a93a40597266db70576237aeb0f944358a5988ce0bd4799d2f9438ace11bbc48

Analysis

max time kernel
65s
max time network
147s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
06/08/2024, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Trixx_Spoofer_protected (1).exe
Size

3.5MB
MD5

1ebe588f34203da1d42e36a7aa7e5cd1
SHA1

5ed14541f50df5106c77dddf22326092c9d1c23f
SHA256

a93a40597266db70576237aeb0f944358a5988ce0bd4799d2f9438ace11bbc48
SHA512

2e867970d8d4e5f1ee17321f8e3f2dfc5e4e901ed859d40082e19ff8684f8ce1eb1537055cf70b36b294fecb0a2ba26af33687cd14d6ff0f99975d9f6cceadc8
SSDEEP

98304:MWzu1SEzVBy7IRcEU9+CjJ3BCsNy3Ab/EqEVgtDQ:MRj7ywg++Rdg3ArEqEg2

Score

9^/10

discovery evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Trixx_Spoofer_protected (1).exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Trixx_Spoofer_protected (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Trixx_Spoofer_protected (1).exe

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2760-0-0x000000013FC50000-0x00000001405D7000-memory.dmp	themida
behavioral1/memory/2760-2-0x000000013FC50000-0x00000001405D7000-memory.dmp	themida
behavioral1/memory/2760-4-0x000000013FC50000-0x00000001405D7000-memory.dmp	themida
behavioral1/memory/2760-5-0x000000013FC50000-0x00000001405D7000-memory.dmp	themida
behavioral1/memory/2760-3-0x000000013FC50000-0x00000001405D7000-memory.dmp	themida
behavioral1/memory/2760-6-0x000000013FC50000-0x00000001405D7000-memory.dmp	themida
behavioral1/memory/2760-7-0x000000013FC50000-0x00000001405D7000-memory.dmp	themida
behavioral1/memory/2760-9-0x000000013FC50000-0x00000001405D7000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Trixx_Spoofer_protected (1).exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2760	Trixx_Spoofer_protected (1).exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2004	chrome.exe
2004	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe
Token: SeShutdownPrivilege	2004	chrome.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe
2004	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 3064	2760	Trixx_Spoofer_protected (1).exe	31
PID 2760 wrote to memory of 3064	2760	Trixx_Spoofer_protected (1).exe	31
PID 2760 wrote to memory of 3064	2760	Trixx_Spoofer_protected (1).exe	31
PID 3064 wrote to memory of 2928	3064	cmd.exe	32
PID 3064 wrote to memory of 2928	3064	cmd.exe	32
PID 3064 wrote to memory of 2928	3064	cmd.exe	32
PID 3064 wrote to memory of 2896	3064	cmd.exe	33
PID 3064 wrote to memory of 2896	3064	cmd.exe	33
PID 3064 wrote to memory of 2896	3064	cmd.exe	33
PID 3064 wrote to memory of 2908	3064	cmd.exe	34
PID 3064 wrote to memory of 2908	3064	cmd.exe	34
PID 3064 wrote to memory of 2908	3064	cmd.exe	34
PID 2760 wrote to memory of 2892	2760	Trixx_Spoofer_protected (1).exe	35
PID 2760 wrote to memory of 2892	2760	Trixx_Spoofer_protected (1).exe	35
PID 2760 wrote to memory of 2892	2760	Trixx_Spoofer_protected (1).exe	35
PID 2004 wrote to memory of 2620	2004	chrome.exe	37
PID 2004 wrote to memory of 2620	2004	chrome.exe	37
PID 2004 wrote to memory of 2620	2004	chrome.exe	37
PID 2004 wrote to memory of 2148	2004	chrome.exe	39
PID 2004 wrote to memory of 2148	2004	chrome.exe	39
PID 2004 wrote to memory of 2148	2004	chrome.exe	39
PID 2004 wrote to memory of 2148	2004	chrome.exe	39
PID 2004 wrote to memory of 2148	2004	chrome.exe	39
PID 2004 wrote to memory of 2148	2004	chrome.exe	39
PID 2004 wrote to memory of 2148	2004	chrome.exe	39
PID 2004 wrote to memory of 2148	2004	chrome.exe	39
PID 2004 wrote to memory of 2148	2004	chrome.exe	39
PID 2004 wrote to memory of 2148	2004	chrome.exe	39
PID 2004 wrote to memory of 2148	2004	chrome.exe	39
PID 2004 wrote to memory of 2148	2004	chrome.exe	39
PID 2004 wrote to memory of 2148	2004	chrome.exe	39
PID 2004 wrote to memory of 2148	2004	chrome.exe	39
PID 2004 wrote to memory of 2148	2004	chrome.exe	39
PID 2004 wrote to memory of 2148	2004	chrome.exe	39
PID 2004 wrote to memory of 2148	2004	chrome.exe	39
PID 2004 wrote to memory of 2148	2004	chrome.exe	39
PID 2004 wrote to memory of 2148	2004	chrome.exe	39
PID 2004 wrote to memory of 2148	2004	chrome.exe	39
PID 2004 wrote to memory of 2148	2004	chrome.exe	39
PID 2004 wrote to memory of 2148	2004	chrome.exe	39
PID 2004 wrote to memory of 2148	2004	chrome.exe	39
PID 2004 wrote to memory of 2148	2004	chrome.exe	39
PID 2004 wrote to memory of 2148	2004	chrome.exe	39
PID 2004 wrote to memory of 2148	2004	chrome.exe	39
PID 2004 wrote to memory of 2148	2004	chrome.exe	39
PID 2004 wrote to memory of 2148	2004	chrome.exe	39
PID 2004 wrote to memory of 2148	2004	chrome.exe	39
PID 2004 wrote to memory of 2148	2004	chrome.exe	39
PID 2004 wrote to memory of 2148	2004	chrome.exe	39
PID 2004 wrote to memory of 2148	2004	chrome.exe	39
PID 2004 wrote to memory of 2148	2004	chrome.exe	39
PID 2004 wrote to memory of 2148	2004	chrome.exe	39
PID 2004 wrote to memory of 2148	2004	chrome.exe	39
PID 2004 wrote to memory of 2148	2004	chrome.exe	39
PID 2004 wrote to memory of 2148	2004	chrome.exe	39
PID 2004 wrote to memory of 2148	2004	chrome.exe	39
PID 2004 wrote to memory of 2148	2004	chrome.exe	39
PID 2004 wrote to memory of 3012	2004	chrome.exe	40
PID 2004 wrote to memory of 3012	2004	chrome.exe	40
PID 2004 wrote to memory of 3012	2004	chrome.exe	40
PID 2004 wrote to memory of 2400	2004	chrome.exe	41
PID 2004 wrote to memory of 2400	2004	chrome.exe	41
PID 2004 wrote to memory of 2400	2004	chrome.exe	41
PID 2004 wrote to memory of 2400	2004	chrome.exe	41

