b24f27751c89eea68e10c983ceea31369d24e6e12e87d29afd893beeffa95e7e

Resubmissions

21-11-2024 15:48

241121-s8wv2sxpgr 10

21-11-2024 15:46

241121-s7pqcatkcx 6

21-11-2024 15:36

241121-s2barstjgv 10

Analysis

max time kernel
72s
max time network
74s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
21-11-2024 15:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Documentazione per monitorare la violazione del copyright.zip
Size

156.6MB
MD5

9cdfa7ac2837ce2da978f588d5191566
SHA1

d1b9e0a767ceac5d210b2c009d7b4a06ca0aff6f
SHA256

b24f27751c89eea68e10c983ceea31369d24e6e12e87d29afd893beeffa95e7e
SHA512

d4158b05173beaff62c6b6a0c926a07a13ba5151dbcd698a04b2a13cbd73556cfda3191fcdd41c26b1c663b379c27e1a0e5bc59d449e95a48cb2facb9a0c23ac
SSDEEP

3145728:haUzI7PHmFJiW4Ls9zIVsgrTAWvgGNQ3PEoWBqKOoTJtZFijjdd43r8J5zE0tV7I:hBFJiBA938zBOa6jJd43rK5zRV73I/

Score

10^/10

discovery persistence

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Documentazione per monitorare la violazione del copyright.exe

description pid process target process

PID 1960 created 2764 1960 Documentazione per monitorare la violazione del copyright.exe sihost.exe
Executes dropped EXE 2 IoCs

Processes:

Documentazione per monitorare la violazione del copyright.exeDocumentazione per monitorare la violazione del copyright.exe

pid process

3392 Documentazione per monitorare la violazione del copyright.exe
1960 Documentazione per monitorare la violazione del copyright.exe
Loads dropped DLL 1 IoCs

Processes:

Documentazione per monitorare la violazione del copyright.exe

pid process

3392 Documentazione per monitorare la violazione del copyright.exe

description	pid	process	target process
PID 1960 created 2764	1960	Documentazione per monitorare la violazione del copyright.exe	sihost.exe

pid	process
3392	Documentazione per monitorare la violazione del copyright.exe
1960	Documentazione per monitorare la violazione del copyright.exe

pid	process
3392	Documentazione per monitorare la violazione del copyright.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\*UpdaterCisco = "rundll32.exe C:\\Users\\Admin\\Documents\\AvivaUpdate_0001.dll,EntryPoint"	reg.exe

Drops file in Windows directory 4 IoCs

Processes:

chrome.exesetup.exesetup.exe

description	ioc	process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

668 1960 WerFault.exe Documentazione per monitorare la violazione del copyright.exe

pid	pid_target	process	target process
668	1960	WerFault.exe	Documentazione per monitorare la violazione del copyright.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

reg.exeDocumentazione per monitorare la violazione del copyright.exeDocumentazione per monitorare la violazione del copyright.exesvchost.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Documentazione per monitorare la violazione del copyright.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Documentazione per monitorare la violazione del copyright.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133766779083808969"	chrome.exe

Modifies registry class 4 IoCs

Processes:

BackgroundTransferHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

Documentazione per monitorare la violazione del copyright.exesvchost.exechrome.exe

pid	process
1960	Documentazione per monitorare la violazione del copyright.exe
1960	Documentazione per monitorare la violazione del copyright.exe
1960	Documentazione per monitorare la violazione del copyright.exe
1960	Documentazione per monitorare la violazione del copyright.exe
4528	svchost.exe
4528	svchost.exe
4528	svchost.exe
4528	svchost.exe
1636	chrome.exe
1636	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

1636 chrome.exe
1636 chrome.exe
1636 chrome.exe
1636 chrome.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

