2018fc40b0faeb1ddd7406ec68677a55164633ee245966a07688329459f6da7d

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 14:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cheat.exe
Size

65KB
MD5

596bb1dd5ae0ac50a9218910d193d4cf
SHA1

377563b67e5601266d711345f78df4a7d95cad27
SHA256

2018fc40b0faeb1ddd7406ec68677a55164633ee245966a07688329459f6da7d
SHA512

b543f966b174f59384e0579935ae194bff479576007ef966c7bf1a3e3f256e9686383c21f5c239df9e28970106f7770b09fbb498400b7a26cc981a37a9555299
SSDEEP

1536:fj+u2LoN36tcQviFw1A+HIBnvbLfLteF3nLrB9z3nUaF9b6S9vM:fj+uIoN36tcQviFC9oBnnfWl9zkaF9bC

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Cheat.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation Cheat.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Cheat.exe

Drops startup file 3 IoCs

Processes:

HDAudio.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HDAudio.exe	HDAudio.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HDAudio.exe	HDAudio.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HDAudio.url	HDAudio.exe

Executes dropped EXE 4 IoCs

Processes:

HDAudio.exeHDAudio.exeHDAudio.exeHDAudio.exe

pid process

672 HDAudio.exe
1092 HDAudio.exe
3280 HDAudio.exe
4120 HDAudio.exe

pid	process
672	HDAudio.exe
1092	HDAudio.exe
3280	HDAudio.exe
4120	HDAudio.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

HDAudio.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HDAudio.exe = "\"C:\\Windows\\HDAudio.exe\" .."	HDAudio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HDAudio.exe = "\"C:\\Windows\\HDAudio.exe\" .."	HDAudio.exe

Drops file in Windows directory 2 IoCs

Processes:

Cheat.exeHDAudio.exe

description ioc process

File created C:\Windows\HDAudio.exe Cheat.exe
File opened for modification C:\Windows\HDAudio.exe HDAudio.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2860 schtasks.exe

description	ioc	process
File created	C:\Windows\HDAudio.exe	Cheat.exe
File opened for modification	C:\Windows\HDAudio.exe	HDAudio.exe

pid	process
2860	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133607763177477427"	chrome.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

chrome.exeHDAudio.exe

pid	process
2080	chrome.exe
2080	chrome.exe
672	HDAudio.exe
672	HDAudio.exe
672	HDAudio.exe
672	HDAudio.exe
672	HDAudio.exe
672	HDAudio.exe
672	HDAudio.exe
672	HDAudio.exe
672	HDAudio.exe
672	HDAudio.exe
672	HDAudio.exe
672	HDAudio.exe
672	HDAudio.exe
672	HDAudio.exe
672	HDAudio.exe
672	HDAudio.exe
672	HDAudio.exe
672	HDAudio.exe
672	HDAudio.exe
672	HDAudio.exe
672	HDAudio.exe
672	HDAudio.exe
672	HDAudio.exe
672	HDAudio.exe
672	HDAudio.exe
672	HDAudio.exe
672	HDAudio.exe
672	HDAudio.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

chrome.exe

pid process

2080 chrome.exe
2080 chrome.exe
2080 chrome.exe
2080 chrome.exe
2080 chrome.exe
2080 chrome.exe
2080 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

HDAudio.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	672	HDAudio.exe
Token: 33	672	HDAudio.exe
Token: SeIncBasePriorityPrivilege	672	HDAudio.exe
Token: 33	672	HDAudio.exe
Token: SeIncBasePriorityPrivilege	672	HDAudio.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeCreatePagefilePrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeCreatePagefilePrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeCreatePagefilePrivilege	2080	chrome.exe
Token: 33	672	HDAudio.exe
Token: SeIncBasePriorityPrivilege	672	HDAudio.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeCreatePagefilePrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeCreatePagefilePrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeCreatePagefilePrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeCreatePagefilePrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeCreatePagefilePrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeCreatePagefilePrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeCreatePagefilePrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeCreatePagefilePrivilege	2080	chrome.exe
Token: 33	672	HDAudio.exe
Token: SeIncBasePriorityPrivilege	672	HDAudio.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeCreatePagefilePrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeCreatePagefilePrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeCreatePagefilePrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeCreatePagefilePrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeCreatePagefilePrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeCreatePagefilePrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeCreatePagefilePrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeCreatePagefilePrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeCreatePagefilePrivilege	2080	chrome.exe
Token: 33	672	HDAudio.exe
Token: SeIncBasePriorityPrivilege	672	HDAudio.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeCreatePagefilePrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeCreatePagefilePrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeCreatePagefilePrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeCreatePagefilePrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeCreatePagefilePrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe
Token: SeCreatePagefilePrivilege	2080	chrome.exe
Token: SeShutdownPrivilege	2080	chrome.exe

