hxxps://cdn[.]discordapp[.]com/attachments/1222741952017989693/1223010409880227912/SavingFilesReaction[.]exe?ex=66184c34&is=6605d734&hm=9dea2706468a526ca8d69d45d12e6f8b7cbad3f24182d0f2d324e53714d6c2e6&

Analysis

max time kernel
2699s
max time network
2696s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2024, 23:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1222741952017989693/1223010409880227912/SavingFilesReaction.exe?ex=66184c34&is=6605d734&hm=9dea2706468a526ca8d69d45d12e6f8b7cbad3f24182d0f2d324e53714d6c2e6&

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
2200	SavingFilesReaction.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
45	discord.com
46	discord.com
47	discord.com
153	discord.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133561407166189633"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3270530367-132075249-2153716227-1000\{58D29175-F577-42EA-80AE-C763BAAAA344}	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2700	chrome.exe
2700	chrome.exe
5056	chrome.exe
5056	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeCreatePagefilePrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeCreatePagefilePrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeCreatePagefilePrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeCreatePagefilePrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeCreatePagefilePrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeCreatePagefilePrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeCreatePagefilePrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeCreatePagefilePrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeCreatePagefilePrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeCreatePagefilePrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeCreatePagefilePrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeCreatePagefilePrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeCreatePagefilePrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeCreatePagefilePrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeCreatePagefilePrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeCreatePagefilePrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeCreatePagefilePrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeCreatePagefilePrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeCreatePagefilePrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeCreatePagefilePrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeCreatePagefilePrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeCreatePagefilePrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeCreatePagefilePrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeCreatePagefilePrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeCreatePagefilePrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeCreatePagefilePrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeCreatePagefilePrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeCreatePagefilePrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeCreatePagefilePrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeCreatePagefilePrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeCreatePagefilePrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeCreatePagefilePrivilege	2700	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2672	2700	chrome.exe	85
PID 2700 wrote to memory of 2672	2700	chrome.exe	85
PID 2700 wrote to memory of 3376	2700	chrome.exe	90
PID 2700 wrote to memory of 3376	2700	chrome.exe	90
PID 2700 wrote to memory of 3376	2700	chrome.exe	90
PID 2700 wrote to memory of 3376	2700	chrome.exe	90
PID 2700 wrote to memory of 3376	2700	chrome.exe	90
PID 2700 wrote to memory of 3376	2700	chrome.exe	90
PID 2700 wrote to memory of 3376	2700	chrome.exe	90
PID 2700 wrote to memory of 3376	2700	chrome.exe	90
PID 2700 wrote to memory of 3376	2700	chrome.exe	90
PID 2700 wrote to memory of 3376	2700	chrome.exe	90
PID 2700 wrote to memory of 3376	2700	chrome.exe	90
PID 2700 wrote to memory of 3376	2700	chrome.exe	90
PID 2700 wrote to memory of 3376	2700	chrome.exe	90
PID 2700 wrote to memory of 3376	2700	chrome.exe	90
PID 2700 wrote to memory of 3376	2700	chrome.exe	90
PID 2700 wrote to memory of 3376	2700	chrome.exe	90
PID 2700 wrote to memory of 3376	2700	chrome.exe	90
PID 2700 wrote to memory of 3376	2700	chrome.exe	90
PID 2700 wrote to memory of 3376	2700	chrome.exe	90
PID 2700 wrote to memory of 3376	2700	chrome.exe	90
PID 2700 wrote to memory of 3376	2700	chrome.exe	90
PID 2700 wrote to memory of 3376	2700	chrome.exe	90
PID 2700 wrote to memory of 3376	2700	chrome.exe	90
PID 2700 wrote to memory of 3376	2700	chrome.exe	90
PID 2700 wrote to memory of 3376	2700	chrome.exe	90
PID 2700 wrote to memory of 3376	2700	chrome.exe	90
PID 2700 wrote to memory of 3376	2700	chrome.exe	90
PID 2700 wrote to memory of 3376	2700	chrome.exe	90
PID 2700 wrote to memory of 3376	2700	chrome.exe	90
PID 2700 wrote to memory of 3376	2700	chrome.exe	90
PID 2700 wrote to memory of 3376	2700	chrome.exe	90
PID 2700 wrote to memory of 3376	2700	chrome.exe	90
PID 2700 wrote to memory of 3376	2700	chrome.exe	90
PID 2700 wrote to memory of 3376	2700	chrome.exe	90
PID 2700 wrote to memory of 3376	2700	chrome.exe	90
PID 2700 wrote to memory of 3376	2700	chrome.exe	90
PID 2700 wrote to memory of 3376	2700	chrome.exe	90
PID 2700 wrote to memory of 3376	2700	chrome.exe	90
PID 2700 wrote to memory of 1532	2700	chrome.exe	91
PID 2700 wrote to memory of 1532	2700	chrome.exe	91
PID 2700 wrote to memory of 4752	2700	chrome.exe	92
PID 2700 wrote to memory of 4752	2700	chrome.exe	92
PID 2700 wrote to memory of 4752	2700	chrome.exe	92
PID 2700 wrote to memory of 4752	2700	chrome.exe	92
PID 2700 wrote to memory of 4752	2700	chrome.exe	92
PID 2700 wrote to memory of 4752	2700	chrome.exe	92
PID 2700 wrote to memory of 4752	2700	chrome.exe	92
PID 2700 wrote to memory of 4752	2700	chrome.exe	92
PID 2700 wrote to memory of 4752	2700	chrome.exe	92
PID 2700 wrote to memory of 4752	2700	chrome.exe	92
PID 2700 wrote to memory of 4752	2700	chrome.exe	92
PID 2700 wrote to memory of 4752	2700	chrome.exe	92
PID 2700 wrote to memory of 4752	2700	chrome.exe	92
PID 2700 wrote to memory of 4752	2700	chrome.exe	92
PID 2700 wrote to memory of 4752	2700	chrome.exe	92
PID 2700 wrote to memory of 4752	2700	chrome.exe	92
PID 2700 wrote to memory of 4752	2700	chrome.exe	92
PID 2700 wrote to memory of 4752	2700	chrome.exe	92
PID 2700 wrote to memory of 4752	2700	chrome.exe	92
PID 2700 wrote to memory of 4752	2700	chrome.exe	92
PID 2700 wrote to memory of 4752	2700	chrome.exe	92
PID 2700 wrote to memory of 4752	2700	chrome.exe	92

