a0109b2dbaa9d58fa022090d798d800fa5edbc429a04c10e83bd833890d4cb89

Resubmissions

10-09-2024 14:24

240910-rq6rvsyhka 10

10-09-2024 14:24

240910-rqptcaxdqm 10

Analysis

max time kernel
948s
max time network
859s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
10-09-2024 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Hollow.nova7.4.exe
Size

18.4MB
MD5

0eccd228c2645b50e28cc82d81d59fbd
SHA1

81f33dad7cf167c36630da3f4ba249f482523fb4
SHA256

a0109b2dbaa9d58fa022090d798d800fa5edbc429a04c10e83bd833890d4cb89
SHA512

d71faf3c32402756776361e01ef8f84c57e87c4a1845aec0cf67806be5ae520e1f0721e45925677beaba08c9138ac04aaeaca1e37d1b61ab59004b822e74a3e3
SSDEEP

393216:qqPnLFXlr9QpDOETgs77fGaQgzxTvEu4SVjNL6q:/PLFXN9QoE7gWicdxr

Score

7^/10

discovery upx

Malware Config

Signatures

Loads dropped DLL 7 IoCs

pid	Process
1260	Hollow.nova7.4.exe
1260	Hollow.nova7.4.exe
1260	Hollow.nova7.4.exe
1260	Hollow.nova7.4.exe
1260	Hollow.nova7.4.exe
1260	Hollow.nova7.4.exe
1260	Hollow.nova7.4.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1260-165-0x000007FEF5D80000-0x000007FEF61EE000-memory.dmp	upx
behavioral1/files/0x000500000001c86c-164.dat	upx

