metasploit | hxxps://ufile[.]io/neyrxg83

Analysis

max time kernel
300s
max time network
294s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15-09-2024 13:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://ufile.io/neyrxg83

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

147.185.221.22:8080

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Downloads MZ/PE file
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payleeq.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133708798641939493"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-523280732-2327480845-3730041215-1000\{096A8B2E-E41D-48B9-8AEA-5B75AB736455}	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3088	chrome.exe
3088	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe
Token: SeShutdownPrivilege	3088	chrome.exe
Token: SeCreatePagefilePrivilege	3088	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe
3088	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3088 wrote to memory of 3880	3088	chrome.exe	83
PID 3088 wrote to memory of 3880	3088	chrome.exe	83
PID 3088 wrote to memory of 4628	3088	chrome.exe	84
PID 3088 wrote to memory of 4628	3088	chrome.exe	84
PID 3088 wrote to memory of 4628	3088	chrome.exe	84
PID 3088 wrote to memory of 4628	3088	chrome.exe	84
PID 3088 wrote to memory of 4628	3088	chrome.exe	84
PID 3088 wrote to memory of 4628	3088	chrome.exe	84
PID 3088 wrote to memory of 4628	3088	chrome.exe	84
PID 3088 wrote to memory of 4628	3088	chrome.exe	84
PID 3088 wrote to memory of 4628	3088	chrome.exe	84
PID 3088 wrote to memory of 4628	3088	chrome.exe	84
PID 3088 wrote to memory of 4628	3088	chrome.exe	84
PID 3088 wrote to memory of 4628	3088	chrome.exe	84
PID 3088 wrote to memory of 4628	3088	chrome.exe	84
PID 3088 wrote to memory of 4628	3088	chrome.exe	84
PID 3088 wrote to memory of 4628	3088	chrome.exe	84
PID 3088 wrote to memory of 4628	3088	chrome.exe	84
PID 3088 wrote to memory of 4628	3088	chrome.exe	84
PID 3088 wrote to memory of 4628	3088	chrome.exe	84
PID 3088 wrote to memory of 4628	3088	chrome.exe	84
PID 3088 wrote to memory of 4628	3088	chrome.exe	84
PID 3088 wrote to memory of 4628	3088	chrome.exe	84
PID 3088 wrote to memory of 4628	3088	chrome.exe	84
PID 3088 wrote to memory of 4628	3088	chrome.exe	84
PID 3088 wrote to memory of 4628	3088	chrome.exe	84
PID 3088 wrote to memory of 4628	3088	chrome.exe	84
PID 3088 wrote to memory of 4628	3088	chrome.exe	84
PID 3088 wrote to memory of 4628	3088	chrome.exe	84
PID 3088 wrote to memory of 4628	3088	chrome.exe	84
PID 3088 wrote to memory of 4628	3088	chrome.exe	84
PID 3088 wrote to memory of 4628	3088	chrome.exe	84
PID 3088 wrote to memory of 4200	3088	chrome.exe	85
PID 3088 wrote to memory of 4200	3088	chrome.exe	85
PID 3088 wrote to memory of 1064	3088	chrome.exe	86
PID 3088 wrote to memory of 1064	3088	chrome.exe	86
PID 3088 wrote to memory of 1064	3088	chrome.exe	86
PID 3088 wrote to memory of 1064	3088	chrome.exe	86
PID 3088 wrote to memory of 1064	3088	chrome.exe	86
PID 3088 wrote to memory of 1064	3088	chrome.exe	86
PID 3088 wrote to memory of 1064	3088	chrome.exe	86
PID 3088 wrote to memory of 1064	3088	chrome.exe	86
PID 3088 wrote to memory of 1064	3088	chrome.exe	86
PID 3088 wrote to memory of 1064	3088	chrome.exe	86
PID 3088 wrote to memory of 1064	3088	chrome.exe	86
PID 3088 wrote to memory of 1064	3088	chrome.exe	86
PID 3088 wrote to memory of 1064	3088	chrome.exe	86
PID 3088 wrote to memory of 1064	3088	chrome.exe	86
PID 3088 wrote to memory of 1064	3088	chrome.exe	86
PID 3088 wrote to memory of 1064	3088	chrome.exe	86
PID 3088 wrote to memory of 1064	3088	chrome.exe	86
PID 3088 wrote to memory of 1064	3088	chrome.exe	86
PID 3088 wrote to memory of 1064	3088	chrome.exe	86
PID 3088 wrote to memory of 1064	3088	chrome.exe	86
PID 3088 wrote to memory of 1064	3088	chrome.exe	86
PID 3088 wrote to memory of 1064	3088	chrome.exe	86
PID 3088 wrote to memory of 1064	3088	chrome.exe	86
PID 3088 wrote to memory of 1064	3088	chrome.exe	86
PID 3088 wrote to memory of 1064	3088	chrome.exe	86
PID 3088 wrote to memory of 1064	3088	chrome.exe	86
PID 3088 wrote to memory of 1064	3088	chrome.exe	86
PID 3088 wrote to memory of 1064	3088	chrome.exe	86
PID 3088 wrote to memory of 1064	3088	chrome.exe	86
PID 3088 wrote to memory of 1064	3088	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://ufile.io/neyrxg83
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9fec9cc40,0x7ff9fec9cc4c,0x7ff9fec9cc58
  2⤵
  PID:3880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1844,i,12822289460592011886,12863714784110761976,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1836 /prefetch:2
  2⤵
  PID:4628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2132,i,12822289460592011886,12863714784110761976,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2144 /prefetch:3
  2⤵
  PID:4200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2244,i,12822289460592011886,12863714784110761976,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2512 /prefetch:8
  2⤵
  PID:1064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,12822289460592011886,12863714784110761976,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:2368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3120,i,12822289460592011886,12863714784110761976,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:3252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4468,i,12822289460592011886,12863714784110761976,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4488 /prefetch:1
  2⤵
  PID:4340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4628,i,12822289460592011886,12863714784110761976,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4660 /prefetch:1
  2⤵
  PID:996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4404,i,12822289460592011886,12863714784110761976,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4476 /prefetch:1
  2⤵
  PID:3692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4784,i,12822289460592011886,12863714784110761976,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4616,i,12822289460592011886,12863714784110761976,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5116 /prefetch:8
  2⤵
  PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5384,i,12822289460592011886,12863714784110761976,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5352 /prefetch:8
  2⤵
  - Modifies registry class
  PID:1376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5680,i,12822289460592011886,12863714784110761976,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5544 /prefetch:8
  2⤵
  PID:2692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5520,i,12822289460592011886,12863714784110761976,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5500 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5836,i,12822289460592011886,12863714784110761976,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5820 /prefetch:8
  2⤵
  PID:4052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5816,i,12822289460592011886,12863714784110761976,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5976 /prefetch:8
  2⤵
  PID:1684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4744,i,12822289460592011886,12863714784110761976,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5000 /prefetch:1
  2⤵
  PID:4968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6128,i,12822289460592011886,12863714784110761976,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6192 /prefetch:8
  2⤵
  PID:2552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5716,i,12822289460592011886,12863714784110761976,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5556 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3832