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.discordapp.com/attachments/1222741952017989693/1223010409880227912/SavingFilesReaction.exe?ex=66184c34&is=6605d734&hm=9dea2706468a526ca8d69d45d12e6f8b7cbad3f24182d0f2d324e53714d6c2e6&
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe0b059758,0x7ffe0b059768,0x7ffe0b059778
  2⤵
  PID:2672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1720 --field-trial-handle=1912,i,5370349428977454192,16541204420212011585,131072 /prefetch:2
  2⤵
  PID:3376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1932 --field-trial-handle=1912,i,5370349428977454192,16541204420212011585,131072 /prefetch:8
  2⤵
  PID:1532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2208 --field-trial-handle=1912,i,5370349428977454192,16541204420212011585,131072 /prefetch:8
  2⤵
  PID:4752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2956 --field-trial-handle=1912,i,5370349428977454192,16541204420212011585,131072 /prefetch:1
  2⤵
  PID:3368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2964 --field-trial-handle=1912,i,5370349428977454192,16541204420212011585,131072 /prefetch:1
  2⤵
  PID:212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5320 --field-trial-handle=1912,i,5370349428977454192,16541204420212011585,131072 /prefetch:8
  2⤵
  PID:1276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5340 --field-trial-handle=1912,i,5370349428977454192,16541204420212011585,131072 /prefetch:8
  2⤵
  PID:2872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5344 --field-trial-handle=1912,i,5370349428977454192,16541204420212011585,131072 /prefetch:8
  2⤵
  PID:3868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5796 --field-trial-handle=1912,i,5370349428977454192,16541204420212011585,131072 /prefetch:8
  2⤵
  PID:3996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5480 --field-trial-handle=1912,i,5370349428977454192,16541204420212011585,131072 /prefetch:8
  2⤵
  PID:5076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4012 --field-trial-handle=1912,i,5370349428977454192,16541204420212011585,131072 /prefetch:8
  2⤵
  PID:1624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5644 --field-trial-handle=1912,i,5370349428977454192,16541204420212011585,131072 /prefetch:8
  2⤵
  PID:4804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5948 --field-trial-handle=1912,i,5370349428977454192,16541204420212011585,131072 /prefetch:1
  2⤵
  PID:2160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=6048 --field-trial-handle=1912,i,5370349428977454192,16541204420212011585,131072 /prefetch:1
  2⤵
  PID:2924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5372 --field-trial-handle=1912,i,5370349428977454192,16541204420212011585,131072 /prefetch:1
  2⤵
  PID:3524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4012 --field-trial-handle=1912,i,5370349428977454192,16541204420212011585,131072 /prefetch:8
  2⤵
  PID:3996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 --field-trial-handle=1912,i,5370349428977454192,16541204420212011585,131072 /prefetch:8
  2⤵
  - Modifies registry class
  PID:3792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3008 --field-trial-handle=1912,i,5370349428977454192,16541204420212011585,131072 /prefetch:8
  2⤵
  PID:3924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=3836 --field-trial-handle=1912,i,5370349428977454192,16541204420212011585,131072 /prefetch:1
  2⤵
  PID:2612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4664 --field-trial-handle=1912,i,5370349428977454192,16541204420212011585,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4740 --field-trial-handle=1912,i,5370349428977454192,16541204420212011585,131072 /prefetch:8
  2⤵
  PID:4696
- C:\Users\Admin\Downloads\SavingFilesReaction.exe
  "C:\Users\Admin\Downloads\SavingFilesReaction.exe"
  2⤵
  - Executes dropped EXE
  PID:2200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2728 --field-trial-handle=1912,i,5370349428977454192,16541204420212011585,131072 /prefetch:8
  2⤵
  PID:5020