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Saved Games\Microsoft Games\desktop.ini	solitaire.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry class 8 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\GameStats\{8669ECE8-D1C3-4345-8310-E60F6D44FDAF}\LastPlayed = "0"	solitaire.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\GameStats\{8669ECE8-D1C3-4345-8310-E60F6D44FDAF}	solitaire.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings	solitaire.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software	solitaire.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft	solitaire.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows	solitaire.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX	solitaire.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\GameStats	solitaire.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2440	solitaire.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe
Token: SeShutdownPrivilege	2984	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 1260	3016	Hollow.nova7.4.exe	30
PID 3016 wrote to memory of 1260	3016	Hollow.nova7.4.exe	30
PID 3016 wrote to memory of 1260	3016	Hollow.nova7.4.exe	30
PID 2984 wrote to memory of 2816	2984	chrome.exe	37
PID 2984 wrote to memory of 2816	2984	chrome.exe	37
PID 2984 wrote to memory of 2816	2984	chrome.exe	37
PID 2984 wrote to memory of 2660	2984	chrome.exe	39
PID 2984 wrote to memory of 2660	2984	chrome.exe	39
PID 2984 wrote to memory of 2660	2984	chrome.exe	39
PID 2984 wrote to memory of 2660	2984	chrome.exe	39
PID 2984 wrote to memory of 2660	2984	chrome.exe	39
PID 2984 wrote to memory of 2660	2984	chrome.exe	39
PID 2984 wrote to memory of 2660	2984	chrome.exe	39
PID 2984 wrote to memory of 2660	2984	chrome.exe	39
PID 2984 wrote to memory of 2660	2984	chrome.exe	39
PID 2984 wrote to memory of 2660	2984	chrome.exe	39
PID 2984 wrote to memory of 2660	2984	chrome.exe	39
PID 2984 wrote to memory of 2660	2984	chrome.exe	39
PID 2984 wrote to memory of 2660	2984	chrome.exe	39
PID 2984 wrote to memory of 2660	2984	chrome.exe	39
PID 2984 wrote to memory of 2660	2984	chrome.exe	39
PID 2984 wrote to memory of 2660	2984	chrome.exe	39
PID 2984 wrote to memory of 2660	2984	chrome.exe	39
PID 2984 wrote to memory of 2660	2984	chrome.exe	39
PID 2984 wrote to memory of 2660	2984	chrome.exe	39
PID 2984 wrote to memory of 2660	2984	chrome.exe	39
PID 2984 wrote to memory of 2660	2984	chrome.exe	39
PID 2984 wrote to memory of 2660	2984	chrome.exe	39
PID 2984 wrote to memory of 2660	2984	chrome.exe	39
PID 2984 wrote to memory of 2660	2984	chrome.exe	39
PID 2984 wrote to memory of 2660	2984	chrome.exe	39
PID 2984 wrote to memory of 2660	2984	chrome.exe	39
PID 2984 wrote to memory of 2660	2984	chrome.exe	39
PID 2984 wrote to memory of 2660	2984	chrome.exe	39
PID 2984 wrote to memory of 2660	2984	chrome.exe	39
PID 2984 wrote to memory of 2660	2984	chrome.exe	39
PID 2984 wrote to memory of 2660	2984	chrome.exe	39
PID 2984 wrote to memory of 2660	2984	chrome.exe	39
PID 2984 wrote to memory of 2660	2984	chrome.exe	39
PID 2984 wrote to memory of 2660	2984	chrome.exe	39
PID 2984 wrote to memory of 2660	2984	chrome.exe	39
PID 2984 wrote to memory of 2660	2984	chrome.exe	39
PID 2984 wrote to memory of 2660	2984	chrome.exe	39
PID 2984 wrote to memory of 2660	2984	chrome.exe	39
PID 2984 wrote to memory of 2660	2984	chrome.exe	39
PID 2984 wrote to memory of 2184	2984	chrome.exe	40
PID 2984 wrote to memory of 2184	2984	chrome.exe	40
PID 2984 wrote to memory of 2184	2984	chrome.exe	40
PID 2984 wrote to memory of 1808	2984	chrome.exe	41
PID 2984 wrote to memory of 1808	2984	chrome.exe	41
PID 2984 wrote to memory of 1808	2984	chrome.exe	41
PID 2984 wrote to memory of 1808	2984	chrome.exe	41
PID 2984 wrote to memory of 1808	2984	chrome.exe	41
PID 2984 wrote to memory of 1808	2984	chrome.exe	41
PID 2984 wrote to memory of 1808	2984	chrome.exe	41
PID 2984 wrote to memory of 1808	2984	chrome.exe	41
PID 2984 wrote to memory of 1808	2984	chrome.exe	41
PID 2984 wrote to memory of 1808	2984	chrome.exe	41
PID 2984 wrote to memory of 1808	2984	chrome.exe	41
PID 2984 wrote to memory of 1808	2984	chrome.exe	41
PID 2984 wrote to memory of 1808	2984	chrome.exe	41
PID 2984 wrote to memory of 1808	2984	chrome.exe	41
PID 2984 wrote to memory of 1808	2984	chrome.exe	41
PID 2984 wrote to memory of 1808	2984	chrome.exe	41

C:\Users\Admin\AppData\Local\Temp\Hollow.nova7.4.exe
"C:\Users\Admin\AppData\Local\Temp\Hollow.nova7.4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\Temp\Hollow.nova7.4.exe
  "C:\Users\Admin\AppData\Local\Temp\Hollow.nova7.4.exe"
  2⤵
  - Loads dropped DLL
  PID:1260

