bde1e449eaaab9d9edb719d8eb4c915f57e2576abe4a227bcdfd9f8c1312437a

Resubmissions

16/05/2023, 16:19

230516-ts1dzabe96 3

16/05/2023, 13:14

230516-qgxl6aaa21 3

16/05/2023, 13:08

230516-qdfjgahh9x 3

Analysis

max time kernel
97s
max time network
97s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
16/05/2023, 16:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bleu.exe
Size

6.2MB
MD5

8d9304e583f4e09bc979a4329e1725f3
SHA1

03e07b90c49d3121f0cf321fcb702d852584220d
SHA256

bde1e449eaaab9d9edb719d8eb4c915f57e2576abe4a227bcdfd9f8c1312437a
SHA512

a03b496d5d43221051a52b960188a35cce1b6bb38535ceff9ff5ad414fd3a42c35cbcb23397c693608379e1e8b11c1a89835f5524b04716ee4760b5b171f1550
SSDEEP

196608:c1iUw7KYRI8FIIIWNSiU6+bQiyNzDbbB:c1i5HFIIp9Qh+zF

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133287348855788055"	chrome.exe

Modifies system certificate store 2 TTPs 5 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Bleu.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Bleu.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Bleu.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\SystemCertificates\CA\Certificates\151682F5218C0A511C28F4060A73B9CA78CE9A53	Bleu.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\SystemCertificates\CA\Certificates\151682F5218C0A511C28F4060A73B9CA78CE9A53\Blob = 030000000100000014000000151682f5218c0a511c28f4060a73b9ca78ce9a531400000001000000140000007c4296aede4b483bfa92f89e8ccf6d8ba972379504000000010000001000000029f1c1b26d92e893b6e6852ab708cce10f00000001000000200000005aef843ffcf2ec7055f504a162f229f8391c370ff3a6163d2db3f3d604d622be19000000010000001000000070d4f0bec2078234214bd651643b02405c0000000100000004000000800100001800000001000000100000002fe1f70bb05d7c92335bc5e05b984da62000000001000000640400003082046030820248a0030201020210079e492886376fd40848c23fc631e463300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f742058323076301006072a8648ce3d020106052b8104002203620004cd9bd59f80830aec094af3164a3e5ccf77acde67050d1d07b6dc16fb5a8b14dbe27160c4ba459511898eea06dff72a161ca4b9c5c532e003e01e8218388bd745d80a6a6ee60077fb02517d22d80a6e9a5b77dff0fa41ec39dc75ca68070c1feaa381e53081e2300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604147c4296aede4b483bfa92f89e8ccf6d8ba9723795301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b050003820201001b7f252b907a0876007718e1c32e8a364c417ebf174be330d75b0c7e9c96986f7bb068c02444cce2f2fcd1eadbd29f01f9174d0c9d55fda5ad6dd22f3f4b72c02eae73c7251657c23e15ade031d10a84846c6278423122461aed7a40bf9716814477ca6c7b5d215c07f2119121bfe12fc2ef6efd0520e4b4f779f32dbb372af0c6b1acac51f51fb35a1e66ce580718387f71a93c83bad7bc829e9a760f9eb029fdcbf38907481bfeab932e14210d5faf8eb754ab5d0ed45b4c71d092ea3da3369b7c1fe03b55b9d85353cc8366bb4adc810600188bf4b3d748b11341b9c4b69ecf2c778e42200b807e9fc5ab48dbbc6f048d6c4629020d708a1df11273b64624429e2a1718e3acc798c272cc6d2d766ddd2c2b2696a5cf21081be5da2fcbef9f7393aef8365f478f9728ceabe29826988bfdee28322229ed4c9509c420fa07e1862c44f68147c0e46232ed1dd83c488896c35e91b6af7b59a4eee3869cc78858ca282a66559b8580b91dd8402bc91c133ca9ebde99c21640f6f5a4ae2a256c52bac7044cb432bbfc385ca00c617b57ec774e50cfaf06a20f378ce10ed2d32f1abd9c713ecce1f8d1a8a3bd04f619c0f986aff50e1aaa956befca47714b631c4d96db55230a9d0f8175a0e640f56446036ecefa6a7d06eca4340674da53d8b9b8c6237da9f82a2da482a62e2d11cae6cd31587985e6721ca79fd34cd066d0a7bb	Bleu.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1368	chrome.exe
1368	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeDebugPrivilege	1748	Bleu.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: 33	4276	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4276	AUDIODG.EXE