Suspicious use of FindShellTrayWindow 59 IoCs

Processes:

chrome.exe

pid	process
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe

Suspicious use of SendNotifyMessage 56 IoCs

Processes:

chrome.exe

pid	process
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe
2080	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Cheat.exeHDAudio.exechrome.exe

description	pid	process	target process
PID 3000 wrote to memory of 672	3000	Cheat.exe	HDAudio.exe
PID 3000 wrote to memory of 672	3000	Cheat.exe	HDAudio.exe
PID 3000 wrote to memory of 672	3000	Cheat.exe	HDAudio.exe
PID 672 wrote to memory of 4044	672	HDAudio.exe	schtasks.exe
PID 672 wrote to memory of 4044	672	HDAudio.exe	schtasks.exe
PID 672 wrote to memory of 4044	672	HDAudio.exe	schtasks.exe
PID 672 wrote to memory of 2860	672	HDAudio.exe	schtasks.exe
PID 672 wrote to memory of 2860	672	HDAudio.exe	schtasks.exe
PID 672 wrote to memory of 2860	672	HDAudio.exe	schtasks.exe
PID 2080 wrote to memory of 3220	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 3220	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 5116	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 5116	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 5116	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 5116	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 5116	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 5116	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 5116	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 5116	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 5116	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 5116	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 5116	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 5116	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 5116	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 5116	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 5116	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 5116	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 5116	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 5116	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 5116	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 5116	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 5116	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 5116	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 5116	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 5116	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 5116	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 5116	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 5116	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 5116	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 5116	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 5116	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 5116	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 4800	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 4800	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 2400	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 2400	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 2400	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 2400	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 2400	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 2400	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 2400	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 2400	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 2400	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 2400	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 2400	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 2400	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 2400	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 2400	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 2400	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 2400	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 2400	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 2400	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 2400	2080	chrome.exe	chrome.exe
PID 2080 wrote to memory of 2400	2080	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\Cheat.exe
"C:\Users\Admin\AppData\Local\Temp\Cheat.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Windows\HDAudio.exe
  "C:\Windows\HDAudio.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:672
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "RealtekHDAudio" /f
    3⤵
    PID:4044
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
    3⤵
    - Creates scheduled task(s)
    PID:2860

C:\Windows\HDAudio.exe
C:\Windows\HDAudio.exe
1⤵
- Executes dropped EXE
PID:1092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa18b2ab58,0x7ffa18b2ab68,0x7ffa18b2ab78
  2⤵
  PID:3220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1632 --field-trial-handle=1784,i,14028102145990697067,9491990514917857576,131072 /prefetch:2
  2⤵
  PID:5116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=1784,i,14028102145990697067,9491990514917857576,131072 /prefetch:8
  2⤵
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2240 --field-trial-handle=1784,i,14028102145990697067,9491990514917857576,131072 /prefetch:8
  2⤵
  PID:2400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2872 --field-trial-handle=1784,i,14028102145990697067,9491990514917857576,131072 /prefetch:1
  2⤵
  PID:4516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2888 --field-trial-handle=1784,i,14028102145990697067,9491990514917857576,131072 /prefetch:1
  2⤵
  PID:3528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4420 --field-trial-handle=1784,i,14028102145990697067,9491990514917857576,131072 /prefetch:1
  2⤵
  PID:4204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4584 --field-trial-handle=1784,i,14028102145990697067,9491990514917857576,131072 /prefetch:8
  2⤵
  PID:208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4664 --field-trial-handle=1784,i,14028102145990697067,9491990514917857576,131072 /prefetch:8
  2⤵
  PID:4196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4728 --field-trial-handle=1784,i,14028102145990697067,9491990514917857576,131072 /prefetch:8
  2⤵
  PID:2512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4940 --field-trial-handle=1784,i,14028102145990697067,9491990514917857576,131072 /prefetch:8
  2⤵
  PID:512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4348 --field-trial-handle=1784,i,14028102145990697067,9491990514917857576,131072 /prefetch:8
  2⤵
  PID:3900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4648 --field-trial-handle=1784,i,14028102145990697067,9491990514917857576,131072 /prefetch:1
  2⤵
  PID:1316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5100 --field-trial-handle=1784,i,14028102145990697067,9491990514917857576,131072 /prefetch:1
  2⤵
  PID:4400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4932 --field-trial-handle=1784,i,14028102145990697067,9491990514917857576,131072 /prefetch:1
  2⤵
  PID:1172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=1608 --field-trial-handle=1784,i,14028102145990697067,9491990514917857576,131072 /prefetch:1
  2⤵
  PID:2500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5408 --field-trial-handle=1784,i,14028102145990697067,9491990514917857576,131072 /prefetch:8
  2⤵
  PID:4920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5488 --field-trial-handle=1784,i,14028102145990697067,9491990514917857576,131072 /prefetch:8
  2⤵
  PID:4916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3316 --field-trial-handle=1784,i,14028102145990697067,9491990514917857576,131072 /prefetch:8
  2⤵
  PID:2732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4124 --field-trial-handle=1784,i,14028102145990697067,9491990514917857576,131072 /prefetch:2
  2⤵
  PID:4516

