a340923a4cbdbcf225797ad7462b684f9d2a5a48cc183b428acf9928b12eea43

Analysis

max time kernel
56s
max time network
149s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10/08/2024, 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Roblox Player.lnk
Size

1KB
MD5

f9272e78c3c65cd90f079662ddc39379
SHA1

a70e545475a27dda90e32670ce93c87d6107ebd4
SHA256

a340923a4cbdbcf225797ad7462b684f9d2a5a48cc183b428acf9928b12eea43
SHA512

03b39172c3095aaf54f1750900b815fd320258a8042bac014070152deb926261a35ef23242af9a3374fe1e37414f079c89027e73d6e30dabf7633b1872895cb3

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{364E3C91-574D-11EF-81CE-7667FF076EE4} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1876	chrome.exe
1876	chrome.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe
Token: SeShutdownPrivilege	1876	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2816	iexplore.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2816	iexplore.exe
2816	iexplore.exe
2736	IEXPLORE.EXE
2736	IEXPLORE.EXE
2736	IEXPLORE.EXE
2736	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 2736	2816	iexplore.exe	33
PID 2816 wrote to memory of 2736	2816	iexplore.exe	33
PID 2816 wrote to memory of 2736	2816	iexplore.exe	33
PID 2816 wrote to memory of 2736	2816	iexplore.exe	33
PID 1876 wrote to memory of 2572	1876	chrome.exe	36
PID 1876 wrote to memory of 2572	1876	chrome.exe	36
PID 1876 wrote to memory of 2572	1876	chrome.exe	36
PID 1876 wrote to memory of 2356	1876	chrome.exe	38
PID 1876 wrote to memory of 2356	1876	chrome.exe	38
PID 1876 wrote to memory of 2356	1876	chrome.exe	38
PID 1876 wrote to memory of 2356	1876	chrome.exe	38
PID 1876 wrote to memory of 2356	1876	chrome.exe	38
PID 1876 wrote to memory of 2356	1876	chrome.exe	38
PID 1876 wrote to memory of 2356	1876	chrome.exe	38
PID 1876 wrote to memory of 2356	1876	chrome.exe	38
PID 1876 wrote to memory of 2356	1876	chrome.exe	38
PID 1876 wrote to memory of 2356	1876	chrome.exe	38
PID 1876 wrote to memory of 2356	1876	chrome.exe	38
PID 1876 wrote to memory of 2356	1876	chrome.exe	38
PID 1876 wrote to memory of 2356	1876	chrome.exe	38
PID 1876 wrote to memory of 2356	1876	chrome.exe	38
PID 1876 wrote to memory of 2356	1876	chrome.exe	38
PID 1876 wrote to memory of 2356	1876	chrome.exe	38
PID 1876 wrote to memory of 2356	1876	chrome.exe	38
PID 1876 wrote to memory of 2356	1876	chrome.exe	38
PID 1876 wrote to memory of 2356	1876	chrome.exe	38
PID 1876 wrote to memory of 2356	1876	chrome.exe	38
PID 1876 wrote to memory of 2356	1876	chrome.exe	38
PID 1876 wrote to memory of 2356	1876	chrome.exe	38
PID 1876 wrote to memory of 2356	1876	chrome.exe	38
PID 1876 wrote to memory of 2356	1876	chrome.exe	38
PID 1876 wrote to memory of 2356	1876	chrome.exe	38
PID 1876 wrote to memory of 2356	1876	chrome.exe	38
PID 1876 wrote to memory of 2356	1876	chrome.exe	38
PID 1876 wrote to memory of 2356	1876	chrome.exe	38
PID 1876 wrote to memory of 2356	1876	chrome.exe	38
PID 1876 wrote to memory of 2356	1876	chrome.exe	38
PID 1876 wrote to memory of 2356	1876	chrome.exe	38
PID 1876 wrote to memory of 2356	1876	chrome.exe	38
PID 1876 wrote to memory of 2356	1876	chrome.exe	38
PID 1876 wrote to memory of 2356	1876	chrome.exe	38
PID 1876 wrote to memory of 2356	1876	chrome.exe	38
PID 1876 wrote to memory of 2356	1876	chrome.exe	38
PID 1876 wrote to memory of 2356	1876	chrome.exe	38
PID 1876 wrote to memory of 2356	1876	chrome.exe	38
PID 1876 wrote to memory of 2356	1876	chrome.exe	38
PID 1876 wrote to memory of 780	1876	chrome.exe	39
PID 1876 wrote to memory of 780	1876	chrome.exe	39
PID 1876 wrote to memory of 780	1876	chrome.exe	39
PID 1876 wrote to memory of 2432	1876	chrome.exe	40
PID 1876 wrote to memory of 2432	1876	chrome.exe	40
PID 1876 wrote to memory of 2432	1876	chrome.exe	40
PID 1876 wrote to memory of 2432	1876	chrome.exe	40
PID 1876 wrote to memory of 2432	1876	chrome.exe	40
PID 1876 wrote to memory of 2432	1876	chrome.exe	40
PID 1876 wrote to memory of 2432	1876	chrome.exe	40
PID 1876 wrote to memory of 2432	1876	chrome.exe	40
PID 1876 wrote to memory of 2432	1876	chrome.exe	40
PID 1876 wrote to memory of 2432	1876	chrome.exe	40
PID 1876 wrote to memory of 2432	1876	chrome.exe	40
PID 1876 wrote to memory of 2432	1876	chrome.exe	40
PID 1876 wrote to memory of 2432	1876	chrome.exe	40
PID 1876 wrote to memory of 2432	1876	chrome.exe	40
PID 1876 wrote to memory of 2432	1876	chrome.exe	40

