shurk | b4b2d99b069c4ef7f184813ce08daa1f97066dcd0b8fed316605c7c6ef02dde5

Analysis

max time kernel
77s
max time network
149s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
26-10-2024 22:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AIMr-main (1).zip
Size

21.6MB
MD5

f358922119f3728f8ebbb5818db1e1d9
SHA1

93b68506d6cb131749fca2f5407d5f5450137059
SHA256

b4b2d99b069c4ef7f184813ce08daa1f97066dcd0b8fed316605c7c6ef02dde5
SHA512

09e5bee1031bd33b0de9d7d7ab586ce8faa34ea2d19698de2e724738c656d7efe17a9a9a6149f2f652a902c560dbe1b5a444aa6a069a8d948d54fec5ee91848f
SSDEEP

393216:36qDFKCYkk3GlKJYOlD4r4KRd1FTJ8gU/tH4OMz9jD0YwmqshJRC6/uWS:36qhKCYAgJpiPTuxi9wmqszRv/I

Score

10^/10

shurk discovery infostealer

Malware Config

Signatures

Shurk
Shurk is an infostealer, written in C++ which appeared in 2021.
infostealer shurk
Shurk family
shurk
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\py_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\py_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\py_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\py_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\py_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.py	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.py\ = "py_auto_file"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2292	7zFM.exe
2292	7zFM.exe
2292	7zFM.exe
2744	chrome.exe
2744	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2292	7zFM.exe
2704	rundll32.exe

Suspicious use of AdjustPrivilegeToken 55 IoCs

description	pid	Process
Token: SeRestorePrivilege	2292	7zFM.exe
Token: 35	2292	7zFM.exe
Token: SeSecurityPrivilege	2292	7zFM.exe
Token: SeSecurityPrivilege	2292	7zFM.exe
Token: SeSecurityPrivilege	2292	7zFM.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
2292	7zFM.exe
2292	7zFM.exe
2292	7zFM.exe
2292	7zFM.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2764	AcroRd32.exe
2764	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2704	2292	7zFM.exe	30
PID 2292 wrote to memory of 2704	2292	7zFM.exe	30
PID 2292 wrote to memory of 2704	2292	7zFM.exe	30
PID 2292 wrote to memory of 2672	2292	7zFM.exe	31
PID 2292 wrote to memory of 2672	2292	7zFM.exe	31
PID 2292 wrote to memory of 2672	2292	7zFM.exe	31
PID 2672 wrote to memory of 2764	2672	rundll32.exe	32
PID 2672 wrote to memory of 2764	2672	rundll32.exe	32
PID 2672 wrote to memory of 2764	2672	rundll32.exe	32
PID 2672 wrote to memory of 2764	2672	rundll32.exe	32
PID 2744 wrote to memory of 1776	2744	chrome.exe	35
PID 2744 wrote to memory of 1776	2744	chrome.exe	35
PID 2744 wrote to memory of 1776	2744	chrome.exe	35
PID 2744 wrote to memory of 1632	2744	chrome.exe	37
PID 2744 wrote to memory of 1632	2744	chrome.exe	37
PID 2744 wrote to memory of 1632	2744	chrome.exe	37
PID 2744 wrote to memory of 1632	2744	chrome.exe	37
PID 2744 wrote to memory of 1632	2744	chrome.exe	37
PID 2744 wrote to memory of 1632	2744	chrome.exe	37
PID 2744 wrote to memory of 1632	2744	chrome.exe	37
PID 2744 wrote to memory of 1632	2744	chrome.exe	37
PID 2744 wrote to memory of 1632	2744	chrome.exe	37
PID 2744 wrote to memory of 1632	2744	chrome.exe	37
PID 2744 wrote to memory of 1632	2744	chrome.exe	37
PID 2744 wrote to memory of 1632	2744	chrome.exe	37
PID 2744 wrote to memory of 1632	2744	chrome.exe	37
PID 2744 wrote to memory of 1632	2744	chrome.exe	37
PID 2744 wrote to memory of 1632	2744	chrome.exe	37
PID 2744 wrote to memory of 1632	2744	chrome.exe	37
PID 2744 wrote to memory of 1632	2744	chrome.exe	37
PID 2744 wrote to memory of 1632	2744	chrome.exe	37
PID 2744 wrote to memory of 1632	2744	chrome.exe	37
PID 2744 wrote to memory of 1632	2744	chrome.exe	37
PID 2744 wrote to memory of 1632	2744	chrome.exe	37
PID 2744 wrote to memory of 1632	2744	chrome.exe	37
PID 2744 wrote to memory of 1632	2744	chrome.exe	37
PID 2744 wrote to memory of 1632	2744	chrome.exe	37
PID 2744 wrote to memory of 1632	2744	chrome.exe	37
PID 2744 wrote to memory of 1632	2744	chrome.exe	37
PID 2744 wrote to memory of 1632	2744	chrome.exe	37
PID 2744 wrote to memory of 1632	2744	chrome.exe	37
PID 2744 wrote to memory of 1632	2744	chrome.exe	37
PID 2744 wrote to memory of 1632	2744	chrome.exe	37
PID 2744 wrote to memory of 1632	2744	chrome.exe	37
PID 2744 wrote to memory of 1632	2744	chrome.exe	37
PID 2744 wrote to memory of 1632	2744	chrome.exe	37
PID 2744 wrote to memory of 1632	2744	chrome.exe	37
PID 2744 wrote to memory of 1632	2744	chrome.exe	37
PID 2744 wrote to memory of 1632	2744	chrome.exe	37
PID 2744 wrote to memory of 1632	2744	chrome.exe	37
PID 2744 wrote to memory of 1632	2744	chrome.exe	37
PID 2744 wrote to memory of 1632	2744	chrome.exe	37
PID 2744 wrote to memory of 2712	2744	chrome.exe	38
PID 2744 wrote to memory of 2712	2744	chrome.exe	38
PID 2744 wrote to memory of 2712	2744	chrome.exe	38
PID 2744 wrote to memory of 2960	2744	chrome.exe	39
PID 2744 wrote to memory of 2960	2744	chrome.exe	39
PID 2744 wrote to memory of 2960	2744	chrome.exe	39
PID 2744 wrote to memory of 2960	2744	chrome.exe	39
PID 2744 wrote to memory of 2960	2744	chrome.exe	39
PID 2744 wrote to memory of 2960	2744	chrome.exe	39
PID 2744 wrote to memory of 2960	2744	chrome.exe	39
PID 2744 wrote to memory of 2960	2744	chrome.exe	39
PID 2744 wrote to memory of 2960	2744	chrome.exe	39

