snakebot | hxxps://ufile[.]io/9zbtsv7u

Analysis

max time kernel
1800s
max time network
1685s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
30-03-2024 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://ufile.io/9zbtsv7u

Score

10^/10

snakebot snakebot

Malware Config

Signatures

SnakeBOT
SnakeBOT is a heavily obfuscated .NET downloader.
snakebot

Contains SnakeBOT related strings 1 IoCs

snakebot

resource	yara_rule
behavioral1/files/0x000300000002a77b-200.dat	snakebot_strings

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
4192	UT27-AowVN-FREE.exe

Loads dropped DLL 1 IoCs

pid	Process
4192	UT27-AowVN-FREE.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133562475068103510"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1637591879-962683004-3585269084-1000\{6749ED22-F635-4E40-8E7A-47D39F7E6DFF}	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\UT27-AowVN-FREE.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4616	chrome.exe
4616	chrome.exe
1840	chrome.exe
1840	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe
Token: SeShutdownPrivilege	4616	chrome.exe
Token: SeCreatePagefilePrivilege	4616	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe
4616	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4192	UT27-AowVN-FREE.exe
4192	UT27-AowVN-FREE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4616 wrote to memory of 2456	4616	chrome.exe	76
PID 4616 wrote to memory of 2456	4616	chrome.exe	76
PID 4616 wrote to memory of 3560	4616	chrome.exe	78
PID 4616 wrote to memory of 3560	4616	chrome.exe	78
PID 4616 wrote to memory of 3560	4616	chrome.exe	78
PID 4616 wrote to memory of 3560	4616	chrome.exe	78
PID 4616 wrote to memory of 3560	4616	chrome.exe	78
PID 4616 wrote to memory of 3560	4616	chrome.exe	78
PID 4616 wrote to memory of 3560	4616	chrome.exe	78
PID 4616 wrote to memory of 3560	4616	chrome.exe	78
PID 4616 wrote to memory of 3560	4616	chrome.exe	78
PID 4616 wrote to memory of 3560	4616	chrome.exe	78
PID 4616 wrote to memory of 3560	4616	chrome.exe	78
PID 4616 wrote to memory of 3560	4616	chrome.exe	78
PID 4616 wrote to memory of 3560	4616	chrome.exe	78
PID 4616 wrote to memory of 3560	4616	chrome.exe	78
PID 4616 wrote to memory of 3560	4616	chrome.exe	78
PID 4616 wrote to memory of 3560	4616	chrome.exe	78
PID 4616 wrote to memory of 3560	4616	chrome.exe	78
PID 4616 wrote to memory of 3560	4616	chrome.exe	78
PID 4616 wrote to memory of 3560	4616	chrome.exe	78
PID 4616 wrote to memory of 3560	4616	chrome.exe	78
PID 4616 wrote to memory of 3560	4616	chrome.exe	78
PID 4616 wrote to memory of 3560	4616	chrome.exe	78
PID 4616 wrote to memory of 3560	4616	chrome.exe	78
PID 4616 wrote to memory of 3560	4616	chrome.exe	78
PID 4616 wrote to memory of 3560	4616	chrome.exe	78
PID 4616 wrote to memory of 3560	4616	chrome.exe	78
PID 4616 wrote to memory of 3560	4616	chrome.exe	78
PID 4616 wrote to memory of 3560	4616	chrome.exe	78
PID 4616 wrote to memory of 3560	4616	chrome.exe	78
PID 4616 wrote to memory of 3560	4616	chrome.exe	78
PID 4616 wrote to memory of 3560	4616	chrome.exe	78
PID 4616 wrote to memory of 3560	4616	chrome.exe	78
PID 4616 wrote to memory of 3560	4616	chrome.exe	78
PID 4616 wrote to memory of 3560	4616	chrome.exe	78
PID 4616 wrote to memory of 3560	4616	chrome.exe	78
PID 4616 wrote to memory of 3560	4616	chrome.exe	78
PID 4616 wrote to memory of 3560	4616	chrome.exe	78
PID 4616 wrote to memory of 3560	4616	chrome.exe	78
PID 4616 wrote to memory of 4140	4616	chrome.exe	79
PID 4616 wrote to memory of 4140	4616	chrome.exe	79
PID 4616 wrote to memory of 3564	4616	chrome.exe	80
PID 4616 wrote to memory of 3564	4616	chrome.exe	80
PID 4616 wrote to memory of 3564	4616	chrome.exe	80
PID 4616 wrote to memory of 3564	4616	chrome.exe	80
PID 4616 wrote to memory of 3564	4616	chrome.exe	80
PID 4616 wrote to memory of 3564	4616	chrome.exe	80
PID 4616 wrote to memory of 3564	4616	chrome.exe	80
PID 4616 wrote to memory of 3564	4616	chrome.exe	80
PID 4616 wrote to memory of 3564	4616	chrome.exe	80
PID 4616 wrote to memory of 3564	4616	chrome.exe	80
PID 4616 wrote to memory of 3564	4616	chrome.exe	80
PID 4616 wrote to memory of 3564	4616	chrome.exe	80
PID 4616 wrote to memory of 3564	4616	chrome.exe	80
PID 4616 wrote to memory of 3564	4616	chrome.exe	80
PID 4616 wrote to memory of 3564	4616	chrome.exe	80
PID 4616 wrote to memory of 3564	4616	chrome.exe	80
PID 4616 wrote to memory of 3564	4616	chrome.exe	80
PID 4616 wrote to memory of 3564	4616	chrome.exe	80
PID 4616 wrote to memory of 3564	4616	chrome.exe	80
PID 4616 wrote to memory of 3564	4616	chrome.exe	80
PID 4616 wrote to memory of 3564	4616	chrome.exe	80
PID 4616 wrote to memory of 3564	4616	chrome.exe	80

