hxxp://151[.]139[.]71[.]44/c/msdownload/update/software/defu/2023/10/am_delta_patch_1[.]399[.]431[.]0_d777e6943af6159ea4d208417e0c4a83277d3705[.]exe?cacheHostOrigin=11[.]au[.]download[.]windowsupdate[.]com

Resubmissions

12/10/2023, 07:22

231012-h7gdvsdf5t 8

12/10/2023, 07:16

231012-h3rn2add4v 8

Analysis

max time kernel
151s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20230915-de
resource tags

arch:x64arch:x86image:win10v2004-20230915-delocale:de-deos:windows10-2004-x64systemwindows
submitted
12/10/2023, 07:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://151.139.71.44/c/msdownload/update/software/defu/2023/10/am_delta_patch_1.399.431.0_d777e6943af6159ea4d208417e0c4a83277d3705.exe?cacheHostOrigin=11.au.download.windowsupdate.com

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133415685947065766"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
4008	chrome.exe
4008	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1964	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeCreatePagefilePrivilege	1964	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1964	chrome.exe
1964	chrome.exe
1964	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 3696	1964	chrome.exe	32
PID 1964 wrote to memory of 3696	1964	chrome.exe	32
PID 1964 wrote to memory of 2852	1964	chrome.exe	86
PID 1964 wrote to memory of 2852	1964	chrome.exe	86
PID 1964 wrote to memory of 2852	1964	chrome.exe	86
PID 1964 wrote to memory of 2852	1964	chrome.exe	86
PID 1964 wrote to memory of 2852	1964	chrome.exe	86
PID 1964 wrote to memory of 2852	1964	chrome.exe	86
PID 1964 wrote to memory of 2852	1964	chrome.exe	86
PID 1964 wrote to memory of 2852	1964	chrome.exe	86
PID 1964 wrote to memory of 2852	1964	chrome.exe	86
PID 1964 wrote to memory of 2852	1964	chrome.exe	86
PID 1964 wrote to memory of 2852	1964	chrome.exe	86
PID 1964 wrote to memory of 2852	1964	chrome.exe	86
PID 1964 wrote to memory of 2852	1964	chrome.exe	86
PID 1964 wrote to memory of 2852	1964	chrome.exe	86
PID 1964 wrote to memory of 2852	1964	chrome.exe	86
PID 1964 wrote to memory of 2852	1964	chrome.exe	86
PID 1964 wrote to memory of 2852	1964	chrome.exe	86
PID 1964 wrote to memory of 2852	1964	chrome.exe	86
PID 1964 wrote to memory of 2852	1964	chrome.exe	86
PID 1964 wrote to memory of 2852	1964	chrome.exe	86
PID 1964 wrote to memory of 2852	1964	chrome.exe	86
PID 1964 wrote to memory of 2852	1964	chrome.exe	86
PID 1964 wrote to memory of 2852	1964	chrome.exe	86
PID 1964 wrote to memory of 2852	1964	chrome.exe	86
PID 1964 wrote to memory of 2852	1964	chrome.exe	86
PID 1964 wrote to memory of 2852	1964	chrome.exe	86
PID 1964 wrote to memory of 2852	1964	chrome.exe	86
PID 1964 wrote to memory of 2852	1964	chrome.exe	86
PID 1964 wrote to memory of 2852	1964	chrome.exe	86
PID 1964 wrote to memory of 2852	1964	chrome.exe	86
PID 1964 wrote to memory of 2852	1964	chrome.exe	86
PID 1964 wrote to memory of 2852	1964	chrome.exe	86
PID 1964 wrote to memory of 2852	1964	chrome.exe	86
PID 1964 wrote to memory of 2852	1964	chrome.exe	86
PID 1964 wrote to memory of 2852	1964	chrome.exe	86
PID 1964 wrote to memory of 2852	1964	chrome.exe	86
PID 1964 wrote to memory of 2852	1964	chrome.exe	86
PID 1964 wrote to memory of 2852	1964	chrome.exe	86
PID 1964 wrote to memory of 2740	1964	chrome.exe	87
PID 1964 wrote to memory of 2740	1964	chrome.exe	87
PID 1964 wrote to memory of 1732	1964	chrome.exe	88
PID 1964 wrote to memory of 1732	1964	chrome.exe	88
PID 1964 wrote to memory of 1732	1964	chrome.exe	88
PID 1964 wrote to memory of 1732	1964	chrome.exe	88
PID 1964 wrote to memory of 1732	1964	chrome.exe	88
PID 1964 wrote to memory of 1732	1964	chrome.exe	88
PID 1964 wrote to memory of 1732	1964	chrome.exe	88
PID 1964 wrote to memory of 1732	1964	chrome.exe	88
PID 1964 wrote to memory of 1732	1964	chrome.exe	88
PID 1964 wrote to memory of 1732	1964	chrome.exe	88
PID 1964 wrote to memory of 1732	1964	chrome.exe	88
PID 1964 wrote to memory of 1732	1964	chrome.exe	88