7zFM.exechrome.exe

description	pid	process
Token: SeRestorePrivilege	4192	7zFM.exe
Token: 35	4192	7zFM.exe
Token: SeSecurityPrivilege	4192	7zFM.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe
Token: SeShutdownPrivilege	1636	chrome.exe
Token: SeCreatePagefilePrivilege	1636	chrome.exe

Suspicious use of FindShellTrayWindow 29 IoCs

Processes:

7zFM.exechrome.exe

pid	process
4192	7zFM.exe
4192	7zFM.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

chrome.exe

pid	process
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe
1636	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MiniSearchHost.exe

pid process

604 MiniSearchHost.exe

pid	process
604	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Documentazione per monitorare la violazione del copyright.exeDocumentazione per monitorare la violazione del copyright.execmd.exechrome.exe

description	pid	process	target process
PID 3392 wrote to memory of 1960	3392	Documentazione per monitorare la violazione del copyright.exe	Documentazione per monitorare la violazione del copyright.exe
PID 3392 wrote to memory of 1960	3392	Documentazione per monitorare la violazione del copyright.exe	Documentazione per monitorare la violazione del copyright.exe
PID 3392 wrote to memory of 1960	3392	Documentazione per monitorare la violazione del copyright.exe	Documentazione per monitorare la violazione del copyright.exe
PID 3392 wrote to memory of 1960	3392	Documentazione per monitorare la violazione del copyright.exe	Documentazione per monitorare la violazione del copyright.exe
PID 3392 wrote to memory of 1960	3392	Documentazione per monitorare la violazione del copyright.exe	Documentazione per monitorare la violazione del copyright.exe
PID 1960 wrote to memory of 4528	1960	Documentazione per monitorare la violazione del copyright.exe	svchost.exe
PID 1960 wrote to memory of 4528	1960	Documentazione per monitorare la violazione del copyright.exe	svchost.exe
PID 1960 wrote to memory of 4528	1960	Documentazione per monitorare la violazione del copyright.exe	svchost.exe
PID 1960 wrote to memory of 4528	1960	Documentazione per monitorare la violazione del copyright.exe	svchost.exe
PID 1960 wrote to memory of 4528	1960	Documentazione per monitorare la violazione del copyright.exe	svchost.exe
PID 3392 wrote to memory of 2988	3392	Documentazione per monitorare la violazione del copyright.exe	cmd.exe
PID 3392 wrote to memory of 2988	3392	Documentazione per monitorare la violazione del copyright.exe	cmd.exe
PID 3392 wrote to memory of 2988	3392	Documentazione per monitorare la violazione del copyright.exe	cmd.exe
PID 2988 wrote to memory of 4440	2988	cmd.exe	reg.exe
PID 2988 wrote to memory of 4440	2988	cmd.exe	reg.exe
PID 2988 wrote to memory of 4440	2988	cmd.exe	reg.exe
PID 1636 wrote to memory of 4152	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 4152	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 3888	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 3888	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 3888	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 3888	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 3888	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 3888	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 3888	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 3888	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 3888	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 3888	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 3888	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 3888	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 3888	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 3888	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 3888	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 3888	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 3888	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 3888	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 3888	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 3888	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 3888	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 3888	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 3888	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 3888	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 3888	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 3888	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 3888	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 3888	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 3888	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 3888	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 4260	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 4260	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2352	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2352	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2352	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2352	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2352	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2352	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2352	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2352	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2352	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2352	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2352	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2352	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2352	1636	chrome.exe	chrome.exe
PID 1636 wrote to memory of 2352	1636	chrome.exe	chrome.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2764
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4528

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Documentazione per monitorare la violazione del copyright.zip"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4192

C:\Users\Admin\Desktop\Documentazione per monitorare la violazione del copyright.exe
"C:\Users\Admin\Desktop\Documentazione per monitorare la violazione del copyright.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3392
- C:\Users\Admin\Desktop\Documentazione per monitorare la violazione del copyright.exe
  "C:\Users\Admin\Desktop\Documentazione per monitorare la violazione del copyright.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 264
    3⤵
    - Program crash
    PID:668
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\AvivaUpdate_0001.dll",EntryPoint /f & exit
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\AvivaUpdate_0001.dll",EntryPoint /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:4440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1960 -ip 1960
1⤵
PID:3856