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5019758,0x7fef5019768,0x7fef5019778
  2⤵
  PID:2816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1172 --field-trial-handle=1128,i,11632353682298589277,17722299126671824038,131072 /prefetch:2
  2⤵
  PID:2660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1460 --field-trial-handle=1128,i,11632353682298589277,17722299126671824038,131072 /prefetch:8
  2⤵
  PID:2184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1612 --field-trial-handle=1128,i,11632353682298589277,17722299126671824038,131072 /prefetch:8
  2⤵
  PID:1808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1608 --field-trial-handle=1128,i,11632353682298589277,17722299126671824038,131072 /prefetch:1
  2⤵
  PID:1796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2284 --field-trial-handle=1128,i,11632353682298589277,17722299126671824038,131072 /prefetch:1
  2⤵
  PID:2132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1592 --field-trial-handle=1128,i,11632353682298589277,17722299126671824038,131072 /prefetch:2
  2⤵
  PID:1676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1564 --field-trial-handle=1128,i,11632353682298589277,17722299126671824038,131072 /prefetch:1
  2⤵
  PID:1104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3656 --field-trial-handle=1128,i,11632353682298589277,17722299126671824038,131072 /prefetch:8
  2⤵
  PID:984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3892 --field-trial-handle=1128,i,11632353682298589277,17722299126671824038,131072 /prefetch:1
  2⤵
  PID:2756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3924 --field-trial-handle=1128,i,11632353682298589277,17722299126671824038,131072 /prefetch:1
  2⤵
  PID:2940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3424 --field-trial-handle=1128,i,11632353682298589277,17722299126671824038,131072 /prefetch:1
  2⤵
  PID:2740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2932 --field-trial-handle=1128,i,11632353682298589277,17722299126671824038,131072 /prefetch:1
  2⤵
  PID:2396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4084 --field-trial-handle=1128,i,11632353682298589277,17722299126671824038,131072 /prefetch:8
  2⤵
  PID:1764

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1984

C:\Program Files\Microsoft Games\solitaire\solitaire.exe
"C:\Program Files\Microsoft Games\solitaire\solitaire.exe"
1⤵
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\72371758-b980-4e31-89b0-6c46a914456c.tmp

Filesize
322KB

MD5
3d38256bb4eeb94c7b3e4f0272ea3035

SHA1
0f95658447f5142ae07a78eb8fc79601e2a8b926

SHA256
35716b7e4601fbffb408e55d18db2fa31767c388aaceeefea2394314cff8f402

SHA512
ae12244ae146bd26d008b303f8547ee071038cfd6aff598a72e6bcab6f22726bce32996349b6da4e96154b09b5cab16c905af448959ca6619c04c31510638ca6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
6440e5b4ea3156744e4a29d42c8a2bd7

SHA1
da7b625fdca100cadf355ded3e112a57f8d25866

SHA256
c06f6986514f9e2a2853949c3809aa06a2d39594470ed4ffc77b5a9552565fb7

SHA512
960de88d405bccc917ad98c1cc04b9a3cb2daddd7a53ab5934e27e3bb2b1638dfa81688239db0910b53af711521a998a788ffabcdcaecf36caa0df2a31582d7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\5ef847b0-e6e1-49de-843e-4c556d22c5a2.tmp

Filesize
4KB

MD5
a299f95cae6846a2b288b7d13b4ad459

SHA1
640dd202dc7b3ca716565a328011b30f39d88b31

SHA256
42215bf73c5d4d8a79a31dc9a0cc8a6852981a729e8fcce77f74fc85423a0c31

SHA512
cd5de2528947c3b1721d1804986cd3a94d40422a2419da2ef679fdbaff367381ecc24affd531703e04f4f25e957fb26aeb7816ce7bc3e4e383b56f4883a5cd0e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
441KB

MD5
4604e676a0a7d18770853919e24ec465

SHA1
415ef3b2ca0851e00ebaf0d6c9f6213c561ac98f

SHA256
a075b01d9b015c616511a9e87da77da3d9881621db32f584e4606ddabf1c1100

SHA512
3d89c21f20772a8bebdb70b29c42fca2f6bffcda49dff9d5644f3f3910b7c710a5c20154a7af5134c9c7a8624a1251b5e56ced9351d87463f31bed8188eb0774

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
829B

MD5
31c827bce51785c9bcfb6963ddda7d63

SHA1
594a98a064489093c038e9d3fe9816c538f6bd32

SHA256
7d5aca5be3931c642f2950f4c364221db786e00998b1832fd7452ca3f5cfd6cc

SHA512
4251786ae8851b7a7bb5fe62cdbc3c27f7318954a0236be24a1fc6ad73ed8384bde70bf18b81a8f1c184401dd49ca3dea05f783fe60c662378f5e5cd04c55d51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
633B

