deb41cc8958cc50c40cf80e9a4fab93d8386f5434ba72eda040f3e18b5b3820c

Analysis

max time kernel
33s
max time network
32s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/03/2025, 15:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vapev4.exe
Size

5.2MB
MD5

6b9b6812b8e6d61602667f0c992666e1
SHA1

37bfd6870570bf5a505c2f04eb2b9fea38a5b04b
SHA256

deb41cc8958cc50c40cf80e9a4fab93d8386f5434ba72eda040f3e18b5b3820c
SHA512

d76b11b978350ab440dfa26c66e1e1c21323f26e757ee6753d44961fc5fe6a64662f7c48a68c7e0b2090467fba71fc9345477aa726521cb75afb854c79a9cf6b
SSDEEP

98304:ym9tIN6GN8Uqs9jveeV30sLVDTJNJ3PijqD/HZc/8gcEnniAF:ymru6GNa2jfSwJNxij0/HZQ8gBnF

Score

7^/10

discovery vmprotect

Malware Config

Signatures

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/2272-5-0x000000013FED0000-0x000000014075A000-memory.dmp	vmprotect
behavioral1/memory/2272-7-0x000000013FED0000-0x000000014075A000-memory.dmp	vmprotect

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
18	discord.com
15	discord.com
16	discord.com
17	discord.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d096ae01f39fdb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2C0107B1-0BE6-11F0-93CA-E62D5E492327} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\discord.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage\discord.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ec350865d4f47640baa2a908a0fa60cd000000000200000000001066000000010000200000000622dfca779e030dc6a4b5e00d6a0c6f3cee4a520dce970fcb8385eb1d3a282a000000000e8000000002000020000000381d676faa5375106b77c3307038b76461d70e7b9f13f1a45a2c84388b6678bb900000002344e9c35862a1cd18294d9d9a9a54285eae255022707661cdaf09afc3022bffb2808c0bed1cd02a1e0ead39afb9eddc58ef2728a23bc5b1442b52fc2c7cc081c8ff52ab3eb14686c54be606a74bc003712d0dcb460b17ba6995b0ebbff4eaab25071871c3bab8e5a6f6c2240aa648fe942be5d0b5f757f1f36e5a912e0671d42bd78c5f6d3c718ca3d6f0803debd27c40000000499ae154d69f2e33d5516311d90fa40d7759fe732cbe3ab060833d669b237b3ad659f4a41e6c997b88bca4ba40184aff29e5b435857f9149d61325b72dc54520	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ec350865d4f47640baa2a908a0fa60cd0000000002000000000010660000000100002000000047bd810fbe7171d58f6ca20dad9b17ab23c1b4fe97b69451dd7b8073d3a059d0000000000e800000000200002000000040e0dcb35b17dd7bbfc8d55e35b7522da284829faa439a8d87cf4f4b6462813920000000bbdd8bacc64998604f63c58aa8a987bb7cf3e60f1bbb55d6a3c39b683cc0906b4000000029d4807e74db35f91d023ac22780f0fc0e7d0a74d328f7802452757d0309ea3b8e6a2c1f84e3228bb793a2e560d1ccc6e05cfffab7be39bd5699284b7b3ed685	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2272	vapev4.exe
2800	chrome.exe
2800	chrome.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2800	chrome.exe
Token: SeShutdownPrivilege	2800	chrome.exe
Token: SeShutdownPrivilege	2800	chrome.exe
Token: SeShutdownPrivilege	2800	chrome.exe
Token: SeShutdownPrivilege	2800	chrome.exe
Token: SeShutdownPrivilege	2800	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
1668	iexplore.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe
2800	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1668	iexplore.exe
1668	iexplore.exe
2892	IEXPLORE.EXE
2892	IEXPLORE.EXE
2892	IEXPLORE.EXE
2892	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 1668	2272	vapev4.exe	29