C:\Users\Admin\AppData\Local\Temp\Trixx_Spoofer_protected (1).exe
"C:\Users\Admin\AppData\Local\Temp\Trixx_Spoofer_protected (1).exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Trixx_Spoofer_protected (1).exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Trixx_Spoofer_protected (1).exe" MD5
    3⤵
    PID:2928
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:2896
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:2908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7049758,0x7fef7049768,0x7fef7049778
  2⤵
  PID:2620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1156 --field-trial-handle=1220,i,523855715515180663,7664481961664812000,131072 /prefetch:2
  2⤵
  PID:2148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1524 --field-trial-handle=1220,i,523855715515180663,7664481961664812000,131072 /prefetch:8
  2⤵
  PID:3012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1548 --field-trial-handle=1220,i,523855715515180663,7664481961664812000,131072 /prefetch:8
  2⤵
  PID:2400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2280 --field-trial-handle=1220,i,523855715515180663,7664481961664812000,131072 /prefetch:1
  2⤵
  PID:1504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2288 --field-trial-handle=1220,i,523855715515180663,7664481961664812000,131072 /prefetch:1
  2⤵
  PID:312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1156 --field-trial-handle=1220,i,523855715515180663,7664481961664812000,131072 /prefetch:2
  2⤵
  PID:916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1332 --field-trial-handle=1220,i,523855715515180663,7664481961664812000,131072 /prefetch:1
  2⤵
  PID:764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3964 --field-trial-handle=1220,i,523855715515180663,7664481961664812000,131072 /prefetch:1
  2⤵
  PID:1824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 --field-trial-handle=1220,i,523855715515180663,7664481961664812000,131072 /prefetch:8
  2⤵
  PID:2748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=2512 --field-trial-handle=1220,i,523855715515180663,7664481961664812000,131072 /prefetch:1
  2⤵
  PID:2416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3820 --field-trial-handle=1220,i,523855715515180663,7664481961664812000,131072 /prefetch:1
  2⤵
  PID:2632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2988 --field-trial-handle=1220,i,523855715515180663,7664481961664812000,131072 /prefetch:1
  2⤵
  PID:1712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2304 --field-trial-handle=1220,i,523855715515180663,7664481961664812000,131072 /prefetch:1
  2⤵
  PID:2576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2360 --field-trial-handle=1220,i,523855715515180663,7664481961664812000,131072 /prefetch:1
  2⤵
  PID:264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3796 --field-trial-handle=1220,i,523855715515180663,7664481961664812000,131072 /prefetch:8
  2⤵
  PID:1564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=1144 --field-trial-handle=1220,i,523855715515180663,7664481961664812000,131072 /prefetch:1
  2⤵
  PID:2752

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
209KB

MD5
3e552d017d45f8fd93b94cfc86f842f2

SHA1
dbeebe83854328e2575ff67259e3fb6704b17a47

SHA256
27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6

SHA512
e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000002

Filesize
24KB

MD5
c594a826934b9505d591d0f7a7df80b7

SHA1
c04b8637e686f71f3fc46a29a86346ba9b04ae18

SHA256
e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610

SHA512
04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\caa8fea897e385bd_0

