ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595

Analysis

max time kernel
149s
max time network
141s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
01-05-2024 06:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
Size

1.1MB
MD5

29785aa96ca68a0327cf5eba9ce4fdf3
SHA1

cdfc6d159419c7cb2c979463a9b4cb901f922a0f
SHA256

ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595
SHA512

d5a3fdec0be338dc37d85c92833293afdc63abdef7e04d16b0253b1ecef04d1e981a02d9ec3e913ebe1abc7a4316ac4eec7be06deb0f794631dda69d03dcf638
SSDEEP

24576:7qDEvCTbMWu7rQYlBQcBiT6rprG8auu2+b+HdiJUX:7TvC/MTQYxsWR7auu2+b+HoJU

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133590199902936707"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1448	chrome.exe
1448	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1448	chrome.exe
1448	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe
Token: SeShutdownPrivilege	1448	chrome.exe
Token: SeCreatePagefilePrivilege	1448	chrome.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
1448	chrome.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3372 wrote to memory of 1448	3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe	80
PID 3372 wrote to memory of 1448	3372	ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe	80
PID 1448 wrote to memory of 4308	1448	chrome.exe	83
PID 1448 wrote to memory of 4308	1448	chrome.exe	83
PID 1448 wrote to memory of 1560	1448	chrome.exe	84
PID 1448 wrote to memory of 1560	1448	chrome.exe	84
PID 1448 wrote to memory of 1560	1448	chrome.exe	84
PID 1448 wrote to memory of 1560	1448	chrome.exe	84
PID 1448 wrote to memory of 1560	1448	chrome.exe	84
PID 1448 wrote to memory of 1560	1448	chrome.exe	84
PID 1448 wrote to memory of 1560	1448	chrome.exe	84
PID 1448 wrote to memory of 1560	1448	chrome.exe	84
PID 1448 wrote to memory of 1560	1448	chrome.exe	84
PID 1448 wrote to memory of 1560	1448	chrome.exe	84
PID 1448 wrote to memory of 1560	1448	chrome.exe	84
PID 1448 wrote to memory of 1560	1448	chrome.exe	84
PID 1448 wrote to memory of 1560	1448	chrome.exe	84
PID 1448 wrote to memory of 1560	1448	chrome.exe	84
PID 1448 wrote to memory of 1560	1448	chrome.exe	84
PID 1448 wrote to memory of 1560	1448	chrome.exe	84
PID 1448 wrote to memory of 1560	1448	chrome.exe	84
PID 1448 wrote to memory of 1560	1448	chrome.exe	84
PID 1448 wrote to memory of 1560	1448	chrome.exe	84
PID 1448 wrote to memory of 1560	1448	chrome.exe	84
PID 1448 wrote to memory of 1560	1448	chrome.exe	84
PID 1448 wrote to memory of 1560	1448	chrome.exe	84
PID 1448 wrote to memory of 1560	1448	chrome.exe	84
PID 1448 wrote to memory of 1560	1448	chrome.exe	84
PID 1448 wrote to memory of 1560	1448	chrome.exe	84
PID 1448 wrote to memory of 1560	1448	chrome.exe	84
PID 1448 wrote to memory of 1560	1448	chrome.exe	84
PID 1448 wrote to memory of 1560	1448	chrome.exe	84
PID 1448 wrote to memory of 1560	1448	chrome.exe	84
PID 1448 wrote to memory of 1560	1448	chrome.exe	84
PID 1448 wrote to memory of 4412	1448	chrome.exe	85
PID 1448 wrote to memory of 4412	1448	chrome.exe	85
PID 1448 wrote to memory of 2856	1448	chrome.exe	86
PID 1448 wrote to memory of 2856	1448	chrome.exe	86
PID 1448 wrote to memory of 2856	1448	chrome.exe	86
PID 1448 wrote to memory of 2856	1448	chrome.exe	86
PID 1448 wrote to memory of 2856	1448	chrome.exe	86
PID 1448 wrote to memory of 2856	1448	chrome.exe	86
PID 1448 wrote to memory of 2856	1448	chrome.exe	86
PID 1448 wrote to memory of 2856	1448	chrome.exe	86
PID 1448 wrote to memory of 2856	1448	chrome.exe	86
PID 1448 wrote to memory of 2856	1448	chrome.exe	86
PID 1448 wrote to memory of 2856	1448	chrome.exe	86
PID 1448 wrote to memory of 2856	1448	chrome.exe	86
PID 1448 wrote to memory of 2856	1448	chrome.exe	86
PID 1448 wrote to memory of 2856	1448	chrome.exe	86
PID 1448 wrote to memory of 2856	1448	chrome.exe	86
PID 1448 wrote to memory of 2856	1448	chrome.exe	86
PID 1448 wrote to memory of 2856	1448	chrome.exe	86
PID 1448 wrote to memory of 2856	1448	chrome.exe	86
PID 1448 wrote to memory of 2856	1448	chrome.exe	86
PID 1448 wrote to memory of 2856	1448	chrome.exe	86
PID 1448 wrote to memory of 2856	1448	chrome.exe	86
PID 1448 wrote to memory of 2856	1448	chrome.exe	86
PID 1448 wrote to memory of 2856	1448	chrome.exe	86
PID 1448 wrote to memory of 2856	1448	chrome.exe	86
PID 1448 wrote to memory of 2856	1448	chrome.exe	86
PID 1448 wrote to memory of 2856	1448	chrome.exe	86
PID 1448 wrote to memory of 2856	1448	chrome.exe	86
PID 1448 wrote to memory of 2856	1448	chrome.exe	86