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe
Token: SeShutdownPrivilege	1368	chrome.exe
Token: SeCreatePagefilePrivilege	1368	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe
1368	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1748	Bleu.exe
1748	Bleu.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 3984	1368	chrome.exe	68
PID 1368 wrote to memory of 3984	1368	chrome.exe	68
PID 1368 wrote to memory of 4340	1368	chrome.exe	71
PID 1368 wrote to memory of 4340	1368	chrome.exe	71
PID 1368 wrote to memory of 4340	1368	chrome.exe	71
PID 1368 wrote to memory of 4340	1368	chrome.exe	71
PID 1368 wrote to memory of 4340	1368	chrome.exe	71
PID 1368 wrote to memory of 4340	1368	chrome.exe	71
PID 1368 wrote to memory of 4340	1368	chrome.exe	71
PID 1368 wrote to memory of 4340	1368	chrome.exe	71
PID 1368 wrote to memory of 4340	1368	chrome.exe	71
PID 1368 wrote to memory of 4340	1368	chrome.exe	71
PID 1368 wrote to memory of 4340	1368	chrome.exe	71
PID 1368 wrote to memory of 4340	1368	chrome.exe	71
PID 1368 wrote to memory of 4340	1368	chrome.exe	71
PID 1368 wrote to memory of 4340	1368	chrome.exe	71
PID 1368 wrote to memory of 4340	1368	chrome.exe	71
PID 1368 wrote to memory of 4340	1368	chrome.exe	71
PID 1368 wrote to memory of 4340	1368	chrome.exe	71
PID 1368 wrote to memory of 4340	1368	chrome.exe	71
PID 1368 wrote to memory of 4340	1368	chrome.exe	71
PID 1368 wrote to memory of 4340	1368	chrome.exe	71
PID 1368 wrote to memory of 4340	1368	chrome.exe	71
PID 1368 wrote to memory of 4340	1368	chrome.exe	71
PID 1368 wrote to memory of 4340	1368	chrome.exe	71
PID 1368 wrote to memory of 4340	1368	chrome.exe	71
PID 1368 wrote to memory of 4340	1368	chrome.exe	71
PID 1368 wrote to memory of 4340	1368	chrome.exe	71
PID 1368 wrote to memory of 4340	1368	chrome.exe	71
PID 1368 wrote to memory of 4340	1368	chrome.exe	71
PID 1368 wrote to memory of 4340	1368	chrome.exe	71
PID 1368 wrote to memory of 4340	1368	chrome.exe	71
PID 1368 wrote to memory of 4340	1368	chrome.exe	71
PID 1368 wrote to memory of 4340	1368	chrome.exe	71
PID 1368 wrote to memory of 4340	1368	chrome.exe	71
PID 1368 wrote to memory of 4340	1368	chrome.exe	71
PID 1368 wrote to memory of 4340	1368	chrome.exe	71
PID 1368 wrote to memory of 4340	1368	chrome.exe	71
PID 1368 wrote to memory of 4340	1368	chrome.exe	71
PID 1368 wrote to memory of 4340	1368	chrome.exe	71
PID 1368 wrote to memory of 984	1368	chrome.exe	70
PID 1368 wrote to memory of 984	1368	chrome.exe	70
PID 1368 wrote to memory of 4368	1368	chrome.exe	72
PID 1368 wrote to memory of 4368	1368	chrome.exe	72
PID 1368 wrote to memory of 4368	1368	chrome.exe	72
PID 1368 wrote to memory of 4368	1368	chrome.exe	72
PID 1368 wrote to memory of 4368	1368	chrome.exe	72
PID 1368 wrote to memory of 4368	1368	chrome.exe	72
PID 1368 wrote to memory of 4368	1368	chrome.exe	72
PID 1368 wrote to memory of 4368	1368	chrome.exe	72
PID 1368 wrote to memory of 4368	1368	chrome.exe	72
PID 1368 wrote to memory of 4368	1368	chrome.exe	72
PID 1368 wrote to memory of 4368	1368	chrome.exe	72
PID 1368 wrote to memory of 4368	1368	chrome.exe	72
PID 1368 wrote to memory of 4368	1368	chrome.exe	72
PID 1368 wrote to memory of 4368	1368	chrome.exe	72
PID 1368 wrote to memory of 4368	1368	chrome.exe	72
PID 1368 wrote to memory of 4368	1368	chrome.exe	72
PID 1368 wrote to memory of 4368	1368	chrome.exe	72
PID 1368 wrote to memory of 4368	1368	chrome.exe	72
PID 1368 wrote to memory of 4368	1368	chrome.exe	72
PID 1368 wrote to memory of 4368	1368	chrome.exe	72
PID 1368 wrote to memory of 4368	1368	chrome.exe	72
PID 1368 wrote to memory of 4368	1368	chrome.exe	72