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3940

C:\Users\Admin\Desktop\Payleeq.exe
"C:\Users\Admin\Desktop\Payleeq.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2536

C:\Users\Admin\Desktop\Payleeq.exe
"C:\Users\Admin\Desktop\Payleeq.exe"
1⤵
PID:3652

C:\Users\Admin\Desktop\Payleeq.exe
"C:\Users\Admin\Desktop\Payleeq.exe"
1⤵
PID:4180

C:\Users\Admin\Desktop\Payleeq.exe
"C:\Users\Admin\Desktop\Payleeq.exe"
1⤵
PID:4960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\041e0047-d439-4f52-b74d-ee58668e0eb6.tmp

Filesize
9KB

MD5
ec5973f1ec77463bfcb04fba41c59896

SHA1
50d4c5325dddd55c95fef9f49f941092ad825feb

SHA256
894e936b1211cab3ae0818644e2db4cc1b7d87056bd2f77d060821b1fbeb0a23

SHA512
8dbf642b4fd732d11246194b73800e5273887567d908355bda7cc946ebba8b986a8ec869849ce6db23ece3b748d1bebed13274f7ec69cab8a1fb102c3d6dcbf7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
9d9b6613046f90ea39505c88a0bb42b8

SHA1
e778543dbf7555011b3fa9a2f7ebdb36f17c7043

SHA256
f508d6e3fce76d073b94203a40d2be90f1d33e4f45e16a75f4f960f1c58b67cb

SHA512
84b0a2fd240b1f250051b4b09d7d482f1f4a5bc45a194781d9f7bf89ad9c99d7f7dce75f302dc03bf50961b4d292ac9abc1054a6626e1b244cba00dadc43f957

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000009

Filesize
212KB

MD5
08ec57068db9971e917b9046f90d0e49

SHA1
28b80d73a861f88735d89e301fa98f2ae502e94b

SHA256
7a68efe41e5d8408eed6e9d91a7b7b965a3062e4e28eeffeefb8cdba6391f4d1

SHA512
b154142173145122bc49ddd7f9530149100f6f3c5fd2f2e7503b13f7b160147b8b876344f6faae5e8616208c51311633df4c578802ac5d34c005bb154e9057cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
576B

