hxxps://dropmefiles[.]com/5TihO

Analysis

max time kernel
266s
max time network
274s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23/12/2022, 12:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://dropmefiles.com/5TihO

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2296	ChromeRecovery.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4336_1735048942\manifest.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4336_1735048942\manifest.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4336_1735048942\_metadata\verified_contents.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4336_1735048942\_metadata\verified_contents.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4336_1735048942\ChromeRecoveryCRX.crx	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4336_1735048942\ChromeRecovery.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4336_1735048942\ChromeRecovery.exe	elevation_service.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4644	vlc.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
4036	chrome.exe
4036	chrome.exe
2768	chrome.exe
2768	chrome.exe
4680	chrome.exe
4680	chrome.exe
4940	chrome.exe
4940	chrome.exe
3092	chrome.exe
3092	chrome.exe
4604	chrome.exe
4604	chrome.exe
1268	chrome.exe
1268	chrome.exe
1268	chrome.exe
1268	chrome.exe
912	chrome.exe
912	chrome.exe
4432	chrome.exe
4432	chrome.exe
1312	chrome.exe
1312	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4644	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	4720	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4720	AUDIODG.EXE
Token: 33	4644	vlc.exe
Token: SeIncBasePriorityPrivilege	4644	vlc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe

Suspicious use of SendNotifyMessage 29 IoCs

pid	Process
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
2768	chrome.exe
4644	vlc.exe
4644	vlc.exe
4644	vlc.exe
4644	vlc.exe
4644	vlc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4644	vlc.exe
4644	vlc.exe
4644	vlc.exe
4644	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 3676	2768	chrome.exe	82
PID 2768 wrote to memory of 3676	2768	chrome.exe	82
PID 2768 wrote to memory of 3952	2768	chrome.exe	86
PID 2768 wrote to memory of 3952	2768	chrome.exe	86
PID 2768 wrote to memory of 3952	2768	chrome.exe	86
PID 2768 wrote to memory of 3952	2768	chrome.exe	86
PID 2768 wrote to memory of 3952	2768	chrome.exe	86
PID 2768 wrote to memory of 3952	2768	chrome.exe	86
PID 2768 wrote to memory of 3952	2768	chrome.exe	86
PID 2768 wrote to memory of 3952	2768	chrome.exe	86
PID 2768 wrote to memory of 3952	2768	chrome.exe	86
PID 2768 wrote to memory of 3952	2768	chrome.exe	86
PID 2768 wrote to memory of 3952	2768	chrome.exe	86
PID 2768 wrote to memory of 3952	2768	chrome.exe	86
PID 2768 wrote to memory of 3952	2768	chrome.exe	86
PID 2768 wrote to memory of 3952	2768	chrome.exe	86
PID 2768 wrote to memory of 3952	2768	chrome.exe	86
PID 2768 wrote to memory of 3952	2768	chrome.exe	86
PID 2768 wrote to memory of 3952	2768	chrome.exe	86
PID 2768 wrote to memory of 3952	2768	chrome.exe	86
PID 2768 wrote to memory of 3952	2768	chrome.exe	86
PID 2768 wrote to memory of 3952	2768	chrome.exe	86
PID 2768 wrote to memory of 3952	2768	chrome.exe	86
PID 2768 wrote to memory of 3952	2768	chrome.exe	86
PID 2768 wrote to memory of 3952	2768	chrome.exe	86
PID 2768 wrote to memory of 3952	2768	chrome.exe	86
PID 2768 wrote to memory of 3952	2768	chrome.exe	86
PID 2768 wrote to memory of 3952	2768	chrome.exe	86
PID 2768 wrote to memory of 3952	2768	chrome.exe	86
PID 2768 wrote to memory of 3952	2768	chrome.exe	86
PID 2768 wrote to memory of 3952	2768	chrome.exe	86
PID 2768 wrote to memory of 3952	2768	chrome.exe	86
PID 2768 wrote to memory of 3952	2768	chrome.exe	86
PID 2768 wrote to memory of 3952	2768	chrome.exe	86
PID 2768 wrote to memory of 3952	2768	chrome.exe	86
PID 2768 wrote to memory of 3952	2768	chrome.exe	86
PID 2768 wrote to memory of 3952	2768	chrome.exe	86
PID 2768 wrote to memory of 3952	2768	chrome.exe	86
PID 2768 wrote to memory of 3952	2768	chrome.exe	86
PID 2768 wrote to memory of 3952	2768	chrome.exe	86
PID 2768 wrote to memory of 3952	2768	chrome.exe	86
PID 2768 wrote to memory of 3952	2768	chrome.exe	86
PID 2768 wrote to memory of 4036	2768	chrome.exe	87
PID 2768 wrote to memory of 4036	2768	chrome.exe	87
PID 2768 wrote to memory of 116	2768	chrome.exe	88
PID 2768 wrote to memory of 116	2768	chrome.exe	88
PID 2768 wrote to memory of 116	2768	chrome.exe	88
PID 2768 wrote to memory of 116	2768	chrome.exe	88
PID 2768 wrote to memory of 116	2768	chrome.exe	88
PID 2768 wrote to memory of 116	2768	chrome.exe	88
PID 2768 wrote to memory of 116	2768	chrome.exe	88
PID 2768 wrote to memory of 116	2768	chrome.exe	88
PID 2768 wrote to memory of 116	2768	chrome.exe	88
PID 2768 wrote to memory of 116	2768	chrome.exe	88
PID 2768 wrote to memory of 116	2768	chrome.exe	88
PID 2768 wrote to memory of 116	2768	chrome.exe	88
PID 2768 wrote to memory of 116	2768	chrome.exe	88
PID 2768 wrote to memory of 116	2768	chrome.exe	88
PID 2768 wrote to memory of 116	2768	chrome.exe	88
PID 2768 wrote to memory of 116	2768	chrome.exe	88
PID 2768 wrote to memory of 116	2768	chrome.exe	88
PID 2768 wrote to memory of 116	2768	chrome.exe	88
PID 2768 wrote to memory of 116	2768	chrome.exe	88
PID 2768 wrote to memory of 116	2768	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://dropmefiles.com/5TihO
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8b4274f50,0x7ff8b4274f60,0x7ff8b4274f70
  2⤵
  PID:3676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1632,12877149610910159981,17821369380370003230,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1636 /prefetch:2
  2⤵
  PID:3952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1632,12877149610910159981,17821369380370003230,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2024 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1632,12877149610910159981,17821369380370003230,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2288 /prefetch:8
  2⤵
  PID:116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,12877149610910159981,17821369380370003230,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3056 /prefetch:1
  2⤵
  PID:3812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,12877149610910159981,17821369380370003230,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3076 /prefetch:1
  2⤵
  PID:4468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,12877149610910159981,17821369380370003230,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4296 /prefetch:8
  2⤵
  PID:4072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,12877149610910159981,17821369380370003230,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4564 /prefetch:1
  2⤵
  PID:4084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,12877149610910159981,17821369380370003230,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4692 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,12877149610910159981,17821369380370003230,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4576 /prefetch:1
  2⤵
  PID:4740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,12877149610910159981,17821369380370003230,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
  2⤵
  PID:3992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,12877149610910159981,17821369380370003230,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6300 /prefetch:8
  2⤵
  PID:4312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,12877149610910159981,17821369380370003230,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6380 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,12877149610910159981,17821369380370003230,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6372 /prefetch:8
  2⤵
  PID:4132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,12877149610910159981,17821369380370003230,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5364 /prefetch:8
  2⤵
  PID:1948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,12877149610910159981,17821369380370003230,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6432 /prefetch:8
  2⤵
  PID:3396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,12877149610910159981,17821369380370003230,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
  2⤵
  PID:3144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,12877149610910159981,17821369380370003230,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,12877149610910159981,17821369380370003230,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5552 /prefetch:8
  2⤵
  PID:3380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,12877149610910159981,17821369380370003230,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6456 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,12877149610910159981,17821369380370003230,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=896 /prefetch:8
  2⤵
  PID:3808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,12877149610910159981,17821369380370003230,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
  2⤵
  PID:5040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1632,12877149610910159981,17821369380370003230,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=972 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,12877149610910159981,17821369380370003230,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5476 /prefetch:8
  2⤵
  PID:3628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,12877149610910159981,17821369380370003230,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2424 /prefetch:8
  2⤵
  PID:4464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,12877149610910159981,17821369380370003230,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1632,12877149610910159981,17821369380370003230,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3812 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,12877149610910159981,17821369380370003230,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1312
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\AT61_Ventstvorka Rolik2_v5.mp4"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,12877149610910159981,17821369380370003230,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
  2⤵
  PID:2648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,12877149610910159981,17821369380370003230,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=916 /prefetch:8
  2⤵
  PID:1536