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://ufile.io/9zbtsv7u
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffeb8f59758,0x7ffeb8f59768,0x7ffeb8f59778
  2⤵
  PID:2456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1716 --field-trial-handle=1788,i,2602773839426367818,3225772326424288237,131072 /prefetch:2
  2⤵
  PID:3560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=1788,i,2602773839426367818,3225772326424288237,131072 /prefetch:8
  2⤵
  PID:4140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2172 --field-trial-handle=1788,i,2602773839426367818,3225772326424288237,131072 /prefetch:8
  2⤵
  PID:3564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2896 --field-trial-handle=1788,i,2602773839426367818,3225772326424288237,131072 /prefetch:1
  2⤵
  PID:764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2904 --field-trial-handle=1788,i,2602773839426367818,3225772326424288237,131072 /prefetch:1
  2⤵
  PID:4716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4832 --field-trial-handle=1788,i,2602773839426367818,3225772326424288237,131072 /prefetch:8
  2⤵
  PID:1552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4820 --field-trial-handle=1788,i,2602773839426367818,3225772326424288237,131072 /prefetch:8
  2⤵
  - Modifies registry class
  PID:2180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 --field-trial-handle=1788,i,2602773839426367818,3225772326424288237,131072 /prefetch:8
  2⤵
  PID:2640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 --field-trial-handle=1788,i,2602773839426367818,3225772326424288237,131072 /prefetch:8
  2⤵
  PID:1460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4960 --field-trial-handle=1788,i,2602773839426367818,3225772326424288237,131072 /prefetch:1
  2⤵
  PID:3632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5048 --field-trial-handle=1788,i,2602773839426367818,3225772326424288237,131072 /prefetch:1
  2⤵
  PID:4268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3040 --field-trial-handle=1788,i,2602773839426367818,3225772326424288237,131072 /prefetch:8
  2⤵
  PID:2008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5676 --field-trial-handle=1788,i,2602773839426367818,3225772326424288237,131072 /prefetch:8
  2⤵
  PID:4876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5336 --field-trial-handle=1788,i,2602773839426367818,3225772326424288237,131072 /prefetch:8
  2⤵
  PID:4464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6084 --field-trial-handle=1788,i,2602773839426367818,3225772326424288237,131072 /prefetch:8
  2⤵
  - NTFS ADS
  PID:2300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6132 --field-trial-handle=1788,i,2602773839426367818,3225772326424288237,131072 /prefetch:8
  2⤵
  PID:1924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6016 --field-trial-handle=1788,i,2602773839426367818,3225772326424288237,131072 /prefetch:8
  2⤵
  PID:3540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5992 --field-trial-handle=1788,i,2602773839426367818,3225772326424288237,131072 /prefetch:8
  2⤵
  PID:1460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4680 --field-trial-handle=1788,i,2602773839426367818,3225772326424288237,131072 /prefetch:8
  2⤵
  PID:712
- C:\Users\Admin\Downloads\UT27-AowVN-FREE.exe
  "C:\Users\Admin\Downloads\UT27-AowVN-FREE.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:4192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5144 --field-trial-handle=1788,i,2602773839426367818,3225772326424288237,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1840

