ddbbf34580df55639d25c93409532171c3d4230a7609d5909e1bff1f29979cb0

max time kernel
168s
max time network
176s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
24-05-2023 15:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df4brk2-5f3486a6-6e7e-42e1-a5b1-1b419ef75c9a.mp4
Size

165KB
MD5

f5eafcc303576a4344588304f9a0cabd
SHA1

dedec3c11406d0356d9c5ea487f39306b95e29d5
SHA256

ddbbf34580df55639d25c93409532171c3d4230a7609d5909e1bff1f29979cb0
SHA512

502d52cc58fd3d65f4f71e1f220be45a235710a3dc1dd6514c39dff348395e1cc63672b7030b540eb172d50cc5e0be8882080552b981daef2b2df00eaba6c459
SSDEEP

3072:2YOSb2U5+6v3Bzq0OCj91PMYi0BsRFBlgo1NaCPl/VhfvAgedFSrK:MSY6v3B2yR1UYzsRFbgouO/jKFQK

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\F:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133294216724621736"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
2120	chrome.exe
2120	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4360	unregmp2.exe
Token: SeCreatePagefilePrivilege	4360	unregmp2.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 3540	2112	wmplayer.exe	66
PID 2112 wrote to memory of 3540	2112	wmplayer.exe	66
PID 2112 wrote to memory of 3540	2112	wmplayer.exe	66
PID 2112 wrote to memory of 4184	2112	wmplayer.exe	67
PID 2112 wrote to memory of 4184	2112	wmplayer.exe	67
PID 2112 wrote to memory of 4184	2112	wmplayer.exe	67
PID 4184 wrote to memory of 4360	4184	unregmp2.exe	68
PID 4184 wrote to memory of 4360	4184	unregmp2.exe	68
PID 4836 wrote to memory of 2916	4836	chrome.exe	71
PID 4836 wrote to memory of 2916	4836	chrome.exe	71
PID 4836 wrote to memory of 4392	4836	chrome.exe	74
PID 4836 wrote to memory of 4392	4836	chrome.exe	74
PID 4836 wrote to memory of 4392	4836	chrome.exe	74
PID 4836 wrote to memory of 4392	4836	chrome.exe	74
PID 4836 wrote to memory of 4392	4836	chrome.exe	74
PID 4836 wrote to memory of 4392	4836	chrome.exe	74
PID 4836 wrote to memory of 4392	4836	chrome.exe	74
PID 4836 wrote to memory of 4392	4836	chrome.exe	74
PID 4836 wrote to memory of 4392	4836	chrome.exe	74
PID 4836 wrote to memory of 4392	4836	chrome.exe	74
PID 4836 wrote to memory of 4392	4836	chrome.exe	74
PID 4836 wrote to memory of 4392	4836	chrome.exe	74
PID 4836 wrote to memory of 4392	4836	chrome.exe	74
PID 4836 wrote to memory of 4392	4836	chrome.exe	74
PID 4836 wrote to memory of 4392	4836	chrome.exe	74
PID 4836 wrote to memory of 4392	4836	chrome.exe	74
PID 4836 wrote to memory of 4392	4836	chrome.exe	74
PID 4836 wrote to memory of 4392	4836	chrome.exe	74
PID 4836 wrote to memory of 4392	4836	chrome.exe	74
PID 4836 wrote to memory of 4392	4836	chrome.exe	74
PID 4836 wrote to memory of 4392	4836	chrome.exe	74
PID 4836 wrote to memory of 4392	4836	chrome.exe	74
PID 4836 wrote to memory of 4392	4836	chrome.exe	74
PID 4836 wrote to memory of 4392	4836	chrome.exe	74
PID 4836 wrote to memory of 4392	4836	chrome.exe	74
PID 4836 wrote to memory of 4392	4836	chrome.exe	74
PID 4836 wrote to memory of 4392	4836	chrome.exe	74
PID 4836 wrote to memory of 4392	4836	chrome.exe	74
PID 4836 wrote to memory of 4392	4836	chrome.exe	74
PID 4836 wrote to memory of 4392	4836	chrome.exe	74
PID 4836 wrote to memory of 4392	4836	chrome.exe	74
PID 4836 wrote to memory of 4392	4836	chrome.exe	74
PID 4836 wrote to memory of 4392	4836	chrome.exe	74
PID 4836 wrote to memory of 4392	4836	chrome.exe	74
PID 4836 wrote to memory of 4392	4836	chrome.exe	74
PID 4836 wrote to memory of 4392	4836	chrome.exe	74
PID 4836 wrote to memory of 4392	4836	chrome.exe	74
PID 4836 wrote to memory of 4392	4836	chrome.exe	74
PID 4836 wrote to memory of 1680	4836	chrome.exe	73
PID 4836 wrote to memory of 1680	4836	chrome.exe	73
PID 4836 wrote to memory of 3652	4836	chrome.exe	75
PID 4836 wrote to memory of 3652	4836	chrome.exe	75
PID 4836 wrote to memory of 3652	4836	chrome.exe	75
PID 4836 wrote to memory of 3652	4836	chrome.exe	75
PID 4836 wrote to memory of 3652	4836	chrome.exe	75
PID 4836 wrote to memory of 3652	4836	chrome.exe	75
PID 4836 wrote to memory of 3652	4836	chrome.exe	75
PID 4836 wrote to memory of 3652	4836	chrome.exe	75
PID 4836 wrote to memory of 3652	4836	chrome.exe	75
PID 4836 wrote to memory of 3652	4836	chrome.exe	75
PID 4836 wrote to memory of 3652	4836	chrome.exe	75
PID 4836 wrote to memory of 3652	4836	chrome.exe	75
PID 4836 wrote to memory of 3652	4836	chrome.exe	75
PID 4836 wrote to memory of 3652	4836	chrome.exe	75

