f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2024, 10:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
Size

897KB
MD5

7b1fd20c94451cc574637649feb88694
SHA1

0f93888f5dc249d84a7dc8f2dca3bf92fd90f8ab
SHA256

f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c
SHA512

51a741d5d400aeb478ef7143662ebcdbeab039d1030986e5dc2837aa54097a8d11f3fe3a1babdc6d84a65afd0ed5c68d076a56262d42021e28f09f47a11b5b6b
SSDEEP

24576:MqDEvCTbMWu7rQYlBQcBiT6rprG8a4zK:MTvC/MTQYxsWR7a4

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
1504	taskkill.exe
4276	taskkill.exe
5064	taskkill.exe
2052	taskkill.exe
1812	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133730297242295933"	chrome.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
3120	chrome.exe
3120	chrome.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe
2596	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3120	chrome.exe
3120	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1504	taskkill.exe
Token: SeDebugPrivilege	4276	taskkill.exe
Token: SeDebugPrivilege	5064	taskkill.exe
Token: SeDebugPrivilege	2052	taskkill.exe
Token: SeDebugPrivilege	1812	taskkill.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 1504	1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe	83
PID 1940 wrote to memory of 1504	1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe	83
PID 1940 wrote to memory of 1504	1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe	83
PID 1940 wrote to memory of 4276	1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe	87
PID 1940 wrote to memory of 4276	1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe	87
PID 1940 wrote to memory of 4276	1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe	87
PID 1940 wrote to memory of 5064	1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe	89
PID 1940 wrote to memory of 5064	1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe	89
PID 1940 wrote to memory of 5064	1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe	89
PID 1940 wrote to memory of 2052	1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe	92
PID 1940 wrote to memory of 2052	1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe	92
PID 1940 wrote to memory of 2052	1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe	92
PID 1940 wrote to memory of 1812	1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe	94
PID 1940 wrote to memory of 1812	1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe	94
PID 1940 wrote to memory of 1812	1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe	94
PID 1940 wrote to memory of 3120	1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe	96
PID 1940 wrote to memory of 3120	1940	f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe	96
PID 3120 wrote to memory of 3328	3120	chrome.exe	97
PID 3120 wrote to memory of 3328	3120	chrome.exe	97
PID 3120 wrote to memory of 4932	3120	chrome.exe	98
PID 3120 wrote to memory of 4932	3120	chrome.exe	98
PID 3120 wrote to memory of 4932	3120	chrome.exe	98
PID 3120 wrote to memory of 4932	3120	chrome.exe	98
PID 3120 wrote to memory of 4932	3120	chrome.exe	98
PID 3120 wrote to memory of 4932	3120	chrome.exe	98
PID 3120 wrote to memory of 4932	3120	chrome.exe	98
PID 3120 wrote to memory of 4932	3120	chrome.exe	98
PID 3120 wrote to memory of 4932	3120	chrome.exe	98
PID 3120 wrote to memory of 4932	3120	chrome.exe	98
PID 3120 wrote to memory of 4932	3120	chrome.exe	98
PID 3120 wrote to memory of 4932	3120	chrome.exe	98
PID 3120 wrote to memory of 4932	3120	chrome.exe	98
PID 3120 wrote to memory of 4932	3120	chrome.exe	98
PID 3120 wrote to memory of 4932	3120	chrome.exe	98
PID 3120 wrote to memory of 4932	3120	chrome.exe	98
PID 3120 wrote to memory of 4932	3120	chrome.exe	98
PID 3120 wrote to memory of 4932	3120	chrome.exe	98
PID 3120 wrote to memory of 4932	3120	chrome.exe	98
PID 3120 wrote to memory of 4932	3120	chrome.exe	98
PID 3120 wrote to memory of 4932	3120	chrome.exe	98
PID 3120 wrote to memory of 4932	3120	chrome.exe	98
PID 3120 wrote to memory of 4932	3120	chrome.exe	98
PID 3120 wrote to memory of 4932	3120	chrome.exe	98
PID 3120 wrote to memory of 4932	3120	chrome.exe	98
PID 3120 wrote to memory of 4932	3120	chrome.exe	98
PID 3120 wrote to memory of 4932	3120	chrome.exe	98
PID 3120 wrote to memory of 4932	3120	chrome.exe	98
PID 3120 wrote to memory of 4932	3120	chrome.exe	98
PID 3120 wrote to memory of 4932	3120	chrome.exe	98
PID 3120 wrote to memory of 2156	3120	chrome.exe	99
PID 3120 wrote to memory of 2156	3120	chrome.exe	99
PID 3120 wrote to memory of 3760	3120	chrome.exe	100
PID 3120 wrote to memory of 3760	3120	chrome.exe	100
PID 3120 wrote to memory of 3760	3120	chrome.exe	100
PID 3120 wrote to memory of 3760	3120	chrome.exe	100
PID 3120 wrote to memory of 3760	3120	chrome.exe	100
PID 3120 wrote to memory of 3760	3120	chrome.exe	100
PID 3120 wrote to memory of 3760	3120	chrome.exe	100
PID 3120 wrote to memory of 3760	3120	chrome.exe	100
PID 3120 wrote to memory of 3760	3120	chrome.exe	100
PID 3120 wrote to memory of 3760	3120	chrome.exe	100
PID 3120 wrote to memory of 3760	3120	chrome.exe	100
PID 3120 wrote to memory of 3760	3120	chrome.exe	100
PID 3120 wrote to memory of 3760	3120	chrome.exe	100