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4132

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:4336
- C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4336_1735048942\ChromeRecovery.exe
  "C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4336_1735048942\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={b0b44e97-93fe-45a2-9250-dd5d9322696f} --system
  2⤵
  - Executes dropped EXE
  PID:2296

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x518 0x52c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4336_1735048942\ChromeRecovery.exe

Filesize
253KB

MD5
49ac3c96d270702a27b4895e4ce1f42a

SHA1
55b90405f1e1b72143c64113e8bc65608dd3fd76

SHA256
82aa3fd6a25cda9e16689cfadea175091be010cecae537e517f392e0bef5ba0f

SHA512
b62f6501cb4c992d42d9097e356805c88ac4ac5a46ead4a8eee9f8cbae197b2305da8aab5b4a61891fe73951588025f2d642c32524b360687993f98c913138a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RecoveryImproved\1.3.36.141\Recovery.crx3

Filesize
141KB

MD5
ea1c1ffd3ea54d1fb117bfdbb3569c60

SHA1
10958b0f690ae8f5240e1528b1ccffff28a33272

SHA256
7c3a6a7d16ac44c3200f572a764bce7d8fa84b9572dd028b15c59bdccbc0a77d

SHA512
6c30728cac9eac53f0b27b7dbe2222da83225c3b63617d6b271a6cfedf18e8f0a8dffa1053e1cbc4c5e16625f4bbc0d03aa306a946c9d72faa4ceb779f8ffcaf

Download Submit
C:\Users\Admin\Downloads\AT61_Ventstvorka Rolik2_v5.mp4

Filesize
443.3MB

MD5
09ab60051bd4e8c02e2d29619c0031c0

SHA1
aeac58b72c924e5dc186ef33c6e06797f8937606

SHA256
05497b20d0994b1268e675a7685c8543febf648e45ce74463b77592972c04012

SHA512
d02619ba27a3f00bc3af4e932ec3b2b749199d68e0cc6a0002eaee1cfde316d413f0ba11b5ae5960e34c0d7edcbd333e770074be5a38144d7932b858af8f9785

Download Submit