2cf71d098c608c56e07f4655855a886c3102553f648df88458df616b26fd612f

Resubmissions

01-09-2024 19:55

240901-yncjka1bqa 7

01-09-2024 19:51

240901-yk6m8szepp 7

Analysis

max time kernel
335s
max time network
1123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01-09-2024 19:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dxwebsetup.exe
Size

288KB
MD5

2cbd6ad183914a0c554f0739069e77d7
SHA1

7bf35f2afca666078db35ca95130beb2e3782212
SHA256

2cf71d098c608c56e07f4655855a886c3102553f648df88458df616b26fd612f
SHA512

ff1af2d2a883865f2412dddcd68006d1907a719fe833319c833f897c93ee750bac494c0991170dc1cf726b3f0406707daa361d06568cd610eeb4ed1d9c0fbb10
SSDEEP

6144:kWK8fc2liXmrLxcdRDLiH1vVRGVOhMp421/7YQV:VcvgLARDI1KIOzO0

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1808	dxwsetup.exe

Loads dropped DLL 5 IoCs

pid	Process
2680	dxwebsetup.exe
1808	dxwsetup.exe
1808	dxwsetup.exe
1808	dxwsetup.exe
1808	dxwsetup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	dxwebsetup.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	dxwsetup.exe
File opened (read-only)	\??\G:	dxwsetup.exe
File opened (read-only)	\??\I:	dxwsetup.exe
File opened (read-only)	\??\M:	dxwsetup.exe
File opened (read-only)	\??\P:	dxwsetup.exe
File opened (read-only)	\??\Q:	dxwsetup.exe
File opened (read-only)	\??\Z:	dxwsetup.exe
File opened (read-only)	\??\A:	dxwsetup.exe
File opened (read-only)	\??\H:	dxwsetup.exe
File opened (read-only)	\??\J:	dxwsetup.exe
File opened (read-only)	\??\K:	dxwsetup.exe
File opened (read-only)	\??\N:	dxwsetup.exe
File opened (read-only)	\??\W:	dxwsetup.exe
File opened (read-only)	\??\Y:	dxwsetup.exe
File opened (read-only)	\??\E:	dxwsetup.exe
File opened (read-only)	\??\O:	dxwsetup.exe
File opened (read-only)	\??\U:	dxwsetup.exe
File opened (read-only)	\??\L:	dxwsetup.exe
File opened (read-only)	\??\R:	dxwsetup.exe
File opened (read-only)	\??\S:	dxwsetup.exe
File opened (read-only)	\??\T:	dxwsetup.exe
File opened (read-only)	\??\V:	dxwsetup.exe
File opened (read-only)	\??\X:	dxwsetup.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\DirectX\WebSetup\filelist.dat	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\SETB970.tmp	dxwsetup.exe
File created	C:\Windows\SysWOW64\directx\websetup\SETB970.tmp	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\dsetup.dll	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\SETB971.tmp	dxwsetup.exe
File created	C:\Windows\SysWOW64\directx\websetup\SETB971.tmp	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\dsetup32.dll	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\DirectX\WebSetup	dxwsetup.exe