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\df4brk2-5f3486a6-6e7e-42e1-a5b1-1b419ef75c9a.mp4"
1⤵
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\df4brk2-5f3486a6-6e7e-42e1-a5b1-1b419ef75c9a.mp4"
  2⤵
  PID:3540
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4184
- - C:\Windows\System32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:4360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fff681e9758,0x7fff681e9768,0x7fff681e9778
  2⤵
  PID:2916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1852 --field-trial-handle=1744,i,11161194124974526034,13163010564979156288,131072 /prefetch:8
  2⤵
  PID:1680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=1744,i,11161194124974526034,13163010564979156288,131072 /prefetch:2
  2⤵
  PID:4392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2112 --field-trial-handle=1744,i,11161194124974526034,13163010564979156288,131072 /prefetch:8
  2⤵
  PID:3652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3008 --field-trial-handle=1744,i,11161194124974526034,13163010564979156288,131072 /prefetch:1
  2⤵
  PID:704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2968 --field-trial-handle=1744,i,11161194124974526034,13163010564979156288,131072 /prefetch:1
  2⤵
  PID:3372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3572 --field-trial-handle=1744,i,11161194124974526034,13163010564979156288,131072 /prefetch:1
  2⤵
  PID:5104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4572 --field-trial-handle=1744,i,11161194124974526034,13163010564979156288,131072 /prefetch:8
  2⤵
  PID:4072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4556 --field-trial-handle=1744,i,11161194124974526034,13163010564979156288,131072 /prefetch:8
  2⤵
  PID:3376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4712 --field-trial-handle=1744,i,11161194124974526034,13163010564979156288,131072 /prefetch:1
  2⤵
  PID:1360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 --field-trial-handle=1744,i,11161194124974526034,13163010564979156288,131072 /prefetch:8
  2⤵
  PID:3924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 --field-trial-handle=1744,i,11161194124974526034,13163010564979156288,131072 /prefetch:8
  2⤵
  PID:2204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5060 --field-trial-handle=1744,i,11161194124974526034,13163010564979156288,131072 /prefetch:1
  2⤵
  PID:1760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4372 --field-trial-handle=1744,i,11161194124974526034,13163010564979156288,131072 /prefetch:8
  2⤵
  PID:4116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3252 --field-trial-handle=1744,i,11161194124974526034,13163010564979156288,131072 /prefetch:8
  2⤵
  PID:1424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3248 --field-trial-handle=1744,i,11161194124974526034,13163010564979156288,131072 /prefetch:8
  2⤵
  PID:2160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4488 --field-trial-handle=1744,i,11161194124974526034,13163010564979156288,131072 /prefetch:1
  2⤵
  PID:3920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4628 --field-trial-handle=1744,i,11161194124974526034,13163010564979156288,131072 /prefetch:1
  2⤵
  PID:1404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5500 --field-trial-handle=1744,i,11161194124974526034,13163010564979156288,131072 /prefetch:1
  2⤵
  PID:1996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5272 --field-trial-handle=1744,i,11161194124974526034,13163010564979156288,131072 /prefetch:1
  2⤵
  PID:2572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1568 --field-trial-handle=1744,i,11161194124974526034,13163010564979156288,131072 /prefetch:8
  2⤵
  PID:652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=5520 --field-trial-handle=1744,i,11161194124974526034,13163010564979156288,131072 /prefetch:1
  2⤵
  PID:2076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 --field-trial-handle=1744,i,11161194124974526034,13163010564979156288,131072 /prefetch:8
  2⤵
  PID:2192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3304 --field-trial-handle=1744,i,11161194124974526034,13163010564979156288,131072 /prefetch:8
  2⤵
  PID:4112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5316 --field-trial-handle=1744,i,11161194124974526034,13163010564979156288,131072 /prefetch:8
  2⤵
  PID:4332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=1508 --field-trial-handle=1744,i,11161194124974526034,13163010564979156288,131072 /prefetch:1
  2⤵
  PID:788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3148 --field-trial-handle=1744,i,11161194124974526034,13163010564979156288,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2120

