b8f39714d41e009f75efb183c37100f2cbabb71784bbd243be881ac5b42d86fd

Analysis

max time kernel
140s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
17/09/2023, 17:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

oalinst.exe
Size

790KB
MD5

694f54bd227916b89fc3eb1db53f0685
SHA1

21fdc367291bbef14dac27925cae698d3928eead
SHA256

b8f39714d41e009f75efb183c37100f2cbabb71784bbd243be881ac5b42d86fd
SHA512

55bc0de75a7f27f11eb8f4ee8c9934dfe1acd044d8b7b2151c506bdcbead3ab179df7023f699c9139c77541bbc4b1c0657e93c34a6bc4309b665c6cb7636a7e5
SSDEEP

12288:0s1yfEcpPzdv+t4cRIy3ze3SUN0PXGTjiqRy2p3kwzjGHTkV:NwfLrvi4cRIyDe3SUNaXy+WypoGHgV

Score

6^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 17 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File created	C:\Windows\SysWOW64\wrap_oal.new	oalinst.exe
File created	C:\Windows\system32\wrap_oal.new	oalinst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\SysWOW64\OpenAL32.new	oalinst.exe
File created	C:\Windows\system32\OpenAL32.new	oalinst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\tmpED1F.tmp	oalinst.exe
File opened for modification	C:\Windows\SysWOW64\tmpED30.tmp	oalinst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\OpenAL\oalinst.exe	oalinst.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133394457904745049"	chrome.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000_Classes\Local Settings	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000_Classes\Local Settings	mspaint.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1141987721-3945596982-3297311814-1000\{C04A69CB-F7F2-45A7-B81D-1D75C600963C}	chrome.exe

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
4372	vlc.exe
3100	WINWORD.EXE
3100	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4676	mspaint.exe
4676	mspaint.exe
4088	mspaint.exe
4088	mspaint.exe
3476	chrome.exe
3476	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4372	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe
Token: SeShutdownPrivilege	3476	chrome.exe
Token: SeCreatePagefilePrivilege	3476	chrome.exe

