a7d538a401351a9768cda22b70cc7914f6e9fde53f68769ba9b01fd29e0f17bd

Analysis

max time kernel
269s
max time network
261s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
05/10/2023, 14:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

phasmophobia-sound-board-effects-12-sound-effects-ghost2-strong-attack.mp3
Size

77KB
MD5

b8719f80baa7481eac1df8873680c042
SHA1

8c8c6406876de0433d1653abc6dd99a1c0c291f1
SHA256

a7d538a401351a9768cda22b70cc7914f6e9fde53f68769ba9b01fd29e0f17bd
SHA512

fcfa99b27150493af432937c48b84ea1a87bd54d46dedb0e95a46e8af32f2ef48ff764b5fd38121aa699da5a8f27e526043d69963a96c95f28971bce888aed14
SSDEEP

1536:u0sVywYwVXyOHhkBoNBJMUcsbwZ7aZ7a11UFB2v:u0shYYCB6PMUcjaZ21Mw

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133409890332200852"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3416	chrome.exe
3416	chrome.exe
4612	chrome.exe
4612	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4196	unregmp2.exe
Token: SeCreatePagefilePrivilege	4196	unregmp2.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe
Token: SeShutdownPrivilege	3416	chrome.exe
Token: SeCreatePagefilePrivilege	3416	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe
3416	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 1736	4956	wmplayer.exe	86
PID 4956 wrote to memory of 1736	4956	wmplayer.exe	86
PID 4956 wrote to memory of 1736	4956	wmplayer.exe	86
PID 4956 wrote to memory of 3856	4956	wmplayer.exe	87
PID 4956 wrote to memory of 3856	4956	wmplayer.exe	87
PID 4956 wrote to memory of 3856	4956	wmplayer.exe	87
PID 3856 wrote to memory of 4196	3856	unregmp2.exe	88
PID 3856 wrote to memory of 4196	3856	unregmp2.exe	88
PID 3416 wrote to memory of 3100	3416	chrome.exe	102
PID 3416 wrote to memory of 3100	3416	chrome.exe	102
PID 3416 wrote to memory of 3380	3416	chrome.exe	103
PID 3416 wrote to memory of 3380	3416	chrome.exe	103
PID 3416 wrote to memory of 3380	3416	chrome.exe	103
PID 3416 wrote to memory of 3380	3416	chrome.exe	103
PID 3416 wrote to memory of 3380	3416	chrome.exe	103
PID 3416 wrote to memory of 3380	3416	chrome.exe	103
PID 3416 wrote to memory of 3380	3416	chrome.exe	103
PID 3416 wrote to memory of 3380	3416	chrome.exe	103
PID 3416 wrote to memory of 3380	3416	chrome.exe	103
PID 3416 wrote to memory of 3380	3416	chrome.exe	103
PID 3416 wrote to memory of 3380	3416	chrome.exe	103
PID 3416 wrote to memory of 3380	3416	chrome.exe	103
PID 3416 wrote to memory of 3380	3416	chrome.exe	103
PID 3416 wrote to memory of 3380	3416	chrome.exe	103
PID 3416 wrote to memory of 3380	3416	chrome.exe	103
PID 3416 wrote to memory of 3380	3416	chrome.exe	103
PID 3416 wrote to memory of 3380	3416	chrome.exe	103
PID 3416 wrote to memory of 3380	3416	chrome.exe	103
PID 3416 wrote to memory of 3380	3416	chrome.exe	103
PID 3416 wrote to memory of 3380	3416	chrome.exe	103
PID 3416 wrote to memory of 3380	3416	chrome.exe	103
PID 3416 wrote to memory of 3380	3416	chrome.exe	103
PID 3416 wrote to memory of 3380	3416	chrome.exe	103
PID 3416 wrote to memory of 3380	3416	chrome.exe	103
PID 3416 wrote to memory of 3380	3416	chrome.exe	103
PID 3416 wrote to memory of 3380	3416	chrome.exe	103
PID 3416 wrote to memory of 3380	3416	chrome.exe	103
PID 3416 wrote to memory of 3380	3416	chrome.exe	103
PID 3416 wrote to memory of 3380	3416	chrome.exe	103
PID 3416 wrote to memory of 3380	3416	chrome.exe	103
PID 3416 wrote to memory of 3380	3416	chrome.exe	103
PID 3416 wrote to memory of 3380	3416	chrome.exe	103
PID 3416 wrote to memory of 3380	3416	chrome.exe	103
PID 3416 wrote to memory of 3380	3416	chrome.exe	103
PID 3416 wrote to memory of 3380	3416	chrome.exe	103
PID 3416 wrote to memory of 3380	3416	chrome.exe	103
PID 3416 wrote to memory of 3380	3416	chrome.exe	103
PID 3416 wrote to memory of 3380	3416	chrome.exe	103
PID 3416 wrote to memory of 2516	3416	chrome.exe	104
PID 3416 wrote to memory of 2516	3416	chrome.exe	104
PID 3416 wrote to memory of 3048	3416	chrome.exe	105
PID 3416 wrote to memory of 3048	3416	chrome.exe	105
PID 3416 wrote to memory of 3048	3416	chrome.exe	105
PID 3416 wrote to memory of 3048	3416	chrome.exe	105
PID 3416 wrote to memory of 3048	3416	chrome.exe	105
PID 3416 wrote to memory of 3048	3416	chrome.exe	105
PID 3416 wrote to memory of 3048	3416	chrome.exe	105
PID 3416 wrote to memory of 3048	3416	chrome.exe	105
PID 3416 wrote to memory of 3048	3416	chrome.exe	105
PID 3416 wrote to memory of 3048	3416	chrome.exe	105
PID 3416 wrote to memory of 3048	3416	chrome.exe	105
PID 3416 wrote to memory of 3048	3416	chrome.exe	105
PID 3416 wrote to memory of 3048	3416	chrome.exe	105
PID 3416 wrote to memory of 3048	3416	chrome.exe	105