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3084

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x408 0x3cc
1⤵
PID:4308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\12c3cc90-14b0-45e4-ac21-64861775a463.tmp

Filesize
6KB

MD5
ce7897943c8f4a19a83b59e3dbfdf73a

SHA1
8c9e3060f02d04ddc288244d695aed0fa6d58b0d

SHA256
95be19e79b5f59d212f82e41eb8a6923ee089be7920c38033ec21f94e272e678

SHA512
508b66639a0bf42d73d317f188b73b757183b44f29ea80d5aa19d66712fd697ef0def6ef32dea86ec63deaf5265556581cdc198c07510b9b77aba6bd1cb54bf0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
c105b3818d0cea0fd8b9c4c0c46fe843

SHA1
edfa16a019513977d622cf8f0d0e58a7c7b633e8

SHA256
6992d221d9ff883b88cc6059acdb744e7aeb5dede6fceb1a1deb51e3633c1c15

SHA512
e2feb2f123a440c3ed7b510d04e6229255473d1bc2168d3ab4548698cedb055fc5f507d8a8cebeb8da283ed4acad82e104eeea3a758d5ed942e480419e83a7ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
0c78b07c6c0b9764e3f04524fdf700db

SHA1
efe6118c04310d14a5904d442e1c09f0d042a960

SHA256
a145f7fb67a601bb3b16188d3a74a4e7aa46055747743bfc31338b779620b07f

SHA512
ead06730bcd9d19de2183593064dc7b54a299c0da999d156d7f89314d6fb324cdf0f726751da6e74ad252ab82ade143a1fb531390ac9ca3ffa7425508066f742

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
7ff7d1a2cfd2baa3e7a8b66c2084491b

SHA1
d8b82a124d704637b215a215ba5e4e56564032bd

SHA256
e0c9945884f7f22407300b6737834d3fb24246417cebdc6308556f43c873f5ef

SHA512
cb4688f901c8c6bb524fee46819d623e761abede3cfb4b0d85bc78ef3ea446e46e2112883d46defa9c879e967ecdf9551165f17c733fba52ce283985acaceea8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
557866548bf041f21001469c6a68cd0c

SHA1
3ee987cf9bb230c31e16a0272ccd4cbf362b15fb

SHA256
fbebb2ada71cdaa9004d625da37ae9e13568954eb9c8d9cdb2ba654309a40b31

SHA512
33c98ff59b847ec6f073680a2d99cebed5bea16fcd0becf50b103d1c7d5423c5f11cab3f4fe6bc74cf0b10ed95c62d654650b2e5e370669b4157ba9bf0604e7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
ecd57dd8a9cc8b71440e3d87c4d0125a

SHA1
f8a4f00b8aa062ba698c9565e8a5d73a19e3db90

SHA256
78d77a1beaff1f5bdd30c72ae8c0e0edac8e64569da29ad1b7bbf293f3741e26

SHA512
930fcf8f416eb269b42b698fcc6664040dd3089fb2d27ec3a3d9ededbcc91dec0f4f7b912fcfcb03606bbd8af19d6cbab16c11a236b5e6acd63a74280c07ba84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
9315ff787e91db8dc7d96ae3a9c593f5

