6c63d9715bc084a6be4775ec881bca2f91e7a498c51cbaea27b671c1d213242e

Resubmissions

20/05/2024, 19:32

240520-x9fyfaea46 3

20/05/2024, 19:27

240520-x59d7adg72 6

Analysis

max time kernel
248s
max time network
243s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$RI2Z1MB.dll
Size

1.8MB
MD5

99b5c4ac12d28d840b0b65072a939517
SHA1

bd9c66db029a913b6496bcb1c8b3331b151dcdb9
SHA256

6c63d9715bc084a6be4775ec881bca2f91e7a498c51cbaea27b671c1d213242e
SHA512

7cfa930593dc103c28553aebce102a3352346b41c29b78b7d358e53c3feb5ddd67d1e4e3c6f0b8e34b8ca81e7af8fca7691a316cd9e553d66f340baa8133723d
SSDEEP

24576:4J587MMOug9hBE/FKFsD8Rc4alwRvuGKFzFTSpkPV/nmRwr5dcd:084MoSGqlnlRFTFVnbr2

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
90	discord.com
89	discord.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133607069711416918"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4124900551-4068476067-3491212533-1000\{19A348E2-CA88-45C6-B299-3DAE02F7DDE2}	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
448	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2120	chrome.exe
2120	chrome.exe
5492	chrome.exe
5492	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3504	OpenWith.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
668	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
3504	OpenWith.exe
3504	OpenWith.exe
3504	OpenWith.exe
3504	OpenWith.exe
3504	OpenWith.exe
3504	OpenWith.exe
3504	OpenWith.exe
3504	OpenWith.exe
3504	OpenWith.exe
3504	OpenWith.exe
3504	OpenWith.exe
3504	OpenWith.exe
3504	OpenWith.exe
3504	OpenWith.exe
3504	OpenWith.exe
3504	OpenWith.exe
3504	OpenWith.exe
3504	OpenWith.exe
3504	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3504 wrote to memory of 448	3504	OpenWith.exe	101
PID 3504 wrote to memory of 448	3504	OpenWith.exe	101
PID 2120 wrote to memory of 3892	2120	chrome.exe	105
PID 2120 wrote to memory of 3892	2120	chrome.exe	105
PID 2120 wrote to memory of 4408	2120	chrome.exe	106
PID 2120 wrote to memory of 4408	2120	chrome.exe	106
PID 2120 wrote to memory of 4408	2120	chrome.exe	106
PID 2120 wrote to memory of 4408	2120	chrome.exe	106
PID 2120 wrote to memory of 4408	2120	chrome.exe	106
PID 2120 wrote to memory of 4408	2120	chrome.exe	106
PID 2120 wrote to memory of 4408	2120	chrome.exe	106
PID 2120 wrote to memory of 4408	2120	chrome.exe	106
PID 2120 wrote to memory of 4408	2120	chrome.exe	106
PID 2120 wrote to memory of 4408	2120	chrome.exe	106
PID 2120 wrote to memory of 4408	2120	chrome.exe	106
PID 2120 wrote to memory of 4408	2120	chrome.exe	106
PID 2120 wrote to memory of 4408	2120	chrome.exe	106
PID 2120 wrote to memory of 4408	2120	chrome.exe	106
PID 2120 wrote to memory of 4408	2120	chrome.exe	106
PID 2120 wrote to memory of 4408	2120	chrome.exe	106
PID 2120 wrote to memory of 4408	2120	chrome.exe	106
PID 2120 wrote to memory of 4408	2120	chrome.exe	106
PID 2120 wrote to memory of 4408	2120	chrome.exe	106
PID 2120 wrote to memory of 4408	2120	chrome.exe	106
PID 2120 wrote to memory of 4408	2120	chrome.exe	106
PID 2120 wrote to memory of 4408	2120	chrome.exe	106
PID 2120 wrote to memory of 4408	2120	chrome.exe	106
PID 2120 wrote to memory of 4408	2120	chrome.exe	106
PID 2120 wrote to memory of 4408	2120	chrome.exe	106
PID 2120 wrote to memory of 4408	2120	chrome.exe	106
PID 2120 wrote to memory of 4408	2120	chrome.exe	106
PID 2120 wrote to memory of 4408	2120	chrome.exe	106
PID 2120 wrote to memory of 4408	2120	chrome.exe	106
PID 2120 wrote to memory of 4408	2120	chrome.exe	106
PID 2120 wrote to memory of 4408	2120	chrome.exe	106
PID 2120 wrote to memory of 4796	2120	chrome.exe	107
PID 2120 wrote to memory of 4796	2120	chrome.exe	107
PID 2120 wrote to memory of 4036	2120	chrome.exe	108
PID 2120 wrote to memory of 4036	2120	chrome.exe	108
PID 2120 wrote to memory of 4036	2120	chrome.exe	108
PID 2120 wrote to memory of 4036	2120	chrome.exe	108
PID 2120 wrote to memory of 4036	2120	chrome.exe	108
PID 2120 wrote to memory of 4036	2120	chrome.exe	108
PID 2120 wrote to memory of 4036	2120	chrome.exe	108
PID 2120 wrote to memory of 4036	2120	chrome.exe	108
PID 2120 wrote to memory of 4036	2120	chrome.exe	108
PID 2120 wrote to memory of 4036	2120	chrome.exe	108
PID 2120 wrote to memory of 4036	2120	chrome.exe	108
PID 2120 wrote to memory of 4036	2120	chrome.exe	108
PID 2120 wrote to memory of 4036	2120	chrome.exe	108
PID 2120 wrote to memory of 4036	2120	chrome.exe	108
PID 2120 wrote to memory of 4036	2120	chrome.exe	108
PID 2120 wrote to memory of 4036	2120	chrome.exe	108
PID 2120 wrote to memory of 4036	2120	chrome.exe	108
PID 2120 wrote to memory of 4036	2120	chrome.exe	108
PID 2120 wrote to memory of 4036	2120	chrome.exe	108
PID 2120 wrote to memory of 4036	2120	chrome.exe	108
PID 2120 wrote to memory of 4036	2120	chrome.exe	108
PID 2120 wrote to memory of 4036	2120	chrome.exe	108
PID 2120 wrote to memory of 4036	2120	chrome.exe	108
PID 2120 wrote to memory of 4036	2120	chrome.exe	108
PID 2120 wrote to memory of 4036	2120	chrome.exe	108
PID 2120 wrote to memory of 4036	2120	chrome.exe	108
PID 2120 wrote to memory of 4036	2120	chrome.exe	108