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:604

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc76a4cc40,0x7ffc76a4cc4c,0x7ffc76a4cc58
  2⤵
  PID:4152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1768,i,18181912969067794654,15275026106438877500,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1760 /prefetch:2
  2⤵
  PID:3888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2008,i,18181912969067794654,15275026106438877500,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2104 /prefetch:3
  2⤵
  PID:4260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2200,i,18181912969067794654,15275026106438877500,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2112 /prefetch:8
  2⤵
  PID:2352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3052,i,18181912969067794654,15275026106438877500,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:4804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,18181912969067794654,15275026106438877500,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:4528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4452,i,18181912969067794654,15275026106438877500,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4464 /prefetch:1
  2⤵
  PID:4756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4776,i,18181912969067794654,15275026106438877500,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4780 /prefetch:8
  2⤵
  PID:820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4808,i,18181912969067794654,15275026106438877500,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4764 /prefetch:8
  2⤵
  PID:544
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:928
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff74ca64698,0x7ff74ca646a4,0x7ff74ca646b0
    3⤵
    - Drops file in Windows directory
    PID:4832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4612,i,18181912969067794654,15275026106438877500,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5048 /prefetch:1
  2⤵
  PID:2044

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\3a5bc812-0405-4e08-a1f7-8cfd57ddc2b4.tmp

Filesize
232KB

MD5
98fdcaeb43c2a3410be69d3c990b7faa

SHA1
509cbdc48cba851f90547e172df688628ec612dd

SHA256
ee0a79a01b14d8dda34e8e9737632e94c03e80b955f9bb5a0c6760c70f3a2cfb

SHA512
9c1e1e9f329a90ae918ea466f0a106e8b7edcb9baffa259fdaa908d2391dd29a75e224a4491efbfd830a127632766bbec074aeb0eeeb7df4cf30fdadaccd7bc4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
ba7b5326d2e71e9c9fc585fd7029792b

SHA1
4bd2ac62aac82df640882e0e7e4f385e2b996a9a

SHA256
5b6f18039364ffd1c44c7f00d02e30eff7ea39b5220cfa0154368fae80f0b1d2

SHA512
c16dd4c3249f6274378f8b2bcec5094b21ec3e9f577546857ee84dbb74f53b7c1f4ea252da4b8b4641b822842f168ac498658d6cb353683176cd5d6cf1e7010b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
e579aca9a74ae76669750d8879e16bf3

SHA1
0b8f462b46ec2b2dbaa728bea79d611411bae752

SHA256
6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf

SHA512
df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
c09f3b45c4f5db9b2a3d6c1891a21b99

SHA1
3e8bd9f455eb67ff4338247a0d9527a47498130e

SHA256
2d305eaf6f74e0f1c1252acb5a1727507aba6ed5a6d8fa293abd02919586c31f

SHA512
9d45e6e0cdac62b3974b1f115a55fc83699d9f907fb9d9618d246fd8e0c02962d671f12f7f69aae154a7848bfd87a73e4fed6e84c483cd57155374eef69d46aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
6b5769ed3d2e132450e0c2b1d3529e00

SHA1
b90158cca5be94fff71202b0bb485104ccf855cc

SHA256
f6f476dcd9c64ccba7d3bfe55d869eadebe8d5f2ec3d542595299a8613b89207

SHA512
fa96aace8e5bcd7ebb26f71a90133e486bf680f6ec51b6e1e3d177b385ac9942d33eb6fad48934251d474fee1d38d677ffe9da5a28ba2175c53727ed112d5ea2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
e2276aafad44da1d789d7e20d535afcd