C:\Users\Admin\AppData\Local\Temp\Bleu.exe
"C:\Users\Admin\AppData\Local\Temp\Bleu.exe"
1⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffc52719758,0x7ffc52719768,0x7ffc52719778
  2⤵
  PID:3984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1852 --field-trial-handle=1808,i,15007781140151192650,12144275587594257949,131072 /prefetch:8
  2⤵
  PID:984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1808,i,15007781140151192650,12144275587594257949,131072 /prefetch:2
  2⤵
  PID:4340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1640 --field-trial-handle=1808,i,15007781140151192650,12144275587594257949,131072 /prefetch:8
  2⤵
  PID:4368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3088 --field-trial-handle=1808,i,15007781140151192650,12144275587594257949,131072 /prefetch:1
  2⤵
  PID:3732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3100 --field-trial-handle=1808,i,15007781140151192650,12144275587594257949,131072 /prefetch:1
  2⤵
  PID:3508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4400 --field-trial-handle=1808,i,15007781140151192650,12144275587594257949,131072 /prefetch:1
  2⤵
  PID:4828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4564 --field-trial-handle=1808,i,15007781140151192650,12144275587594257949,131072 /prefetch:8
  2⤵
  PID:3268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4680 --field-trial-handle=1808,i,15007781140151192650,12144275587594257949,131072 /prefetch:8
  2⤵
  PID:5040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4680 --field-trial-handle=1808,i,15007781140151192650,12144275587594257949,131072 /prefetch:8
  2⤵
  PID:5056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4880 --field-trial-handle=1808,i,15007781140151192650,12144275587594257949,131072 /prefetch:1
  2⤵
  PID:776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 --field-trial-handle=1808,i,15007781140151192650,12144275587594257949,131072 /prefetch:8
  2⤵
  PID:4856
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:2480
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x24c,0x250,0x254,0x228,0x258,0x7ff73d857688,0x7ff73d857698,0x7ff73d8576a8
    3⤵
    PID:168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 --field-trial-handle=1808,i,15007781140151192650,12144275587594257949,131072 /prefetch:8
  2⤵
  PID:2140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5236 --field-trial-handle=1808,i,15007781140151192650,12144275587594257949,131072 /prefetch:1
  2⤵
  PID:2584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3176 --field-trial-handle=1808,i,15007781140151192650,12144275587594257949,131072 /prefetch:8
  2⤵
  PID:3632

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3396

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3c4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\SetupMetrics\20230516182126.pma

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000010

Filesize
37KB

MD5
519005befdbc6eedc73862996b59a9f7

SHA1
e9bad4dc75c55f583747dbc4abd80a95d5796528

SHA256
603abe3532b1cc1eb1c3da44f3679804dd463d07d4430d55c630aba986b17c44

SHA512
b210b12a78c6134d66b14f46f924ebc95328c10f92bfed22a361b2554eca21ee7892f7d9718ae7415074d753026682903beba2bd40b35a4eeb60bf186dcdf589

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
e30b533e947874da78a3997a22cf4d8a