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4868

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3b4
1⤵
PID:520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000030

Filesize
20KB

MD5
39307e27138b106e53f1a4af27d63094

SHA1
9c2fbfb3f19bf72a282a101d1c802c287dbb5fab

SHA256
07c09b206faa8934e6b12c518a4f834d8bd5b2bbe92a07a4f169173ab620b464

SHA512
8e48c468cceab8dfb296c62c2fcf4e82adde92fc06e3b14418a4cc08dea5712aaa7f61eb5421b9d5fbc0803b1b8f2b05a344a2e3db7831212af9e2579972bc52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
e296b4ddb270432d6ed5b5df7bed72b5

SHA1
d0dfc7755bfb9a86d8991b95825c0e91be3df7b6

SHA256
4051c305919f55d8f8a45e3c7493378bc19db09ed761623462b4099ffff1adc2

SHA512
249a04e18d77b6e56ffa7f94e15a62487550cc7cf9446b03d510d454c3dffa2bf796e67e273596898db57d00b73deda62eefa7f5c9f03fcc9c5d3f307715bc89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
ef8d3c009e7ccec6d22e5386f090ca42

SHA1
d4d722b4b4211c29a890c9209d85f068a1cb7137

SHA256
bc80e68203ffc7d8a66e3cfab5d79fff29804b29b6a512e4e2718d8146260666

SHA512
d1c8f043d4a1a3fe3fc1ade6f25adc7835ca81125226ffe13ac7adaa7befc4e06a5f235184270b000a9c8178f63e2dfc72233fadcfb0efd705fe544d727bbd4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
c6e9b6ffc1ee04111e149f180a67d74d

SHA1
bac1281f6721bb53889a42ef325ff43bcea5c880

SHA256
7ad5e0d8b4d91b2f9f00e386adff21b04f76a8fcf62669555886cf5af01b171d

SHA512
93769dd38f82be27082cbb51b349adb6d246c74286568db7876b526c24712f66a85bfc3205a30e6e92d2c9a1277d8aa249fe650c421f82ca4f2e96bd0ed79c86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_grandcanyonshuttles.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_grandcanyonshuttles.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
972c685de462cf5cb10eea1ef1d54804

SHA1
9f55bc0859df294a00c8a67e82d1a9b1b81f7b52

SHA256
e6b990cf6268af949859d7f67760acce285810fb5d1c63b6ed589e59c1258bdd

SHA512
ffdb53d590fc9b65921b8f2e8b681e639eb24c1055575c4c05ea5c0e1006e8ea9ee7158f260b02c679d45413920fa69a69fc4fb02da223739a2d8898415e9bd6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
89c0a99bcbbd4b210f11b1bd5cb26e5d

SHA1
22ae72b4f20d2bdc779a96de6e1e054c3f629a53

SHA256
8ac6c1e46fd1d6ce3590b6ec095a6226ae122b97350a3256bb45286ab6c11151

SHA512
70b8a95be74c5de5d0794356e0df159da29d208405f2b90c4d4591af585ed297c3208a37d937852c98c3ccdced4c4f4f0a48be4726f75f959efbbaffaa5acb33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
7b13c7be3929af8c0dbb0fde002a0613

