620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/10/2024, 01:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
Size

897KB
MD5

7c7d7c9a7c7a723469b09c037105fa5f
SHA1

e00589862116dfc518a69e80afbb72d74cc71caa
SHA256

620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7
SHA512

45e4df3d9b95104f27b17d5d9b93a2765cb2b9c7c361f48336b07aa5efd4aa6112af644b9331789190e6bdae16a39b3a606555bca0b2e559bead07b441ad601e
SSDEEP

24576:mqDEvCTbMWu7rQYlBQcBiT6rprG8a4iK:mTvC/MTQYxsWR7a4

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
1420	taskkill.exe
2168	taskkill.exe
4920	taskkill.exe
2184	taskkill.exe
3484	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133725650325515756"	chrome.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
4400	chrome.exe
4400	chrome.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4400	chrome.exe
4400	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1420	taskkill.exe
Token: SeDebugPrivilege	2168	taskkill.exe
Token: SeDebugPrivilege	4920	taskkill.exe
Token: SeDebugPrivilege	2184	taskkill.exe
Token: SeDebugPrivilege	3484	taskkill.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe
Token: SeCreatePagefilePrivilege	4400	chrome.exe
Token: SeShutdownPrivilege	4400	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
4400	chrome.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 1420	400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe	82
PID 400 wrote to memory of 1420	400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe	82
PID 400 wrote to memory of 1420	400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe	82
PID 400 wrote to memory of 2168	400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe	85
PID 400 wrote to memory of 2168	400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe	85
PID 400 wrote to memory of 2168	400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe	85
PID 400 wrote to memory of 4920	400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe	87
PID 400 wrote to memory of 4920	400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe	87
PID 400 wrote to memory of 4920	400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe	87
PID 400 wrote to memory of 2184	400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe	89
PID 400 wrote to memory of 2184	400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe	89
PID 400 wrote to memory of 2184	400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe	89
PID 400 wrote to memory of 3484	400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe	91
PID 400 wrote to memory of 3484	400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe	91
PID 400 wrote to memory of 3484	400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe	91
PID 400 wrote to memory of 4400	400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe	93
PID 400 wrote to memory of 4400	400	620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe	93
PID 4400 wrote to memory of 4256	4400	chrome.exe	94
PID 4400 wrote to memory of 4256	4400	chrome.exe	94
PID 4400 wrote to memory of 2160	4400	chrome.exe	95
PID 4400 wrote to memory of 2160	4400	chrome.exe	95
PID 4400 wrote to memory of 2160	4400	chrome.exe	95
PID 4400 wrote to memory of 2160	4400	chrome.exe	95
PID 4400 wrote to memory of 2160	4400	chrome.exe	95
PID 4400 wrote to memory of 2160	4400	chrome.exe	95
PID 4400 wrote to memory of 2160	4400	chrome.exe	95
PID 4400 wrote to memory of 2160	4400	chrome.exe	95
PID 4400 wrote to memory of 2160	4400	chrome.exe	95
PID 4400 wrote to memory of 2160	4400	chrome.exe	95
PID 4400 wrote to memory of 2160	4400	chrome.exe	95
PID 4400 wrote to memory of 2160	4400	chrome.exe	95
PID 4400 wrote to memory of 2160	4400	chrome.exe	95
PID 4400 wrote to memory of 2160	4400	chrome.exe	95
PID 4400 wrote to memory of 2160	4400	chrome.exe	95
PID 4400 wrote to memory of 2160	4400	chrome.exe	95
PID 4400 wrote to memory of 2160	4400	chrome.exe	95
PID 4400 wrote to memory of 2160	4400	chrome.exe	95
PID 4400 wrote to memory of 2160	4400	chrome.exe	95
PID 4400 wrote to memory of 2160	4400	chrome.exe	95
PID 4400 wrote to memory of 2160	4400	chrome.exe	95
PID 4400 wrote to memory of 2160	4400	chrome.exe	95
PID 4400 wrote to memory of 2160	4400	chrome.exe	95
PID 4400 wrote to memory of 2160	4400	chrome.exe	95
PID 4400 wrote to memory of 2160	4400	chrome.exe	95
PID 4400 wrote to memory of 2160	4400	chrome.exe	95
PID 4400 wrote to memory of 2160	4400	chrome.exe	95
PID 4400 wrote to memory of 2160	4400	chrome.exe	95
PID 4400 wrote to memory of 2160	4400	chrome.exe	95
PID 4400 wrote to memory of 2160	4400	chrome.exe	95
PID 4400 wrote to memory of 4364	4400	chrome.exe	96
PID 4400 wrote to memory of 4364	4400	chrome.exe	96
PID 4400 wrote to memory of 1968	4400	chrome.exe	97
PID 4400 wrote to memory of 1968	4400	chrome.exe	97
PID 4400 wrote to memory of 1968	4400	chrome.exe	97
PID 4400 wrote to memory of 1968	4400	chrome.exe	97
PID 4400 wrote to memory of 1968	4400	chrome.exe	97
PID 4400 wrote to memory of 1968	4400	chrome.exe	97
PID 4400 wrote to memory of 1968	4400	chrome.exe	97
PID 4400 wrote to memory of 1968	4400	chrome.exe	97
PID 4400 wrote to memory of 1968	4400	chrome.exe	97
PID 4400 wrote to memory of 1968	4400	chrome.exe	97
PID 4400 wrote to memory of 1968	4400	chrome.exe	97
PID 4400 wrote to memory of 1968	4400	chrome.exe	97
PID 4400 wrote to memory of 1968	4400	chrome.exe	97