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$RI2Z1MB.dll,#1
1⤵
PID:1116

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4412

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3504
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\AssertExport.jtx
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffefa21ab58,0x7ffefa21ab68,0x7ffefa21ab78
  2⤵
  PID:3892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1580 --field-trial-handle=1708,i,2402464078371979504,3242636657452575541,131072 /prefetch:2
  2⤵
  PID:4408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1708,i,2402464078371979504,3242636657452575541,131072 /prefetch:8
  2⤵
  PID:4796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2208 --field-trial-handle=1708,i,2402464078371979504,3242636657452575541,131072 /prefetch:8
  2⤵
  PID:4036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3088 --field-trial-handle=1708,i,2402464078371979504,3242636657452575541,131072 /prefetch:1
  2⤵
  PID:2356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3096 --field-trial-handle=1708,i,2402464078371979504,3242636657452575541,131072 /prefetch:1
  2⤵
  PID:3436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4296 --field-trial-handle=1708,i,2402464078371979504,3242636657452575541,131072 /prefetch:1
  2⤵
  PID:2572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4516 --field-trial-handle=1708,i,2402464078371979504,3242636657452575541,131072 /prefetch:8
  2⤵
  PID:940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4612 --field-trial-handle=1708,i,2402464078371979504,3242636657452575541,131072 /prefetch:8
  2⤵
  PID:1040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4800 --field-trial-handle=1708,i,2402464078371979504,3242636657452575541,131072 /prefetch:8
  2⤵
  PID:1576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4888 --field-trial-handle=1708,i,2402464078371979504,3242636657452575541,131072 /prefetch:8
  2⤵
  PID:4532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 --field-trial-handle=1708,i,2402464078371979504,3242636657452575541,131072 /prefetch:8
  2⤵
  PID:1192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4208 --field-trial-handle=1708,i,2402464078371979504,3242636657452575541,131072 /prefetch:1
  2⤵
  PID:3748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5052 --field-trial-handle=1708,i,2402464078371979504,3242636657452575541,131072 /prefetch:1
  2⤵
  PID:2208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4940 --field-trial-handle=1708,i,2402464078371979504,3242636657452575541,131072 /prefetch:8
  2⤵
  PID:4920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3256 --field-trial-handle=1708,i,2402464078371979504,3242636657452575541,131072 /prefetch:8
  2⤵
  - Modifies registry class
  PID:2568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4692 --field-trial-handle=1708,i,2402464078371979504,3242636657452575541,131072 /prefetch:8
  2⤵
  PID:376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=3948 --field-trial-handle=1708,i,2402464078371979504,3242636657452575541,131072 /prefetch:1
  2⤵
  PID:464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2728 --field-trial-handle=1708,i,2402464078371979504,3242636657452575541,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5492