MD5
c1d5a846c948b196bcb88e628c3a12f7

SHA1
2141deaccab36229b7a1ac7c9d6bed745a88d5db

SHA256
0324d41aba38b8831d6dc55d0a6c335d7fe0cd678ab81f0545075cdb6391ebc6

SHA512
56609c8f76d56071e02eff7e2d11be4827680304f75ccab6d3a55eb04664cb0791ab0e78ef4e740812c9bfb67a2ef225f66e1eb97901d35a952c26f1bd0a99e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
ad0d392560e7c317f95b6a2b32a38527

SHA1
20b1bd00ee1bc253e4cd1d690b0c376fe9d1b35c

SHA256
6cee4e008d1af99cb2b85740de29f3809387213460d37b2d672c5b2d09385210

SHA512
993305d0e503af94aa43c41673021579f70897662966a394554592a4395dbff77dec20f51a32bd2c0c44ae843dbc1cc08e31b699e9a89dad9b5624d71f25fa57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
e886a2587b6eda9c59afbac6cafd43ff

SHA1
d232dc7befce0a75c7ea2550eff056885bff56dc

SHA256
27379b53b22a92a306a4482d53119e26fee843a97ba9484d2cfd158874a2f71d

SHA512
6ad569ce4f001e37ac9390956ff6edd03f599a1c2fbd88293fa147b025ec0b71e3d2500e9f1dc6e215b4cffe5dbedd52a3b113fa04135861e29b640ab208b22a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
8621029c20d0218c1ba79fde5964459f

SHA1
466ff3e6b99e0060b52f95fca0931ea8b85e5ccf

SHA256
122158ad4c0c36474ea20f9c008d194b9080a9295c13ae991eb7ec3f4187d237

SHA512
9bc51f0e3e2c290a80b4aa9b3a3335404f7cf10854502e4f7e65735afc3e884a44d5013124fe1f03d78ab527adc393767ea13cc8da6749363f141de8f02ed95f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
37c27fc504ed1f6c02198032b60a8465

SHA1
c66bc2bda107a0f98acc24e483f676f0751fc816

SHA256
c7a637e5a0093720d9f6eeec102e5694435365ff5241176cf0ba41b6039563db

SHA512
8d22309f726d9f088ece38c0c30f45cccae7c6b71445486aea97720c364115cdd465c0956510eb021bd34bf793a462f0f75ccf99ab463bb6d39bb67468ff4aaf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
839bd68221c7e175d819ae79e87b1892

SHA1
726148fa6431b87cc9bee6913ff02ef6df052a09

SHA256
9d96014789822a850b6d12d0aff15b911392a2839144b926458004c1a7ef2a04

SHA512
2ea5413e54734e0d81e7fd1b3622a2466df11cb3c322f6dccb9a200425c593055730531f507ecfed26acd02f77b5bbdfd739af2720bc62a16db338d33f23bad0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
395570a380cb344c79a285101351afc5

SHA1
68e4a5413c7a8b5dd6b74cc541672ebc3e7ff475

SHA256
26370a7e81399b499d240c32cda261bc1b9d06393a9820e072e4cd0e72aeaabb

SHA512
40bdf6ecde03f6bc257f0bb3868346df1fdfa19c58f51e12f8ae39adf35307c2362403656587ce15d7876296ae991950bc980dee0be38a1ec1c845d436364b24

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
18236a943397d594b8b0c3dce8da0757

SHA1
05c4c32175d184363f12f8d43831c69062629707

SHA256
d57ccc66e75189c4305968b5a434aeadb9492857656bf40eae0aa2822c5829fc

SHA512
5cdd58cfc1e78562e19274428ac4c5d238774f170ac845ccfb186c8db2cebd41f81366ddfe2b2cd86efc0e43f9b56d2a5df1682a30b64c30f10a7efa1098d4c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c6ec9816ac9fbdab40bcddf7fad0366a

SHA1
ca57ed9b2921609a9dc2ae580a4f42d5a7af850d

SHA256
a020c7fbc6e1fec70b2bf8c4423ed90d7c1e8fffb013daeb56e5ce8db437a78c

SHA512
d13f81a25cb9f0bd72f40332d238e62aa8bfa97f10c2d8e981daad34af5e53f36cf3ea00060f0f606e56dc47dda46bd1e4dbff28f5cdc6a209de6ecc02a1ef49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7ddd79c18f8d16e57f50b0b3ce9d8e67