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\AIMr-main (1).zip"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\7zO4F8D98C6\AIMr.py
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2704
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\7zO4F800507\AIMr.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\7zO4F800507\AIMr.py"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5569758,0x7fef5569768,0x7fef5569778
  2⤵
  PID:1776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1140 --field-trial-handle=1376,i,3196351745957214123,11388532991152330742,131072 /prefetch:2
  2⤵
  PID:1632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1472 --field-trial-handle=1376,i,3196351745957214123,11388532991152330742,131072 /prefetch:8
  2⤵
  PID:2712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1608 --field-trial-handle=1376,i,3196351745957214123,11388532991152330742,131072 /prefetch:8
  2⤵
  PID:2960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2232 --field-trial-handle=1376,i,3196351745957214123,11388532991152330742,131072 /prefetch:1
  2⤵
  PID:2824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2240 --field-trial-handle=1376,i,3196351745957214123,11388532991152330742,131072 /prefetch:1
  2⤵
  PID:404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1144 --field-trial-handle=1376,i,3196351745957214123,11388532991152330742,131072 /prefetch:2
  2⤵
  PID:884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1384 --field-trial-handle=1376,i,3196351745957214123,11388532991152330742,131072 /prefetch:1
  2⤵
  PID:336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3472 --field-trial-handle=1376,i,3196351745957214123,11388532991152330742,131072 /prefetch:8
  2⤵
  PID:2204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3588 --field-trial-handle=1376,i,3196351745957214123,11388532991152330742,131072 /prefetch:8
  2⤵
  PID:2848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3484 --field-trial-handle=1376,i,3196351745957214123,11388532991152330742,131072 /prefetch:8
  2⤵
  PID:2768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2812 --field-trial-handle=1376,i,3196351745957214123,11388532991152330742,131072 /prefetch:1
  2⤵
  PID:2756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2572 --field-trial-handle=1376,i,3196351745957214123,11388532991152330742,131072 /prefetch:1
  2⤵
  PID:1604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2640 --field-trial-handle=1376,i,3196351745957214123,11388532991152330742,131072 /prefetch:8
  2⤵
  PID:1904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3776 --field-trial-handle=1376,i,3196351745957214123,11388532991152330742,131072 /prefetch:1
  2⤵
  PID:1744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3872 --field-trial-handle=1376,i,3196351745957214123,11388532991152330742,131072 /prefetch:1
  2⤵
  PID:2224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=2580 --field-trial-handle=1376,i,3196351745957214123,11388532991152330742,131072 /prefetch:1
  2⤵
  PID:1752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=2284 --field-trial-handle=1376,i,3196351745957214123,11388532991152330742,131072 /prefetch:1
  2⤵
  PID:1104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2808 --field-trial-handle=1376,i,3196351745957214123,11388532991152330742,131072 /prefetch:8
  2⤵
  PID:640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4052 --field-trial-handle=1376,i,3196351745957214123,11388532991152330742,131072 /prefetch:8
  2⤵
  PID:1740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=3724 --field-trial-handle=1376,i,3196351745957214123,11388532991152330742,131072 /prefetch:1
  2⤵
  PID:2696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=3920 --field-trial-handle=1376,i,3196351745957214123,11388532991152330742,131072 /prefetch:1
  2⤵
  PID:2720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=2216 --field-trial-handle=1376,i,3196351745957214123,11388532991152330742,131072 /prefetch:1
  2⤵
  PID:2184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=1768 --field-trial-handle=1376,i,3196351745957214123,11388532991152330742,131072 /prefetch:1
  2⤵
  PID:2964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=3000 --field-trial-handle=1376,i,3196351745957214123,11388532991152330742,131072 /prefetch:1
  2⤵
  PID:2224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3884 --field-trial-handle=1376,i,3196351745957214123,11388532991152330742,131072 /prefetch:8
  2⤵
  PID:2420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3808 --field-trial-handle=1376,i,3196351745957214123,11388532991152330742,131072 /prefetch:8
  2⤵
  PID:2568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4236 --field-trial-handle=1376,i,3196351745957214123,11388532991152330742,131072 /prefetch:8
  2⤵
  PID:2352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1592 --field-trial-handle=1376,i,3196351745957214123,11388532991152330742,131072 /prefetch:8
  2⤵
  PID:2424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4172 --field-trial-handle=1376,i,3196351745957214123,11388532991152330742,131072 /prefetch:8
  2⤵
  PID:3048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=536 --field-trial-handle=1376,i,3196351745957214123,11388532991152330742,131072 /prefetch:8
  2⤵
  PID:2764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2484 --field-trial-handle=1376,i,3196351745957214123,11388532991152330742,131072 /prefetch:8
  2⤵
  PID:1948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2780 --field-trial-handle=1376,i,3196351745957214123,11388532991152330742,131072 /prefetch:8
  2⤵
  PID:1536