PID 2272 wrote to memory of 1668	2272	vapev4.exe	29
PID 2272 wrote to memory of 1668	2272	vapev4.exe	29
PID 1668 wrote to memory of 2892	1668	iexplore.exe	30
PID 1668 wrote to memory of 2892	1668	iexplore.exe	30
PID 1668 wrote to memory of 2892	1668	iexplore.exe	30
PID 1668 wrote to memory of 2892	1668	iexplore.exe	30
PID 2800 wrote to memory of 2820	2800	chrome.exe	33
PID 2800 wrote to memory of 2820	2800	chrome.exe	33
PID 2800 wrote to memory of 2820	2800	chrome.exe	33
PID 2800 wrote to memory of 1876	2800	chrome.exe	35
PID 2800 wrote to memory of 1876	2800	chrome.exe	35
PID 2800 wrote to memory of 1876	2800	chrome.exe	35
PID 2800 wrote to memory of 1876	2800	chrome.exe	35
PID 2800 wrote to memory of 1876	2800	chrome.exe	35
PID 2800 wrote to memory of 1876	2800	chrome.exe	35
PID 2800 wrote to memory of 1876	2800	chrome.exe	35
PID 2800 wrote to memory of 1876	2800	chrome.exe	35
PID 2800 wrote to memory of 1876	2800	chrome.exe	35
PID 2800 wrote to memory of 1876	2800	chrome.exe	35
PID 2800 wrote to memory of 1876	2800	chrome.exe	35
PID 2800 wrote to memory of 1876	2800	chrome.exe	35
PID 2800 wrote to memory of 1876	2800	chrome.exe	35
PID 2800 wrote to memory of 1876	2800	chrome.exe	35
PID 2800 wrote to memory of 1876	2800	chrome.exe	35
PID 2800 wrote to memory of 1876	2800	chrome.exe	35
PID 2800 wrote to memory of 1876	2800	chrome.exe	35
PID 2800 wrote to memory of 1876	2800	chrome.exe	35
PID 2800 wrote to memory of 1876	2800	chrome.exe	35
PID 2800 wrote to memory of 1876	2800	chrome.exe	35
PID 2800 wrote to memory of 1876	2800	chrome.exe	35
PID 2800 wrote to memory of 1876	2800	chrome.exe	35
PID 2800 wrote to memory of 1876	2800	chrome.exe	35
PID 2800 wrote to memory of 1876	2800	chrome.exe	35
PID 2800 wrote to memory of 1876	2800	chrome.exe	35
PID 2800 wrote to memory of 1876	2800	chrome.exe	35
PID 2800 wrote to memory of 1876	2800	chrome.exe	35
PID 2800 wrote to memory of 1876	2800	chrome.exe	35
PID 2800 wrote to memory of 1876	2800	chrome.exe	35
PID 2800 wrote to memory of 1876	2800	chrome.exe	35
PID 2800 wrote to memory of 1876	2800	chrome.exe	35
PID 2800 wrote to memory of 1876	2800	chrome.exe	35
PID 2800 wrote to memory of 1876	2800	chrome.exe	35
PID 2800 wrote to memory of 1876	2800	chrome.exe	35
PID 2800 wrote to memory of 1876	2800	chrome.exe	35
PID 2800 wrote to memory of 1876	2800	chrome.exe	35
PID 2800 wrote to memory of 1876	2800	chrome.exe	35
PID 2800 wrote to memory of 1876	2800	chrome.exe	35
PID 2800 wrote to memory of 1876	2800	chrome.exe	35
PID 2800 wrote to memory of 1028	2800	chrome.exe	36
PID 2800 wrote to memory of 1028	2800	chrome.exe	36
PID 2800 wrote to memory of 1028	2800	chrome.exe	36
PID 2800 wrote to memory of 2472	2800	chrome.exe	37
PID 2800 wrote to memory of 2472	2800	chrome.exe	37
PID 2800 wrote to memory of 2472	2800	chrome.exe	37
PID 2800 wrote to memory of 2472	2800	chrome.exe	37
PID 2800 wrote to memory of 2472	2800	chrome.exe	37
PID 2800 wrote to memory of 2472	2800	chrome.exe	37
PID 2800 wrote to memory of 2472	2800	chrome.exe	37
PID 2800 wrote to memory of 2472	2800	chrome.exe	37
PID 2800 wrote to memory of 2472	2800	chrome.exe	37
PID 2800 wrote to memory of 2472	2800	chrome.exe	37
PID 2800 wrote to memory of 2472	2800	chrome.exe	37
PID 2800 wrote to memory of 2472	2800	chrome.exe	37