SHA1
71d34594800cf01a276fe52b734cb59c01c34f4d

SHA256
398e3dabd5bfa900b11cf1be6219157110918d56726f0ce344fd5f9a60c56894

SHA512
9f99f25089d39f273f00a8907766e504c6771a0ba343ce1eef560afe860623e637ea68b896e68df602a8bad48382b2f71abc1a3544eac040e5d9e79aa21fb602

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
da97c447261850994b99350d5933a015

SHA1
5a8acfd33105a131a4be143852baa32bddc9675d

SHA256
8612b4c9ad0eaad43c707922765bfd6d2b7f754c5b608f06e014f4ae3eda10be

SHA512
76e1caa252301468fa8b262c03f5451bda11c65f69a153ae7ea4d53ce1a6e452b1502be7c99abc37858c78422bb2adb87be1d3ea79ab4d8fde0e4c0b47729177

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
525a8457c5f73602653876475efabbfb

SHA1
64b769f4bdcc1e05a8dce4b811691a011acffe3e

SHA256
ecb485084989a1e6dd99b4be689e4c76d2f486583bba50173e79d58a4046787b

SHA512
7a4322748f061621ebd649f7be4bbb34fe7105cd4b520c255cd81c858ffaa76b43d7c988c571ff3a8f3d50785ac8f49b0402e101ffc4c6e2f983b94a7f7cc0dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
8c7b9fe7ef43c0f19f4347670ed55e9c

SHA1
e1be11c1ee14bf2a0a82315507fe694907fab008

SHA256
626997d04c108bf754adf326c7a87a1ba0891fcc100ceb1bf06c7554def7402b

SHA512
9fbdaf1109155bdb21b91dfd37fcba0d7979e11a64832e8c9d65a9d3b3773ec9e3f9ae7fb0985e3be521fb340c6776cfaa097ff18d551175a951d1f165a7630b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\9bfa7896-1f7a-47f8-bc0b-4afa77473b22.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\Desktop\Documentazione per monitorare la violazione del copyright.exe

Filesize
6.1MB

MD5
4864a55cff27f686023456a22371e790

SHA1
6ed30c0371fe167d38411bfa6d720fcdcacc4f4c

SHA256
08c7fb6067acc8ac207d28ab616c9ea5bc0d394956455d6a3eecb73f8010f7a2

SHA512
4bd3a16435cca6ce7a7aa829eb967619a8b7c02598474e634442cffc55935870d54d844a04496bf9c7e8c29c40fae59ac6eb39c8550c091d06a28211491d0bfb

Download Submit
\??\pipe\crashpad_1636_IGZEZQTALRHLONGG

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1960-19-0x0000000000F80000-0x0000000001380000-memory.dmp

Filesize
4.0MB

Download
memory/1960-21-0x00007FFC97E00000-0x00007FFC98009000-memory.dmp

Filesize
2.0MB

Download
memory/1960-23-0x0000000075E80000-0x00000000760D2000-memory.dmp

Filesize
2.3MB

Download
memory/1960-20-0x0000000000F80000-0x0000000001380000-memory.dmp

Filesize
4.0MB

Download
memory/1960-18-0x0000000000A30000-0x0000000000AB1000-memory.dmp

Filesize
516KB

Download
memory/1960-13-0x0000000000A30000-0x0000000000AB1000-memory.dmp

Filesize
516KB

Download
memory/3392-10-0x0000000010000000-0x0000000011000000-memory.dmp

Filesize
16.0MB

Download
memory/4528-27-0x00007FFC97E00000-0x00007FFC98009000-memory.dmp

Filesize
2.0MB

Download
memory/4528-26-0x0000000001550000-0x0000000001950000-memory.dmp

Filesize
4.0MB

Download
memory/4528-24-0x0000000000EC0000-0x0000000000ECA000-memory.dmp

Filesize
40KB

Download
memory/4528-29-0x0000000075E80000-0x00000000760D2000-memory.dmp

Filesize
2.3MB

Download