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a9dc1877d4bfb2849d96745e69198256

SHA1
f724931b8e1b69ab2a898485848785d8d1ff45ca

SHA256
15a5c0a2cf48154f05d4c77517576bb515eddf123ca879a3567e44ce99f9ec70

SHA512
01ad3764958812b67626860a27247e842c40dcd19ec106c3241da3ea04fdd1b039d463212df9f70033850f93e52a9994273886b92cd0e1c016ec934911674f95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
bdf37bf036fc84e59b17155f7e954c47

SHA1
6f166806802ae11397edc2fe8a80878a22ba0ca5

SHA256
3725bb53a0c22efffbe30c29f2367f1aee4b3152d99d9de890956dc378c7dcd5

SHA512
51f452598f911219e322f48a757acc8bff407e7d5817ab59e56a993ed96184781c28d5a894d625e4036a784edc5e99c4dabe4e5e5bc1e495e18a99cd4d55df0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT~RFf77f3b2.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
2c2fc920833cedce99e40e1db00a21c3

SHA1
54a7fcbbad7986a4bab55a7e2ce83c943ee065d6

SHA256
b2edf9a230d3ddfe9fcb7adb53a0ffb70688824bbd6bdb9d43e51273a22eefdd

SHA512
665489658e8ccfc39c25342b7136b8f73f4f292bc4a4561eabe3dfc39aacfd8e3227ff759bff6814b392334a28ea88a0891088912956ab8e8b73dc282d990dcc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
07e937235d1ddce0cb67a6e70908c8ac

SHA1
4c9b85841748399d7b2b4b35e2eb9ab5ddc83507

SHA256
af6932696c17cfc8ffc44a32b1eec7a2c0f05121c35df9197496d980408149c5

SHA512
e1d6cb68a66ecc4299079a34a6d1d157c6156decd54587658fcf5060e21f7e421a5f76dc74e2ca86cdfce24cd035bae592329aa229ff71ac1f56c1a31764daa2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
527B

MD5
d99cf84fd3b9e35d96bdfc03c2b9ff23

SHA1
823989778f40a8766fd2593c0a26544c1d03deb1

SHA256
f5d9a8324fed472064dd7c991d3ec24dfdf921db4612b657deaca4e472bc4f06

SHA512
4c95847e593cd14906858cea61b84399c77c569de036e7dfa5b5c812ecc5801dc67fb3fb0ffdb0a1f9519065b2ba0c94ac494e8ab3ceab44ca564caeb1bd48ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
79a2fc5b3be89498063501232061bb07