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Roblox Player.lnk"
1⤵
PID:1952

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2816 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6ce9758,0x7fef6ce9768,0x7fef6ce9778
  2⤵
  PID:2572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1148 --field-trial-handle=1192,i,4675856555697678832,16790739781834829598,131072 /prefetch:2
  2⤵
  PID:2356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1524 --field-trial-handle=1192,i,4675856555697678832,16790739781834829598,131072 /prefetch:8
  2⤵
  PID:780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1628 --field-trial-handle=1192,i,4675856555697678832,16790739781834829598,131072 /prefetch:8
  2⤵
  PID:2432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2264 --field-trial-handle=1192,i,4675856555697678832,16790739781834829598,131072 /prefetch:1
  2⤵
  PID:1844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2324 --field-trial-handle=1192,i,4675856555697678832,16790739781834829598,131072 /prefetch:1
  2⤵
  PID:2208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2608 --field-trial-handle=1192,i,4675856555697678832,16790739781834829598,131072 /prefetch:2
  2⤵
  PID:1452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3188 --field-trial-handle=1192,i,4675856555697678832,16790739781834829598,131072 /prefetch:1
  2⤵
  PID:1620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3660 --field-trial-handle=1192,i,4675856555697678832,16790739781834829598,131072 /prefetch:8
  2⤵
  PID:1816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3720 --field-trial-handle=1192,i,4675856555697678832,16790739781834829598,131072 /prefetch:1
  2⤵
  PID:612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=2140 --field-trial-handle=1192,i,4675856555697678832,16790739781834829598,131072 /prefetch:1
  2⤵
  PID:2856

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
26c5db6c1d9b414e2a96be3946aadbe1

SHA1
02457584d06fd177108aab897cd32a49dc77c1a3

SHA256
d4053c8340f1f2f1c01c5733415a8d88d860aa9278a2b1c9778e5edf5e25c34d

SHA512
8d7ac947e136d5d34e835b46240335ba922d4989799183cd9a5a23db863ae683812a049c01939e49d097f72ee75dc4525440fa3111732de10d80c3af6abdd841

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9438f23420bbd647e5aca1776bc885cd

SHA1
e3726899148cbfc6fe2f79143444494c6f89561e

SHA256
370c0d1151c829375624d873ad5e447ef9ac6019b7744b82b4f6c8370590e5f0

SHA512
bfb1bd2f786c55d7865be00b9f3fe9603abea373a4454aa4bd8d31fc421936f081ccf8a8386d0a652aa1f2010681a184dd05e7679f7e571b171a016bd333241f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b191bca2f60e8bff3627263d9caa3fac

