hxxp://signal[.]pod4[.]avatar[.]ext[.]hp[.]com/avatar/v1/collections/signal/8262

Analysis

max time kernel
299s
max time network
297s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
12/01/2024, 15:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://signal.pod4.avatar.ext.hp.com/avatar/v1/collections/signal/8262

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133495456690954223"	chrome.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings	mspaint.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3320	chrome.exe
3320	chrome.exe
1972	mspaint.exe
1972	mspaint.exe
2996	mspaint.exe
2996	mspaint.exe
3992	chrome.exe
3992	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe
Token: SeShutdownPrivilege	3320	chrome.exe
Token: SeCreatePagefilePrivilege	3320	chrome.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe
3320	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1972	mspaint.exe
1880	OpenWith.exe
2996	mspaint.exe
3600	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3320 wrote to memory of 2076	3320	chrome.exe	67
PID 3320 wrote to memory of 2076	3320	chrome.exe	67
PID 3320 wrote to memory of 3176	3320	chrome.exe	95
PID 3320 wrote to memory of 3176	3320	chrome.exe	95
PID 3320 wrote to memory of 3176	3320	chrome.exe	95
PID 3320 wrote to memory of 3176	3320	chrome.exe	95
PID 3320 wrote to memory of 3176	3320	chrome.exe	95
PID 3320 wrote to memory of 3176	3320	chrome.exe	95
PID 3320 wrote to memory of 3176	3320	chrome.exe	95
PID 3320 wrote to memory of 3176	3320	chrome.exe	95
PID 3320 wrote to memory of 3176	3320	chrome.exe	95
PID 3320 wrote to memory of 3176	3320	chrome.exe	95
PID 3320 wrote to memory of 3176	3320	chrome.exe	95
PID 3320 wrote to memory of 3176	3320	chrome.exe	95
PID 3320 wrote to memory of 3176	3320	chrome.exe	95
PID 3320 wrote to memory of 3176	3320	chrome.exe	95
PID 3320 wrote to memory of 3176	3320	chrome.exe	95
PID 3320 wrote to memory of 3176	3320	chrome.exe	95
PID 3320 wrote to memory of 3176	3320	chrome.exe	95
PID 3320 wrote to memory of 3176	3320	chrome.exe	95
PID 3320 wrote to memory of 3176	3320	chrome.exe	95
PID 3320 wrote to memory of 3176	3320	chrome.exe	95
PID 3320 wrote to memory of 3176	3320	chrome.exe	95
PID 3320 wrote to memory of 3176	3320	chrome.exe	95
PID 3320 wrote to memory of 3176	3320	chrome.exe	95
PID 3320 wrote to memory of 3176	3320	chrome.exe	95
PID 3320 wrote to memory of 3176	3320	chrome.exe	95
PID 3320 wrote to memory of 3176	3320	chrome.exe	95
PID 3320 wrote to memory of 3176	3320	chrome.exe	95
PID 3320 wrote to memory of 3176	3320	chrome.exe	95
PID 3320 wrote to memory of 3176	3320	chrome.exe	95
PID 3320 wrote to memory of 3176	3320	chrome.exe	95
PID 3320 wrote to memory of 3176	3320	chrome.exe	95
PID 3320 wrote to memory of 3176	3320	chrome.exe	95
PID 3320 wrote to memory of 3176	3320	chrome.exe	95
PID 3320 wrote to memory of 3176	3320	chrome.exe	95
PID 3320 wrote to memory of 3176	3320	chrome.exe	95
PID 3320 wrote to memory of 3176	3320	chrome.exe	95
PID 3320 wrote to memory of 3176	3320	chrome.exe	95
PID 3320 wrote to memory of 3176	3320	chrome.exe	95
PID 3320 wrote to memory of 3588	3320	chrome.exe	94
PID 3320 wrote to memory of 3588	3320	chrome.exe	94
PID 3320 wrote to memory of 812	3320	chrome.exe	93
PID 3320 wrote to memory of 812	3320	chrome.exe	93
PID 3320 wrote to memory of 812	3320	chrome.exe	93
PID 3320 wrote to memory of 812	3320	chrome.exe	93
PID 3320 wrote to memory of 812	3320	chrome.exe	93
PID 3320 wrote to memory of 812	3320	chrome.exe	93
PID 3320 wrote to memory of 812	3320	chrome.exe	93
PID 3320 wrote to memory of 812	3320	chrome.exe	93
PID 3320 wrote to memory of 812	3320	chrome.exe	93
PID 3320 wrote to memory of 812	3320	chrome.exe	93
PID 3320 wrote to memory of 812	3320	chrome.exe	93
PID 3320 wrote to memory of 812	3320	chrome.exe	93
PID 3320 wrote to memory of 812	3320	chrome.exe	93
PID 3320 wrote to memory of 812	3320	chrome.exe	93
PID 3320 wrote to memory of 812	3320	chrome.exe	93
PID 3320 wrote to memory of 812	3320	chrome.exe	93
PID 3320 wrote to memory of 812	3320	chrome.exe	93
PID 3320 wrote to memory of 812	3320	chrome.exe	93
PID 3320 wrote to memory of 812	3320	chrome.exe	93
PID 3320 wrote to memory of 812	3320	chrome.exe	93
PID 3320 wrote to memory of 812	3320	chrome.exe	93
PID 3320 wrote to memory of 812	3320	chrome.exe	93