SHA1
dddb03845312ef87ebf9902bb2825f3649401f03

SHA256
588d4fa1156201f51d455586260bb42a33fbc80d6db15eacbd7b57075c918aca

SHA512
fcd0d772bae5957da1d0bcd52b5eba4744d8a0e00516827a0314667f5a9e5d11392fd65d52e3e4f96b01c7fec2fe55e90fb6c78a377f68880b7fc71ff927d68a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
aca586cc929eceabc4e5f04bbb7fa61b

SHA1
3cb7aee82a2305cb981c92b07e03a7f488a4769a

SHA256
2ff5df540a25a844fd7855fe73955d51b56d8e81d3ca5f7fbba2a804ab2d189b

SHA512
0e455324f1cdccc07091518613047e18706a579bcfab4f7b977b7a360fb3c0e21e7b42bcfc3b8908315c901403261fe243beaadc83d7d0ec594fb58c18b5fffc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
88df51837ad0b85a8cbfc661fb55ba19

SHA1
c69b1673e2cc070eab391bc4afc79d79b13c5ce7

SHA256
545d42a7422f56593946686c226c3500b9439047af466b5e7f24800b9c467e37

SHA512
caba2db14604d20921c1c6416e23fb08184991b73d19bf5d5c68c63676cc5b047e4f4965bfa8ae566cd53f9818099951665e594adca1d8746914c84e0f2cb3cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d95d3314982b346857afc15ba6bb1bd9

SHA1
62b30f7ae186fbdde2c9e4c914ed20b425e11799

SHA256
f540e4c6c8bf695668d6e5580544b986e829a4e09ccf0a893e3f6b75a7bf9163

SHA512
46c9f5c399f15496e7c69dbf6bd9d65df8a08cfc399e14257077af2ad79458b32dd9c8d2976b496230129d70bb61d657f3bc943cb2b2d392e4f208384679d7ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
636a993eed25e65fd67ae60e4d246f37

SHA1
4871d7c77f0d6b40b6cb92cb9fafe27a40fa1f17

SHA256
5c19cfc4ad97b66a29f312a31988d151d83b5cb5983113e8312b9912fa7ec7ab

SHA512
57e406d98d07084c7a1e2a81dea869a599297705d30de32540e0b5a84dc3955371d60f1aa963b6f41af7c3ecd62be0611c638eb78bf9514c2e37d424eb1bca38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
e8db76021629954d79f0267d1274ae1d

SHA1
90e543abea9ab61b10c982b18ec09688205468dd

SHA256
01b4bf609a59001e2eff653cb577f05fc3c6bc2dd1bc60ec76c36ff3334f1c09

SHA512
76bcc66819a7e3832cba80386df48c5a1fdeb8a506fd8ca49bc751a124be960e82ba907fb200e463a33f916b2e067536728576cd032fa40ad824a1f6ffebccea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
036ebe492301d820e083d43f6ab33a64

SHA1
711b5b331f5c2f4bfe97a0e04df2cbe98073c182

SHA256
7e4ecc73f52e9f4dca5fc4da873e9272203424e143c3baa1f21ebdb33d026816

SHA512
e5b4132871784af7abcf5f6e95c30dcda67d2dfaac15e9f46d676a82493c75b87261bc7c954b70e401217bdd0a475eea83e11e1ba3c6379b39522dc597680989

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
72KB

MD5
ce7c27082cef30b2eef0b6c70ae2aff0

SHA1
b805f23c19d0fc5290f3e94ec11e8c9eb476835c

SHA256
d50feb6dfe456781665c4fc176d75620ff8e43a7c1aca0c6cd7e7092e5f9c3c0

SHA512
20708cde852f80c2c9a61f67f3eeb0a941822726333b5932873e94919ef6cda7e0bcb6e17b26ec06a46d953ef673d14882fa6869d6881bb2e2426198714fda89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
154KB

MD5
f20ca99bfe1d92e126a11175b719c915

SHA1
d3f2316eb5a8cb529a0a251b67ffe06fc1f2d062

SHA256
6b46b42461f1af3cf2aef6b769c8bdfd75ed6179b0bb74764e08f808d4871d71

SHA512
7b9e878261ae05f1716ec55888a2139ad5b2673d09cee360efabcd46dea3498fbc07aa56dd0084d1d30c1198a49805371973c7cb214ff498008da6889129d748