SHA1
ad85fc36fc7f51de8776f6ac0486628379aa0805

SHA256
2cf3c6b5d837b6927f669195f1289210a6e4533a2fc1bed68c87f77e87d385d3

SHA512
14c84881ee5193a54575545acc84fa35d5a19365f39df2c9ae64f699282bbdc32e2bd0fe6081ef858c6662956d0cbeb9b2782f179e5192e4bb703c6394153e21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d2464cea035a7c15b43820653a822358

SHA1
f533abe3afc1b97f7b078e24e011eb4b73a1566c

SHA256
717894e305fcbd64a2d72cd3e8422e1c3755de94c0ccb3f31917cbbc5f16cc73

SHA512
795ea14306c7bf338fcc07455d64a9200a6b130ed6251bf31d7e39655fd43928b8c424efea32c0154d52d4ed4c4282f9685e80c05e0d632ae58b11051f82b4fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
135b83b27c2c2f209df32c30352e8c71

SHA1
42db3d1c567761a85819a3d9bacda4e619b9aee1

SHA256
bf1ac8014260f8ae8815876223d7bdff717cd081ee991158789419ee374247db

SHA512
dd8a029c7041569efd99279940237c0d0e885e9b90a367046b162f8d9b7f8d136c4e22ab55f8046676a6706f573051a9fb4d22ff9eb706291daa71dc63d77091

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8395de00fcfaf724cda0c383f0e7db8a

SHA1
c11cf45c501544fedcd45695b4c50a7ef520f2ef

SHA256
27bf5240cd7d1c5ca7792db24f8ddf1f80e60477168f5b63b58c0da1aa239ce6

SHA512
1321ffacadf6de32c5d17948062c50e21d3dcabf6b1209a49c25a560a3735713e65d51e06d68c4e7a2e668bd3c435e5ac88071d5186213a683b8ac1a90632132

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e3572998488bd6b632ef1bc7e4531b2e

SHA1
33cdb4696cac1e0d2bbdc06cb89fff26d0ee9814

SHA256
21316f326e558fcb203a4dfb43ea9bab5e6433c13e6f2c03df5b0de8e1a11406

SHA512
a46faf41f648bfcf4e86bde566b6c2a602b30976ffe287928ec9b05cfa3b2a6ee5e817a754465d76f11aa0a25de6955da9a556a1b41d82440838e6eb79191aaf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
aed4cfe0c28c72652b4f71ab36f87ce0

SHA1
c0d724abead989e36d44584f27dd588aabdc4882

SHA256
b045bc0e92475e11c6498e45685fab48f65d31b22b1e0252f03e05cdb9797f1b

SHA512
272c1f5dd2e4b6223378551568c0a2a73c1e8b2c163848b34261fb95efcf2ebd0e3e4de866aa94707f41afeb49f6bc042a0a5a42bca508d1230b38c5fc4305ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
45e31e7aeaf447427241cf2d029c0b43

SHA1
b17d0f6a352b68076ce99e297064b6a139c1b76e

SHA256
f6940ced86789227ebaf5627ad7554555fc22eaf037f9fff739f2bdde104104b

SHA512
e80ffcd3f7e7cb1c347e1ea006629d4ecb609c7fbfdd6eddb533ca961005aa30cc059fa3332288a27434e0ed737b006816c3b0c651b964d34409775aae4c15b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
472fae66be7fbcf424dcde4aeb909bf6

SHA1
dc9d1593c0a5e409b68b25f2a788b73f19131ef0

SHA256
bc7935b8210694780c10e781dc50014caa2b4a995a2ab8dc6994b5ad8837ab05

SHA512
3369c92278f083f9163459f300c2041b91f85b1eb801891cce467e52d19e6819d05dda9da39bf7f14ded8dd5113795e6d201a67fc1a4132cfbf991b2dffb3216

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
08028c8bb4e21c0b9204ff287e32e0fb

SHA1
b6177446536319def2152065e4ce5538d5dd62c1

SHA256
05e00ac64e93deaa7c014185208a9d8211cf19bee7dd77bfc1609d6196ef87aa

SHA512
58977bca287faf1e7635371d0ef382d7e972a293c87c2f5d42113d8028eb258c636a0aa8ddede75583e67111e1ce94cff7a5ba9090e3a399c1921627dcfcb40e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
96bfe5f13fb181f35902f4446bba2cfb