SHA1
2bbbb6ce306f39e78a3d244d5dac0262fb695396

SHA256
0498e71e29648324586c7015254e0fecff6ef33d90ebb6743fa8aaf770da5b4d

SHA512
02947196550049c5e612b40b9d0d33ef09f3a19bae9d42505ba50be55fb00f91c275a238ac7a60c5146725e6fa290f909a1e64d7e266a7c74a13d1c87543a16d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
4e80b1c251fbe5419485ef5fb7acd2b9

SHA1
29fdcc10cebed479d91a58f28605cd4cd15c4216

SHA256
7e139bf2ae1a9011591c621d0937d976c5e3f279990a72fb237b95a31465be3f

SHA512
d375ade5051d200a70e5023bb91b08a32b1b7387f7ffc4986d79c23be2502d665764cd2016f788de10d6919ac2881a46c52ca94663716ff4b1f729b7fb12a1c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
39691f828e8fd52a83efb07c07240df6

SHA1
7f999c417fe69d4920c60efb1b7e1b4835e03fc9

SHA256
4e678c14f582849c3021ade2880bb6c0084b0717e430080fc11959365e882d9f

SHA512
a6d37687902d1a9ea74cfe1823e21cf77fd4c3ea9abd0a57db3fe76442ef4c3da9c441b19455969ad7b68ec833c72118ad5b1645527e78e1a2f70157495482af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
1c39ef97bdf199b10b5f4c4596908046

SHA1
2f856e708d7db52fe413aa521560d6a9541506bd

SHA256
802c13efa6719679fe198e6cc05206b881fea84093982171dca364c0df462a80

SHA512
da7248e57a3de1a0ed3d6f0065962e9f57fb805acca1f6153d03316af85abb69ca437e37cb714e5fc94c95c2e0d9399fee944e0b61878e565be5e18c0b1d4708

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
82fd799d2a62f59895879eeadb6fb510

SHA1
7fd058eb04a8b96c7afbab101bab3ae02f38baaf

SHA256
a1716b4bab3ff8f2b61797ed24cf03818f41b835cb87413aa7d947363123a6d1

SHA512
b800ad6c280a399f76442765230cdc6e23302227be19013956a62497cc6410eef7ea30d67afdfc799cdccd81eec9694e48e9e5cb3fad2f13b1caef6ef3873642

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
1789cf3b84018b6bb46ff6f85e1a36d8

SHA1
28d19d1fe3b9516253f1119f13424db29c2554ad

SHA256
8b0b89afd27b751753dc858fc7a53cc120490d3357798ebde240584af15eec12

SHA512
f3ff407ecb5079bde65c75c3327145c60cd7074568e6182cba3dbe27c561863a99b8468186ff034cca69a5d3020ea2d52b387c182231116512d085951a2240b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
748d620897b49a0fcc8b36edaaa24c9a

SHA1
f84cf5537616a28bb8b93dacff5d167946b870be

SHA256
2cb479bdd1fffeafb66127a110ba6f34fc32658b0424f60e3d6a5f062383c4f9

SHA512
6617364ff73335ce4530f3de7de577f10628d5ae2f7cfc2387f2938abcf393db160dcfe366eb308024a6dac1efc040839f376c2c6fce1c98e6cf0f0bb6d16b31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a23052453262cba2273d776b06a3c85c

SHA1
84c25471c840cc75845bd8a1f6ac49a1c240a056

SHA256
2195dfb65da66ed47608dcee2dd1fc22dc6a8a876acc720a5258652326136588

SHA512
fadc9d4afdd036228ed383773c8dd87a6eb35b4a072a4c1e6c90fc4dc4bf6b75a330e1527fe006a1f0a97d81b9b321bfd52d1c68ca2b1f03ac0234f5889f9377

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
1d7e4c97490dfc0a388d350863dd0c73

SHA1
5c39026bfb09235a2adeb5d312005a4237cd86d2

SHA256
d2c863900462c8b50f4f3495555fe2e00799a65068bcdac26ca31c6c02db8f07

SHA512
3fc4c893979b124f94d93eca9ddb19c5299c2341c9063e2ca45128d6e4670342b958a23fa602162a67d282a4f230a2dbaaee16f26d99c74955a251a608629e36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e42f94043bcd08f5818dd30cd15e7add