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4516

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004F0
1⤵
PID:764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000a

Filesize
198KB

MD5
cda68ffa26095220a82ae0a7eaea5f57

SHA1
e892d887688790ddd8f0594607b539fc6baa9e40

SHA256
f9db7dd5930be2a5c8b4f545a361d51ed9c38e56bd3957650a3f8dbdf9c547fb

SHA512
84c8b0a4f78d8f3797dedf13e833280e6b968b7aeb2c5479211f1ff0b0ba8d3c12e8ab71a89ed128387818e05e335e8b9280a49f1dc775bd090a6114644aaf62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
504B

MD5
01543282b7277b35eecbbdaed159a501

SHA1
32a56c0f99ad72c9ef189779557fdcf01432a455

SHA256
6b22d4413f133c4f1feafb1e1f53e8a6842747c8bd950201aa7fce9c52762b83

SHA512
14d50d1ab45caff19306e41b956f7d54ec406de497b585a91796433a227a8135e17b54bd6e792bcb83c1ab69de836af4c1df63e61b773307f5bc14eb5ddcb0b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
504B

MD5
731b502bd0d9be10ae417a33cee5881c

SHA1
ec082bba5454c4a0f11679f0dbf8f6655beb3a86

SHA256
c477ee435bf87df0b5bb4a0b3f0d57966727ae6b1f25c0963e3ad55b2f1c9055

SHA512
6b2c2934d8a95620d415e3848f79276dc58b96f06665aa97f8077338a5451c5884b400af0463a4f450d6a0b3e614fbb38b4921d761935e71f68fa8299d82de43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\75d1da8d-3796-4eae-9fdd-4741fe38a8f3.tmp

Filesize
2KB

MD5
e13a48bb13c5484e1136c0df91cd85db

SHA1
58e08c9cbdfa6b0599d5273ee143b5e069913069

SHA256
10d6eff4f2ca4d27fde06d02477fd0d88c572271499f941de28553f884eb8cab

SHA512
659e5cc130270febee4ea5529fdfc0b054a2189921910851286f30f0e6f190a6fe48e00f73903967419aa814d6e9d78a2034fe3abdd13f38db54a9f5efecd856

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
54ea5d8dc44edc499addc95aebdc7dca

SHA1
30dac643146272412d3e9ca5939c5ceba58dbd2f

SHA256
cfb1688ccf935007ff5c80c532f8a1236f86000e5ab4ef9145d1874915fd2f73

SHA512
0c7f416224c150c0eab4cbb1c52c2f0f2797368be1f0ad6a565d9f7803244cc47ca607eb019b30057a0218d7f5c59f36e94446a8e6951a78cd087fc0cec53bd1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
75552f731f4cc5010926cf8fbd974fe4

SHA1
c5a45ab22619e88f77ef70850e70d0e889b1eaac

SHA256
69c7aa5a2f7c3d0d53a788484c293396a060fa599c82f5f2a62fcf078d437657

SHA512
b26322a35d2c29a40cc17d861343dd95997b8f952f829f5867cfc769bc9b8e2c9658e05d0c0bcf7cf3df451958a54c53a2a441f5607dd85454bd8583791a3b22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
e9f377b18384f66a20ba1d9370e11c65