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\phasmophobia-sound-board-effects-12-sound-effects-ghost2-strong-attack.mp3"
1⤵
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\phasmophobia-sound-board-effects-12-sound-effects-ghost2-strong-attack.mp3"
  2⤵
  PID:1736
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3856
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:4196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcd12a9758,0x7ffcd12a9768,0x7ffcd12a9778
  2⤵
  PID:3100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1744 --field-trial-handle=1900,i,17840883590791643095,17724792701907830569,131072 /prefetch:2
  2⤵
  PID:3380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1900,i,17840883590791643095,17724792701907830569,131072 /prefetch:8
  2⤵
  PID:2516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2248 --field-trial-handle=1900,i,17840883590791643095,17724792701907830569,131072 /prefetch:8
  2⤵
  PID:3048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2980 --field-trial-handle=1900,i,17840883590791643095,17724792701907830569,131072 /prefetch:1
  2⤵
  PID:3784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2956 --field-trial-handle=1900,i,17840883590791643095,17724792701907830569,131072 /prefetch:1
  2⤵
  PID:3728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4604 --field-trial-handle=1900,i,17840883590791643095,17724792701907830569,131072 /prefetch:1
  2⤵
  PID:1112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4944 --field-trial-handle=1900,i,17840883590791643095,17724792701907830569,131072 /prefetch:8
  2⤵
  PID:4944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4584 --field-trial-handle=1900,i,17840883590791643095,17724792701907830569,131072 /prefetch:8
  2⤵
  PID:4332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 --field-trial-handle=1900,i,17840883590791643095,17724792701907830569,131072 /prefetch:8
  2⤵
  PID:4568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5228 --field-trial-handle=1900,i,17840883590791643095,17724792701907830569,131072 /prefetch:8
  2⤵
  PID:3632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 --field-trial-handle=1900,i,17840883590791643095,17724792701907830569,131072 /prefetch:8
  2⤵
  PID:4324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5172 --field-trial-handle=1900,i,17840883590791643095,17724792701907830569,131072 /prefetch:1
  2⤵
  PID:3956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 --field-trial-handle=1900,i,17840883590791643095,17724792701907830569,131072 /prefetch:8
  2⤵
  PID:2744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4088 --field-trial-handle=1900,i,17840883590791643095,17724792701907830569,131072 /prefetch:8
  2⤵
  PID:4512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2956 --field-trial-handle=1900,i,17840883590791643095,17724792701907830569,131072 /prefetch:8
  2⤵
  PID:2512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5680 --field-trial-handle=1900,i,17840883590791643095,17724792701907830569,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4612

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3696

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x514 0x500
1⤵
PID:4912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\48a3f51d-daac-4065-a18c-57b0f301e2ea.tmp

Filesize
6KB

MD5
41b208fc7ee96863497f52b81338ef73

SHA1
8371bf8ba27d3105df9e4bb8aa17df1dec5dae36

SHA256
fdfb6f8178baf4d94aafdf6134d1b797e17328bcd375b4a45d064cb2f815e29f

SHA512
13ab63be22c6b4b81f6d05916a8e1938c45d5dd8479d37e6617b4e1caf3059b8156b146ba8895d6eedeefa4512e0a6b9e3b1f80831b532f9de1fb1528f530958