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1844

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x408 0x4cc
1⤵
PID:5936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

Filesize
29KB

MD5
852b0b2c2d8124eb0074ebcd068910b3

SHA1
d5725c2f174673a1a71d22d54e36c485cba702ba

SHA256
4bbe4f392079c9f4fea1a49a2fcfd9c67c2f55ed93e55db68ab050912855e06d

SHA512
5078fffab1191cd15220eb2d840cb7feb4bce697b11374a3a856f970496dffe3c01d1eccc8c06dafaae171274efbae052a89e4d57d9ff1149153269e31e71dfc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
d2e9f73e46ed0c14e9e8c240d9291443

SHA1
5aab8784358952905fdb4dd45eca14dd8ed4a78a

SHA256
486bdc8f616ae5b1e44850dc9d3d8ecb106844fb698fc446df2cea8db6b31a74

SHA512
7ee0568adc744660084030158b3244fdb87b9bae6ecee9e2478dcea24c3f36a66bf2fc1fe6a393e9c66fcea2b651a3aaef9411f4dd0d341f6367b34ec7110978

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
0ed5a9d18373e0ba26824bbd29ae6172

SHA1
44407b5cbfc9482fcd7cb6d8421269cd40fb9617

SHA256
0194e49d7fc5a062db8e3ce92552d07853e887640c080acdf6eab02f1aa9bc8e

SHA512
03555c9c68c5a665afd9c47a0ab6f17a1cb301deb76cf976f8d55511eea846faacc50bfeb0f315c372e2250a22293d7e462ff3d53db8d23517de58b02710d16d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
b359de3cdca940cbbe8ec7ff92274f81

SHA1
18917b816a0a9563f3fd23cfdbf513b001c78b91

SHA256
e44d99bcba8dbeb0441328cb40cb414be407b3ebd2c59bb9483f1c4a9d9c0578

SHA512
477896058b4c9ccd6dc6d0b6699e767486aa0d949221fa704ed5b864afabfa4fe5e0cfbfdd58fa7254c9afe2297607d470e428872fc3bddda785c11117c7e7f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
cbbbb36786716d361a244bfafccae28f

SHA1
34192c38a7086a45251467a9f1ba6d09b179d6a3

SHA256
df54e96f32793dfb10d272e32ff4b3c13622e12de159b56bfa0335e8c924e8f3

SHA512
838a3c0a94624c8e8d45c558b5e43ece5762cac48957cde432f4c74ca16b0145540342a23639710c0e929984743e76985449fe2aa5a64489f75ec96c7ebfac90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
9dcb66032991b685099900d967fa1d25

SHA1
736e1412fb2655c7769977cf4a5d01c6dc6d1d32

SHA256
8b21c6fa17cee31256b9083b4725539eb07d0ab20e857299587ecc15d4a15e77

SHA512
00df8164ebb4df611a831523dd1a584e5008c34b671823cf20889148be9e8f6056ec20284975f9457c836286a1f16880d0b1d92691c87b14fd7c5c0a970a5f75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
b679a615360789410d1d2a03bfbda71c

SHA1
bd48ed7ca4fe42b858f8565d3ea178e17330723b

SHA256
99a810d803698ce02aa074bd16e1a14960fa2b9570f1a5e06f8ad6603c59b056

SHA512
3395e2d8f867da398ce1ea4595ce02aafacc991bd80261965aace1740720aef2780d051dcc8de4cb1e3532cf84dbff0b3b60b3270e24c654ca7b539efbe32d56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
3e87ecf971cd154b5f63ea9fdb5cbbb1

SHA1
6bd4c379c4b34b20d2d60c200d60f8dbccd2689a

SHA256
50efd6620fe041fa6f0747f2279d240b3b8b314f487e27a101fbb1f85b1baf2f

SHA512
f6cc8b272c5eabf042731d288bbe8a899a888cc1369a047bb1e8052019bdad9bb4a71be1d4f69d75f59ac3b063adecb5ff8a0669de647b9533fb0e5b9e4b63fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
efe7d16f6803b6fac41d4d0a89381531