C:\Users\Admin\AppData\Local\Temp\ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe
"C:\Users\Admin\AppData\Local\Temp\ef176c396e70f3e6ee5b5b18ec596ca4956340624606fad67cf99018b61c7595.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
  2⤵
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8d8b9cc40,0x7ff8d8b9cc4c,0x7ff8d8b9cc58
    3⤵
    PID:4308
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1776,i,10460510229272959571,18119201999070608154,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1768 /prefetch:2
    3⤵
    PID:1560
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2108,i,10460510229272959571,18119201999070608154,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2100 /prefetch:3
    3⤵
    PID:4412
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2184,i,10460510229272959571,18119201999070608154,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2404 /prefetch:8
    3⤵
    PID:2856
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,10460510229272959571,18119201999070608154,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3116 /prefetch:1
    3⤵
    PID:768
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3104,i,10460510229272959571,18119201999070608154,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3140 /prefetch:1
    3⤵
    PID:1176
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4428,i,10460510229272959571,18119201999070608154,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4372 /prefetch:8
    3⤵
    PID:4856
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4676,i,10460510229272959571,18119201999070608154,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4684 /prefetch:8
    3⤵
    PID:4956
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=212,i,10460510229272959571,18119201999070608154,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1132 /prefetch:8
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:2100

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:1592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
26e22c61b1686fa138416e93212aa2d5

SHA1
e97422e7f412d97ad6c24dc98050f2a680e89251

SHA256
ce1ef4291e574f9b1b461dcd2ee75105991de37b042339ab7339a06c49409e8f

SHA512
2f790bfda5f9ccb97ae067d470b1fbf77ed7c203eabfe8f6f0b32eec584ecb004dabdc469bda285a3e104beb50d046d6cc1cb8d807612d9849fb9539c85c1fdd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
b2a1d8ef951d4d3a8e8cdaef307903fe

SHA1
7a7a3c06f1839eff3822d8cbd58b1928a269c812

SHA256
954e86b8531f52d896055e657873f3c18b943752fdcc0ac63cbdc0375300f145

SHA512
82c649d4310ea9cb11e6e827f9f525a9b3402dbe8e9a8ce4c06853640195a92d4b5f051da307bd85a82d61df830bf8ac40e0f22f34df00dbeb71a2c163b2c302

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
9c5615f46d6ad928dc3f79678f02c014

SHA1
4a9a44deda445790d9a47df5e5c0e956de020bd1

SHA256
13c134db99ed465818baca52655b1d3c46d71747ace52b18d675cd58075e3d09

SHA512
136a6d07c650548a6e801b3255458c4408f65ba30b558536e4fb523ccb8e26fa3a5ba4b06aaeb1ccb25fad6f361cf6d305bfb281bfee758b1f4662ad15718bbf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
04d578140dcdad1be482389a2cb82bc7

SHA1
4ee3f826c853f02cbb56aaba3ca3347efb212391

SHA256
60c5ac146340b2f6a578dec0c63bf14e77de0f6468f9f7ee6848fb1a8042547e

SHA512
f65043bec02fefe1d99c677920db117f6497415e36fcdaf69d61d04376ca086ca02f2da00b931e48bc68fb18c807e6fe938c48a09a149934fd5ee703e307344d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
48dad1999743acb34d635a29cf42deee

SHA1
e65a32fe394423d5239c8ec4dc9232b327a86b0d

SHA256
b1bd6d9dcabd493baadc0165e60005100bdc27427bb4d5774b671ce1636746d1

SHA512
4a31b1fffac35a7240673479214618ce17b3ba0b83367ec7ac3125182fea61d1e18d4492fdb265f3ff125012b59c26e3224043da9c36d7e13f45508cfd93cede