SHA1
fc3b89a36722c2a916e3dd4e1c99fd0fa8c2669a

SHA256
4653805ce2011f6018555705123671ed3413f831b23b30081fc29a3de51edac9

SHA512
dc05838f18e2422e317f735077c66a6adb83a0d669136010c600722ee642bf2d29a5629ca9bd8fddedc26b040f1428e43ff6631969087805fba15f0d3ff71f5c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
6b67fc0179476c75846a2d1f18d11fe2

SHA1
c680b6f5f9407101443d6dcd94011347f7ab8615

SHA256
bce118281d6ee81305fe8ddd6e80d5505506ccac262a27674696c14902851e66

SHA512
5f3bdd8adb83d161f84a830a2a243e00ba4304844dbe47bbcb4ae701cb3f924d807134dd73d2a3320fb5f4762e56c0b753c558c3edfc5736b8ef0b4537b1a838

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
16c90a6b9ce183760d807b51fc87b4fc

SHA1
dd4f8b9594194543c5c3b66370bb2c6171503c65

SHA256
fef8d9d6b5f075df7f81a250793af205c589aad3af410527018583c664ef9ca6

SHA512
54eddc182304e63caffc8bc583e0b1276a39b1077b675db51dc554eabf31875cd1418800e6a19a0c54ec71ca3fd916c2bc82734aab9970e018fdf934107b21c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
872B

MD5
a4354a34982354a44766643e615f4f23

SHA1
8cd4f7f10b257133e48ec5e4ff9d0a768989153b

SHA256
32d0edb94b3c5847b4c70095eab683fb2722c5a71b264c8b2ce400a3866ab3cb

SHA512
1a201799c698912771595bc48646ecba0087b86ee69c29b11c7fb96998a535fe5935243370ad40b177154b288b1260e700999dea552e54b0eb732400fb6e0d86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
872B

MD5
95a6f5b92fbfaab9d580aa8a87af5bd2

SHA1
0c7af311f2b7661dde363fb052ac9d4bca34751c

SHA256
c42fcb06fb6a154d4cf5688010ed3d185d0f4a7df54547f3c3b048b7561544e2

SHA512
b9129c7c16630266d8dac53947efd7db9196fec22804d260db2e1519e609861d8a0693c9ba5a0087405d3b5b3c11d6197c496dea6133a3588f0b75d41200596a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e88a6cc2fe08bfc283ddf27a1a3fa305

SHA1
ea81cc741196396ac17dfbfdaed61ddbc7aad4e7

SHA256
e28eabde165485a9d0e20f556b978ba2f08eaca4bb4b4eb2a8c8a31bc3a7fd00

SHA512
97f64da90ea00b0122984ed52e68b3ef9e63533b1c37915fccf2cc3b47f85dc68a19a020a230d32a1c3ce75e761d97753bc8ecf28433109c9961b36a052e79d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d88cfb89492edebbd519e310623773dc

SHA1
f5062f01ea02e8181aca8e0bc34cd2a5b3b9d64a

SHA256
a8473f36813e6a78707f10c28b79f458e83149dd07ebdfe74c01bf51bb2cae8d

SHA512
85507180e75c40588db5c96fb777397f18655d8f623bdaac3b556887334e4aa0a051c8d96a6874abc10aa450548b4448ac9b522aea1c336d55c62a58ecd1faf1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
4c6d04e67381e59afa824ba9f9a03024

SHA1
f41c8db29fb00ef5c30756c2d3fac1321c637320

SHA256
7f34466f9f911d81531136b0618d4a30eb2b5dd4b2c9d02729402aeb287cc351

SHA512
42e958254ff3e051c63071df68299d8f95ecb20baaf696b968aa2a9e3612382aae730d8b3bf6be9b7451819fa8b66364228a04037bb84a88fa09b3f9e5f461d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
29245da84254b8a25ff67e25258a85e8

SHA1
1763b0426c94b9c2a87fd4d3ae52b6f64278e792

SHA256
44dda85bfeacfe57a3c5440ecf993c36cc714d31cf81c75d85ff4f1461a68375

SHA512
191896efe260fb6f1706b526796cb1fa10fc29f29f881de9436a6c90847e1e9c3a0f28752f0dc03c323fe1b3301f99bd07f10ced20ce12503b3551766ec24cf5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
109KB