PID 1964 wrote to memory of 1732	1964	chrome.exe	88
PID 1964 wrote to memory of 1732	1964	chrome.exe	88
PID 1964 wrote to memory of 1732	1964	chrome.exe	88
PID 1964 wrote to memory of 1732	1964	chrome.exe	88
PID 1964 wrote to memory of 1732	1964	chrome.exe	88
PID 1964 wrote to memory of 1732	1964	chrome.exe	88
PID 1964 wrote to memory of 1732	1964	chrome.exe	88
PID 1964 wrote to memory of 1732	1964	chrome.exe	88
PID 1964 wrote to memory of 1732	1964	chrome.exe	88
PID 1964 wrote to memory of 1732	1964	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://151.139.71.44/c/msdownload/update/software/defu/2023/10/am_delta_patch_1.399.431.0_d777e6943af6159ea4d208417e0c4a83277d3705.exe?cacheHostOrigin=11.au.download.windowsupdate.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff85d399758,0x7ff85d399768,0x7ff85d399778
  2⤵
  PID:3696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1904,i,11811762343503428485,9179630458494223634,131072 /prefetch:2
  2⤵
  PID:2852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1904,i,11811762343503428485,9179630458494223634,131072 /prefetch:8
  2⤵
  PID:2740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1904,i,11811762343503428485,9179630458494223634,131072 /prefetch:8
  2⤵
  PID:1732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2924 --field-trial-handle=1904,i,11811762343503428485,9179630458494223634,131072 /prefetch:1
  2⤵
  PID:2044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2956 --field-trial-handle=1904,i,11811762343503428485,9179630458494223634,131072 /prefetch:1
  2⤵
  PID:1292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4068 --field-trial-handle=1904,i,11811762343503428485,9179630458494223634,131072 /prefetch:1
  2⤵
  PID:2116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2936 --field-trial-handle=1904,i,11811762343503428485,9179630458494223634,131072 /prefetch:1
  2⤵
  PID:756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3276 --field-trial-handle=1904,i,11811762343503428485,9179630458494223634,131072 /prefetch:8
  2⤵
  PID:3212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5020 --field-trial-handle=1904,i,11811762343503428485,9179630458494223634,131072 /prefetch:8
  2⤵
  PID:1388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4908 --field-trial-handle=1904,i,11811762343503428485,9179630458494223634,131072 /prefetch:8
  2⤵
  PID:4180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4728 --field-trial-handle=1904,i,11811762343503428485,9179630458494223634,131072 /prefetch:8
  2⤵
  PID:3640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4176 --field-trial-handle=1904,i,11811762343503428485,9179630458494223634,131072 /prefetch:8
  2⤵
  PID:3648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4116 --field-trial-handle=1904,i,11811762343503428485,9179630458494223634,131072 /prefetch:8
  2⤵
  PID:2584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4140 --field-trial-handle=1904,i,11811762343503428485,9179630458494223634,131072 /prefetch:8
  2⤵
  PID:4568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4792 --field-trial-handle=1904,i,11811762343503428485,9179630458494223634,131072 /prefetch:1
  2⤵
  PID:5104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4280 --field-trial-handle=1904,i,11811762343503428485,9179630458494223634,131072 /prefetch:1
  2⤵
  PID:2560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5388 --field-trial-handle=1904,i,11811762343503428485,9179630458494223634,131072 /prefetch:8
  2⤵
  PID:3012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4840 --field-trial-handle=1904,i,11811762343503428485,9179630458494223634,131072 /prefetch:8
  2⤵
  PID:1472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=4360 --field-trial-handle=1904,i,11811762343503428485,9179630458494223634,131072 /prefetch:1
  2⤵
  PID:1372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3256 --field-trial-handle=1904,i,11811762343503428485,9179630458494223634,131072 /prefetch:8
  2⤵