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://signal.pod4.avatar.ext.hp.com/avatar/v1/collections/signal/8262
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd2f959758,0x7ffd2f959768,0x7ffd2f959778
  2⤵
  PID:2076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2940 --field-trial-handle=1880,i,1250123297474510480,14588190690481613337,131072 /prefetch:1
  2⤵
  PID:2116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2932 --field-trial-handle=1880,i,1250123297474510480,14588190690481613337,131072 /prefetch:1
  2⤵
  PID:1844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2188 --field-trial-handle=1880,i,1250123297474510480,14588190690481613337,131072 /prefetch:8
  2⤵
  PID:812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1880,i,1250123297474510480,14588190690481613337,131072 /prefetch:8
  2⤵
  PID:3588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1672 --field-trial-handle=1880,i,1250123297474510480,14588190690481613337,131072 /prefetch:2
  2⤵
  PID:3176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 --field-trial-handle=1880,i,1250123297474510480,14588190690481613337,131072 /prefetch:8
  2⤵
  PID:2464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 --field-trial-handle=1880,i,1250123297474510480,14588190690481613337,131072 /prefetch:8
  2⤵
  PID:3220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 --field-trial-handle=1880,i,1250123297474510480,14588190690481613337,131072 /prefetch:8
  2⤵
  PID:2256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 --field-trial-handle=1880,i,1250123297474510480,14588190690481613337,131072 /prefetch:8
  2⤵
  PID:2468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2456 --field-trial-handle=1880,i,1250123297474510480,14588190690481613337,131072 /prefetch:8
  2⤵
  PID:632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4568 --field-trial-handle=1880,i,1250123297474510480,14588190690481613337,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4616 --field-trial-handle=1880,i,1250123297474510480,14588190690481613337,131072 /prefetch:1
  2⤵
  PID:1192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5188 --field-trial-handle=1880,i,1250123297474510480,14588190690481613337,131072 /prefetch:1
  2⤵
  PID:3880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1616 --field-trial-handle=1880,i,1250123297474510480,14588190690481613337,131072 /prefetch:8
  2⤵
  PID:4276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5688 --field-trial-handle=1880,i,1250123297474510480,14588190690481613337,131072 /prefetch:8
  2⤵
  PID:4812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5464 --field-trial-handle=1880,i,1250123297474510480,14588190690481613337,131072 /prefetch:1
  2⤵
  PID:4952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=3368 --field-trial-handle=1880,i,1250123297474510480,14588190690481613337,131072 /prefetch:1
  2⤵
  PID:4080

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4904

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:968

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\8262.png" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1972

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:2468

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1880

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\8262.png" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2996