C:\Users\Admin\AppData\Local\Temp\vapev4.exe
"C:\Users\Admin\AppData\Local\Temp\vapev4.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://discord.gg/xerafree
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1668 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5bf9758,0x7fef5bf9768,0x7fef5bf9778
  2⤵
  PID:2820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1156 --field-trial-handle=1316,i,17436131534678461643,10559077375954559237,131072 /prefetch:2
  2⤵
  PID:1876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1556 --field-trial-handle=1316,i,17436131534678461643,10559077375954559237,131072 /prefetch:8
  2⤵
  PID:1028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1336 --field-trial-handle=1316,i,17436131534678461643,10559077375954559237,131072 /prefetch:8
  2⤵
  PID:2472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2304 --field-trial-handle=1316,i,17436131534678461643,10559077375954559237,131072 /prefetch:1
  2⤵
  PID:2912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2360 --field-trial-handle=1316,i,17436131534678461643,10559077375954559237,131072 /prefetch:1
  2⤵
  PID:2908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1128 --field-trial-handle=1316,i,17436131534678461643,10559077375954559237,131072 /prefetch:2
  2⤵
  PID:1784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1368 --field-trial-handle=1316,i,17436131534678461643,10559077375954559237,131072 /prefetch:1
  2⤵
  PID:2884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3472 --field-trial-handle=1316,i,17436131534678461643,10559077375954559237,131072 /prefetch:8
  2⤵
  PID:2392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3588 --field-trial-handle=1316,i,17436131534678461643,10559077375954559237,131072 /prefetch:8
  2⤵
  PID:2276

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a0ea73362e6d1e67462b34af5e85852c

SHA1
05d591f7d5490302989cf6d531bc65a575b5afd0

SHA256
4b62628fc3756778670b9b6bd3ffe01a74a6d9e16d9c964822e5047fc645a69c

SHA512
4fea5e4d1e9f22bb1aadba1d434dad4879bcea94195e4de8443711ef06c51c821b05662015a21fd99de8668a3c991d239f584068a53bbea47eb95daff2ff8a41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d43e7a3914a9a04199e77f1ef63d50fa

SHA1
93b658e19e53849aa30d16a5b85158ea8119f379

SHA256
d66cac60c512620b07332bb7079d4925290bd43c8d57a822df0908dd6cb85c0e

SHA512
ae7d7c2c352d20b2236e56b7334d5666719cbd5c6594f8dbbda48ec40a43349dc51844b4e63042e358bc75495aae970a4db10a0be13d2b857a2b8f9b138345fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
95fc9e776434ee1afa9af77235ad7eef

SHA1
ab0629e5da4ed8edcd1219d786f98c6bf100d6e6

SHA256
ce93d861273d3b000ee687602269c2caac476a6eb3ff4c1f6c78635ec273c4ec

SHA512
f4dc8e0b62fc5b477c6dad150d67a4b3f59ddb4d7b94759409f9642f54c6c0574b81fa67557aadacd47311ea416ab3f114e7d70c30e99789277f40275f2a4a64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8ad2bea18e319642411bf462043d63fc

SHA1
31222deb1f303267415dbddcf9a170c886a9f379

SHA256
39bb111bda0ccae3f11003f632baf5fe3cbfe976699440d575e91a0a81a44a6f

SHA512
be072c111da9b37c778385b3f839a4c666ad9862485969109fc276f68425972d34763bd8243758b8e6bc1faaf7a080ab8c8b9258e13d3118752d09f607f4598e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
caf5d52b95b7c11070c8f0c4b2dfc8fe

SHA1
21dd913c7b0b2b607142818766f2139dc1bc53c0

SHA256
20de1a7bb57f028472f510620c8e3bbb651a440e1aa5c7bf2fc493dbdbf214d5

SHA512
82eb28094d82660e1481bdf45fdee6a0f23e24d50df4e936c5d974173d0a7e1e483e4d15392afd20a08c3c75f129c471e62265c7be714f7e15e41387b8e82ba8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
49cf7c6daf66c7b2eac810040fecc621

SHA1
06084d317814ecb8ee4014919ef82b80a945b85d

SHA256
9573bd9018cf7f81bd4faa4c8e4ebdf5b60087d4536b79c4ae7b231b24524fce

SHA512
2003e5dad94f0906673a8b926754b0785004a3d1b8e244f6d3ce2d2b3b91776d0167c2bf774e96e45ee6c5b4bb3fc57916a3fa6b89ca6a9a4b7419360fc4dcd2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c0476e363dc84e1ea19b9d86b3cd405d