SHA1
71a20a9e1070189c53ff40df55ba1d7ca58e845f

SHA256
70f5337c833ef3940f9276b20e911105fd42bf3c53952e6c5bdd87ba047bae08

SHA512
a6b75c1b71fad917107d72f0a0ec8ff0bae209fd306a168c70e960fd8a73098d5ea2826fbbd3addbfccdc51e1c18fc1fd3c716ddfa6fd747320e118478e50e84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
48a8985c88bc56c412335f00581f18e6

SHA1
ad7e4cec38494cc616133c61ee45a2c7f0f7254a

SHA256
22ee8b81712ad5eec260743df2667086a87563f53e7ad9fdcf5cb77d14888d80

SHA512
ddc6ad95e30ceb8f90fb0f19672a85a7ef8ea1b79581ea5ef9cd13631c5fac8b3b58a91db8c0f3c3408193037c25a476313ebcd532b9f3e8874983a971517496

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ccb9e919a658520144e2271b2e797d5d

SHA1
1bcbf9347400dc65a107bfaedb722c9120d0d9c0

SHA256
44fbc49b7fbbc1028c22a94650d7d335f4107fb13c874ed765968142d5a66bc4

SHA512
f55990818fe2e82fb5dbcccaf306d322916b1eaa5e3ddd8c94287c8e5df87209b086e778da55800b823f0e527b949aecbab24b4085b9ca612fa74c82609c4d85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a63f6fdd5422f9075c221b58f1035f30

SHA1
0279506acef0dcd8aea8708031c2b4a74eacee72

SHA256
8e515b247c7f4baa754d7600cd746e29ba4829ff6a71a9b5dd1d01d0c785b973

SHA512
b4efc13e479868f8577f863b46b62442f9db9318fde06fabee4bfbd8a0ebb40a587222151fcf6ccf0032357fa6117e26c95d50704c378de1ee2097105cc876ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8479c8f8fe04b9f546f86986c3576d7f

SHA1
567c5f127ff1b5f23b4d91491fd949045797973c

SHA256
cf60cdee2c183ccbdaf30da1c8dc7143e47306dbc2d6f6cc6ad907f5a6006593

SHA512
3d983e13d877024e9f4791c6cc083d1a5a7c76cd99b451b005ee6c88ae1bc950245bf3dee5d12092458798f70ecdb0949f76e1375dff1ae0739ba8158e1f966c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c0dc7bb907c82c86072b7048d2572f57

SHA1
8dbadd31cb01921930668defbca71820e6199268

SHA256
79470b8c8352159766b68d73481f6e0297ce85094af61706fb9076bd314e55ce

SHA512
f6f2671712b6cf0c85534300e298c74ed9552467737b67d6f3c080d5da874778703915815af358e691e335d8f8d3dda58442d5d09a3227c84d72b862fd6c3029

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
2d64e96f0a95de0482a98afc693d793e

SHA1
d7012861997cecdf93759ca16dc586f734477848

SHA256
22990a82bd65afbcd3e6a92d8070b0d800b5054ad569029c66821279f935c7c9

SHA512
ff722d871a61a95894128699bab0ea2002b1677b352e2cb9d70c1557487b068dbd1467d22d4bcc575c65a92e8c906916e33f4a0f0c79c9adccf1ac5375b96c14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
1954a6f1ce1391b39b79d67f5d23b100

SHA1
346150e5752491e3b20260ab9083688520f39cd4

SHA256
00f61bcbbccd4eafd97a32cf70b1eb3c28f9324df8ad130ce0ff69c11bea4dae

SHA512
2d7c98c62b3491f9bd96329dec625b64e9a3aec251c61576c2996fba385c58ade7586ba57e97436d77fa5fe81419e567510c5f33e4320932a9e1d47c46406944

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
42993b4ef370cc4aa039ed5eb126bb05

SHA1
729c6542418bbe10e085f67f6b6a33779d02d720

SHA256
7544ea0eb73c0b0fcb29d325a8ae8c433504fb1c4e3f768c57fb51431ac03e8f

SHA512
3cb26801809495e410924fade905d84868aacfef7c81c084c700f3837b445eddc5e9c41c89ad742cbfa1936c323c006a1e7336f52adb12b7ff76c95ac87b12aa

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 724500.crdownload

Filesize
72KB

MD5
60283d93d8c46de35fae9964d853cecc

SHA1
43b3d800f795d4b51001aae29726c29f19821a45

SHA256
1e1c9ccd9c77bb4e180a6250155aa84cf48256329c7df8bc3232c9803d5dfab8

SHA512
bff6931f39c5ecf23f146b8f4126f6d0f59e1889361d8f78b194b2198caac4a1d6cb143b301edd9b7bc60be9c745cc6efbac4393527ffff1653093066ae9a44f

Download Submit
memory/2536-166-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download