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4400

C:\Windows\HDAudio.exe
C:\Windows\HDAudio.exe
1⤵
- Executes dropped EXE
PID:3280

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f0 0x50c
1⤵
PID:1560

C:\Windows\HDAudio.exe
C:\Windows\HDAudio.exe
1⤵
- Executes dropped EXE
PID:4120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000012

Filesize
184KB

MD5
b7882e9f477708327142eda25d38cf8f

SHA1
b8cfb07f53a2a2ad232ee5ad436c1bfaaa0b2331

SHA256
5dee7e333a79425a21101112b700ef3d5531f5c6e5006e2eca9ec801fc4cb5a7

SHA512
30be8d1a5e3723c25466eb49b0525cf0a0db60ba7069538cd8e0bac74456d0a3059f6cd8a09ccc0b18b1135965bddcf7d1d8505aed6c76dc82a7364baee1827e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
792B

MD5
6c223e2f1a5ec3cbb0b4e04834714665

SHA1
d99f446c4c059cbb2cada4e1aa21f55976131cf4

SHA256
b2fe346cbffc2f46323379bd9a52746b5c0faaebc0354395775d9b7094176901

SHA512
3d8fb16754cb8e3d06c936ce2ed44ae6606a16b0c663baa5bccd1993071cad22741a99b6db653a83bbf207cb8820317a55e8560407a3e4cd42eabd71459be9b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
cb69f3e75482fe1cb7a9656f2a845bc1

SHA1
b0f15da26bb74eee5a95bfad401432d04dc5a7a6

SHA256
d952c3066c9f1c60df33d30e3f76d7ff28db02d26e268d80f4c41b2ff1b9c9ed

SHA512
f2c6c033727408b49389aa6e77de6d4ac6e7d8918c13da826f23b3316967bb5ac5bb170cc827dd435cd0e40c110b3183e1f1240d908c7ea211da8b4feff66b46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
a38a48e06e2d02be9bb89d236b489276

SHA1
f9437ca500f21e3801b9b3a9c9ec2f83b716fb7f

SHA256
90ef5b9c48343d24029becee06f8b7ca0ae7baefff1f1c514e5a1b2e88497ec4

SHA512
247ab87fb4f3c0b51dfc9046ee1cabe8bdbc99e1f469850df566a9417a7e64d2b383aa910208f36bb30b163c7efaef31246c2502e6ff28174a166ed9886abf43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
bc98782a2b0ccb7eee829bee11a44e8b

SHA1
7556544224693bc90b1df62057c9b568da4de1c0

SHA256
1dc22cee5006609e8a83cf7733ac0e98fde80357616ff6b1658ced6ba72d0be4

SHA512
674684c7541ef58d7608378cea65a6e9198f41b3eabfc1b4e7a7b2047ee3691846b6795fda55971598e7a06affff1115d1a7150f3557d00b83a8858bf61afb56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
0158d8d55e04572607e38433bff38412

SHA1
0da14dd30a086d72ea4dbb7d082bd4ccbe2c231d

SHA256
f38fce1fb639d95e6d33e2636236f9db19f001679e688b585d99518e4e85b92a

SHA512
04fbc7bb14f281a2b1c1f08273843bda386a3374cf2925464ced6953f9cb55b97abbdcdfcbf23f23245103a56e5ffe1359c668dddf18a508c5541a8ef19eda4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c1a8a21b2a4b5b29aa22981c813af51c

SHA1
f6cb19e03bbf53ef2be633929794bb4c75161d3a

SHA256
6a74da6ab8e3cac73a5cd620fac687fcbbb4bf86dc386a8f0a58cb3fb508af86

SHA512
c2e99bfd4503f005ee7cf4d661b43cae319b99280a3b930bda1275b046d9d5f62be417fbd4d3edefd215f25e2200c71619f4a0cc3f17e448231614c97ed9f1e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
dd97c6546e04b92eccf9c35c94134311

SHA1
4793d9f0c977e4ad6cc9b207f6c6410fc8f55e01

SHA256
22e240789d085b7d2be5835d4118ea27961ee2780c07e818c5d2b5d8e5fe79b3

SHA512
51e0c6232c2eb5d5d43aa82f6fb3e3028bc2e4a565a3992fbc634b29bb1925d641321c436b5101940c7c0dac2e843526079a722039dada3bc7f906c601bb28c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
1aa41ae0d0a81a97f990447191d304b9