SHA1
8a5e06c0a70854a1d3ebd771ee4249eada5904ca

SHA256
b54f27b6a32259d61e739a3614220da36cc10958560ede984ab72b96f0cb32ed

SHA512
ac9887c2b9b12f717fdf56673e87c54ffb8611bb0595dec2e1e7f84e38b724a8f8aa9480ba8418e58bf299582cd936f623f157eedf039770ea6abe7dbc08aa26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
380a98fd87773cf98db7aa44cdad84f0

SHA1
74cc0cf27e840f4991c774862eb21da83e77982b

SHA256
c7c5f24fc7d7913c8efe23e3b91f7ea1f8b9feab9e48c7dbd6df98ce75f3b24a

SHA512
1ec9131fb7e413d69496f42a7b6a15935ac4a443d7cac8879bb2f99764ab2930e2def35a9c3d1c7266e952fac70e4f2f47a69d7a1474117b9b9eca74f3b17cce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d915e0ab53a465bffbecdca66aabf42f

SHA1
6394079769ef9d600286db053e3c472eeb1c8abb

SHA256
8871c9c576756423b03b06577abd319d8588b506119364568cdd410773075b27

SHA512
5bb2f16c1ed7c96a55e740f54d82d112ec9d7a7a34f684d900de6d685788ad22207eef0b1eb9893b6fa4a45ddb3545d82da49181e23c6161fdcb3f050a411838

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ed3ecfa58d23db529abc0d2417bf9899

SHA1
dfcc0781266583fc0b02257964a306971eb1c9df

SHA256
26bc5898d580a1330996ba244f65ad949e2f7444c5cc83cca2f8fdc7b917bb73

SHA512
684d104d3ebecda384bedba2235b1428ed9d820ca9ab6d434537ada9739e9be595812d843d6e4fc0fbafd00e33fe6234f11f38d7f20b28e003edbecf55a5e584

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\60ef98a6-7057-40d0-9b96-573eebca85dd.tmp

Filesize
351KB

MD5
ef347269b429ed16dbefac6cc8b30a09

SHA1
304717f18c54840e19d0bd42b9692a915d146790

SHA256
8a5ceea8ce5f055c891bbfd46620712c7390f9c70952819807cfaf25e0aa2f18

SHA512
d04f5bd65daa8c6fd80792fce421e820a0b2bdebec36635c30578765cf6d7660345e638c7d9b42055892a8e2dd7daf5b1fae7351439987516427f8cd25283390

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\yiu0yt6\imagestore.dat

Filesize
24KB

MD5
bfa25eb077ae8fcf80c6f9b1811ecd48

SHA1
cdffb2ac754ac82f7fd42b15422727ada3185f46

SHA256
aa7a1b8db93c230bdd53c944124d0700a0f72d18a14b736a357ede98ff75d910

SHA512
b6fa9f9b93431d57b625a2b0d39a2030bfedd52f101d9ce7c0b6f33e5b7af6a275c0629601849cd2092763bbf8d88f6af83720cf865ad57ba008e13167660b93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KIYAG1MM\favicon[2].ico

Filesize
23KB

MD5
ec2c34cadd4b5f4594415127380a85e6

SHA1
e7e129270da0153510ef04a148d08702b980b679

SHA256
128e20b3b15c65dd470cb9d0dc8fe10e2ff9f72fac99ee621b01a391ef6b81c7

SHA512
c1997779ff5d0f74a7fbb359606dab83439c143fbdb52025495bdc3a7cb87188085eaf12cc434cbf63b3f8da5417c8a03f2e64f751c0a63508e4412ea4e7425c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab78BA.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7998.tmp

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar78CC.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar79AD.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
memory/2272-263-0x000000013FED7000-0x000000014022D000-memory.dmp

Filesize
3.3MB

Download
memory/2272-6-0x000000013FED7000-0x000000014022D000-memory.dmp

Filesize
3.3MB

Download
memory/2272-0-0x0000000077090000-0x0000000077092000-memory.dmp

Filesize
8KB

Download
memory/2272-2-0x0000000077090000-0x0000000077092000-memory.dmp

Filesize
8KB

Download
memory/2272-7-0x000000013FED0000-0x000000014075A000-memory.dmp

Filesize
8.5MB

Download
memory/2272-4-0x0000000077090000-0x0000000077092000-memory.dmp

Filesize
8KB

Download
memory/2272-5-0x000000013FED0000-0x000000014075A000-memory.dmp

Filesize
8.5MB

Download