SHA1
c280218baf12a1436e93cab4a8514783aed49216

SHA256
37754dda9e564c5df3118be450381b398951a3b9b8ba528ce5047b8628dbec0b

SHA512
a2f85f8c02122dc8ada9a40ab9971630e0c7eaa86db41055e5ccd7d839bb0ad9f11b793b850ad1932dc02d6d9fbe073d9020309d56435192a237944f7d9e7d53

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
49a148dbb25b2874aa8e5a59ee9c7115

SHA1
95ad8d3f71e682a113bbf47dba34d517f7f44daa

SHA256
2d9b3e3c6aed3d65a4a4d652445ff1645c5cbb56d83cb3a18eb664f5e1aa2217

SHA512
e5405f5c93fe81743b6397f3aa0145a6e6f7fea41c559c7bb6b731325d3b71e40d0f7c0d0f89b99edcffa81e1406771c4645d0ff9715a0b633fe6268e23c3bd0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7e7ada2a1bb3d3f8c6052c2226135b30

SHA1
815691bf40902fd54a797f0ab951e649ba7f7a91

SHA256
748e26e6f15cb440816db022f300473f9487928cdc7c7d8e5d3041573f8516da

SHA512
81aed45ca6b2aa5dbb9382516e00a7ad44a294b9b148d70577a50a1528be6daacf0e9a5b1cb8a9eb8e80cd7c3f54b0d091b0654ab817845f200f2a3761e8d52c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
394cf8e4abd8d57534fbef42c8a6cdc2

SHA1
a2fa72e7c2dce290523c12fef66de03b1ae83bed

SHA256
6d8b2a9a45f9bd55930b1bc26b9c3ad5038bdc92516fc1d2277303a5715a048b

SHA512
341be5b838d91d8331210ed9b881d0851411ebbd5df3fe615f373f67476a1845be380972849f43fed04975c66a08910758fd2a99fc68e2c9db7dba8f233be723

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c3fdd9b5c8a61d74efb259e75f986ee

SHA1
08d8b080ff72c5fec14e139dade43f91c405393d

SHA256
3fed935838535e210b74c6465f50f5fe9dc3100814e30dcd3f6a696d6d25402c

SHA512
e8d2f7d87cd969ec8978dadb1cec624ca82aa72e159631efd00379995cd365ad891657c08d170d288c7fb4349dccb304a28938a6313701316cf740b96f6f3045

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
23adf14b2f81faba99a4767092b43f12

SHA1
2e0019a96b5f9fa7b0c65602781b9cc7dbf1d2d5

SHA256
5bc0cb1adfee3c5fe940b5af3da8b6d8ef5c72d335f957507bdb53c5488fc72f

SHA512
fad75cacd1db4bdabba24d39325deddffe8d5ebb0696582a07004c07e6d9b4b73a442decbd570eeb02d5b0fae81cbac1bbb3cb758367f3f81769c0a3601a3e35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
19552a8a6a35efb2e07e1008ec73d54d

SHA1
6f6f126acd45202194f779afee76e9208b218fd2

SHA256
85903349b9e3a6177e761110ab7ead5626a9be778fc2cc814a120a7432f20b47

SHA512
614c5d5bd3065cbaa4402ed2000ca50892d92beeefd3dc82ab5ca1706162c45b04661b8c920a4bfa27bea28533d001aab980f5901c0da9fe12b7fa28f98d42e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
771a23d6c374f60811d9a79c516fa925

SHA1
c05235fb171585c2d74c10cc3f53398e4b0914a7

SHA256
2e4a6f2b72d94425735e2296ce2be0b8d354213aa81b0c1dffc09b8cd4f25bc9

SHA512
463e30c3b138e578dd08fa555f5d6bcd034389ef3f2738d94614823a234839e526e1019e1091e0a60f16cdbcafaaf7807bc8052c2c9db3640cfcc92805a6a846

