de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/10/2024, 01:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
Size

897KB
MD5

a8beb4b800d6a4cde9a47ff2e97d209a
SHA1

378f551dd21ca9be7126b569d804dd66b99e0055
SHA256

de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf
SHA512

b6d033ed8462a9ca84d517c4a133259c3f7967bb297ba2b6709d412524dfcf556e184fca39f56ba835a1c531b5f46a30b5035085c267d001de31f485013365d2
SSDEEP

24576:IqDEvCTbMWu7rQYlBQcBiT6rprG8a4rK:ITvC/MTQYxsWR7a4

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
4396	taskkill.exe
2688	taskkill.exe
1128	taskkill.exe
2900	taskkill.exe
2496	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133726516659383678"	chrome.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
1692	chrome.exe
1692	chrome.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1692	chrome.exe
1692	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4396	taskkill.exe
Token: SeDebugPrivilege	2688	taskkill.exe
Token: SeDebugPrivilege	1128	taskkill.exe
Token: SeDebugPrivilege	2900	taskkill.exe
Token: SeDebugPrivilege	2496	taskkill.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 4396	5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe	83
PID 5020 wrote to memory of 4396	5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe	83
PID 5020 wrote to memory of 4396	5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe	83
PID 5020 wrote to memory of 2688	5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe	86
PID 5020 wrote to memory of 2688	5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe	86
PID 5020 wrote to memory of 2688	5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe	86
PID 5020 wrote to memory of 1128	5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe	88
PID 5020 wrote to memory of 1128	5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe	88
PID 5020 wrote to memory of 1128	5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe	88
PID 5020 wrote to memory of 2900	5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe	90
PID 5020 wrote to memory of 2900	5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe	90
PID 5020 wrote to memory of 2900	5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe	90
PID 5020 wrote to memory of 2496	5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe	92
PID 5020 wrote to memory of 2496	5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe	92
PID 5020 wrote to memory of 2496	5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe	92
PID 5020 wrote to memory of 1692	5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe	94
PID 5020 wrote to memory of 1692	5020	de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe	94
PID 1692 wrote to memory of 2708	1692	chrome.exe	95
PID 1692 wrote to memory of 2708	1692	chrome.exe	95
PID 1692 wrote to memory of 5028	1692	chrome.exe	96
PID 1692 wrote to memory of 5028	1692	chrome.exe	96
PID 1692 wrote to memory of 5028	1692	chrome.exe	96
PID 1692 wrote to memory of 5028	1692	chrome.exe	96
PID 1692 wrote to memory of 5028	1692	chrome.exe	96
PID 1692 wrote to memory of 5028	1692	chrome.exe	96
PID 1692 wrote to memory of 5028	1692	chrome.exe	96
PID 1692 wrote to memory of 5028	1692	chrome.exe	96
PID 1692 wrote to memory of 5028	1692	chrome.exe	96
PID 1692 wrote to memory of 5028	1692	chrome.exe	96
PID 1692 wrote to memory of 5028	1692	chrome.exe	96
PID 1692 wrote to memory of 5028	1692	chrome.exe	96
PID 1692 wrote to memory of 5028	1692	chrome.exe	96
PID 1692 wrote to memory of 5028	1692	chrome.exe	96
PID 1692 wrote to memory of 5028	1692	chrome.exe	96
PID 1692 wrote to memory of 5028	1692	chrome.exe	96
PID 1692 wrote to memory of 5028	1692	chrome.exe	96
PID 1692 wrote to memory of 5028	1692	chrome.exe	96
PID 1692 wrote to memory of 5028	1692	chrome.exe	96
PID 1692 wrote to memory of 5028	1692	chrome.exe	96
PID 1692 wrote to memory of 5028	1692	chrome.exe	96
PID 1692 wrote to memory of 5028	1692	chrome.exe	96
PID 1692 wrote to memory of 5028	1692	chrome.exe	96
PID 1692 wrote to memory of 5028	1692	chrome.exe	96
PID 1692 wrote to memory of 5028	1692	chrome.exe	96
PID 1692 wrote to memory of 5028	1692	chrome.exe	96
PID 1692 wrote to memory of 5028	1692	chrome.exe	96
PID 1692 wrote to memory of 5028	1692	chrome.exe	96
PID 1692 wrote to memory of 5028	1692	chrome.exe	96
PID 1692 wrote to memory of 5028	1692	chrome.exe	96
PID 1692 wrote to memory of 3676	1692	chrome.exe	97
PID 1692 wrote to memory of 3676	1692	chrome.exe	97
PID 1692 wrote to memory of 3792	1692	chrome.exe	98
PID 1692 wrote to memory of 3792	1692	chrome.exe	98
PID 1692 wrote to memory of 3792	1692	chrome.exe	98
PID 1692 wrote to memory of 3792	1692	chrome.exe	98
PID 1692 wrote to memory of 3792	1692	chrome.exe	98
PID 1692 wrote to memory of 3792	1692	chrome.exe	98
PID 1692 wrote to memory of 3792	1692	chrome.exe	98
PID 1692 wrote to memory of 3792	1692	chrome.exe	98
PID 1692 wrote to memory of 3792	1692	chrome.exe	98
PID 1692 wrote to memory of 3792	1692	chrome.exe	98
PID 1692 wrote to memory of 3792	1692	chrome.exe	98
PID 1692 wrote to memory of 3792	1692	chrome.exe	98
PID 1692 wrote to memory of 3792	1692	chrome.exe	98