Filesize
335KB

MD5
6512a7cc55e109524b32c02c05ad678e

SHA1
44a10467fab1bea28495987282afe59b5d19591d

SHA256
fc11dbc4cba4e5b159bb6af7c1960aa76778dd9beab0fdd7e0bf35461134d8d6

SHA512
ce054320287fb86bc0ff4c02d2e6d721fa7a86dce71c6c347d51f1b66f393968754245e23d8aabfc7ea7ab2157a86c0d9c8e1074dc1e4ae1723738f5dec7c682

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\ea9b8918ad020319_0

Filesize
289B

MD5
fc9ecf18b6b9bc6035e6c9b9324a9dbd

SHA1
7ef6addd59acfb7214e5d916bf046f241ecca915

SHA256
6c31d3ec560da81a9f30ebacc215be95a9abeba885d4b76d290a316f97e7a67d

SHA512
4b5ad07b3d9695792d6bbb61e203b59f626896fdaffc2f02c1529a1fe9373cb81c9af3734ea058c1f4757ffe844e7464f9c659c48353936d72738e0ae4149a57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
361B

MD5
02ca5addd1655d59cfffceb2f0319537

SHA1
9f927601d2cb40040a111621aad7d92c992cbffb

SHA256
369d04e576367af76ee8bd3ecdedef1603587894a900c0bfe4107b6e836f4d16

SHA512
f83dc4a9cc46c7b721e7053f23b2cb913969d9b82f8155d4dc162d60cca8b3fb334a2e98499f217efcb933e416c1790ee1940d0aaa001ffbdc101cef0955be45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
361B

MD5
3dbeb2f4b54591a072db96328f3629d2

SHA1
db21106725facc85e82b192443ec495a66a68345

SHA256
97e0e705a2be28453d97b40704e4c3c482893469e59d1520bc1ea32fcd3ff574

SHA512
00dae7a9d7a1cd01b9c8f04d8c79226ee95ee42fba218e7507ac86b525a294a490732e01568360a00065168cd259774193d17262216b8a26a1744f3c69876faf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
3e7f447cac60403174d2295f6bf7f1cd

SHA1
39b3296f3c1ab0a31c09824aee19748886f5b908

SHA256
ce67069f6f9e1aec23e0f45244d120e045a0bc3a058205fa2bb3dd8b0c3f3297

SHA512
292838d100ac981e937f7dc23c7638233618e7dab1df26f10074303c1b414d548bcbe07f8f4f82afd51986a8036019d7b04c48db18b26903dc00c371f94a2c0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6a6a5b5ffb71f4382556720c809f1f37

SHA1
57d3e04462f403e265ab52c6b60bfd020383c462

SHA256
c7f59d6f13fe4fcf5a1d7e6ec9ed8373447f0a331d957e047d6554c1176facff

SHA512
4703547c59b80cc41e0020cece7dad56ce45800836e4769ae5ff20afb0ef5bf42931fac87afbfbab1fff7aa51532ad3fb52f89679c6f43e1d207a952ad4182af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
db042b982a82a2e1b9df4429b8a95d1f

SHA1
97b8beac86b8881beead113a2aaeafdef41a0817

SHA256
87eb0a4219080b4664bbe72acf75de21e9391651e8c5350521ff1918a533cd8b

SHA512
66c81bcadc2910e3ac7e92ba3426c495c0fd44b327eda15a6de48b6852b368fbe4c46b876899203be71d2c1c1c6843b2549d6fb83798455c35898e2dcee855b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
310KB

MD5
d1131c2dbad521e3a17f35a9db73a0fb

SHA1
3c38a8bc48524c74a1c029cc5900472577bd99fb

SHA256
579951cc05e966485780bc5afde0d1db4f2ada3576cc3ec996faadbfbf7be8ca

SHA512
b565e1279c173905887df9224aabf625bf0a913230f53a7c6f0154992abfe8c4709d7c90e48f7906a79ccd402a03692c77a16ed45c8fceb9c67e84bd425ef160

Download Submit
memory/2760-0-0x000000013FC50000-0x00000001405D7000-memory.dmp

Filesize
9.5MB

Download
memory/2760-9-0x000000013FC50000-0x00000001405D7000-memory.dmp

Filesize
9.5MB

Download
memory/2760-7-0x000000013FC50000-0x00000001405D7000-memory.dmp

Filesize
9.5MB

Download
memory/2760-6-0x000000013FC50000-0x00000001405D7000-memory.dmp

Filesize
9.5MB

Download
memory/2760-3-0x000000013FC50000-0x00000001405D7000-memory.dmp

Filesize
9.5MB

Download
memory/2760-5-0x000000013FC50000-0x00000001405D7000-memory.dmp

Filesize
9.5MB

Download
memory/2760-4-0x000000013FC50000-0x00000001405D7000-memory.dmp

Filesize
9.5MB

Download
memory/2760-2-0x000000013FC50000-0x00000001405D7000-memory.dmp

Filesize
9.5MB

Download
memory/2760-1-0x0000000077800000-0x0000000077802000-memory.dmp

Filesize
8KB

Download