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
90d62f40a4f5a5dadb1f6f0f47d3c41d

SHA1
b834944a1dfbf7d6b2478151c4c965e39a1fd97a

SHA256
fe17c3d281fb1c0b6ae81343b5c2cc870fb2e64b4d5e371f9c70d105f42632b3

SHA512
bf0e18806a368be106818258ff1497b1063db53a8c8fc5e3203a4d14d08007efc942b86e741440f36e607efe77b65e422af530bb9a5358d23965b1626f7b4666

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
c058236e4eb2d9bedc72ab4472094ff8

SHA1
0c0d4ab9749fa76d62ef3bd2bd1e3d984b951051

SHA256
dd01aae2c3aa3a410ca96505625f22bc6af0f3e3db4f6ecc3da5bc3fc38a8c40

SHA512
1792c4a77ae258c187629bae748f32d01d710a8538e3cf629aefc48fa99145c9b07b892caf4e6c6da82fe141dfd1345f408a9320ce0abd567e18ea002222d626

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
04f0775652353cc022d71777427abf6c

SHA1
b8935a64f67338593e295d8b2ce1bf781f80f831

SHA256
07048525faf9abbbd63e1d64f414e0388fe06cc94cc25f51b7ced1ac02b57bf3

SHA512
ca472e47ce8ca1a5766a477048d1e7c45f0e34ada1207c8dba68ec3b630972e6325a113b7aa1d50c052b4b871b5c287b6eb552c1029f5926f6bb8f67e4991046

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
2882c48ea02f7cafa39ea1945cb731aa

SHA1
319a5dfac88a867e5f9949dbc0432a1bf68aa0aa

SHA256
141d31336c88bfdbc40bc6d7e03e04b51645bfd2430b63233a8a55d39db677e8

SHA512
03be5c4d32db98217760727b4b5869a4ae485d55a53d3aa79350d64335c17eb753aecf11eae5d7a5299e37ba67fdc026c3be49ce975904606e2b634dba01fc3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
8df7b16fe7f3dc155f67c5954f754e9b

SHA1
b852b879a180da3b80666ac2fdd639fca146684d

SHA256
615b26ec6c34517535065989366107a150d369de2e0a5c5ceb220d416de6c8d5

SHA512
067f14690246a059e218578f0f3d81d1320a0c810111f4c57d39780716d342a58ede51f0cd7a39065f217235293b8ff454bec457e6f6db926237568da2b379f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
fc36e5f4b870e4805eec265d27530b10

SHA1
8f16778089cca429f7397e3beb6879e0d3a07b78

SHA256
4c2ae8c2b1c5577095575c47f7a04a1f0495ad6f73d4252edffdd89511271e4c

SHA512
e759ff7b9eea7353b981a548708c6862255bc0a9e0a2ff6687fde70dfb00357f27ecda79b7614e5fcfc425a6cd4c69d29dbf2645ccf0b59c075f3040b28154a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
586e93dcdf3bbd51529ef1c26be801d8

SHA1
043c85571376e6889314d020eb9d2f5488fb911c

SHA256
361c31b4a251643867b03ee261325b971a8b52869a050d26d3043016ca568c59

SHA512
1691262d8d6e0a90ff2006fc0c595f867a8372a6a5350acc569a1daeb45c64c9fc0ea27b62ea9b3df12ea2b75808759fb6819e7777e75e490fdc34b9f5267653

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c71bf67dca0aae83514cb9c5709f4d1c

SHA1
6d9faef70832c9cd43dda6640a1aa16c6ee355d2

SHA256
592c448197b6ae966a373d1629499c9137ca0f1fc8896780f09fb27aee297dea

SHA512
3cac2eb087f5859d4067208e9374f42661c97f099032892a3e4ef8eed77317f62d7bc0c7e3afd37aece1b0afc45cddde7c2b1b06fd37de414e1cbf8a07df83af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5999604dcadfc1c154dbf8b5a1a3d170