C:\Users\Admin\AppData\Local\Temp\620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe
"C:\Users\Admin\AppData\Local\Temp\620bf5c9f2ac5611b4e9c2a62229e3d45bae79ff23f68b491bc65e1a56bfd0f7.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:400
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM chrome.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1420
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM msedge.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2168
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM firefox.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4920
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM opera.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2184
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM brave.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4400
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffdfab0cc40,0x7ffdfab0cc4c,0x7ffdfab0cc58
    3⤵
    PID:4256
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2076,i,14314968885230340546,15985789702276783149,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2072 /prefetch:2
    3⤵
    PID:2160
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1552,i,14314968885230340546,15985789702276783149,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2060 /prefetch:3
    3⤵
    PID:4364
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2284,i,14314968885230340546,15985789702276783149,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2468 /prefetch:8
    3⤵
    PID:1968
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,14314968885230340546,15985789702276783149,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3164 /prefetch:1
    3⤵
    PID:1208
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,14314968885230340546,15985789702276783149,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3200 /prefetch:1
    3⤵
    PID:5080
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4640,i,14314968885230340546,15985789702276783149,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4656 /prefetch:8
    3⤵
    PID:4496
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4820,i,14314968885230340546,15985789702276783149,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4828 /prefetch:8
    3⤵
    PID:2032
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4940,i,14314968885230340546,15985789702276783149,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=728 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3112

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\7ff2ca7b-776a-4104-8ebb-0d807294c570.tmp

Filesize
212KB

MD5
273fa050f5bd0d5e18956f11286bf0d8

SHA1
8ee01b764e51ec9c7d69b889678fe8d73f3e34c0

SHA256
ba4b7ada9209a4a0220c13f9bc69c6ed1da09577282c0051e86608c5957eba1f

SHA512
cb86e18233a8ec85065180542da438476d0b39e0640faad1ab4d468d8e1eb8557fddba0c1bde4efedf9dacc4a1fdb808da72b6c40c5262e7374973c67f577040

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\90cad988-559f-44ce-b980-51b1e054c5c7.tmp

Filesize
9KB

MD5
cf87d8d66fa014f734e2515e61e01bb6

SHA1
6f7a7e1121bfb5e1b362b5ede8a5656e93675e8e

SHA256
f94168ea355e27fad9067f9b9d157bacb2286aade83f94acdf65591faabd7ef9

SHA512
47c04681a3e7fa703fface9521114b8c506a16c0a73ea8ba8c27be27236cbb257089259df3b35ef986c6e902fab73f43c46d93cbe106358dd176729d454c5d17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
36dc5e426b93667a060600292ed3f227

SHA1
6bed40bedcc8a563706f25b7562324cd548f1f22

SHA256
6d5625d851469126a9b1f217121628e5741d11280763a0376371a1ae6af62742

SHA512
0754f3e52202bfedc7a1fb0dc87d0c294a9043b034f15e83d08fadc1601141f22feda4bb56ba1662c6f50eae0f600fbe097c77fa45db8d46c545e0a0943ec3a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
ed8c75439c961c9bae1ba924a91267e2

SHA1
97c05178835cb4f0e2098a8a7fd88734d9526a33

SHA256
02e927ba077a08ed423adcfb64e905daf14a3ca6082766bfd54ba6132388f248

SHA512
26962e6f5c0c9013bd270354eaef315abd8ff0006168b81ee5486a87b64ce356d16656dfd78159dd9fcde9999129daeac9086986550447693fc64c6406bf6b9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
cb799274c0ad7596242809f046407ddf