C:\Users\Admin\AppData\Local\Temp\f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe
"C:\Users\Admin\AppData\Local\Temp\f122a40e41a241f9ffe9f65ce486d993e6dec0d6eec3548e728343970059bf9c.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM chrome.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1504
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM msedge.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4276
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM firefox.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5064
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM opera.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2052
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM brave.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3120
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa47a9cc40,0x7ffa47a9cc4c,0x7ffa47a9cc58
    3⤵
    PID:3328
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2020,i,16255736330044168712,7209146821279407764,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2016 /prefetch:2
    3⤵
    PID:4932
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1912,i,16255736330044168712,7209146821279407764,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2044 /prefetch:3
    3⤵
    PID:2156
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2248,i,16255736330044168712,7209146821279407764,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2264 /prefetch:8
    3⤵
    PID:3760
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3168,i,16255736330044168712,7209146821279407764,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3188 /prefetch:1
    3⤵
    PID:4088
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3192,i,16255736330044168712,7209146821279407764,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3236 /prefetch:1
    3⤵
    PID:2400
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4676,i,16255736330044168712,7209146821279407764,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4684 /prefetch:8
    3⤵
    PID:4688
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3720,i,16255736330044168712,7209146821279407764,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4740 /prefetch:8
    3⤵
    PID:1052
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4744,i,16255736330044168712,7209146821279407764,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4780 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2596

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
c277b21dfd597edf3c54c0318b4c8477

SHA1
747a06b57abc8d09f08de20d53c009ad831f0984

SHA256
a0ef891bc4ddbdc6a7191264cdeb8ef8dee319866869e95c1d9421d3cd8772bb

SHA512
2cfd89a1e3da692c9382c13295a2cb9bee9c7a90d8ec99ef24a8d19cb229b4763f5c5a3d7d63657566c94b97c2919ed210419b3a3d362ddcefeecd596adecaf6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
68aa3b6de15d1cae5cdb343155fddced

SHA1
775565e91e885c5e3144c2cb4a5b59942b6bc3bc

SHA256
3f7d8a543499a053328e182e2a7c3b26aac28a260dc24e990e42b0d96c37a955

SHA512
0a9c5d8c0f72f006c79df91f19bba1900725086f251707e4ba96278679f5eac9694b9bc22439da5af905b5124e5356820753b37b36fbf48ce501aeba9e3213b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
2003d51059a67422aceb6ff4687fb0d6

SHA1
6811e36fffd09bab8561fd55f0d1c3119b10e450

SHA256
e39828fd7556e64f35b01c5fd043f36010a7b9a3dc90be6f0a875ffba109b482

SHA512
050a8d7bf4584a5f68b5bb1f134aebe5659e26a5dc13a2ae4b00deaec04712d8e99e8df6b1703ead89e7f1f13bfefdf28cfd92bebcc7a15fa44a346f0bf7b5f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
17296dc0b1c5b7a7bbcade6b03debe3c