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
210KB

MD5
48d2860dd3168b6f06a4f27c6791bcaa

SHA1
f5f803efed91cd45a36c3d6acdffaaf0e863bf8c

SHA256
04d7bf7a6586ef00516bdb3f7b96c65e0b9c6b940f4b145121ed00f6116bbb77

SHA512
172da615b5b97a0c17f80ddd8d7406e278cd26afd1eb45a052cde0cb55b92febe49773b1e02cf9e9adca2f34abbaa6d7b83eaad4e08c828ef4bf26f23b95584e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
2d3eab977b3913ee3df793fceea9d19f

SHA1
d386be9012babce7eaf9c3bdd8753cfbea42ca80

SHA256
f5d9666ac3d09f93f5f8a1d710acb97acceca81c1d8131b4269c45ac85b8990a

SHA512
23165090aeb2157334c6eaf5ad0995d0d666dc78a43a59daa814863a599fbbf2c8eceba5dd941543f0143d487ee35fb5af043681f90f2e8aaa07455b78313fb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
361B

MD5
453e95b4defd67c309aae80e7d8f5030

SHA1
62485c62e67365ca62aa046641d0f96b43e9f735

SHA256
8ddd4e3f2b43a55c370f11632e551da6e27b70f7bb4f2f6ec72143bcd22fbe74

SHA512
47353ff4f2ed17f332bd646fa5f4eef99d8631119d1ccc47e1f32a0863a470c61c7e602bc223dbf918fbef73d8975a53be1f46be33f8cb62abd09767b13a9043

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e22a847c4f6c664f8bee7548a03f9bc8

SHA1
17d5e5697923e96041b4ae0995c93de9e82ae6e5

SHA256
15c7cb974b82d082701803a8945b55922193e20a79b8d6c6c9cb7a597807501b

SHA512
490491c031676e77ddfd82c06046a05bceef1f78222b0e1d4b78a38081a45616ba01527344e1aa48523c1b2e0fb6145d5a8b931ce8ba80f3090728daef274fe6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
152c0945c90b83ce00e4311cda55ee8f

SHA1
899fd6850063d63c3a78c2e65bf2034ab5cc3f36

SHA256
4bdcab04806c600c8ef8140bd0214ce6a3ac66b3d40c7d4e3f5db35e35a61635

SHA512
4ace343bdc8dd08dc9e0cd1548bd8bd3aa9602fc7295d8f5f2e0a6bbda0b748ed5642926d952a35b8cffccbc3773b76b3606b91542f75aff7f8c337d83af621d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8f7f6e730fa62a605a43ab901bd008dc

SHA1
d6a69bf1d8c2eed2c2584e87a550aa9c3b3102d4

SHA256
1759690dc33efbab130aa5cf4dfcb777e21ada0a93f9ce6a02d89dab5fb11cee

SHA512
aab3d1dbd4d0484476b72b146fe54e5295e922c4f5fbe1b29022ca1426129c989059c317b0701ee4b243b68170aed4aef188f8cf835208f50f5912ce081acfac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
1c54d6d114ae392cb3ba2f821f8359b0

SHA1
79d34ca070f00e9c6a01a85044b7ea5e4ee54ac4

SHA256
48013a232a521a817aec562808ff166882fdfda32c7139e60f1310c89d53a6e2

SHA512
6b2ee199d282f504023a2f4176eb59975a27f9e71c5be5c552767a8c09e90629a5ca75dbd7ff79a57ee150a62429a39338e3ba2a90cb02c3e09984593ee693d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab18FE.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar19BF.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFE70CB275DB93754F.TMP

Filesize
16KB

MD5
433fd95288980ae4bddb6bc7571a0c46

SHA1
84c52925021d9b6c48c532e0eea1c3546459df6a

SHA256
5ff988f4c84f3d49ba57c8161433a29ecde4c1f1e50c841dcdb73b8110515156

SHA512
740a6f6db1917b2cd228925648f67d0b9278b77804355900037c89da61b72296e2aba7bce3a48b8a82472a1dbcd9309eb792f368d60feeeba93b23b90554eef6

Download Submit