Suspicious use of FindShellTrayWindow 31 IoCs

pid	Process
4372	vlc.exe
4372	vlc.exe
4372	vlc.exe
4372	vlc.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
4372	vlc.exe
4372	vlc.exe
4372	vlc.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe
3476	chrome.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4676	mspaint.exe
3868	OpenWith.exe
4088	mspaint.exe
4564	OpenWith.exe
4372	vlc.exe
3100	WINWORD.EXE
3100	WINWORD.EXE
3100	WINWORD.EXE
3100	WINWORD.EXE
3100	WINWORD.EXE
3100	WINWORD.EXE
3100	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3476 wrote to memory of 2468	3476	chrome.exe	95
PID 3476 wrote to memory of 2468	3476	chrome.exe	95
PID 3476 wrote to memory of 1528	3476	chrome.exe	96
PID 3476 wrote to memory of 1528	3476	chrome.exe	96
PID 3476 wrote to memory of 1528	3476	chrome.exe	96
PID 3476 wrote to memory of 1528	3476	chrome.exe	96
PID 3476 wrote to memory of 1528	3476	chrome.exe	96
PID 3476 wrote to memory of 1528	3476	chrome.exe	96
PID 3476 wrote to memory of 1528	3476	chrome.exe	96
PID 3476 wrote to memory of 1528	3476	chrome.exe	96
PID 3476 wrote to memory of 1528	3476	chrome.exe	96
PID 3476 wrote to memory of 1528	3476	chrome.exe	96
PID 3476 wrote to memory of 1528	3476	chrome.exe	96
PID 3476 wrote to memory of 1528	3476	chrome.exe	96
PID 3476 wrote to memory of 1528	3476	chrome.exe	96
PID 3476 wrote to memory of 1528	3476	chrome.exe	96
PID 3476 wrote to memory of 1528	3476	chrome.exe	96
PID 3476 wrote to memory of 1528	3476	chrome.exe	96
PID 3476 wrote to memory of 1528	3476	chrome.exe	96
PID 3476 wrote to memory of 1528	3476	chrome.exe	96
PID 3476 wrote to memory of 1528	3476	chrome.exe	96
PID 3476 wrote to memory of 1528	3476	chrome.exe	96
PID 3476 wrote to memory of 1528	3476	chrome.exe	96
PID 3476 wrote to memory of 1528	3476	chrome.exe	96
PID 3476 wrote to memory of 1528	3476	chrome.exe	96
PID 3476 wrote to memory of 1528	3476	chrome.exe	96
PID 3476 wrote to memory of 1528	3476	chrome.exe	96
PID 3476 wrote to memory of 1528	3476	chrome.exe	96
PID 3476 wrote to memory of 1528	3476	chrome.exe	96
PID 3476 wrote to memory of 1528	3476	chrome.exe	96
PID 3476 wrote to memory of 1528	3476	chrome.exe	96
PID 3476 wrote to memory of 1528	3476	chrome.exe	96
PID 3476 wrote to memory of 1528	3476	chrome.exe	96
PID 3476 wrote to memory of 1528	3476	chrome.exe	96
PID 3476 wrote to memory of 1528	3476	chrome.exe	96
PID 3476 wrote to memory of 1528	3476	chrome.exe	96
PID 3476 wrote to memory of 1528	3476	chrome.exe	96
PID 3476 wrote to memory of 1528	3476	chrome.exe	96
PID 3476 wrote to memory of 1528	3476	chrome.exe	96
PID 3476 wrote to memory of 1528	3476	chrome.exe	96
PID 3476 wrote to memory of 3904	3476	chrome.exe	97
PID 3476 wrote to memory of 3904	3476	chrome.exe	97
PID 3476 wrote to memory of 1536	3476	chrome.exe	98
PID 3476 wrote to memory of 1536	3476	chrome.exe	98
PID 3476 wrote to memory of 1536	3476	chrome.exe	98
PID 3476 wrote to memory of 1536	3476	chrome.exe	98
PID 3476 wrote to memory of 1536	3476	chrome.exe	98
PID 3476 wrote to memory of 1536	3476	chrome.exe	98
PID 3476 wrote to memory of 1536	3476	chrome.exe	98
PID 3476 wrote to memory of 1536	3476	chrome.exe	98
PID 3476 wrote to memory of 1536	3476	chrome.exe	98
PID 3476 wrote to memory of 1536	3476	chrome.exe	98
PID 3476 wrote to memory of 1536	3476	chrome.exe	98
PID 3476 wrote to memory of 1536	3476	chrome.exe	98
PID 3476 wrote to memory of 1536	3476	chrome.exe	98
PID 3476 wrote to memory of 1536	3476	chrome.exe	98
PID 3476 wrote to memory of 1536	3476	chrome.exe	98
PID 3476 wrote to memory of 1536	3476	chrome.exe	98
PID 3476 wrote to memory of 1536	3476	chrome.exe	98
PID 3476 wrote to memory of 1536	3476	chrome.exe	98
PID 3476 wrote to memory of 1536	3476	chrome.exe	98
PID 3476 wrote to memory of 1536	3476	chrome.exe	98
PID 3476 wrote to memory of 1536	3476	chrome.exe	98
PID 3476 wrote to memory of 1536	3476	chrome.exe	98

C:\Users\Admin\AppData\Local\Temp\oalinst.exe
"C:\Users\Admin\AppData\Local\Temp\oalinst.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
PID:3188

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\JoinConvertTo.jpe" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4676

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:4532

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3868

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\JoinConvertTo.jpe" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4088