MD5
0374ca248df6e65230056e7d85a5835f

SHA1
c0ef0f95ebc6f10ddd6e651d11d5dfa97da5b19d

SHA256
1fa6d4e09791f121ec28c68ca24526f00371fbf7df81679ca71510134c6aa129

SHA512
1dde6c1f03cea62d9cb5e0acfcdf10ce86c567760b3e8459fdffe749880db5db0c2d48446ac98cfffe4777382f326ffd571d1a282127e7c4a931e18ac0d5cba8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
7845c35795bcd5292efe7427e89a0626

SHA1
5231d5f91d75636828e6860feb83b5386972a4a4

SHA256
5fab897b72316deef4b698455715c1f08f35eaf290029e51cc2858512f0a5cee

SHA512
2e1b35978990b5390d3383c47a8ba4bc66cc8897f02a563e9032c1a2ca6be0f97ba4afeaf6e6f919028113da9fc3e448b5e15dac7bf301c70cc099dfb87539df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
bb399a0bb0211d8c918a075637e3b96e

SHA1
f0c312a6cf309fbd1a0fa69b40c812dc5eb5863b

SHA256
7dc8d67cb7f1dad82893794fbb60dc6ef9e97419627c2a45d30fa8bc3cbd6e46

SHA512
41c81f5777ae7528927bb35443403359d48147b41080027498621c3bed29dba5be50b1d8daa8357ba46d73a1bea3deeb1811c2fe4b672abf07574e74e5c644cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Extension Rules\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Extension State\MANIFEST-000002

Filesize
50B

MD5
22bf0e81636b1b45051b138f48b3d148

SHA1
56755d203579ab356e5620ce7e85519ad69d614a

SHA256
e292f241daafc3df90f3e2d339c61c6e2787a0d0739aac764e1ea9bb8544ee97

SHA512
a4cf1f5c74e0df85dda8750be9070e24e19b8be15c6f22f0c234ef8423ef9ca3db22ba9ef777d64c33e8fd49fada6fcca26c1a14ba18e8472370533a1c65d8d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Preferences

Filesize
1KB

MD5
9c8c3162e74762f7e7483ec7133476b4

SHA1
fc33433bb0d40142912b7ceae6c8dd04dec6ccd6

SHA256
857b5c0cb71ea01626e25a1b8c7451b5aa33883641428e782518adad158ba17e

SHA512
3501dde3c25b1add3619322f2ff8c6a9f80864c722c4c562cc5aa0077e315f3caab4ec4a1941f6c1f28fcc01649bbf899f6aef8f00310d8d399f971cbe4736d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Site Characteristics Database\000002.dbtmp

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Site Characteristics Database\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Site Characteristics Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
322KB

MD5
3326800a4f100320438550d2820b8d90

SHA1
65cb2efe4aa710b450bca8668de635aeff82ad6f

SHA256
4db89af926c76cb09c0aef09e9b29314d5b49b81571ff81fa2f4789c7f72bf60

SHA512
95bed6af8cc4d0b9e347a3ccfaee37a0ac6947139632ae7898ed1492ff5b816526a283d307b516ab161f7987e39992e232e08d21d88da7771ef26996d6d0e6eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
322KB

MD5
e47a8510413f34d61211bdfc03dc950a

SHA1
5592317186c7e8196be0e466e08d926a348644db

SHA256
0db6fb01964886bf71bce7edd28a238559bee45df0476116603a2e664c0c8e57

SHA512
e5fc47238427c7c1d2426c2508578eb1c7387d2787390854a3f25a3c2fbe71b2dcc03bf5365a5f911580913be1413ff10dfe77158f49813c1c73d00e929a2f17

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI30162\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
2b36752a5157359da1c0e646ee9bec45

SHA1
708aeb7e945c9c709109cea359cb31bd7ac64889

SHA256
3e3eb284937b572d1d70ce27be77b5e02eb73704c8b50feb5eb933db1facd2fc

SHA512
fc56080362506e3f38f1b3eb9d3193cdb9e576613c2e672f0fe9df203862f8a0f31938fa48b4ff7115dfe6016fa1fd5c5422fdc1913df63b3fde5f478a8417a1