SHA1
d2564da765f657a71ffaf2d0ada406def1137e62

SHA256
0724123a1eb7976a7b8075b9b7ce26ccf828c78409046fb02c82d7740ff87029

SHA512
d765ecbd25006ab5412443498937435342157b1e5cef91f8beecf08b98a58340da3f153adbaf7cac273763c76b4a3d3226b6dd5aa9847f0895f7fa9ec2f594dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
b13c476263e3e53411f2d73562220f9a

SHA1
d6e2d20ecf2c609827d26f9acc785908d88bab3b

SHA256
824339db594a8512d701880d682fc2df888c89c1a032cfa00a5dc8ee35d1ace8

SHA512
5eec0268abd7848e608e3bf69ecfc6fb52ab1dbd828fbc49fcb25df8b6d3dad77c1c530fd2fc3ae4202e28c5ff342ddc2620f26bc9948bb652e98a91d13b0883

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e4ee6636b2f599ccb78379113a9e0943

SHA1
6626dbee22a752c2f1558b78f3d24b84dab05460

SHA256
a5c4bbfb03a42ac21da67d7885f6610a0d527b5397b141c1c1dd20442d9724e3

SHA512
aa8c05fe9b2d2f8fcc90199850cbcdd78a3e9d0dffd0a2d3293d6cafa0007dff9f279b7061ff93b8e35fe2ce1e782d42e8614adb90e1b85e2f00ec675adb3bce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
0011bb23e380357dafc8292c5e35043d

SHA1
0cb68ce7f79832e0d3d42d8384a693f60a35ae0f

SHA256
4ca70809dd44645e5da9b7e6c5ced9842040d0ea52fd8f7dff6c412674237f78

SHA512
ce9301637a9f2d9872700524ae670ffc82f5a2d56e6d2e4cf0f11fee41aeb90fa701c89bb8d6215edd6b55d38442737fc8b40e56a9f9d97f8d178f3b4143b716

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
72KB

MD5
bd0fb41b9ae9a3727e9e450336b342fa

SHA1
2d8328c1cc9a5f60dbac397f03b23f6cd4c58f13

SHA256
0b2194362c7b356fa01ba1a630f6e63d3fb5d1e84e5ddea864c1b716c49ccaa3

SHA512
812c39f8d53272b12de9d1d114213fcf7b58e0b7210d5d64465be8c0b579873140fba704ea4001b631668269442f1c1673750c231ff747dedfe193ad8d240a36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
152KB

MD5
984b7fa053f4d8831404d7528f92afad

SHA1
067c4db1130fc8172fcaa36b1d8c3768b47dce95

SHA256
d65f2cebf19c34af8a2278e1ea491e04de87399316e4341c591a6c1c63ce12fe

SHA512
56c0926d36dc6b83d8307fd23c7025264e95e6a22c75128093f7bd3ed40b36402ab4faec4a8181b97d5d3c19ce8a3b55906241e59698b031cbe60f63f39cf5ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
memory/1748-121-0x0000000005540000-0x0000000005550000-memory.dmp

Filesize
64KB

Download
memory/1748-128-0x0000000005540000-0x0000000005550000-memory.dmp

Filesize
64KB

Download
memory/1748-127-0x0000000005540000-0x0000000005550000-memory.dmp

Filesize
64KB

Download
memory/1748-126-0x0000000005540000-0x0000000005550000-memory.dmp

Filesize
64KB

Download
memory/1748-123-0x0000000005540000-0x0000000005550000-memory.dmp

Filesize
64KB

Download
memory/1748-122-0x0000000005540000-0x0000000005550000-memory.dmp

Filesize
64KB

Download
memory/1748-117-0x0000000000410000-0x0000000000A50000-memory.dmp

Filesize
6.2MB

Download
memory/1748-120-0x0000000005290000-0x000000000529A000-memory.dmp

Filesize
40KB

Download
memory/1748-119-0x0000000005330000-0x00000000053C2000-memory.dmp

Filesize
584KB

Download
memory/1748-118-0x0000000005830000-0x0000000005D2E000-memory.dmp

Filesize
5.0MB

Download