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4564

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\InstallUndo.wav"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffdcfdd9758,0x7ffdcfdd9768,0x7ffdcfdd9778
  2⤵
  PID:2468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1748 --field-trial-handle=1812,i,17703908401548881309,9610897082035333426,131072 /prefetch:2
  2⤵
  PID:1528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1812,i,17703908401548881309,9610897082035333426,131072 /prefetch:8
  2⤵
  PID:3904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2264 --field-trial-handle=1812,i,17703908401548881309,9610897082035333426,131072 /prefetch:8
  2⤵
  PID:1536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2864 --field-trial-handle=1812,i,17703908401548881309,9610897082035333426,131072 /prefetch:1
  2⤵
  PID:4488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2916 --field-trial-handle=1812,i,17703908401548881309,9610897082035333426,131072 /prefetch:1
  2⤵
  PID:1896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4600 --field-trial-handle=1812,i,17703908401548881309,9610897082035333426,131072 /prefetch:1
  2⤵
  PID:4168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4792 --field-trial-handle=1812,i,17703908401548881309,9610897082035333426,131072 /prefetch:8
  2⤵
  PID:3948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4928 --field-trial-handle=1812,i,17703908401548881309,9610897082035333426,131072 /prefetch:8
  2⤵
  PID:2828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4792 --field-trial-handle=1812,i,17703908401548881309,9610897082035333426,131072 /prefetch:1
  2⤵
  PID:4136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5036 --field-trial-handle=1812,i,17703908401548881309,9610897082035333426,131072 /prefetch:1
  2⤵
  PID:4000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4772 --field-trial-handle=1812,i,17703908401548881309,9610897082035333426,131072 /prefetch:1
  2⤵
  PID:8
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4032 --field-trial-handle=1812,i,17703908401548881309,9610897082035333426,131072 /prefetch:8
  2⤵
  PID:4936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 --field-trial-handle=1812,i,17703908401548881309,9610897082035333426,131072 /prefetch:8
  2⤵
  - Modifies registry class
  PID:1260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5044 --field-trial-handle=1812,i,17703908401548881309,9610897082035333426,131072 /prefetch:8
  2⤵
  PID:3452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3444 --field-trial-handle=1812,i,17703908401548881309,9610897082035333426,131072 /prefetch:8
  2⤵
  PID:3872

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4172

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\RenameDeny.js"
1⤵
PID:2808

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:224

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\Are.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
542a8cf6df3e4de990f13dec71af34b8

SHA1
4680f130eac0da7a3822ba7668be8852b442b327

SHA256
e95d5c13f331f0991da32ff997dffedade5b0ae18f18bc6b36e6d6d0f9682883

SHA512
665e7b7db3d73dd3caf055e97b7899755a371d92990175f9c8c8ad9f7746d825c0a30a6c07e34504b44a4965cee995444f7b30491c91d107b636c438b22a135d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
13730db4a5f97016dfb770f3db353bff

SHA1
8fef01954db3ff91074449ecf0ea6d4994d31bff

SHA256
e407acd276e3920b43f1549ad58025bf10b4b3b47e69c299b749dd159c3a7bc5

SHA512
301e873674854ee35512a82fb373881a1198feddd48949da6777c526c315034f6b4604663d2922303adf3d4ad43239f29ce04818abe758630fcca0942e4b537b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
a1442ac0ab7900044072631742e6a3ef

SHA1
8aa808ac28f7c69b9a356545ac98cf53568d0070

SHA256
92bb77711c2cd1a427f0adb9883cfb8423240b4f17fef07e6559cbe0cb9310cd

SHA512
e94ac1f64df05d5e3569a22b609ad81bb4e42f89598143096ce41a5b74f6526bd73b22ea72d8a3ab90bfb29fa33306a80c4161947f8209234e9682a197b173ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
98b16e0fe3173370d2fcbca511f4deba

SHA1
9e1e9ae2e93a85f6bb8fa7808e3b51df3e117244

SHA256
665dc5ecc0dda26404908d62410ebc6f7c4dcd48a9d5f358b63c01357ec90035

SHA512
f79d10247d6704b54b4ceb52a4887f38531243837103c288c22cc7dec1c2cc7101aa9387edf049a1bbc6f2a8a99fbe0d84126140911eff2ebd2620c5f1c3d295

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
5954df350fa90a8bb6ea6558368fe27f

SHA1
7a2eb31b8e1e7c01e41da9d8d2574772a9f2b2ed

SHA256
45009834a34bf148c3d1fecdb849ddf25e6e09eadd3c2cf3e7db1c12964a4bfd

SHA512
e00757a48065ec70f421235bb922451220825d4c23e92dad35177f37bccafebd6ef4f6a80f3bbfd2361da7a6f93aae8e2a6b397ebe320fb8dc1a39b41a632d03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
36f5841838f3ee7305f873c122e9c1b0

SHA1
97493564ba72f5d39db6659274460a913aecae11

SHA256
9dff6b262f8d894fbc533ee3e4c4d78be683541281a40071efa746ee93c554ee

SHA512
93a38cba88e9a44e37b558cdfba0a7497daa8ae4f3d24fab30744b94dcd977024389ca3528accc0929a5ad8c6c519f0590f54b37af63e8fc60d394949831e857

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
292822dad8b2c1f2d457ff1bef174dca