Drops file in Windows directory 39 IoCs

description	ioc	Process
File created	C:\Windows\msdownld.tmp\AS774635.tmp\dxupdate.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS775DCB.tmp	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS779657.tmp	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS77086B.tmp\dxupdate.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS7742AC.tmp	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS779657.tmp\dxupdate.cab	dxwsetup.exe
File opened for modification	C:\Windows\Logs\DirectX.log	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS7782C8.tmp\dxupdate.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS772398.tmp	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS7732F4.tmp\dxupdate.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS774635.tmp\dxupdate.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS771FA2.tmp\dxupdate.cab	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS772398.tmp\dxupdate.cab	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS7742AC.tmp\dxupdate.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS775DCB.tmp\dxupdate.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS7782C8.tmp\dxupdate.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS779657.tmp\dxupdate.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS771FA2.tmp	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS772F4C.tmp\dxupdate.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS7742AC.tmp\dxupdate.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS77086B.tmp	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS772F4C.tmp	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS772398.tmp\dxupdate.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS772F4C.tmp\dxupdate.cab	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS775DCB.tmp\dxupdate.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS77086B.tmp\dxupdate.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS771824.tmp	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS7732F4.tmp	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS7782C8.tmp	dxwsetup.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS771824.tmp\dxupdate.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS7732F4.tmp\dxupdate.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS774635.tmp	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS7759B5.tmp\dxupdate.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS7759B5.tmp\dxupdate.cab	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS7759B5.tmp	dxwsetup.exe
File opened for modification	C:\Windows\msdownld.tmp\AS771824.tmp\dxupdate.cab	dxwsetup.exe
File created	C:\Windows\msdownld.tmp\AS771FA2.tmp\dxupdate.cab	dxwsetup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxwebsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxwsetup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1808	dxwsetup.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1808	dxwsetup.exe
Token: SeRestorePrivilege	1808	dxwsetup.exe
Token: SeRestorePrivilege	1808	dxwsetup.exe
Token: SeRestorePrivilege	1808	dxwsetup.exe
Token: SeRestorePrivilege	1808	dxwsetup.exe
Token: SeRestorePrivilege	1808	dxwsetup.exe
Token: SeRestorePrivilege	1808	dxwsetup.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe
Token: SeShutdownPrivilege	1560	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1808	dxwsetup.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe
1560	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 1808	2680	dxwebsetup.exe	30
PID 2680 wrote to memory of 1808	2680	dxwebsetup.exe	30
PID 2680 wrote to memory of 1808	2680	dxwebsetup.exe	30
PID 2680 wrote to memory of 1808	2680	dxwebsetup.exe	30
PID 2680 wrote to memory of 1808	2680	dxwebsetup.exe	30
PID 2680 wrote to memory of 1808	2680	dxwebsetup.exe	30
PID 2680 wrote to memory of 1808	2680	dxwebsetup.exe	30
PID 1560 wrote to memory of 2388	1560	chrome.exe	34
PID 1560 wrote to memory of 2388	1560	chrome.exe	34
PID 1560 wrote to memory of 2388	1560	chrome.exe	34
PID 1560 wrote to memory of 2980	1560	chrome.exe	36
PID 1560 wrote to memory of 2980	1560	chrome.exe	36
PID 1560 wrote to memory of 2980	1560	chrome.exe	36
PID 1560 wrote to memory of 2980	1560	chrome.exe	36
PID 1560 wrote to memory of 2980	1560	chrome.exe	36
PID 1560 wrote to memory of 2980	1560	chrome.exe	36
PID 1560 wrote to memory of 2980	1560	chrome.exe	36
PID 1560 wrote to memory of 2980	1560	chrome.exe	36
PID 1560 wrote to memory of 2980	1560	chrome.exe	36
PID 1560 wrote to memory of 2980	1560	chrome.exe	36
PID 1560 wrote to memory of 2980	1560	chrome.exe	36
PID 1560 wrote to memory of 2980	1560	chrome.exe	36
PID 1560 wrote to memory of 2980	1560	chrome.exe	36
PID 1560 wrote to memory of 2980	1560	chrome.exe	36
PID 1560 wrote to memory of 2980	1560	chrome.exe	36
PID 1560 wrote to memory of 2980	1560	chrome.exe	36
PID 1560 wrote to memory of 2980	1560	chrome.exe	36
PID 1560 wrote to memory of 2980	1560	chrome.exe	36
PID 1560 wrote to memory of 2980	1560	chrome.exe	36
PID 1560 wrote to memory of 2980	1560	chrome.exe	36
PID 1560 wrote to memory of 2980	1560	chrome.exe	36
PID 1560 wrote to memory of 2980	1560	chrome.exe	36
PID 1560 wrote to memory of 2980	1560	chrome.exe	36
PID 1560 wrote to memory of 2980	1560	chrome.exe	36
PID 1560 wrote to memory of 2980	1560	chrome.exe	36
PID 1560 wrote to memory of 2980	1560	chrome.exe	36
PID 1560 wrote to memory of 2980	1560	chrome.exe	36
PID 1560 wrote to memory of 2980	1560	chrome.exe	36
PID 1560 wrote to memory of 2980	1560	chrome.exe	36
PID 1560 wrote to memory of 2980	1560	chrome.exe	36
PID 1560 wrote to memory of 2980	1560	chrome.exe	36
PID 1560 wrote to memory of 2980	1560	chrome.exe	36
PID 1560 wrote to memory of 2980	1560	chrome.exe	36
PID 1560 wrote to memory of 2980	1560	chrome.exe	36
PID 1560 wrote to memory of 2980	1560	chrome.exe	36
PID 1560 wrote to memory of 2980	1560	chrome.exe	36
PID 1560 wrote to memory of 2980	1560	chrome.exe	36
PID 1560 wrote to memory of 2980	1560	chrome.exe	36
PID 1560 wrote to memory of 2980	1560	chrome.exe	36
PID 1560 wrote to memory of 2732	1560	chrome.exe	37
PID 1560 wrote to memory of 2732	1560	chrome.exe	37
PID 1560 wrote to memory of 2732	1560	chrome.exe	37
PID 1560 wrote to memory of 2860	1560	chrome.exe	38
PID 1560 wrote to memory of 2860	1560	chrome.exe	38
PID 1560 wrote to memory of 2860	1560	chrome.exe	38
PID 1560 wrote to memory of 2860	1560	chrome.exe	38
PID 1560 wrote to memory of 2860	1560	chrome.exe	38
PID 1560 wrote to memory of 2860	1560	chrome.exe	38
PID 1560 wrote to memory of 2860	1560	chrome.exe	38
PID 1560 wrote to memory of 2860	1560	chrome.exe	38
PID 1560 wrote to memory of 2860	1560	chrome.exe	38
PID 1560 wrote to memory of 2860	1560	chrome.exe	38
PID 1560 wrote to memory of 2860	1560	chrome.exe	38
PID 1560 wrote to memory of 2860	1560	chrome.exe	38

