7d3c76691b92c2

SHA1
19eee9a40733f155e6b969379c673d1e62bac6cf

SHA256
e1f43b3b5b72f31d4cfe57034363d4b31a66e7de0de2bf66a7110237df55fec9

SHA512
260432810c9ad4abfd24f85d4694bb7ba181aa9df7fb0c577ebb6a4f80f09551bf67f03e3677be15acded8b66954b1d8a0758c806e2aae33be6ad6919bb11ec9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0fce89139c386b9a286f0d1bd21eb8b9

SHA1
19630b6e0e0653e95d78c2d780a15c2c3830d25c

SHA256
8bdcafc5e7751277bed3438f7280de29c854d481a8c3bf1d47722ab0adc113aa

SHA512
ca06d38e85d0d483f80988b2b211f46e92b0dca722110b32e688050d7241d52006c0bcc797b0a48aac3d161638fd01cd46fd7bc0898f4dddaed7d67697ae9a74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
a50fa2e5c3118c7cfcff64e37588d0ea

SHA1
ec17c91d258829a6991cc2f019bc8d8d123e87a9

SHA256
c4c98d4ec9b91b000155b119644c50b17b3b9e595a976e43ad001f57b10e25e4

SHA512
d4fd803d8fb792d8d89a69f9ac6b1fc5e4a5562ec2ed94a3ae21aa8c20b051c6d9f0eab8e4f81e699f09d1b316030078df412207effd6fb2e75700968909d6a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2001.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2042.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/1800-0-0x000000013F780000-0x000000014023A000-memory.dmp

Filesize
10.7MB

Download
memory/1800-5-0x000000013F780000-0x000000014023A000-memory.dmp

Filesize
10.7MB

Download
memory/1800-2-0x000000013F780000-0x000000014023A000-memory.dmp

Filesize
10.7MB

Download
memory/1800-4-0x000000013F780000-0x000000014023A000-memory.dmp

Filesize
10.7MB

Download
memory/1800-3-0x000000013F780000-0x000000014023A000-memory.dmp

Filesize
10.7MB

Download
memory/1800-1-0x0000000077900000-0x0000000077902000-memory.dmp

Filesize
8KB

Download
memory/1800-11-0x000000013F780000-0x000000014023A000-memory.dmp

Filesize
10.7MB

Download
memory/1800-8-0x000000013F780000-0x000000014023A000-memory.dmp

Filesize
10.7MB

Download
memory/1800-7-0x000000013F780000-0x000000014023A000-memory.dmp

Filesize
10.7MB

Download
memory/1800-6-0x000000013F780000-0x000000014023A000-memory.dmp

Filesize
10.7MB

Download
memory/2600-13-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2600-12-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download