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
154KB

MD5
5d1606e477fb9376c23a4c7c64efe699

SHA1
4ec9f55ff7aded2926a41b59bd5ec3425c4ac540

SHA256
62b5fca3a570d5d0b97cead2b3bb470003a5221468ba466f6c067e0374724b6e

SHA512
0c8f89e71602a4e17b34a4ed4b58322eff549e65e6ddb6061a7ed4fb77a3a4611ca89d2b8d7e60093a0b7e1a044a621981ba008719df9dbe8f7c23a2599186ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
154KB

MD5
bf9ef3d96e9ff5d245cf6e1344824b90

SHA1
67a10c0d61001507111dc0c5a8721b4f959a8e74

SHA256
dca7d93cd309562fe6125fd4a43700f0c827e99c1ebdeb97512691ee4a1dd559

SHA512
6e219011c74a32e7f88a35e562e9fa9bc9409bbcbfc71231597b6f29c8939385cb961a9155a61c2c29920f81132114139bb384be4e6572e1477953ce81749cf7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
154KB

MD5
d48e614bb394618bd64bd7b2961541b7

SHA1
9b2874b320071c5b5743480db4e6336b98c819ec

SHA256
824beeb4075d15a5dffc408fef35a70e0d3aeec6a9ff0e6f2ed320a3d89a386d

SHA512
aced3b23f0bdad7e2723ae52f9b146dae0556a0cffe575541b9f71cf262f4f7081d3a83984c8a55e26715d5d6495a3ab34f1e559dfa00b633605e08478db775b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
159KB

MD5
ba6a2f01a5d6525b15b2905ed900eb02

SHA1
641fb32b2a67cd15930bd98e90ccf2a919ecab7d

SHA256
b2f9633576d7817353d31e3c517c8890b88a1da38efab34dfcbadd08dc202b9b

SHA512
c98d4edc4d8c0619d3bce3b123c90b090bd456bd47c79635b8eae218a4c2169561694e223e09d3ebbbcb8238417cb5158ed6edb0bdafa2d44322d79671911bef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
101KB

MD5
7df1f6b549949a621c965849fea7ca4a

SHA1
e07ae35b45bc7ea67f68cc2331c7029186802e19

SHA256
db0dd653d73fcc03619cf3c2d338ce9e4344a2964b8fd5e7bfdd6e636a5755be

SHA512
7477089de5aaf49600c0b57201b2105d00f65338aa64aa616c83ba446180b2f665312df288ee8f4c3de30b9ab5d4a5347e2fde7a9b938c70f336f24674ffed06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57c767.TMP

Filesize
93KB

MD5
00a0a749a7e08a8be17cec722d3b4a14

SHA1
00d9e7853f8a2426a44d1e28214afa3b80be4017

SHA256
a183577717b6800f0a39dcf4bb70280d9f9d6ccbe9eb74309d2a1d990e3f03e0

SHA512
6e0b8a1bdf6107d8b5c5d2568e1be12d11351edd1ff7ab5d0d3995314743ac0da3241eaf8601a8cc2742b4f2567d1757bdf451b1ea2dafce447ae123f0b494ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
256KB

MD5
c1f92b19d23bd7a1ff0977a4c69e1378

SHA1
f0d3ec52325e8171fa0c954df155ae6517b9b71e

SHA256
51de6c922bf0eab19abbf190666c5fcb983a6364845360174bb98acccd89f0fb

SHA512
6cabb2af0234ab34b372af9debb0146d4e8162565a78afab205043413b667151d1083143a2fec9a8572e000e85b625f6d3d971fffbead5b71a4dc89cf6a805c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
076038a18158e0a889f9dcc901450544

SHA1
d15def95b3719761d5261ac0e76f16339d7539e8

SHA256
e4e289797692203890ce6b0172bab5631abb19f2e6a829747a054c28b3672ae5

SHA512
52625531b0c15b886c9c747ebb0741f3f572f44541efcd0040d46b65a5607585f8e77c8e7fa96599dff3968942964572d8d45eeff709360519a9de35bf745884

Download Submit