  PID:2568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4304 --field-trial-handle=1904,i,11811762343503428485,9179630458494223634,131072 /prefetch:8
  2⤵
  PID:412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 --field-trial-handle=1904,i,11811762343503428485,9179630458494223634,131072 /prefetch:8
  2⤵
  PID:2980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5176 --field-trial-handle=1904,i,11811762343503428485,9179630458494223634,131072 /prefetch:8
  2⤵
  PID:2208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5332 --field-trial-handle=1904,i,11811762343503428485,9179630458494223634,131072 /prefetch:8
  2⤵
  PID:2188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 --field-trial-handle=1904,i,11811762343503428485,9179630458494223634,131072 /prefetch:8
  2⤵
  PID:2136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 --field-trial-handle=1904,i,11811762343503428485,9179630458494223634,131072 /prefetch:8
  2⤵
  PID:3864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=4120 --field-trial-handle=1904,i,11811762343503428485,9179630458494223634,131072 /prefetch:1
  2⤵
  PID:4652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5456 --field-trial-handle=1904,i,11811762343503428485,9179630458494223634,131072 /prefetch:8
  2⤵
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5608 --field-trial-handle=1904,i,11811762343503428485,9179630458494223634,131072 /prefetch:8
  2⤵
  PID:2644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4832 --field-trial-handle=1904,i,11811762343503428485,9179630458494223634,131072 /prefetch:8
  2⤵
  PID:4024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4316 --field-trial-handle=1904,i,11811762343503428485,9179630458494223634,131072 /prefetch:8
  2⤵
  PID:908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5212 --field-trial-handle=1904,i,11811762343503428485,9179630458494223634,131072 /prefetch:8
  2⤵
  PID:2612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 --field-trial-handle=1904,i,11811762343503428485,9179630458494223634,131072 /prefetch:8
  2⤵
  PID:2360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4752 --field-trial-handle=1904,i,11811762343503428485,9179630458494223634,131072 /prefetch:8
  2⤵
  PID:552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5228 --field-trial-handle=1904,i,11811762343503428485,9179630458494223634,131072 /prefetch:8
  2⤵
  PID:2796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4292 --field-trial-handle=1904,i,11811762343503428485,9179630458494223634,131072 /prefetch:8
  2⤵
  PID:3904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=5540 --field-trial-handle=1904,i,11811762343503428485,9179630458494223634,131072 /prefetch:1
  2⤵
  PID:4044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --mojo-platform-channel-handle=4144 --field-trial-handle=1904,i,11811762343503428485,9179630458494223634,131072 /prefetch:1
  2⤵
  PID:4336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3400 --field-trial-handle=1904,i,11811762343503428485,9179630458494223634,131072 /prefetch:8
  2⤵
  PID:4436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3296 --field-trial-handle=1904,i,11811762343503428485,9179630458494223634,131072 /prefetch:8
  2⤵
  PID:1392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=1848 --field-trial-handle=1904,i,11811762343503428485,9179630458494223634,131072 /prefetch:1
  2⤵
  PID:4668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4768 --field-trial-handle=1904,i,11811762343503428485,9179630458494223634,131072 /prefetch:8
  2⤵
  PID:1904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3692 --field-trial-handle=1904,i,11811762343503428485,9179630458494223634,131072 /prefetch:8
  2⤵
  PID:2192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5408 --field-trial-handle=1904,i,11811762343503428485,9179630458494223634,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --mojo-platform-channel-handle=2960 --field-trial-handle=1904,i,11811762343503428485,9179630458494223634,131072 /prefetch:1
  2⤵
  PID:4896