C:\Users\Admin\AppData\Local\Temp\dxwebsetup.exe
"C:\Users\Admin\AppData\Local\Temp\dxwebsetup.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6ad9758,0x7fef6ad9768,0x7fef6ad9778
  2⤵
  PID:2388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1136 --field-trial-handle=1368,i,11906331752675910732,18035518520432180870,131072 /prefetch:2
  2⤵
  PID:2980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1376 --field-trial-handle=1368,i,11906331752675910732,18035518520432180870,131072 /prefetch:8
  2⤵
  PID:2732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1584 --field-trial-handle=1368,i,11906331752675910732,18035518520432180870,131072 /prefetch:8
  2⤵
  PID:2860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2344 --field-trial-handle=1368,i,11906331752675910732,18035518520432180870,131072 /prefetch:1
  2⤵
  PID:2672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2364 --field-trial-handle=1368,i,11906331752675910732,18035518520432180870,131072 /prefetch:1
  2⤵
  PID:3060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1392 --field-trial-handle=1368,i,11906331752675910732,18035518520432180870,131072 /prefetch:2
  2⤵
  PID:2936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1384 --field-trial-handle=1368,i,11906331752675910732,18035518520432180870,131072 /prefetch:1
  2⤵
  PID:1268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3872 --field-trial-handle=1368,i,11906331752675910732,18035518520432180870,131072 /prefetch:8
  2⤵
  PID:1588

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
828B

MD5
2fd869729f61a82d21144762eb7fbd03

SHA1
773139b9ac22562606342db4d75915d080241a36

SHA256
d215b72e63e9992df712df3c43b6353126497167ce7468a169fc8c37503408e2

SHA512
f97f2be9da2b1e073cce19e66848a9d641acda3b3579254287edf112f0bdc11387e7f4ced20a3cf6b8733ee993d4e7139f87be448dbb8be0e6b1b8390dc623d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
632B

MD5
ebd070a1330a6f63c7e0fe5ef0f7774a

SHA1
b306902b9ada9da4b6e0fcbebf646fa58e607f74

SHA256
d7efadad9beff66a3438095512533488d0ea51a5b3b02307ab25eee86e6f07bf

SHA512
1c83a966a29d6e2f6167b3161323295f6eecb870499cbf61ab4a808a69f1888e308bf22cb88c780fef403bfb71e2dad19aefa70af380932da3c715ef356b47aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
c7b7bddb0bd1a6f4fa2e8489d354e7e1

SHA1
e0c6fcf27bf5906ae7fc9bbdffca590ac4f3b424

SHA256
a84d5d11f9e93887248e94ae39d3d581264448d5d8665b1d2e46f178f27c7e25

SHA512
22604276e5a16547ae953d265abe50b868e322e8b892a34a4e724963c4c19cb805bf11f25010f334bd305d23a38fdac951961ac60d9ca9e72f319ca9012d683d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
5064cfe5415765ca6d085ef5de9ccaab