SHA1
635a3a2ff81aa526c25942d2a7d472ff42c98baf

SHA256
9a3a5f93f0fa3bd45434e658a9ec0b81209ad2607ea9b4dc9b61a5bd780a6723

SHA512
29d39f0897213611ec2ce93ea99d2ab079dab782f9eabd0d2160478a75b96b670ec225b5f2218f0dec5993ff8008a47d86fbc19bea7834dc4cdb8821415ec048

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a57a0c05fb865d29210dc81fc988308a

SHA1
40a9c00862febadbe03697073f72014038ed6745

SHA256
6c8d9268d81c9607859b2d5e859e20b608292087793737736814a2e6d0bbf5f5

SHA512
3a351b2dfcad14fc5f78b9f8b15ae2d7438a6e0676b234110878caaed19a409f826f88800e8f7d3f6ebcdbe51873fa422f7c3c5db0fe5f377798f7c277fd58c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
27f2434f53294b96f4b6dd0c45d7f34a

SHA1
70b014794f0c547d9a7284e635b017754ca29c4d

SHA256
293db9a21d9fa3fb37f4b4c62f2e08cb2d09d9de6521fe034cae5826741e38d1

SHA512
8288b6dcfeb85cf870bea466ade83320d68f0bad9f716c7aa15c7aa67bbb17292e5358f43145af071a40e68567198fab593cc8e917a50b132a23eb32cf890f7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
953a783d26bf00b4757ac79ad6c6078c

SHA1
e776c30470a3a1bed3a60f011731c0b7de32e3e6

SHA256
6704baf035ea9d25b05f0a38832fefdf75ee0c638eb4f580e7056967d244dc10

SHA512
d39c5581cdaf5d157b6566804303b310d6adf9d97b94ab0681b49f0d49cd02fa2f3b7170c9d7be5f6ac47d1ccc2e89d9493dd70fd9b5ed1cff8367cbc75e79a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a479b88eb9e854173eb2415f6b14fce0

SHA1
3dddf6122f6f979bd6ab7c185268c1f15cd1cc92

SHA256
ba65e7c4d71ea9002ab88f9242e087c8df9d66722875fbc7f12f9cf1216dd47d

SHA512
983ca81fba5c8fc5a4837647981f9497fe0cc99a218ec174e3b616a88c624cbfddd020bda2d0e4fbff5968f7a9055946723cf1a06b7ab2fee9fd00011add368e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
331KB

MD5
c0b896c2f608d4419e001a2f1b18ed05

SHA1
7af61a3e90f2686ce084e245acf0639aca94312c

SHA256
db14690f2eb6ee488b66bf87a01f51fa41929d05ac514b01937c2a97e8b8e8d5

SHA512
688540ad5946e01ec2e1342de95c9cdfd9dac2c7caeb2c168442d55513ebab6f151c7844d3794454d1ea16ced670ad56d7d42af662f69d028a9e93935cefdb0b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
76KB

MD5
8c091a582338593f63196afd3a83d00b

SHA1
ba836074d2d1f29505701042702bbef45286606e

SHA256
275aa540830c36f4246b706a814667704d4260a825cafb67c47310d07d28b21f

SHA512
e72084ed967d75edfa6c877aa71a7345d48c204f638ce7eff1b39010cbe7669aaa2af5d1f866898555a35b11b59fca882a89fbb165d8e206c1f3c83cbd258906

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4F800507\AIMr.py

Filesize
9KB

MD5
59f08c92b759ada1d447387b7b71e5d6

SHA1
394ba0d955bd7e4e37f093a5bbfda9e5fe28cc59

SHA256
bfb4a9e7c1d5ec07d4248e2ce522d271dba26b6300139c7fcd6c3d0107251552

SHA512
ab3286c359872d3c2ad6aa7efdb541ca57a50f55f95d57f9624c5a359f841d8056e01d8a139fc7afbd47a4eea514602c6af466d13590d2dec78bfa4886008235

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9713.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9736.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 486598.crdownload

Filesize
10.8MB

MD5
5cf0f54ccadcc665bd29f0c5070fd5e7

SHA1
1d8ec5907eb4cf457812f767091e6719d30e7b19

SHA256
03aa457629e7bd540d95e903c6eed22f3cad4b2ce6e149493da5fb97e259a0ae

SHA512
fdfc4c758ef24fb0b1d4b14e9e7345ea3f0b284a0de71337d3e3ecbb207325fd40b94d5a3d448f5647556042fb77daceb97938e7d6511b1ddbba351838e6382d

Download Submit