MD5
3e36b3603e7f4920c59b1bc92bf0689a

SHA1
59173bfa5aad4781687ddd11012e32aaa7df01be

SHA256
6ad36884545cbe94572396d6969f9d8c7fc8a470d12f7efe80e5d79293a795e1

SHA512
9531f11eff48093d26f3640c3e9260a85ec6e9920c95c173c279bf40dffff54c6de4e4821660efb425fd9012b66f4ffb921d58d241e3b10b9e50bd1c551ce216

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
98KB

MD5
6c0397b97149d22bb6385196179d75e9

SHA1
4307afacbbdfd8d4b0ca287a333fe093ff6a0449

SHA256
9dda0fe1ca2c797f8d6272894707f4265286b4c1a567ee6b21b25005f403096b

SHA512
af4e2ad703e26da41e7aa40073181d1ab17903b584db530c3c4c2cf25d7cab0a5071471b0bab978cff3c84550129dffc56a4ca39b9e9eeeb67677a4519794d91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe581b72.TMP

Filesize
93KB

MD5
1e6322c5fcbd8da6afb7cbe06d731fdd

SHA1
7b6fe3e8cad138e319a6eeb30605dc4a7b6b2373

SHA256
6070f93e167d22e21e1027996995d1b9a4ff0bf09e6fb017696a1f9ffcfc4972

SHA512
e145585399d40cf51ca9cba0fab6073224b2413dc312ae83d6f52e3386646a1b97616a5abb6260e1901e538a295698055d36a5225327cca67725a2fd55545148

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\evbD29E.tmp

Filesize
1KB

MD5
a86a7bc84be289e0f16db2c4a2760b75

SHA1
d64727fbee1d11a1686472edf17221d1f1757540

SHA256
7c38a57a41ca7f786ed6e0474d8e2f90eeee0a891fcef2ffec86f61b91963d75

SHA512
807978c2aeab0736a486b0b8ea4d732796cfd3d1f56c30f2936fb971e44897f2be3e897338156784f8808dbf059e66c37e1533d82633a086e7f1ede42ad47ac3

Download Submit
C:\Users\Admin\Downloads\UT27-AowVN-FREE.exe

Filesize
165.4MB

MD5
5ed1f0424dc104d6c2db05e1193a9b4a

SHA1
db12620f4b825e6bbc06ac1d4de89c318659026a

SHA256
4b6a4467623a9af817491bf7fd3785dd02f5934a74163ffd7157044d6dc270cb

SHA512
3e90ae0f761b843698aefeac6e628b01405913fb22419d6ded0239f9b77780f747169e0053c3cb9e27c9d62d72fe90cacee3630b0a882706aa8e5e5ed1cefa87

Download Submit
C:\Users\Admin\Downloads\UT27-AowVN-FREE.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/4192-247-0x0000000000400000-0x0000000000A95000-memory.dmp

Filesize
6.6MB

Download
memory/4192-248-0x0000000010000000-0x00000000101FF000-memory.dmp

Filesize
2.0MB

Download
memory/4192-258-0x0000000000400000-0x0000000000A95000-memory.dmp

Filesize
6.6MB

Download
memory/4192-260-0x0000000000400000-0x0000000000A95000-memory.dmp

Filesize
6.6MB

Download
memory/4192-266-0x0000000000400000-0x0000000000A95000-memory.dmp

Filesize
6.6MB

Download
memory/4192-268-0x0000000000400000-0x0000000000A95000-memory.dmp

Filesize
6.6MB

Download
memory/4192-225-0x0000000010000000-0x00000000101FF000-memory.dmp

Filesize
2.0MB

Download
memory/4192-279-0x0000000000400000-0x0000000000A95000-memory.dmp

Filesize
6.6MB

Download
memory/4192-280-0x0000000010000000-0x00000000101FF000-memory.dmp

Filesize
2.0MB

Download
memory/4192-220-0x0000000077864000-0x0000000077865000-memory.dmp

Filesize
4KB

Download
memory/4192-221-0x0000000077865000-0x0000000077866000-memory.dmp

Filesize
4KB

Download
memory/4192-219-0x0000000000400000-0x0000000000A95000-memory.dmp

Filesize
6.6MB

Download