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0f754e642286bb10c638dded8fa2f611

SHA1
bdfad1be4ef889af341254f635578786f030ba6f

SHA256
ee2449fc63b8bf038c0797acfee4f4bc2af10e5189ee8b5da17a5d109c215d5b

SHA512
5473f00c793243c1fef88b272d6802a9051597b34762a07a97fa293519624ea15add048167c268e73f8fdff7eefe95a5e67fe028fbfc46df4b2853855fb28d4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bb0dbf5a5d1eb5a12d9267cc59a156c4

SHA1
535ae993a622b13e4e2da9e5b439ffc399444ca2

SHA256
254b533c859ad51ed1cd98c76551e151514aaf4a51395ad09ee19bcabf7c77d9

SHA512
92a2c0d231fb10ebfbb7eaa355698c0f47a9a374755a9c850ca7e2258bc635a555607b9d124f97ab92886810ef80f7c4bafd950114f9f47ceb52d2c1ed18178c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d2b2b610044410b5b69552ecb437f09e

SHA1
7580b9c079a03d7e4363b00824648472e37c5f68

SHA256
01ad3e0a824c535ec5735eac3279f3580519d43817e5d027c41b8830b1c82aae

SHA512
98c4331ee797b9c3a153ed428a0d55308e4063e421cd1766eac536a949d47128ecaa9c9776f171e6fc5f80cfdec84261e9fee3a3d8a31c84e3ae1cf0460b256d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
838758f7afe11f2c05fbc960edef314c

SHA1
0b43d47f1d7ed51f4d0d4ecbe712696189879be2

SHA256
94cdd2c635a348bc4d54d0f4e6d18e80f5f9186e622c06c6bfe887043a3cda7d

SHA512
7d844d32e21425140def8965d30d4cb534ef486796c69938499c4b7fa36894c26bd8ecf39ee5b8472d193d2199533a035419c62a00e9157748cc6f08555e043d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e0b99945989994bedbb45d3559f27af6

SHA1
0bcd09a65501884713e7be6dfad96d002a90475a

SHA256
201f4fdabda5d8d591d1d4061e108221a71c71aad1dbb8b757d0114af5d8fb44

SHA512
0b44bdf08fa0a21882e8ea7530d1b3b7ec018bc551adcc289c6ba47988d6d8e52870db85baa38d627b12cfbe1b9cc4e95834d3f262a8db208154ff638163a175

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cbdc9672754371d3a33d7320f8cf865e

SHA1
46810e71f85759647ce40a7bd20ceb8d7256fb32

SHA256
3fc300246b865fb8b28911649b74f9e762c406d5ce78f2b63b05a7cb2c19b49d

SHA512
b5e90e1d36ef67f8e3c7f906c742b953beebd116636ca4391a4e9eb474682dde7cd95e25185caf160cd71636b0d621dc8f20e201242fea625162406388e61ee6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
02cc967a18ab89f4a13706881166650a

SHA1
673ccfafe13d7592fe70197ed59f23de96020ab2

SHA256
f983106243225f01e9673f9d84be0e9b7911dabf7a11fd3e2a8047fcc2fc2ac2

SHA512
2177fe01098e25b1c16e7e1cde8c3164c40881e03a47f3d10dddc9f5c5b5ee5f4c3f5430875307d3b620cfdc11a6f94527aa62941ca06d8bd57c5a6d4ccf4350

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
151KB

MD5
dd8a1a6ea6be2d5640ed9ef5d9363c5d

SHA1
dcfc9fd00bdf6964fbb271a8d0e0f1e9c58c2c8e

SHA256
58a0d5c93ec8ebca39b6bb4f8eae0bc0c0bb63f7f956dfdcaf246178169fd02b

SHA512
64b8bdfe1cd3cb226672fb157743d196f2c6e3b62423b178b2e31c12cd049991017f94d6d4f8134d3aa0ffbb27c8edbd416101499ef68824c2e5e2294334ea3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
152KB

MD5
17a085111caccd8704900ed3ad2d35aa

SHA1
4aba4746404cf9f41d78cb054a26ecb1a6c72ae3

SHA256
a81ed01954b38fb02872f8fe7f281104d941fc5667ba9baf38986f4dd8cbcfa4

SHA512
67e33e52b9e58dfee60c064513e73f9374680f4b56a16cb26080b8dcb11f42d320fb1955d42d9726bf5609a2e8422e7171f3ec6ce55a7c2e4500854d50cb4211

Download Submit