SHA1
b7fbb36245c5bac3711b6fa03fd41bbd319ab142

SHA256
0e7acf0abc41af7e76885dce79b77714394333a9bccab93204db9e07ac33ddab

SHA512
0006979320e6f2a6131b08f0b1a704ba112ad83d5a65140b8522cb05a57305094d05b925950fb016d16f106146a2310c84a7d338912b6a48167e1aae50e84a29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8c5b78b38399fda90837e88ff5b7dc44

SHA1
8f10f2028f4fb0aaed74dacd6bf7f194bac9060b

SHA256
4d18c8c748386344ca141ee32df8dde4b0e8ea9eaeeb08363bf0c077b443ffce

SHA512
9830e1f9d4f23254bb7f2cb7614071df350c40857c98540e5e62ab8b9ee87680febedfff99b6357e09ffed91373f167ffd5023a977062abe1bf7b6cc75e347fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
499f4406565d938dd2cd8cee59c808b9

SHA1
057f0760528fe02ba8ac88e454fd33f67f822017

SHA256
aa3af474afc4a240bb830c3eb95ffd6645101282891b6619f835bc2d65fb9d08

SHA512
bdad92654db622c79d0ff0a420c00b5350f5ac3c6c4e9411f598e80dfa9ef458b77b7aaa0bf6ece247f12a10d8759be20d451cc2f44b5e3308eb41c4d60f4609

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
6c0803cb1cb40c61459b177fb2489dda

SHA1
1d6fbb614e108006d81669d2fe48ddb3a20d32c1

SHA256
76622006204d1aa838bb86dc40d02c89b2c5f06be8d46886a8fd0fd410af991e

SHA512
d9fb4149f8179e23ef5214b97e830c527f75159c9f206910ea1a89827e75e7039891e9a65caa34af06d522300286e7bc13497d7d0f11260bb69f6be1125a3619

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
27e342ca3d15c6ffc542f6917657fd6c

SHA1
9a0d218feb004a294505addc55ed73f60b031a20

SHA256
151572612a1fe018738156f0c2d406027ace9e7f82649e67395a2b7a748f8ae5

SHA512
ff2a9bf7068c2e2873bcce5a547045dba845c1a156a2d8eaafccff6bc9ab8d1fc677b8c488f75386a283c7f2da2e33264bbe0f63b7e829a786f934ffa8b379d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
85f19232b73b68a1af599592fb2ea94b

SHA1
116c5044e6d56b8e1aec43ea8aab9dff8d40dc8e

SHA256
de6659e8e809c0670330dc938171cabdf6376b87d049cb64186312f9f6509ae3

SHA512
98be4a36a49127ed52cee3d9b79802556536748fb6cdc9e36f133dcc2982bc93f245ff5d60896110e7f51c8c985c2f73f364cd80481d115256811b1cf166adbb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
260KB

MD5
b98516a6b22500b7002d99a461465c38

SHA1
4d2585374e90e122e3f7a45bcdc206552abd3fed

SHA256
dbaecec0f7754c469d44a72df10244ec9db1fa027745073e049fbecc0245f612

SHA512
223d4d0809535bf40230eee371106f34a3d87e2df78ca7850203bb94a28ba4ce4face97f34984ab9ca583fa1fc13bb179123468c03911528401ba0fae0693034

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
93KB

MD5
3981c16d48dfdb98dd661f97356631a9

SHA1
7a6803ac32ee8989c71c78b8150b63c0a91c9736

SHA256
36b0f36b766ed8832b0a6bbe702e60a97867454d67cfd042b7db4144aefae699

SHA512
1ab2e011a095b1568049e4ed5e267c0f2d62e3e49f03b44313a1528562a9e6d68310c6b359453ddc9cdb085ddd5d294cd18535f6c5b8493824f7498a2c14f25c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58e52b.TMP

Filesize
89KB

MD5
446617ec369dd49d85d47de5b9f7dcb7

SHA1
cdeee00eae7e773e798eb7d5211fc1beeb1f8b89

SHA256
20d138b6fe9289256e43bbc3d2487134c11af55a5a8f77a73a239fe1cf1e66bb

SHA512
df92ce8baa3b6bd4e5bbb094d137275cc5c61593bdb6c8641ee51f839f40ba393d6befc21d70da6cafbb2208abc76f98a7ae29bc54e0af82e4e115d22c9c5cb0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit