diamondfox | hxxps://github[.]com/infohtreasure/SEO-Backlink-Panzer/raw/refs/heads/main/SEO%20Backlink%20Panzer/SEO%20Backlink%20Panzer/bin/Debug/SEO%20Backlink%20Panzer[.]exe

Analysis

max time kernel
68s
max time network
75s
platform
windows11-21h2_x64
resource
win11-20250314-en
resource tags

arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system
submitted
19/03/2025, 19:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/infohtreasure/SEO-Backlink-Panzer/raw/refs/heads/main/SEO%20Backlink%20Panzer/SEO%20Backlink%20Panzer/bin/Debug/SEO%20Backlink%20Panzer.exe

Score

10^/10

diamondfox botnet defense_evasion discovery infostealer stealer

Malware Config

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox
Diamondfox family
diamondfox

DiamondFox payload 2 IoCs

Detects DiamondFox payload in file/memory.

infostealer

resource	yara_rule
behavioral1/files/0x001900000002b45a-40.dat	diamondfox
behavioral1/memory/5736-87-0x0000000000300000-0x0000000000DF2000-memory.dmp	diamondfox

Downloads MZ/PE file 1 IoCs

flow	pid	Process
5	6068	chrome.exe

Executes dropped EXE 2 IoCs

pid	Process
5736	SEO Backlink Panzer.exe
2168	SEO Backlink Panzer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
5	raw.githubusercontent.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\SEO Backlink Panzer.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4920	5736	WerFault.exe	90
1880	2168	WerFault.exe	99

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SEO Backlink Panzer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SEO Backlink Panzer.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133868855354389500"	chrome.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\SEO Backlink Panzer.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe
Token: SeShutdownPrivilege	3768	chrome.exe
Token: SeCreatePagefilePrivilege	3768	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe
3768	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3768 wrote to memory of 2744	3768	chrome.exe	78
PID 3768 wrote to memory of 2744	3768	chrome.exe	78
PID 3768 wrote to memory of 828	3768	chrome.exe	79
PID 3768 wrote to memory of 828	3768	chrome.exe	79
PID 3768 wrote to memory of 6068	3768	chrome.exe	80
PID 3768 wrote to memory of 6068	3768	chrome.exe	80
PID 3768 wrote to memory of 828	3768	chrome.exe	79
PID 3768 wrote to memory of 828	3768	chrome.exe	79
PID 3768 wrote to memory of 828	3768	chrome.exe	79
PID 3768 wrote to memory of 828	3768	chrome.exe	79
PID 3768 wrote to memory of 828	3768	chrome.exe	79
PID 3768 wrote to memory of 828	3768	chrome.exe	79
PID 3768 wrote to memory of 828	3768	chrome.exe	79
PID 3768 wrote to memory of 828	3768	chrome.exe	79
PID 3768 wrote to memory of 828	3768	chrome.exe	79
PID 3768 wrote to memory of 828	3768	chrome.exe	79
PID 3768 wrote to memory of 828	3768	chrome.exe	79
PID 3768 wrote to memory of 828	3768	chrome.exe	79
PID 3768 wrote to memory of 828	3768	chrome.exe	79
PID 3768 wrote to memory of 828	3768	chrome.exe	79
PID 3768 wrote to memory of 828	3768	chrome.exe	79
PID 3768 wrote to memory of 828	3768	chrome.exe	79
PID 3768 wrote to memory of 828	3768	chrome.exe	79
PID 3768 wrote to memory of 828	3768	chrome.exe	79
PID 3768 wrote to memory of 828	3768	chrome.exe	79
PID 3768 wrote to memory of 828	3768	chrome.exe	79
PID 3768 wrote to memory of 828	3768	chrome.exe	79
PID 3768 wrote to memory of 828	3768	chrome.exe	79
PID 3768 wrote to memory of 828	3768	chrome.exe	79
PID 3768 wrote to memory of 828	3768	chrome.exe	79
PID 3768 wrote to memory of 828	3768	chrome.exe	79
PID 3768 wrote to memory of 828	3768	chrome.exe	79
PID 3768 wrote to memory of 828	3768	chrome.exe	79
PID 3768 wrote to memory of 828	3768	chrome.exe	79
PID 3768 wrote to memory of 5868	3768	chrome.exe	81
PID 3768 wrote to memory of 5868	3768	chrome.exe	81
PID 3768 wrote to memory of 5868	3768	chrome.exe	81
PID 3768 wrote to memory of 5868	3768	chrome.exe	81
PID 3768 wrote to memory of 5868	3768	chrome.exe	81
PID 3768 wrote to memory of 5868	3768	chrome.exe	81
PID 3768 wrote to memory of 5868	3768	chrome.exe	81
PID 3768 wrote to memory of 5868	3768	chrome.exe	81
PID 3768 wrote to memory of 5868	3768	chrome.exe	81
PID 3768 wrote to memory of 5868	3768	chrome.exe	81
PID 3768 wrote to memory of 5868	3768	chrome.exe	81
PID 3768 wrote to memory of 5868	3768	chrome.exe	81
PID 3768 wrote to memory of 5868	3768	chrome.exe	81
PID 3768 wrote to memory of 5868	3768	chrome.exe	81
PID 3768 wrote to memory of 5868	3768	chrome.exe	81
PID 3768 wrote to memory of 5868	3768	chrome.exe	81
PID 3768 wrote to memory of 5868	3768	chrome.exe	81
PID 3768 wrote to memory of 5868	3768	chrome.exe	81
PID 3768 wrote to memory of 5868	3768	chrome.exe	81
PID 3768 wrote to memory of 5868	3768	chrome.exe	81
PID 3768 wrote to memory of 5868	3768	chrome.exe	81
PID 3768 wrote to memory of 5868	3768	chrome.exe	81
PID 3768 wrote to memory of 5868	3768	chrome.exe	81
PID 3768 wrote to memory of 5868	3768	chrome.exe	81
PID 3768 wrote to memory of 5868	3768	chrome.exe	81
PID 3768 wrote to memory of 5868	3768	chrome.exe	81
PID 3768 wrote to memory of 5868	3768	chrome.exe	81
PID 3768 wrote to memory of 5868	3768	chrome.exe	81
PID 3768 wrote to memory of 5868	3768	chrome.exe	81
PID 3768 wrote to memory of 5868	3768	chrome.exe	81

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/infohtreasure/SEO-Backlink-Panzer/raw/refs/heads/main/SEO%20Backlink%20Panzer/SEO%20Backlink%20Panzer/bin/Debug/SEO%20Backlink%20Panzer.exe
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff29bcdcf8,0x7fff29bcdd04,0x7fff29bcdd10
  2⤵
  PID:2744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1964,i,3833976783668256743,5287186148854906036,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1952 /prefetch:2
  2⤵
  PID:828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2072,i,3833976783668256743,5287186148854906036,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2156 /prefetch:11
  2⤵
  - Downloads MZ/PE file
  PID:6068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2344,i,3833976783668256743,5287186148854906036,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2428 /prefetch:13
  2⤵
  PID:5868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,3833976783668256743,5287186148854906036,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3120 /prefetch:1
  2⤵
  PID:1016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,3833976783668256743,5287186148854906036,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:6088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4160,i,3833976783668256743,5287186148854906036,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4172 /prefetch:9
  2⤵
  PID:2988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5504,i,3833976783668256743,5287186148854906036,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5520 /prefetch:14
  2⤵
  PID:2416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5732,i,3833976783668256743,5287186148854906036,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5536 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:1876
- C:\Users\Admin\Downloads\SEO Backlink Panzer.exe
  "C:\Users\Admin\Downloads\SEO Backlink Panzer.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5736
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5736 -s 1100
    3⤵
    - Program crash
    PID:4920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=212,i,3833976783668256743,5287186148854906036,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5904 /prefetch:14
  2⤵
  PID:2788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5584,i,3833976783668256743,5287186148854906036,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5852 /prefetch:14
  2⤵
  PID:784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5528,i,3833976783668256743,5287186148854906036,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5968 /prefetch:14
  2⤵
  PID:2716
- C:\Users\Admin\Downloads\SEO Backlink Panzer.exe
  "C:\Users\Admin\Downloads\SEO Backlink Panzer.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2168
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 1072
    3⤵
    - Program crash
    PID:1880

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:1848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5736 -ip 5736
1⤵
PID:5808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2168 -ip 2168
1⤵
PID:5944

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:5688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
414B

MD5
3dbc124da47d745f90c8448163ac9cb1

SHA1
7fc1ca92096f858487d38f9ef3a31d9db893b3d8

SHA256
22239f729b670de7470125d743f8b74e83c2c33db4f69603f14f3ec4b6d1084a

SHA512
78d3fafe6f873bc03e2a7adcb6c983f1aac167e0104df411b4db5e903642dae33c437076e37417ce3785315ad4fc050ff3940bf7eb9326fe81c48fffdedb5294

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
851f381a7a147a34542a5257170250a0

SHA1
105653eab32bb80e31cdd5f5bde84e8ad522dfe7

SHA256
41c2ed03b26e910d909fc173f944f6c65e37a28f0725627679d7dfed8cbee6e9

SHA512
7dfee3501df7d43cee56223ce5bce778331dd3bdbb04a74f618cf64d45aff94233ea397212a7b321bbd81e9a1c321811d376e96dfb7707b8314db86104e45b16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1a077e41bf231985c5478bbbe9a38685

SHA1
dd711f894bc1d2541fcb3a8c347ebb85f2882ae3

SHA256
7ef25d798ef222c7f00a886759d91571c636b7e608587b48ad35c8f7c3004511

SHA512
03d0c1c2751dda1eaa37b4bb083027453bf426c4536da8fe43104ad3397c997ad097bf3399ad8a051c9a033f785da8236a47bffd5f4510d8b5131ac356a258ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
cbd968b52063db4df1c6050cd637db3e

SHA1
0e232406252aac55d8e7456429c605964c422343

SHA256
dd1bd96dcc3aee8838f5ade07f7f7aeda86136c2d7490b6de6d706a5041775f0

SHA512
b492e66bf0170aa1a8c3ea6d9e2b6372f8d85fffb1843144cbb322c690f6d9ee04237c6a8530fcece7323f90e5316978a72282d3bd15448897566ac5a2c0a0fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
049123b782022622224f318056842354

SHA1
a412982afd05cb84eab8db678cfdafe912d6099b

SHA256
6983dd15e495c101dc6b77019a96ea40d9f47a24d606de2d893f9708c41202ef

SHA512
2c45eac0e382ef0a6fdfd423e6efb67400ec945fcd8a8d3c972bde8100bfccfd3fe594f69ba49ae1d84ee97a1fc29bad21bd52088bfef418551485d1548fca6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
6e293669ee49df8dd6cdce4cd4ad9403

SHA1
34be441a0069b222d01d71b733487107753ee1e5

SHA256
288fe61bd27f95953a109e189cd7b09b0940c7081e7f69c9ab9bbedfb704e5f7

SHA512
548a252202c32474251e7bd38374aa78113e111da75fea55cb9d50c01fc9edc40d5fae4751cc1b9990e47f1a312f566cf94198860ba3a262fdda049035e2d81d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5cf0a1.TMP

Filesize
48B

MD5
b1b6e6e62e1de22c0e0a706f16696c9b

SHA1
8f26ae6f05b19816c01ff9fcfad28dea0534f273

SHA256
85728858f9e020a9f7a7774366776d2df82ad709d14cea36119a2f1c9885e26f

SHA512
6148d94fa8a380d81d5f75c5c3fa2499784243581ffdaae8acc51d57df8086f4589c41275518ddf12736553c808abe738b6149bec7ae4cf57064e77e8dd0d136

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
e22797435d8ec689b69b6d82dc962926

SHA1
0df54d3575a73bc629940892c2deda53a30f7dca

SHA256
13c5e2c073237ec9e23ef4e99353aa06a6971b298a5217e301d2a770fc261cce

SHA512
48ff314877f1e48b8fe6b2ab42981d496105a48c4460c154310ad5bde0ea8555bb74657f796314a824d779f1508e2ae35ea287071bc39adcacdf88eefc4d2426

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
edc6ef8935cfdfe6a4fc7a81757c46d4

SHA1
e9b2ad80b94363d5a62c72327169abe80a62831e

SHA256
1910970052e36b3e91f6223443ce6cc63ff13c1cd329c7cb8786ff7efc763c8d

SHA512
0e7ef2f6cbef29e33f2d95f45446de0fbafd64c1588dde76f7a4ebdf2c8e962cdd2eac51d9410cfb63c3e2d502049c0fea7d00db200c35e0f54df86fad9657e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
7a7fa706e4c3a51ac913d89394df1629

SHA1
c1484a0a3cfe9966708e72e35baeed205a37dd05

SHA256
4f905b7cea7fc9f94f3a17df2d7b4e90f8bfa9a628e5c36a0abac9c75cbd8da3

SHA512
93e60b4c18a4b914acfc247010de84d37b166a22216e69ae3434c6cd177f3bc67de4a97a25c613997b0128b5f2b87358e50c561c590666faaac43b5a033de214

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\8cba12af-f277-466a-ad1b-5c2f46fe3ba9.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\Downloads\SEO Backlink Panzer.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 871174.crdownload

Filesize
10.9MB

MD5
ed835a9838e911e8e31d1860f11869e7

SHA1
413a09db0efd34c3cea48d41efbcde49f4d9dcae

SHA256
76f3526d5deb882171cf15a4103c2c8e831ec12c59e6f00852b898f7a641d0d0

SHA512
916756996232b75a6e4d292585021ba3f93e6f8609e34439f73796b3c4f50bc4369e518b97f5947a76d64532c8946e991aa45e2ef74b59c86973cee09cf7ce52

Download Submit
memory/2168-131-0x0000000074580000-0x000000007462B000-memory.dmp

Filesize
684KB

Download
memory/2168-130-0x0000000074580000-0x000000007462B000-memory.dmp

Filesize
684KB

Download
memory/2168-129-0x0000000005990000-0x0000000005CE7000-memory.dmp

Filesize
3.3MB

Download
memory/2168-128-0x0000000074580000-0x000000007462B000-memory.dmp

Filesize
684KB

Download
memory/5736-86-0x00000000745BE000-0x00000000745BF000-memory.dmp

Filesize
4KB

Download
memory/5736-98-0x00000000745B0000-0x0000000074D61000-memory.dmp

Filesize
7.7MB

Download
memory/5736-95-0x00000000058E0000-0x00000000058EA000-memory.dmp

Filesize
40KB

Download
memory/5736-94-0x00000000745B0000-0x0000000074D61000-memory.dmp

Filesize
7.7MB

Download
memory/5736-90-0x0000000005A10000-0x0000000005D67000-memory.dmp

Filesize
3.3MB

Download
memory/5736-89-0x0000000005970000-0x0000000005A02000-memory.dmp

Filesize
584KB

Download
memory/5736-88-0x0000000005F20000-0x00000000064C6000-memory.dmp

Filesize
5.6MB

Download
memory/5736-87-0x0000000000300000-0x0000000000DF2000-memory.dmp

Filesize
10.9MB

Download