SHA1
30b4292da2cc0b8c930e668a2e4838b93f37fcd3

SHA256
d3e54c2eb1e5c323a9be3054a868f09626425fc56faed8262a57e971b674bbd1

SHA512
1e104985284e86e2a23706d9c1633ad20b292f2bacaf6f13ba11afbc0459fea3ef43d9fe577866c2b146c853f3873528bba28e019ff8365b5e38f3a7ac817a4c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFAC.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup.dll

Filesize
93KB

MD5
984cad22fa542a08c5d22941b888d8dc

SHA1
3e3522e7f3af329f2235b0f0850d664d5377b3cd

SHA256
57bc22850bb8e0bcc511a9b54cd3da18eec61f3088940c07d63b9b74e7fe2308

SHA512
8ef171218b331f0591a4b2a5e68dcbae98f5891518ce877f1d8d1769c59c0f4ddae43cc43da6606975078f889c832f0666484db9e047782e7a0ae4a2d41f5bef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup32.dll

Filesize
1.5MB

MD5
a5412a144f63d639b47fcc1ba68cb029

SHA1
81bd5f1c99b22c0266f3f59959dfb4ea023be47e

SHA256
8a011da043a4b81e2b3d41a332e0ff23a65d546bd7636e8bc74885e8746927d6

SHA512
2679a4cb690e8d709cb5e57b59315d22f69f91efa6c4ee841943751c882b0c0457fd4a3376ac3832c757c6dfaffb7d844909c5665b86a95339af586097ee0405

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.cif

Filesize
56KB

MD5
7b1fbe9f5f43b2261234b78fe115cf8e

SHA1
dd0f256ae38b4c4771e1d1ec001627017b7bb741

SHA256
762ff640013db2bd4109d7df43a867303093815751129bd1e33f16bf02e52cce

SHA512
d21935a9867c0f2f7084917c79fbb1da885a1bfd4793cf669ff4da8c777b3a201857250bfb7c2b616625a8d3573c68395d210446d2c284b41cf09cc7cbb07885

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.inf

Filesize
477B

MD5
ad8982eaa02c7ad4d7cdcbc248caa941

SHA1
4ccd8e038d73a5361d754c7598ed238fc040d16b

SHA256
d63c35e9b43eb0f28ffc28f61c9c9a306da9c9de3386770a7eb19faa44dbfc00

SHA512
5c805d78bafff06c36b5df6286709ddf2d36808280f92e62dc4c285edd9176195a764d5cf0bb000da53ca8bbf66ddd61d852e4259e3113f6529e2d7bdbdd6e28

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFCE.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Logs\DirectX.log

Filesize
2KB

MD5
9c229577ed26ce6f1005d113254fbb91

SHA1
e026e9bdfe75c116e599ef6be30b669d5335d0b7

SHA256
459ebf422bbfcac3a1918812ead8cad732c274bd5ae302f53fd696d835743e01

SHA512
95345b9ce339a81c14121f3b0becc1656087c93d1161e05525c16eefcce8d97a50002fa79459b593c091effe1a1c1a6d15879c402c04381fcb75a5970d32ef41

Download Submit
C:\Windows\SysWOW64\directx\websetup\filelist.dat

Filesize
111B

MD5
d6f81567baaf05b557d9bc6c348cb5f1

SHA1
0c840165fcd34d996c85b6b44b00c7206bf772b6

SHA256
e60413bec64775bf1933ef4f9673c8bcfbe0ce71e950fd589bbd14c0f9a00359

SHA512
09b84cc9199592821d7de38cbe24332097b276bb25b6d09f7dcdc3a6b17369ee944a6f8120f13ea6a5c15eb759a90d7ce29cc845a5c0680ff2fa53e2623171e2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

Filesize
515KB

MD5
ac3a5f7be8cd13a863b50ab5fe00b71c

SHA1
eee417cd92e263b84dd3b5dcc2b4b463fe6e84d9

SHA256
8f5e89298e3dc2e22d47515900c37cca4ee121c5ba06a6d962d40ad6e1a595da

SHA512
c8bbe791373dad681f0ac9f5ab538119bde685d4f901f5db085c73163fc2e868972b2de60e72ccd44f745f1fd88fcde2e27f32302d8cbd3c1f43e6e657c79fba

Download Submit