SHA1
9562e730358ae70706c2966759bd716761d10d20

SHA256
9a46e6a69c6ce3ef07e3fd14c406f73898bba3f87090c2632058f23664c22821

SHA512
dc88ae9f2b850def278b5863c60ba27bc777277fe8ce0836c0feaee89bbe031ea39c5c982f527b17b7d75ec1802f4aa8332a28704a302544e5193c36162bc3de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
699B

MD5
aab5c9d1c6e7982e5c822e868381eaa0

SHA1
a4d317b5bf249d92e3f0347b8f32d15cacb1d527

SHA256
3151aee00278bed3ebf93ee4e5c3352e01d1b16c2a185a09f87b62b6498dd54b

SHA512
8a08925deadc0ae4e64fff8c8dae4a0c254a5b5da33ce2b57282f6125eed615ab38b2c8172efed6a85ede9c82ca23a9adc36607c12fe8e11461f2c923ac2fa96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f9584f6c942aacff79861400923f48ba

SHA1
d58175b6a2a18f77f8b46ec6e06c60be7408c550

SHA256
607730fcbde75d9b36fa00764743a9ecfc2bcc28e675c98d7da18662b5678f2d

SHA512
b738536414de650296d8b14798f77b99eaa6dc64c036b5c4bf4e12108bad8c8f200546acf3fbfaad132b7cd12e89e9ce809ca74d7874470acf72494f6b0091de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
82de61fe6e58250eb6490952a87b8b28

SHA1
8751953012c19aedd804e90e3963185219ee51c8

SHA256
574000388cecdcb2ff68d462dbc282f383f7b117698f23ebfd3947427e9b08a5

SHA512
5de88ddb2ae13bc8dfefc854b493a5ae48de78143564d346cc2a48d4aa34da7251a41571f530c320174412a716274d643322b569f6b1c2a2a1d64ebd1fb5168d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
108fe0c155514257dbcb87dfce3233d3

SHA1
8f8bb56499b3392c32eeb3f36021c9774a4c3d05

SHA256
ab0c27f3224a769e0200ad1ab7cad6723522851473bb0cfba0d36863e8b82e66

SHA512
f48f57b0e7bc36d4a91ed51c36f76de4bef5628e6451cc801f054ec423ea3e0e0fb544d74546c224b7cb7b21f1ba8879f95369d63975e86931024f3ac5c4631b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
549b7e574b26682e269978c5f291d8a6

SHA1
bf3571d4f7977aedf0d57a074e7091245b13760f

SHA256
24d660960c9ce11d92320205b7f57b3d7f2ceaf1ee3ffac12da569ebb07cd949

SHA512
be5f6d31cbfee5fe6cefd4fa9c07d39690d534c540e4fe9b2013c567b30a05c57fada30abe70bb972cfef91d6c8ec27b4771f8fbd917f3f989950db85e556d8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
51b6398cbbaa5e4794456594697916a9

SHA1
aef577e732f5283828d2e5bf0cd75ce62f29355e

SHA256
3b5f0b98b2e83d7aa55e73f0b72d3dfeb67408bc157b88d833ad330a3ac29b16

SHA512
b3b6c0d9735202f0a2e18b58661a37505967f93be128331c1a3f4fa57f85f5ae4ccd2375caa6cdacbbabe7fa9f70dce3c162c12cedf1f8b9c103557a695d8a7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
97cfd0ef75e2797c2aca8b53e93cf1d4

SHA1
63813b484d38fb705074e6f1a907fe718827ef3e

SHA256
9fada4b730d7ded753264a5088695d6c44bdabfc097e1cd33db242c8196e69d5

SHA512
d4a79c96b75ad1b34945a9536368ca7a1b6af9f75484186099ce584a97285739335e3b008071f526e5b453005f5392deef77b0e61f2daf74a59dac4a7cd20410

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
5afa86a9ebcf1036eeaa19966ddf2ed8

SHA1
7325ebac42306e530fbaf42861f3ae1f27c026a4

SHA256
3b84ba108f0dd62b5b5407e61c283b6683b0c736ffe2905b0c9e51df3d14cfeb

SHA512
87e9be495a32d4b63b27f31f59c66f930396cadd01ea9597e2b0883bda77c721f25e19feee10f26195b33ff41544f4a64f4aa149a79d97e7b95c1bff91d2ed61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
af9cb37a9835fbc5c31c100e854d10af