SHA1
4464a155ea629706cae12dc752d12e59025f9823

SHA256
64c7d305f12d36dced692780bdeebf565778cc18b3b172c61269da88ed5bb0cc

SHA512
3985bda5041049c3bf3ae8e6e4df9447444c36695f50b19316c2dd7bd94d444308abcf77e2dd4d31f933dd196f7b32950db6f44b27ea2c70d9c51658bb04e68a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
103KB

MD5
1a63ba064a3398667196f705dd2ea9c1

SHA1
43bd48197d889dd8a2f77b4253fbfe9311af4c2a

SHA256
6f491ee9ef1361865d61dd766ab02a7c7868c8cef9098e53731f13690295980a

SHA512
d54ae0f87dcb65941c98e79d1173e179a3c33bb5d857228e9065082ba05522d68c9d35743187e335630bd781192bad8eed45e82ee9da1a0270acebe534cf7394

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
202KB

MD5
75a9a93d17fda233f849df23d74a01ec

SHA1
5f32e6dd25fba19877f8dda12140dc47d959da95

SHA256
81108d7132fc3548f94a5e96a143ced5dad1fe23bbf015fe6c1c0b6953d69da4

SHA512
49b31ace2bd46c50965553e555f3b5aa3bd63a0ec37245a61ca34b0d0744a1df6d273e4b7455d9acf3bacede88c4048bb4ccab658580959f3a9701f31c6065b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
202KB

MD5
5a7e0b57bc0f059e410ecb5a67f33a65

SHA1
66c11e5b2a3a0fc056c457919d77550be4cf11a0

SHA256
795d48c0f376c674b04cd2e4747631f27b15efd7f0f54c0b14c7dcdcce09d634

SHA512
a2923b1baec7884e2544b3c4d9a4e36c892d11ce3e389dc108f0fb42a2595e59cb4d88c878186f8b354fc415203570dd87db39c3bd09a51ee69bfb910f05d0c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
202B

MD5
add56ec49f8f478e84a934606effef1c

SHA1
1262ae87ef755e40752740df90d21352d5fc81ec

SHA256
22e509cf2b7202fc6b04c3d9a1b137477f11471d58a48c1f9514f89450217327

SHA512
c095f193d221696f3b087c3f224a559ad0efe4852a5392c8a3ab03f80183beec2a8327892aa481c85f1bf8165b76a029555f250e0dd5f396c823feacff4c06f1