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI30162\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI30162\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
3589557535bba7641da3d76eefb0c73d

SHA1
6f63107c2212300c7cd1573059c08b43e5bd9b95

SHA256
642b01bb93d2cb529acf56070d65aae3202fd0b48d19fd40ec6763b627bcbee6

SHA512
7aedf3cf686b416f8b419f8af1d57675096ab2c2378c5a006f6ecbf2fe1ad701f28b7be8f08c9083230cf4d15d463371e92a6032178cd6c139d60b26fbd49b06

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI30162\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
774aa9f9318880cb4ad3bf6f464da556

SHA1
3a5c07cf35009c98eb033e1cbde1900135d1abf8

SHA256
ba9fbd3a21879614c050c86a74ad2fffc0362266d6fa7be0ef359de393136346

SHA512
f7b57afb9810e3390d27a5469572fb29f0f1726f599403a180e685466237dff5dec4fdce40105ef1bb057e012d546308213e7cec73e0d7d3c5815eec8189a75d

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI30162\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
b9a20c9223d3e3d3a0c359f001ce1046

SHA1
9710b9a8c393ba00c254cf693c7c37990c447cc8

SHA256
00d9a7353be0a54c17e4862b86196a8b2bc6a007899fa2fbe61afd9765548068

SHA512
a7d5611c0b3b53da6cac61e0374d54d27e6e8a1af90ef66cd7e1b052f906c8b3f6087f4c6de0db3ae0b099df7689ecde6c815a954b728d36d9d3b5d002ccf18e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI30162\python310.dll

Filesize
1.4MB

MD5
69d4f13fbaeee9b551c2d9a4a94d4458

SHA1
69540d8dfc0ee299a7ff6585018c7db0662aa629

SHA256
801317463bd116e603878c7c106093ba7db2bece11e691793e93065223fc7046

SHA512
8e632f141daf44bc470f8ee677c6f0fdcbcacbfce1472d928576bf7b9f91d6b76639d18e386d5e1c97e538a8fe19dd2d22ea47ae1acf138a0925e3c6dd156378

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI30162\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
memory/1260-165-0x000007FEF5D80000-0x000007FEF61EE000-memory.dmp

Filesize
4.4MB

Download
memory/2440-582-0x0000000000360000-0x000000000036A000-memory.dmp

Filesize
40KB

Download
memory/2440-617-0x0000000002020000-0x000000000202A000-memory.dmp

Filesize
40KB

Download
memory/2440-616-0x0000000002020000-0x000000000202A000-memory.dmp

Filesize
40KB

Download
memory/2440-624-0x0000000002020000-0x000000000202A000-memory.dmp

Filesize
40KB

Download
memory/2440-615-0x0000000002020000-0x000000000202A000-memory.dmp

Filesize
40KB

Download
memory/2440-599-0x0000000000360000-0x000000000036A000-memory.dmp

Filesize
40KB

Download
memory/2440-600-0x0000000000360000-0x000000000036A000-memory.dmp

Filesize
40KB

Download
memory/2440-598-0x0000000000360000-0x000000000036A000-memory.dmp

Filesize
40KB

Download
memory/2440-597-0x0000000000360000-0x000000000036A000-memory.dmp

Filesize
40KB

Download
memory/2440-596-0x0000000000360000-0x000000000036A000-memory.dmp

Filesize
40KB

Download
memory/2440-595-0x0000000000360000-0x000000000036A000-memory.dmp

Filesize
40KB

Download
memory/2440-583-0x0000000000360000-0x000000000036A000-memory.dmp

Filesize
40KB

Download
memory/2440-584-0x0000000000360000-0x000000000036A000-memory.dmp

Filesize
40KB

Download
memory/2440-585-0x0000000000360000-0x000000000036A000-memory.dmp

Filesize
40KB

Download
memory/2440-586-0x0000000000360000-0x000000000036A000-memory.dmp

Filesize
40KB

Download
memory/2440-587-0x0000000000360000-0x000000000036A000-memory.dmp

Filesize
40KB

Download