SHA1
3d868e57e98da7d705876424bfa59383cf901550

SHA256
b564dda3730e01d4ebaab4a4911047cfb1c403860cdd9b55b839143650515612

SHA512
950575f2be31d040f515a4f8929c990bb6e51bfe7fb77791f5fae0d94a61347a933efac060db3a6ed91208b2be173019a2b46c6833b79285e8fbfdccad997eb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
118KB

MD5
b0d437f62ea81cbc083e733fb1ed7558

SHA1
055d19fc09189d661bbdb5954e76ae36704f716b

SHA256
ec1df736ee69c2294c46a1ca5ffd8726681cf810af6be1d915ae750d72a8b8b8

SHA512
208b6ea1f97a0c26a127e02baac5c5a340106a13b466b14a45d2ab04d0e8bcd244062ba3ad2c3a95a466e258cc35f120ea86b25062905c2d77417e7b1a93278b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
117KB

MD5
dc578ac341dcf34669d91ab92565d662

SHA1
7aeaaa520956fb369b430929fbc97420bffd195c

SHA256
98e58ed9381bc79930ca3363a4553fc0f05d6cff4c87126361c570a4426f486b

SHA512
a879d99ad8fc15afc6871797d01addad8ebdbd84bfff9fc3d8f07b148f4e67f5817388cfba42c11d0c80040b6d0a5423018648ef6de946bfea7855b2abe1d5dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
110KB

MD5
3b68be9716a03cf6e321975835e83e1c

SHA1
a7b5cebf1993b0da2d2e772cb3ebea6afac61380

SHA256
01b85f37bfbc52e2109245b97131738b95506a90d1e692740c618a79d30c68fa

SHA512
0a134ee377d00194ac24e59d1dd2d9de4dd0868e3c284c5735fd9d640a8b1c8e24029072228ae00fb28b3be7979da9d72d7427e8a941aeb6761ca06ad646c9b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe579599.TMP

Filesize
107KB

MD5
2a33a5d53ab00efcc306d5927ee17895

SHA1
ad55fafed372ec9458e3c652b1b1f787d4969600

SHA256
771db55c95584247f455d3daa0085078a56d8d5582dfc1914a4ea5f5c3a5ce0c

SHA512
df971c0e20b724d3d79a2a83a123549210853c26a94c8d4a4058b1cf1b42c6c1dfb4c13c75cac6bff751c13747357a1635abdeffb8ad91eef1126b8955ac2815

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\SavingFilesReaction.exe

Filesize
10KB

MD5
12834979707900249bca77e843acff49

SHA1
2d2f19901c0e6f92cf21dcf036e3841bccac3260

SHA256
84dd21f28fd594454d553506e51d8abb69a9a44d4dbb880ebdc62d466cbbe4f4

SHA512
7687c3b4b57251628b0ce8b36a4778d3e6ae11c8be4b36f4751ae952d01d7341577ee09f323bb675e84e7e5d6fd0c996d0669568a104230d0fb923293e49c60b

Download Submit
memory/2200-517-0x00000000746B0000-0x0000000074E60000-memory.dmp

Filesize
7.7MB

Download
memory/2200-520-0x0000000005A80000-0x0000000005A90000-memory.dmp

Filesize
64KB

Download
memory/2200-461-0x0000000005990000-0x000000000599A000-memory.dmp

Filesize
40KB

Download
memory/2200-539-0x0000000005A80000-0x0000000005A90000-memory.dmp

Filesize
64KB

Download
memory/2200-460-0x0000000005A80000-0x0000000005A90000-memory.dmp

Filesize
64KB

Download
memory/2200-549-0x0000000005A80000-0x0000000005A90000-memory.dmp

Filesize
64KB

Download
memory/2200-459-0x0000000005800000-0x0000000005892000-memory.dmp

Filesize
584KB

Download
memory/2200-458-0x0000000005D10000-0x00000000062B4000-memory.dmp

Filesize
5.6MB

Download
memory/2200-457-0x0000000000F70000-0x0000000000F78000-memory.dmp

Filesize
32KB

Download
memory/2200-456-0x00000000746B0000-0x0000000074E60000-memory.dmp

Filesize
7.7MB

Download