SHA1
161215560bc6a4604034bb2d1e322e3ac6ae29d2

SHA256
dc3bc26a5becff22c3f0695dc990722e24fb372cf2d86a953690145bb62b178b

SHA512
105abdfcf61587f50fecc392b7b1c0048b2b9c59e81248f133e972a562a5d648d9747c57adec9e1abb1e9180c035c2d9564707ef89a20832342ba3cf93c4c703

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
c30ba9023926250611e80f9f3ead1bd8

SHA1
da67d7f065f5d8e2281f969be2433e68c8a15919

SHA256
db9fb2d4ca139d8ccc252f395ebfe8aae7ddf2c3011d6257ffba2d3367b8cee2

SHA512
f33caa1097e79a67f59dc1a46942f983f52167714c598ed14c788e4a80c49ec48cd5593a60b89fda971b684acf55123d519dc02de6e335907841cc2ba24e314b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
089371735f2a0a1d305a318a8383491e

SHA1
ed6b88c656534ebdb5d2f01f25d60de80839a3e6

SHA256
e478889e15a01d51cea300b235493e6619e4b7fbb3386c1a0bee34a50028b1ec

SHA512
90b7159043865cc9996196322ce56777fc2e25be8ed8e7d8d101bbdd41cdf4329957037e882d1e0a15f09b12e003695dba7797c6157a4e955788dde5a1eeaf74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ef3a7c076eba8228e6e2000d1aee050e

SHA1
17633fd465638673111521ecbf7dd850e0e7a665

SHA256
7999eb6b09b4290d5f93357a3032bdefd712dd0eccb619fe8321e49bd8f69e6f

SHA512
d7ce05f16ae6163c531d29b765a599ead0a649bdc01bfc380fd61fb884834843482e5744af466f38fc3f44088ef657bed4dde5d82282c7fcfcef3015570f2c51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
515a0f9a95a90f086b74941fa8d29c0b

SHA1
abe7ef4651ab98f81fc204e41c647cdc102bd13b

SHA256
1254d5529592a884af78e8f088839b8df9776b1272d353a5e9c51f72923e98cc

SHA512
a4b9c4e93aeb87f1c768a296c29adec1ae7f167ae0219be1cf91460cb482b344a3b155956e4d391d056a380b9d49704818e94e08f7ee9cbc921e06b65d6ff2b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
62a679ee3fc281cd6807fac4b7c025ee

SHA1
db45ce304fade767bc6b6ac77694ebf49ad1a44c

SHA256
f5925fd4425a3cfe22c7786eebd2482659c64d1e6af5e30785fa976f267b5f1c

SHA512
181488a717d5c8ba556c280827a03de51fe23f9fd857066a9ced837a08526c178936ede1d7b53e56b8e6faf7a2f042edda20164291641fb51cd049a64bd5203c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
977016c13653de95b811d4a91367ec84

SHA1
aa5fe62baf993382aff8a686a7263369df266577

SHA256
6ee097259f67bcb7962762cbf13f476e8184e68aa2cd9ab01facb2d10362bafc

SHA512
09a721c6eae8446a975eac5ceba6f48979acc64cee20a46d2864b096105b0dd0ba8c440c5821ee5aa419edbc0a7eff31838cc9ef2a40c775b9b5457e865076b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
8b3dee1a2b2db0125813233e60eb870c

SHA1
4f1eac3a8a9a8f1f4bda07fc6319cc6ae4da5ab6

SHA256
e3e32a9870950921ab65b12df1499987326bc4846b7130167c17bca403c268d5

SHA512
f3ec1e86a28c364773fd422177640b61a07131a004f44720dfa059216d275c9f03b04a66fe681c7057048e991ce009e86ea9a4cf9dc0c92d3fc6edbd0db3ed42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
212KB

MD5
3d67ed05a1663f855b8e2ba53ea6d922

SHA1
15bdc1099c2f169dd470427fc85c3d185911a49b

SHA256
186cec1b122fa4eb508585f20ea4fc0ec81a0c7647c467bad5a075fa1b8dd20e

SHA512
3ceb54d41ab63dce722626a0a9f348730374f5997f1160d6ec6839b11f3a79816d14e4ecbaa39e9ef0fd6ed57edf888e12f31db62106ad1353689c50235f1fee

Download Submit