C:\Users\Admin\AppData\Local\Temp\de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe
"C:\Users\Admin\AppData\Local\Temp\de5ea189b27a5f40f9f16f8330129358ec780b6f8b17a854b5e4711f73c64ccf.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM chrome.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4396
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM msedge.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2688
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM firefox.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1128
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM opera.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2900
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM brave.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffcc811cc40,0x7ffcc811cc4c,0x7ffcc811cc58
    3⤵
    PID:2708
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1940,i,3531777999517672831,14464407932134060377,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1936 /prefetch:2
    3⤵
    PID:5028
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1924,i,3531777999517672831,14464407932134060377,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1976 /prefetch:3
    3⤵
    PID:3676
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2240,i,3531777999517672831,14464407932134060377,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2256 /prefetch:8
    3⤵
    PID:3792
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,3531777999517672831,14464407932134060377,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3148 /prefetch:1
    3⤵
    PID:4616
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,3531777999517672831,14464407932134060377,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3176 /prefetch:1
    3⤵
    PID:3708
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4696,i,3531777999517672831,14464407932134060377,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4708 /prefetch:8
    3⤵
    PID:3644
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4788,i,3531777999517672831,14464407932134060377,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4800 /prefetch:8
    3⤵
    PID:3892
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5028,i,3531777999517672831,14464407932134060377,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5044 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4608

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
e01cc47699a23878cd90241873f0187c

SHA1
1d4a46147d8bd2b95b7817e29409d403e36a0bf5

SHA256
d53de3b23703fd20d820d839f4abea2812e46fbd829c976bdc691c2f56a02b09

SHA512
5463516d16b0c7b28c87ff88df195b9f4892bd96c8e561bf1ede6ce28eda942e8fa03273b198f74d0958b491b245bb79a05031d9fb900bf5f32da962ba02b4fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
2a83a1d1f173a2b67aed6adfdd2be8ff

SHA1
58d597ad11d45712012ecc0e0e7c7b99d13d0249

SHA256
b16cc4a3a55fdde3c9f56a851443f29f45ef590a348db8327802235d8879d8b3

SHA512
79a2ec9238a5728a41330ea36430a92bccf90db79986f3fb3e9aeb554571d798ed381d41d9a4736ebdb87203e538be4bf6dd504d388edc41db5831066e168fec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
8c7b3c77d089efee5e6419c851ffa9ed

SHA1
0fb3dbd335a5dc9383dd2c9e895ab82a5bbade31

SHA256
a94e191cb13c008956add7d7981c3665d77db41a455cd38c3ec9924294f951d4

SHA512
ab17d316a57869e5a27546f24168ed97b743f2c57b4132a5c42cc42f010bd8e93ecd8dc6b0d00b781c6538d53f88e5afc82f1a0c0c01b7206e57616576b6b0c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
9723ef3e888c778767a4ab74002264cc

SHA1
9ab6f544804e3089c568a2d1e9effa48975edccb

SHA256
8973fead6e020b11849274843d1cb870f5579a3f3a3db28e2d2a3db6a1291baa

SHA512
88395d8a31a3ef56c0b9a003141cd12df5ca2c3cd0eb8319369ca6135ec9bfed370d4373b1f8497992bc132c6da40bfbdb01deb8f80b075a17f25ba0f02f5e35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
72600ce29af8e6204f3499eefcd325af

SHA1
2e52679e2f3fce580a99ebee8ada70e1f12010d9

SHA256
e84083e4ea3f6d7fe6750529e16b3f9488f6cdfd6dc2b4b57f6d0d917aac225c

SHA512
f31974a49e93cb15a5cc8c44463266da338f4210ef7fb3ef841928ee254519d5bbd205a841e08d3e759cab77a1d773087ddff220b8b0a8de10503e11d250ebe6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
abf241d700d500989113ea37ff0c55e5