Download Submit
memory/3100-277-0x00007FFDAD750000-0x00007FFDAD760000-memory.dmp

Filesize
64KB

Download
memory/3100-295-0x00007FFDED6D0000-0x00007FFDED8C5000-memory.dmp

Filesize
2.0MB

Download
memory/3100-335-0x00007FFDED6D0000-0x00007FFDED8C5000-memory.dmp

Filesize
2.0MB

Download
memory/3100-334-0x00007FFDAD750000-0x00007FFDAD760000-memory.dmp

Filesize
64KB

Download
memory/3100-333-0x00007FFDED6D0000-0x00007FFDED8C5000-memory.dmp

Filesize
2.0MB

Download
memory/3100-330-0x00007FFDAD750000-0x00007FFDAD760000-memory.dmp

Filesize
64KB

Download
memory/3100-332-0x00007FFDAD750000-0x00007FFDAD760000-memory.dmp

Filesize
64KB

Download
memory/3100-331-0x00007FFDAD750000-0x00007FFDAD760000-memory.dmp

Filesize
64KB

Download
memory/3100-329-0x00007FFDED6D0000-0x00007FFDED8C5000-memory.dmp

Filesize
2.0MB

Download
memory/3100-328-0x00007FFDED6D0000-0x00007FFDED8C5000-memory.dmp

Filesize
2.0MB

Download
memory/3100-324-0x00007FFDED6D0000-0x00007FFDED8C5000-memory.dmp

Filesize
2.0MB

Download
memory/3100-323-0x00007FFDED6D0000-0x00007FFDED8C5000-memory.dmp

Filesize
2.0MB

Download
memory/3100-312-0x00007FFDED6D0000-0x00007FFDED8C5000-memory.dmp

Filesize
2.0MB

Download
memory/3100-274-0x00007FFDAD750000-0x00007FFDAD760000-memory.dmp

Filesize
64KB

Download
memory/3100-275-0x00007FFDED6D0000-0x00007FFDED8C5000-memory.dmp

Filesize
2.0MB

Download
memory/3100-276-0x00007FFDAD750000-0x00007FFDAD760000-memory.dmp

Filesize
64KB

Download
memory/3100-294-0x00007FFDAB2B0000-0x00007FFDAB2C0000-memory.dmp

Filesize
64KB

Download
memory/3100-278-0x00007FFDED6D0000-0x00007FFDED8C5000-memory.dmp

Filesize
2.0MB

Download
memory/3100-279-0x00007FFDED6D0000-0x00007FFDED8C5000-memory.dmp

Filesize
2.0MB

Download
memory/3100-280-0x00007FFDAD750000-0x00007FFDAD760000-memory.dmp

Filesize
64KB

Download
memory/3100-281-0x00007FFDED6D0000-0x00007FFDED8C5000-memory.dmp

Filesize
2.0MB

Download
memory/3100-282-0x00007FFDAD750000-0x00007FFDAD760000-memory.dmp

Filesize
64KB

Download
memory/3100-283-0x00007FFDED6D0000-0x00007FFDED8C5000-memory.dmp

Filesize
2.0MB

Download
memory/3100-284-0x00007FFDED6D0000-0x00007FFDED8C5000-memory.dmp

Filesize
2.0MB

Download
memory/3100-285-0x00007FFDED6D0000-0x00007FFDED8C5000-memory.dmp

Filesize
2.0MB

Download
memory/3100-286-0x00007FFDED6D0000-0x00007FFDED8C5000-memory.dmp

Filesize
2.0MB

Download
memory/3100-287-0x00007FFDED6D0000-0x00007FFDED8C5000-memory.dmp

Filesize
2.0MB

Download
memory/3100-289-0x00007FFDAB2B0000-0x00007FFDAB2C0000-memory.dmp

Filesize
64KB

Download
memory/3100-290-0x00007FFDED6D0000-0x00007FFDED8C5000-memory.dmp

Filesize
2.0MB

Download
memory/3100-288-0x00007FFDED6D0000-0x00007FFDED8C5000-memory.dmp

Filesize
2.0MB

Download
memory/3100-291-0x00007FFDED6D0000-0x00007FFDED8C5000-memory.dmp

Filesize
2.0MB

Download
memory/3100-292-0x00007FFDED6D0000-0x00007FFDED8C5000-memory.dmp

Filesize
2.0MB

Download
memory/3100-293-0x00007FFDED6D0000-0x00007FFDED8C5000-memory.dmp

Filesize
2.0MB

Download
memory/4372-54-0x00007FF79B4C0000-0x00007FF79B5B8000-memory.dmp

Filesize
992KB

Download
memory/4372-58-0x00007FFDCCFA0000-0x00007FFDCD0B2000-memory.dmp

Filesize
1.1MB

Download
memory/4372-57-0x00007FFDCD980000-0x00007FFDCEA2B000-memory.dmp

Filesize
16.7MB

Download
memory/4372-56-0x00007FFDCEC30000-0x00007FFDCEEE4000-memory.dmp

Filesize
2.7MB

Download
memory/4372-55-0x00007FFDDF040000-0x00007FFDDF074000-memory.dmp

Filesize
208KB

Download
memory/4532-37-0x000001D07EE20000-0x000001D07EE21000-memory.dmp

Filesize
4KB

Download
memory/4532-21-0x000001D07A180000-0x000001D07A190000-memory.dmp

Filesize
64KB

Download
memory/4532-38-0x000001D07EE20000-0x000001D07EE21000-memory.dmp

Filesize
4KB

Download
memory/4532-39-0x000001D07EE30000-0x000001D07EE31000-memory.dmp

Filesize
4KB

Download
memory/4532-40-0x000001D07EE30000-0x000001D07EE31000-memory.dmp

Filesize
4KB

Download
memory/4532-36-0x000001D07ED90000-0x000001D07ED91000-memory.dmp

Filesize
4KB

Download
memory/4532-34-0x000001D07ED90000-0x000001D07ED91000-memory.dmp

Filesize
4KB

Download
memory/4532-32-0x000001D07ED10000-0x000001D07ED11000-memory.dmp

Filesize
4KB

Download
memory/4532-25-0x000001D07A1C0000-0x000001D07A1D0000-memory.dmp

Filesize
64KB

Download