cryptolocker | d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

Analysis

max time kernel
110s
max time network
110s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
08-01-2025 16:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CryptoLocker.exe
Size

338KB
MD5

04fb36199787f2e3e2135611a38321eb
SHA1

65559245709fe98052eb284577f1fd61c01ad20d
SHA256

d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9
SHA512

533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444
SSDEEP

6144:sWmw0EuCN0pLWgTO3x5N22vWvLRKKAX5l++SybIvC:sWkEuCaNT85I2vCMX5l+ZRv

Score

10^/10

cryptolocker discovery persistence ransomware

Malware Config

Signatures

CryptoLocker
Ransomware family with multiple variants.
ransomware cryptolocker
Cryptolocker family
cryptolocker

Deletes itself 1 IoCs

pid	Process
3352	{34184A33-0407-212E-3320-09040709E2C2}.exe

Executes dropped EXE 2 IoCs

pid	Process
3352	{34184A33-0407-212E-3320-09040709E2C2}.exe
2448	{34184A33-0407-212E-3320-09040709E2C2}.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe"	{34184A33-0407-212E-3320-09040709E2C2}.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34184A33-0407-212E-3320-09040709E2C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34184A33-0407-212E-3320-09040709E2C2}.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133808287647273911"	chrome.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2840	chrome.exe
2840	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
928	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
928	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 3352	5040	CryptoLocker.exe	78
PID 5040 wrote to memory of 3352	5040	CryptoLocker.exe	78
PID 5040 wrote to memory of 3352	5040	CryptoLocker.exe	78
PID 3352 wrote to memory of 2448	3352	{34184A33-0407-212E-3320-09040709E2C2}.exe	79
PID 3352 wrote to memory of 2448	3352	{34184A33-0407-212E-3320-09040709E2C2}.exe	79
PID 3352 wrote to memory of 2448	3352	{34184A33-0407-212E-3320-09040709E2C2}.exe	79
PID 2840 wrote to memory of 4216	2840	chrome.exe	83
PID 2840 wrote to memory of 4216	2840	chrome.exe	83
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 5044	2840	chrome.exe	84
PID 2840 wrote to memory of 2248	2840	chrome.exe	85
PID 2840 wrote to memory of 2248	2840	chrome.exe	85
PID 2840 wrote to memory of 1820	2840	chrome.exe	86
PID 2840 wrote to memory of 1820	2840	chrome.exe	86
PID 2840 wrote to memory of 1820	2840	chrome.exe	86
PID 2840 wrote to memory of 1820	2840	chrome.exe	86
PID 2840 wrote to memory of 1820	2840	chrome.exe	86
PID 2840 wrote to memory of 1820	2840	chrome.exe	86
PID 2840 wrote to memory of 1820	2840	chrome.exe	86
PID 2840 wrote to memory of 1820	2840	chrome.exe	86
PID 2840 wrote to memory of 1820	2840	chrome.exe	86
PID 2840 wrote to memory of 1820	2840	chrome.exe	86
PID 2840 wrote to memory of 1820	2840	chrome.exe	86
PID 2840 wrote to memory of 1820	2840	chrome.exe	86
PID 2840 wrote to memory of 1820	2840	chrome.exe	86
PID 2840 wrote to memory of 1820	2840	chrome.exe	86
PID 2840 wrote to memory of 1820	2840	chrome.exe	86
PID 2840 wrote to memory of 1820	2840	chrome.exe	86
PID 2840 wrote to memory of 1820	2840	chrome.exe	86
PID 2840 wrote to memory of 1820	2840	chrome.exe	86
PID 2840 wrote to memory of 1820	2840	chrome.exe	86
PID 2840 wrote to memory of 1820	2840	chrome.exe	86
PID 2840 wrote to memory of 1820	2840	chrome.exe	86
PID 2840 wrote to memory of 1820	2840	chrome.exe	86
PID 2840 wrote to memory of 1820	2840	chrome.exe	86
PID 2840 wrote to memory of 1820	2840	chrome.exe	86