SHA1
57832bdc73cbba6045202825cf036bd788ab9810

SHA256
27f0499c7896ada1cb0678389874f41b3eafffb81b4c277a984795fed6896e51

SHA512
4ec5e3f398cc7043eb3bc38296553079acdbabcda62ce85312e9e15c2d8b453dd9578e31212757ea8afde85138a9417cd4dcd7e83b2610a70a449346ca964202

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
250ad534e8603add0ca89e992550aa23

SHA1
bbf93c69d8d3ca4270c8e0b02bc3694bb7b1276a

SHA256
d87affa10d5f130acb6bf9a322facee9d6e5b02e51ab8713568cf55b7eee0afd

SHA512
8d4880fa1144510c8a28538ee24ff4aa93e9038af888653c881784b5037bb810ddb86852afcf3a02aa7afac90095dd78bafc0a09d82b0bd56e104baf629ae203

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
95095f510d82d15b310bac62b0c472f1

SHA1
e7f3f078b54b545a260028d2abbec74de678086e

SHA256
4e10921c434914dd16c3d313d79cd7fe620eb32ffb3015dc222da88b7fb23f69

SHA512
f2e164c21d93214e5c7c6a327b0a36caa8c8452d7999152cb60aa5d6ec866eccca9d95d4a13b9b68c211beee408b8d89446a07b5cdafd5b057ce0f05c38b8f65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0cd65e9a2d24e3942488ad1c71824c81

SHA1
df1fd9e4d5a18c6117e6c94b805ee2a2874f5613

SHA256
7651f1873f3bc278d475b3ccdb8d0499a3fb9e90b49a3fda035c6905f2ae61c4

SHA512
f6c20992760da5d8799c8fd00f22d352d3a861f7de9c73e47cde42e08785ded0ab159ad1e2fe6198bf7460e4e9c71c6f20f4e433468c586b127c1ce8e06790d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
21db2bf53f26b9957dcd202e40ca7017

SHA1
9704356bb7f56e163ae080cdde03ffd243fed06e

SHA256
1b68ba1d427e92e0da05b9f2d22dae3533e8afdbf2b6c080a0a97c07dbf13461

SHA512
29e0f961cd2c51deda1ddc02b62db5868b07cc7fe202cf268b1a1922151ca23a0f5574432c0dd227d348ee678442e04392c0e905cd4fead4822c04aff27bfb83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
f84587dfdb643d02bbac21e1229c988e

SHA1
a8ca934455090d5f8d71cb85e32fb5b0681ef27b

SHA256
d27f1c6467a50ef8ba24959fcee51f99f36ae35c25922609f3a1676b758bcb44

SHA512
69dcd11e77fdd48e5caf07d14dc40db523f5e45d34813c7f5a263c44ebcb730895567e79abf2ee0a2a84ae2facd1830a60c4413422a9255f1c71a81cbdc70bee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
6ae3480252cb790701c48977999d4d29

SHA1
b4f85dc06c2debdcd2dbed9779ffc2a4b2407ef0

SHA256
e46e94519e70bae5d40032a17e4d363910e56a5741dc87d3e2a2abd7e57ccc58

SHA512
b39dbd446ebf03965d1bbc94b0b0e938acae8a6c36b032ffeb522f6479c220dcf725c1cf035a1f978d3b315cdb85b25f6349d4ed434f1b39e651c47e3876beed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
6e59ace6481eab7745f787cd823e9b37

SHA1
60878605a79d32b5248238794b01dded7f28d0ba

SHA256
6a6c0c4be7e13567f05df23dbda02f55679cccb48b50fa2dd81444a56c473231

SHA512
07b48370b8cfe378d22d7a170aee9e8182e9f8d6adbf92a0a385c2a568de3d9b85cebc18fd2416c9879e164ad932bd6429ead43317d8ed117f249d073b467d5e

Download Submit