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4664

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\1bc9b39d-7a86-46d5-a53c-e208b9e990b1.tmp

Filesize
113KB

MD5
eec64eb4b57286e48f9dc8927250fc71

SHA1
5971237ffaf889e1a91ecc012dd5072a124d539f

SHA256
52b85153249bf48594c959bcb411fa5107030a864b3574491f483624c7e4e333

SHA512
d712fb810732f98d4b5c6264c9a01eda66b25641b673d606ff5d854b04c225ca7233ea75f39a73f538ab8eeb614aee7db5dd931057a1f72d58d7b31d1af2edd3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0d4108fed4075170f07410f08d69e430

SHA1
5f3190646be92cc7877bd5715ee32209f357897c

SHA256
2918896a2548a072523c176fba8bc4b6312361f054228fb0912f18d10847cb83

SHA512
cd7fffc53097929320283af66183a34eceb1cc58a1bc56bc08712b96465d7e9dacfcc3187974d18f2caba090eab36d410696e2344ff819620dc1207cb26fc7e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
3576832e7c4a6e37a974dc938550cee9

SHA1
112737589760d572a9960981b2d03e445faf952a

SHA256
580cc799f7bf3b1f8adb3c3d6c85b4f8a7ed7047f054e2bd0b932c8ab8ab1270

SHA512
600c3909f254ed96d58902a9b712d59e4ad6a6445dd015ef9153ac412aa967662aa493b148cb8d8ae72e6fa8aa24ff412ecd32773112e327c4b4fddcc1c8ef3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
8b55bf7854870325899b1878ffef50a1

SHA1
abd9b52761a2f056da7b595918d5bb061fa13bd7

SHA256
0718913cb2b1aca7baf7eadd31b6852fdf78fea106dcc105cdc07b31216c3019

SHA512
3155de59a0ad7c64f4292bb69f4cfd47cf3ea1d222139f88b166b06306ae497169fdfce390bf65bd1a19eb3240c32c3d02373713167d4ed300a11e7a62e05abf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
103KB

MD5
6c08e0544791dc9309fe5db7cb1e745f

SHA1
5381117291f5ed07e1e5e9bca7f6da6c96c44bf0

SHA256
ad3a77f80dad3d9fce31ec6065ebb6a40c102745e53df0ce72db798114d15a0f

SHA512
5d60c39f102addc910e0cc3337b79bbac57da10310d08a2b879de2adc07460ac5924c444b73074df5b8a5b356c4d28dd986e671e70dd6ade43d41ff8e0fe48ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
104KB

MD5
5773dc64aec0815dc85d5ffe45c9746a

SHA1
bb5ad43fd510c345b1eb87694e13824586974138

SHA256
8805fb49a506f7bba80aebeb01f9f4280c1a5565dd08b238cf91b19878cca095

SHA512
903e4ccc9651e35ec88d16d76ce7042f067809b1d7d9f799192f4b0491b2b1775aec21b6dc4c5a43c7fb6ae27deffc98eb7e48ad12d501f1aa6179c0d508b670

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
115KB

MD5
ca44cc9abd03846577f5251c6b900807

SHA1
b1e09050ac2b991d0493208ac549758c30c3ac1c

SHA256
658afc41d1219662b3e48e6ca317bbd4fa7cc0645ad0c132379fc15ad9f9b79d

SHA512
5e5e67f47cbbeb2ca6215ece4f3927e404e5a5fa18e27fe6414ac3e1b474801b26956f58d11193f08dc5cdcbbff6478f5ceea6744673e86869cdbc6c3729d595

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5896fb.TMP

Filesize
112KB

MD5
e4288dcdb53dc5c106b4c0b4453c7979

SHA1
b0d9f23c6127dea3cbb96ffec8b8e96f6e3bde73

SHA256
07256f1cc8da5406174bc3e2ced7d68342b63531278cb7b1106e2012b85b27d0

SHA512
3c0d1231487de826c59b611347a32bb197fd94d8376ea36a5191fe2606fbdba6052b3c5b36bbfbeec3320986bf16b7ebef34a8933ca769bacc13c932ec0ba208

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\am_delta_patch_1.399.431.0_d777e6943af6159ea4d208417e0c4a83277d3705.exe

Filesize
372KB

MD5
90896c4d5e96afd2f2c858ef49b4fd49

SHA1
d777e6943af6159ea4d208417e0c4a83277d3705

SHA256
389c3581c46ed6ec72518e70f02a03ac31b096c88d1bc0a739b83b80b0d33a06

SHA512
053379d6bb9c3a035f56e1c80a1bd85634f8abbb9083351d1ccf5917dd4abb82cf808b1195af9527b0b78ee7068b78349245dfccf9a0f7a6493c21ac6c57643c

Download Submit