C:\Users\Admin\AppData\Local\Temp\CryptoLocker.exe
"C:\Users\Admin\AppData\Local\Temp\CryptoLocker.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
  "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\AppData\Local\Temp\CryptoLocker.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3352
- - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
    "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w00000238
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc4ba2cc40,0x7ffc4ba2cc4c,0x7ffc4ba2cc58
  2⤵
  PID:4216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1792,i,7183354109300717436,6356791900502976342,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1788 /prefetch:2
  2⤵
  PID:5044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2036,i,7183354109300717436,6356791900502976342,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2100 /prefetch:3
  2⤵
  PID:2248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2180,i,7183354109300717436,6356791900502976342,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2196 /prefetch:8
  2⤵
  PID:1820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,7183354109300717436,6356791900502976342,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3344,i,7183354109300717436,6356791900502976342,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:1576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3564,i,7183354109300717436,6356791900502976342,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3568 /prefetch:1
  2⤵
  PID:648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4768,i,7183354109300717436,6356791900502976342,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4780 /prefetch:8
  2⤵
  PID:3904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4932,i,7183354109300717436,6356791900502976342,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4952 /prefetch:8
  2⤵
  PID:3772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4956,i,7183354109300717436,6356791900502976342,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5092 /prefetch:8
  2⤵
  PID:1000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4772,i,7183354109300717436,6356791900502976342,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4960 /prefetch:8
  2⤵
  PID:2000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5012,i,7183354109300717436,6356791900502976342,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  PID:3552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4256,i,7183354109300717436,6356791900502976342,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5056 /prefetch:8
  2⤵
  PID:1340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4612,i,7183354109300717436,6356791900502976342,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4548 /prefetch:2
  2⤵
  PID:1232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5192,i,7183354109300717436,6356791900502976342,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4300 /prefetch:1
  2⤵
  PID:3524

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2796

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:2932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2828

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:4716

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:4200

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
6c6c45078744dd2c986b84d0ede5386a

SHA1
cb15bf663a09d02429f96bd627fdb08552b92c12

SHA256
5271ac7d69b74553a440e63adac77db3724ef9540a992fab48d001bfbe379d68

SHA512
cd38804785acd7eb46020236391032ec6ea548f110a7a43631ba52e8cfab65fd1be29bb891f866a2755992a33bed7196ca78e739d61d4ec41b443d1fdb30545b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
758b28afd1800135ad22288a20522b87

SHA1
b0a0adc504f122fdf3c1315214a9699aaf2c0828

SHA256
1ac677393e410f0af1a5592e2dad24ba2991142a96e611c624434b298eee90fe

SHA512
fd7388366cc5b7c4f39f12287cc748d8ef337d097b91ca91490b4257bc846e062970cab2d3037084971eec0e7281a2dd54a4cb67f2b16847882cfd2b0b82cc95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\468c7054-fa39-4d8a-9b21-70ed25efe134.tmp

Filesize
2KB

MD5
dd79b74453975eaef948ed10f8ea98d3

SHA1
36166b611db3a96ed46925034bf076f9214422f6

SHA256
0f488164c38348c00de3f3f102ff17baee0a0655981c5ef0ac8ae0b00b6856e4

SHA512
a254a63690b65df73c086e6ccc89fe723d3b5b04005370ef60694e3489aa4090e8e8b72b24ad87c1250a1592c2b67f45956b2cf8e5d534a7230c288dbdc055ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
7136b075370349a1874402f20c0aad39

SHA1
a2ff548fd7cb8514281d88ea64427880dea6df8c

SHA256
42d27a25f968f779c57edc0bd38afc2dbb544d4f9ac5474faa79459ed3f7b09e

SHA512
bc9a0adf3f260458951574ccf5dfe6a87d9e6d35b3f3e239b6ee89693c77d20f7f8bc13685b816445d677adb84b58639b94298dd0fd259aebf00889b328832f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a0c9034548c66d2f0d3de53dd1b1d303

SHA1
8e72db371a638235625d85918d1e50937aea2f43

SHA256
5a018324ef3af1106a8326f8541540c878fda537b46f285224f10e76ff96ecbd

SHA512
3df38e0dc69fe00ee0f07718b3e0dbaf318ec006858a48e06cca5bbfc23b1ef68f333cb4f0ce5a8d98ecdb4cf5c0f574685d04b0afa394b988c9e80739f20e57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cfb818a91dd7f26b2001769fae98e32c

SHA1
fee8ee9344a5b326e4c4dcda8574818eb24652ef

SHA256
045d8cf59ad52d1f0fd48313eb074901f6cf609bdcf5941abe285a54f45ba0a4

SHA512
5ddd3d42fa177c5a89bcac470a0f552ed32e8b616f59d7de2d772544ab3af235f10490cefcc3152313e0b8302334916ea60fffffa8aec383e963c471e9dcb0c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
862fb253b2c189a529bd2539e026b679