SHA1
6fd0cb1afa68ab71956166ad09e99beb5a62935f

SHA256
016ee743023fc499e60b92420ed2883c8219de8af913d785e7e792666d43543a

SHA512
43efd78822e9df92fdff8f1e1d760f1b020ce1cc92b9d4185409064a06940b5a0d68809db87543656dc1318ce74d887c242d4a148e11d8b395276b23e974bba6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
68b789f3b53b2c48455ac6fccbd1379a

SHA1
5f4c7c51cd938b9e98c82d31d430d5e1b020ae6a

SHA256
f6cc30b364522dc2bd7580f42e3c20ff3303d2ecf2cfc209c1236011ada6c908

SHA512
e6580f0eda08fcc0731ec64e3e0f9d2d257ffc6d9c4cd439dcfbe30732698fa65b5d38c37fcbab80f7c6dae409e9102c4c984a7d8fa622685d01cd0e92065801

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
bc5a8aa846ff49cd0a3bcc7b01129db5

SHA1
c35c02bed90f7cb23a56bb91e4cdba0618b91312

SHA256
1ee3dd20d060d9fd696d5f0d5a41b82f55b987fc75dce559df59d4230861b3bc

SHA512
5d1a4fd661f7c9f444256e3f44199648dc986b1852bfc52a5babdd8979ab15a7adbfd6287b65f3c67297e4f53534c00fa3103693294940ac999d0e900f2bb9a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
08c3c44244f6e353e617130783650e4e

SHA1
7f261852f91ef98909d6f17b0bc72e0b4ba2acd1

SHA256
16ce711678efc30d0923ce56e90c23e408d8c2f670b3c49ffd5e966962b894dd

SHA512
6dd94983a2a8a8979f843b0659d1f23ba110a1cde444ada0603e31afec0ab4e1a4c5a4a8f8988f94bfaefd9e5c3a63423097cb42c10864ac78514f49f01fe10c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a316d9e75d38c88a6001a26e42b69975

SHA1
878293fe81c8c2d5d018053547d846068363f385

SHA256
fc4d35a8b3e5aaaeae7f4430edf92e3b22872837a994e6ea8bb70440de1a8ee9

SHA512
0e0ba3a5bc4bcfd5b0cc944f6660c219a1c26e4874a9774e7cbda39311d5068f2e587125657d5b4f238cb8a925a26b8529cacef833cd2a250fe764606fb05d1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bc1c36815cd85621996cc07f6b038ef6

SHA1
ddd18266c5764be95fca2fe00e6b9e664c5a9d3e

SHA256
aaea3ad282aa6579da667e3c4ac4a09d5c69acfe2103903b288799ef29247579

SHA512
65d971a5328e385ca628b0007f1f70892c231d728d5331c4bdb1eb5942cd31de4674e5d706f5053112a6bc9c473059b4a4926786a4e3fe8714ca8bb3d484da3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5510ef58390657481636089260e0bb3b

SHA1
1b0d7e2f212627a91cbb607db50be41cc73202f2

SHA256
2af5f49a66dfa9e558e53520e1b1b6ee3218d296d4b633e0ac424851f7baabbe

SHA512
8e346c0617f7b9c0fb9eb1fee87af72172e132f1edeb9d2a36ac95102a4d3ff2a456e70d282dbc1a64b4ac8dc2de96a2196b7a88e8705ce6c56b82dc61da3e8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
ddb1343359d92a4af68ace558b2c39b8

SHA1
e390529afd43b34abb098aac144b440e1b9e11dd

SHA256
ce5258d9e7cb775e5a1d846ed6406028276b414e8c6bf724574b2d33606530a7

SHA512
852c27806cb2c339c2e32ced33b0166fb765b1cd61d953bf445746f09909cac85ae143225fdd31c41b6995ee10f237d66387c28e0176d122ab11f167bbb0ca3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
212KB

MD5
c39af0b01c5054bf424750931445cc84

SHA1
c51c76249995b80a0027cc95d012b85259f98d34

SHA256
2dad64454bbe22da5f471c277953beba1911253deb1b9c9699757f65b2b751f2

SHA512
af04aaa82ee33f5e024ca5c2e1b66452b92fdc838755e02affe91dd141ce9f4780d5887d5214ce952285951d9344450cb95cf728352b1892f58514771a7bd2a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
212KB

MD5
d15159f641c66d3337d675e8f69bf2b2

SHA1
ff8b8fef366e1a217ab0b432bace286568bf5bba

SHA256
60082d328ab837800653ddd6ca02598a8550604969b62007ab5938f11aca40d1

SHA512
b2d7061bb49750eb2365da8fe163cb80276c6ac820f566556e80eb0367808c6f5af476a17ba93f8ad5c3b4a045ef1ce19213a5b6d290737ccacbe0489c7aa795

Download Submit