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
90f545154c606770197e0237b88f336a

SHA1
18b54d90fd1e6a74f23793e342d815fca2d715a5

SHA256
eeb7bea895bbc9d1738db86b1e80cabec38ee06c83c467c2aa22cc5bcf2e5a89

SHA512
d5a029c3892c0807c73a5f38b94130b6cf2a8234d8fea56c334a162c6c24053304766144eaebe5e50655081993d96eccc25b1933ea23a035fe044aa5a243a42a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
c9b53accf28feebcc9ebb5c7b2f21f2e

SHA1
b4b100af91b57b22961ff01ed1d66770f5a6821a

SHA256
5df5d43ef17742e17a362ca7bad3f898fb65ea671c1f6d239bc3a4a8971fe693

SHA512
29520cacdd9b96a5aea7b9a0389c91dfa956419f9abb1eded0c2344e8111b3de7d71370a18504b2f6ad019e703ce4184da1718e7ad2b6819de31309dd09b0e42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
b535586c4e1db6cae1d3f6bf8ea24003

SHA1
f6459e7606d645a121d1fe17cad56ff32a8fa13b

SHA256
4b79e596269cbf1044a8be2cca152f6047c91e3905049ad4035d65fcf1f6e03d

SHA512
4097d8d8f961079299b2a30f5be7e00ce490170020467e9d4875eeef3cc197a9c341b668d2ab672725fb0ecdaf50b8459f3828920271ba4721a0cb152f46db7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
a9cd722cbe36d6e61e6645d82fec074e

SHA1
5b7c40925c34027ada8452fd1d65875c43c2b907

SHA256
20cbdd3b5546ec482c3a756794d1b8582e417a28ee41d5b6865da5727b1db7bc

SHA512
841690292b7df66b9b8fb95dd6193691382ade476627c7cb0b8723a417d6e6b075b159472bee433cf1d3c2723f0cd87d100a991a9668d46f3bc217a93f2ae689

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
706B

MD5
3c31232b856bce9b41adb6b795c44150

SHA1
705e9cb9e1ea8996d77987f1ce8f1a173abcb1f1

SHA256
9169e7199303735f504a832a3d0ab457626445625953dcabfadad344b2ceb3e5

SHA512
ca9ef6ba9fc7a00042cc34f3576c585bd0abb7fb244fbbee1185d11d947a0dace24d8ef7274a37c7ef7fa239bef420e449ddd7689bc2182d1d22948b37407932

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
706B

MD5
f289c143a071bafc0e819007f6c33264

SHA1
73187a64f4046573ee74094ce43e617a1204317e

SHA256
0f8eea2cce4f1b173880208920044d9c9b0c0731777d35c8910ef3b5b8c03c8f

SHA512
f507d3ecc9b581e569b365b41e8805307b022df359b125b87ec1dad3766c5b9fc51cb4f3e5d1f4a8f6b7720f60ccc2a6c581519a47a74e567e9a621ef98ad0c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
706B

MD5
2018cfd98ad18be4f7146266a5816b61

SHA1
1771970b68fd7169cc103fcfcae720d118c2ff51

SHA256
6955eb57eb3f9e05b0fd4be9be56cd88a5237214f0cb410433073f489106cbf4

SHA512
85dae95ced10c4ccd9bfad470e57e5f6fef50cfb5ce1808e4a853f09813be0dc3f31dd931508df7992c0ce2a4871c6835cdbcc7d474acec5ac5e9d4aa85c2f03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
17854c643c195d47453182fe91904a26

SHA1
280d8dd151fac12305cda8f884cb5d844dd20e3b

SHA256
a7f60bf7601189bb82984c767a396fbeb1cfa38e7686feea7295f27406f38314

SHA512
6cf0425a8ab52fb4f49c1308615fb784cf239d3a53dc8fad94c22f1bd92bb70c0823f7789379b5a592242fa59f48c5df25ae97232bd138698bf5b1bc1ba6214a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
fc287baefa99acce803412f4f22129ce

SHA1
fb432d3d50b8554044deb967d20a55267a6d6b72

SHA256
399907365c69a8c106863585f84b0be32773aa85feaa3e03eac11babb8f183b4

SHA512
833a26dd023b918b5dd5a974d48cf666c42437922a20f63420f0216d190668a4e55d6dc07bfb846fb9123582af5f51f51f9c03253672fc63f2e18fd2fcc962f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c0e2c56e2231c10a14432c2666b50d8e

SHA1
146256044b2b38a056ae81cc72b643ad64ab8514

SHA256
9c705eb65d4da028f78d632e9b932500e6fedbe59316aca3dec3708577824713

SHA512
4ba1d07457123f4798f846496dca0ed3845b2b91cdd918d0fa8c1770f242816350501ec06c3d2d9d43829af0897d9fa01c052d7794d175fe450ebabb0d19608d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
864c122da76b12d8a0c1ddc33878085b

SHA1
0daca53396e2fbae06204f7b2140bb4e31e66320

SHA256
00581f8159173b8d66bc6c6d4fbbe692440c1c727a5dd3714940cd563d41c25e

SHA512
078f783017236b3e289f3e75e9cdfaa58557cbe97e77953d0401cf0edb7e15f23e289b77c0e561615b9cf631eae84ceb9b6c906db1b9c76629c97afe9bc9469d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
b3cec5c3031882dc21175ce4a2713864

SHA1
ffdfad3032df2186f08a8066f69ae5ab3acefe17

SHA256
362dc55bbc5ea6176dc36e69411e115c7722baead6b833e9b99f829672b52f68

SHA512
80b11aed9381ad6a3c7c04bdc4b3e845f018442755542cb6091a492d907957e69bfd60a476a07e8eb80c5eed549493292795d42fd36da80e60b260820ab2b06a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
202KB

MD5
3a0adc5fd936a65b9cf772e3be9010a3

SHA1
18026f6da8d3f4cf4f9f2abf6a132d4ac0a234b4

SHA256
248bef34dd4c5ab40da96cf4c8e6278d2ede1b6283e9604ae4fbf40048b77d76

SHA512
ffbdafdc7ccda9e18f7243bc73769e3aa5b4064dfa461e54444543b19876af853e8bdd3dfeda77b0b3109ca32e54bcdc2411fa5dfc667ce5bfd0b81f6caa0877

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
101KB

MD5
f6085f3bdb67f3085603e797e2111815

SHA1
4c0655215a5104601be12a4e27e3796c35f05d2e

SHA256
19ad5ed239ec00ec401a4b3eed6d0bf217b2ee651dc52b886a584a7aaf6bef1e

SHA512
1eac8d995e3cd68179502476d834c4bae46fa5ccb422d3aebfdfee01806c3355307c50976f12950cd53753de65043a998f3c795137e587107d32c5a0ae11fe9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
102KB

MD5
9c3ef8efba71572c71be49d930070f15

SHA1
d1fd98f85efdb1e361c038086409af3fa57d82ef

SHA256
47f765ad11427babdb6717c5f456b067fd43172595e2cd183f4455d901e8ed1e

SHA512
db4f6102db2216359a94352be408125043d55ef21d28f2e4bb60ad09d23cea7e9aadac5b15971ef43cb6c192d474bb891211f515ef1ec219eb6568955faf62d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5829ca.TMP

Filesize
97KB

MD5
54b2c9ce30837654fb7726d0e3922812

SHA1
b907fb7d5d8d3e46046d5641a571b40d6b95364e

SHA256
332f8a7be3027a6cf638564a2ada1b4379f84510df489a9f68b5bbcc5a862331

SHA512
f29f119af0972c0ed3ca54927a87ae89fabfa4b9d027259e33cae084369e2e0c31166b0a38d1b997b6bfae0107a544648d4e425f34ffb5df6ee4cb91d421aa27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
256KB

MD5
9c481a94abc7eee23cd5234262e60077

SHA1
2873225e708fb5461ac60c3613fe12112423f0f0

SHA256
681c9665d741ca6ed709cdd79d070ff7f4fdf158e02342f7d47e90a6d962b061

SHA512
0579499b5f01649f7e5e3afad07b4c7924d30fbc56dd12b37d9ad46bdefe35fcb6371694c1eff6c42d56c21b1de4c4f40531b27cd32eca1bdf51c6cac41fe668

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
72a0318422c4377a3c4c0bdf2b748801

SHA1
f40308764aa98a8a9fe2ebbda0a998bf9bc0acc9

SHA256
bc400d50d67728b9d7b0f1b8a3d3dc7648205db0626401b6aa6979f70c4d707a

SHA512
4cc026970dd6257ecb0a6e51d022e8dfcc2b593d7c16cbe73029cc18cbab6be5add5cb07eb99352e54e6524831d58a49cc9cc4ad08a0778992608bc1509c358e

Download Submit