SHA1
ec227beba468247fca022fa94c4272f2b91658bb

SHA256
88410880e61813dc511cb7124a82589762713f9e023245713d814795593c0dad

SHA512
2e70eca2e18d8a28d4a76659b69344f30c8ed1fcc13dac9de2c6f7afe5b0b5685ddc418c3990fba613a75bac97a8ceb5e647ab51864ebefe63b20b3e39feeea3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
237288bfbe8c4fb2f70d691d890484cb

SHA1
e97b9a3ab2805ebf5edbf31369c6f6e0b7cfbd47

SHA256
d96c16b8aff93a6d9c494640f4d079267459dfaae4bfe500a4ed69c610b83270

SHA512
eab5daee942612b698658caff9da250b69f3eabe350272648324c93391a17a5fe72789f00beaa07e8cb88c5b9337fdc40c2365278f36d992ec998361f2e28408

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
a95289eb691fbfecb0a828de1323969a

SHA1
24f46f84517ebbc488e36112df8e6b23f41639f0

SHA256
cc99b0496b9049fc0b4a7060766a7fe479ee80ba0c96ddf37457c61bcb877713

SHA512
5059456874c303ded8be9d01287bc0ed6f7c39adab5ed7a40f127440c2d4850417c596c80cfa9798907e81d5d9f2e8c4d119d79377960b426562b5609d4ac1d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\temp-index

Filesize
72B

MD5
d4631a335e9ca1aed51b03470fb2b2c5

SHA1
2bf7e8ce8b2ce8bf84a9f136f3c3e868dcf88dbd

SHA256
71be53a99adad818a6fc16e2338a0396f8b4ba04197a15d0b847546cce0656f8

SHA512
9822556b1954368fd51002f8a0c64be774be7a55278b81edd0d9c113c7c902b3a7d7c6947460c0f21901f790a971c9e5495ed4fc395988712f1ccf8fa96b3bac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
5e50e8dfe61df5ba8f315667b7f5b458

SHA1
2170657452ae169d7c3857faad8ae6e50c1f5ad2

SHA256
2374bdab4d345809c3320c7d7db775968333cb3d2323c7500fee793b0bc5635a

SHA512
28ab154180fd759f8980ac13af78023cdf58df6f8d48b63224e0d447557d432828bd20978f62e626924315ec77f5d3ce8585757a3f0b8409a1d6a25edb26847e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
16856f8fcb1f57a1234bd4a31c044817

SHA1
2b98a873768e1889643f5dc3f2cf7a286d2e3be8

SHA256
9da727ebf79a8ee7086e7bac5b97db682546127534691c3e357f61fac86e0067

SHA512
8d968d978bc28b431632d8dcfdf36daaaafc69d67f038ce86ca70bd40206fc1125d87c75067cfd7c3ecad89d21dc7e2e794c9777b7f9f53f73366b1c1ba389a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
d19ba24cd24f9f41cfd5ebdf56064c0b

SHA1
bd612e06979cf8712a51f77b71b09b3fba0538fc

SHA256
66b9b9b445ee17260dcbe40e41529ea0c3dc25d3522f9f9bd8c616fa1b5b1761

SHA512
eb562bec94aa4308a45eabd65b0df300dae52fcc1722193ce923a70ad3926a222f6e676fe07cbe166b3c0d3f131c7927afc9d1b9a20f80a71f7c5918a88f791c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
8377b4f69f1304e68299b7826bb95cc6

SHA1
0f9288475f7e8a89ac9007f231ea3079276b305b

SHA256
4b3a8d93bdc5dfb7f9ca186bf01af23a2e5b9850436dc68bfc0721c9cac177b9

SHA512
80ed00c9118ed1582c19e36fb06f6df2ef66978d6f8e59f157629257d62414f8dac25e016016215df6843debe3022694b1bde700e7733e3f9859a41c0045b379

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\d9ac3d75-2242-422b-82e0-3c5685b6b160.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2840_362253736\46571982-c899-4249-a95b-fa51a66dc90f.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2840_362253736\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

Filesize
338KB

MD5
04fb36199787f2e3e2135611a38321eb

SHA1
65559245709fe98052eb284577f1fd61c01ad20d

SHA256
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

SHA512
533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444

Download Submit