SHA1
07c874600c38467428b236f2dbd7f978fb5153f9

SHA256
65adc8887b5ed405abb5060ca1b9e539ecfba07e34905529cd7900f1ecb79551

SHA512
b951e7b5d4f590810e9f1d5762305ba632f2b87f2bbc19c477d636f13f8e1106435a1e4b31dbc841b2e48621bca42d34ff6649f12175db2a9b26767380f2ceb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
755bd28608709b3aebcb16e9a1d3b1d2

SHA1
3290dc6d9a7cb052b2c9cd7e46873165dfd41035

SHA256
cea35e05c6c2718a5fe5dc7af972be1a1ed892e54518aebd36796883758d85fd

SHA512
6eff9571cdfe96da23bad80fe80bfd5656857fc0fadc12be0b9e87c1e92b0d854506194c6da66c80621567212c283fcab6ece9e96efc6c610a1bf3e528f9a581

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
93784cb3a639bb3c996d2b6fa86c0701

SHA1
8c1ff5eb9703a58f5bbb09c04434335449331807

SHA256
6204f047286a1b9b62dbf0d258df02a5524c060cb2e218e6022e8f14d6b48c32

SHA512
1b7ab15cf89dd6300cefd2e5fb1707c27ec9bdb3c5893e9f70e104ec1e2ca3f1fcee2fb32b51b3817378656ac2c7cc884712247a20c6dfd69f172103509ea92a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
107KB

MD5
7d7c16503a75cb82e081b70d8b586ddd

SHA1
bf63dc5ba66e59c15fd2d01d3177859efbeefbd8

SHA256
fcb43915e509996553f12cd220fa0a113211e71b2f6b5dfe2cb24cb8eb2dbd1d

SHA512
83c7669c7b208149c9fbac32ab150a334759b449899f2856f57777e65bd22ae03e5ce8c4215102d8300f324e55c02f0ddf7ad469c9d2c9f73bfc2536dd6f6b6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe578ea3.TMP

Filesize
103KB

MD5
e2f5041fa47a35e32ff78962997c376e

SHA1
e7e348f07f3a22084f4bcdac36fb4b7d45cfae8e

SHA256
47a0d94e1d87f9e3933824ebcf0576636a9b77dee5ff82e88292642ee1528e45

SHA512
c38e5452e05d48afb607a1ce97d35de22596808e9986773609189b22f59cd5c2d20a2d80c5215d9bbaaead290c5dc9c41dc7350402e96ccb395e1f86c44ea890

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\8262.png

Filesize
99B

MD5
672269cfdbeee8cfdb85e03ed00bf2fa

SHA1
280baa7f1534e63f26167a690f39a06d153197b8

SHA256
a88525d1d9c77f51119046dd3e71ff88686decdc3a300833237d4bafd8a89c46

SHA512
14100a68e6960877223589fab412fa3beea93a082f63b101c28a3b6db2f43cd17030acf428329b4fc0325e7376ac465529846d5d6544ca60059c6750cf1542be

Download Submit
memory/2468-55-0x00000166DFD30000-0x00000166DFD40000-memory.dmp

Filesize
64KB

Download
memory/2468-74-0x00000166E8AE0000-0x00000166E8AE1000-memory.dmp

Filesize
4KB

Download
memory/2468-73-0x00000166E8AE0000-0x00000166E8AE1000-memory.dmp

Filesize
4KB

Download
memory/2468-72-0x00000166E8AD0000-0x00000166E8AD1000-memory.dmp

Filesize
4KB

Download
memory/2468-71-0x00000166E8AD0000-0x00000166E8AD1000-memory.dmp

Filesize
4KB

Download
memory/2468-70-0x00000166E8A40000-0x00000166E8A41000-memory.dmp

Filesize
4KB

Download
memory/2468-68-0x00000166E8A40000-0x00000166E8A41000-memory.dmp

Filesize
4KB

Download
memory/2468-66-0x00000166E89C0000-0x00000166E89C1000-memory.dmp

Filesize
4KB

Download
memory/2468-59-0x00000166DFD70000-0x00000166DFD80000-memory.dmp

Filesize
64KB

Download