SHA1
2a8a5a1dc079bed0f532aa9b97952781746d060e

SHA256
d7632948b9069ad0e9837bb6c074481d93e1f6b6203ba0788f80d6052bcbcec9

SHA512
f38cdd372a751771325ae3db1b4b0319c048a5d33d5fea3742856cfe6a67416cb5fbe924e39898ff23a4a169eb8e1035101999823ace0c89ff64655d54238101

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
7755b5b1ef2d0daceed4096603c012b4

SHA1
82490ded2a77cdafcde410bf8e3b64a753a56732

SHA256
254025ad53cc78086a4922f6d264d2cfb599f987555548017ac25eae2aa3e03d

SHA512
710fcba28c4f4314040ca077ff88f954e28d49fb11316645b09dc0741f558f4e76bf6e573ddfc27412abfb8b42ee19448d72774742e3da7ae4d8df3a0f62463e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
850e45ece8a7d3cf91a76fe9a2fd6098

SHA1
cd6874b50b3057b75d2649d2892592a5a13c9cdf

SHA256
6b0b62ed46874c2ec3a9040031e0d86ee6f6541575aa16274ef86867aa48781f

SHA512
4aa632e9324b7ea953b0b6d954c7559f3716ae678676a4f4ee689697775a5b8c5160d6fcd7849688be85823225c4b7cc5c80f029be45f45f8ee1b2e0b47e0cba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
259KB

MD5
b8ab29adfda8ee6709918ec9e6c0e388

SHA1
2556a5c116367b6261541da389ed630b53fd0093

SHA256
c7a9c1f77a3b79c7010924b2c70ecbf25a52e28b6cf5b9b834e3784613deba7f

SHA512
232829125376dd5a425493d7a3076366387aa155b03fece4f83a0ce3161e09eae7320c06a9bc0c2810d0efcbcb33622ec2cb0cb0d3b2b7ae4896f36c490cf921

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
90KB

MD5
0196b08ab64db94461c606c0ef4b144b

SHA1
ea1409cf9b5fc0ddc02b2f956d286970bb5e42b2

SHA256
20c72b72241b3b78c2e07e950f31d64578991fd1f94f09e3f344215fbdf652d0

SHA512
6e8a17a2a4d1bd46ac27c0cbd70b120e842cf6437be424f75534bb8a0a722cc9243e182373fa0b4993e30d39f3330bd9d315c9b16fc2419ac9e0bf029b73750b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
91KB

MD5
1788edbd5dda6e9920a7c886b8781cb9

SHA1
02d08d7ac79c3e40177f11c431432611ca5b2555

SHA256
8660d7b1de5a3db991fe1e70afe1c875ff91475a1cb1a0d57a04f126f74ef9c4

SHA512
c3a8f44d0a57f9a3c40658c7c6a56375b18e14a9e3f7eef28390d18f3645000c9a746e097d9e9803db12c4175ea522b8a9472294e63add5ab3ffd0f1937fd35e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58baa0.TMP

Filesize
89KB

MD5
8c93ed905c039886c5eadbf07051cb16

SHA1
7e22a470be104da81b9168c5dd179c72d89bb4f3

SHA256
2a46c558dfacace91c1bf4463f858479b173ab93e0380199dbce4f6a01395582

SHA512
0456c5c396faaee54ac55c5e14a5fa0c9069add85e86fa764f44e315fdf490a28bcb724f01fc480a30a8a4b89887a29ba82d59245bd2a8953562d0e0946af48a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\HDAudio.exe.log

Filesize
319B

MD5
da4fafeffe21b7cb3a8c170ca7911976

SHA1
50ef77e2451ab60f93f4db88325b897d215be5ad

SHA256
7341a4a13e81cbb5b7f39ec47bb45f84836b08b8d8e3ea231d2c7dad982094f7

SHA512
0bc24b69460f31a0ebc0628b99908d818ee85feb7e4b663271d9375b30cced0cd55a0bbf8edff1281a4c886ddf4476ffc989c283069cdcb1235ffcb265580fc6

Download Submit
C:\Windows\HDAudio.exe

Filesize
65KB

MD5
596bb1dd5ae0ac50a9218910d193d4cf

SHA1
377563b67e5601266d711345f78df4a7d95cad27

SHA256
2018fc40b0faeb1ddd7406ec68677a55164633ee245966a07688329459f6da7d

SHA512
b543f966b174f59384e0579935ae194bff479576007ef966c7bf1a3e3f256e9686383c21f5c239df9e28970106f7770b09fbb498400b7a26cc981a37a9555299

Download Submit
\??\pipe\crashpad_2080_WIPWGTJTLBNCEWYR

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/672-18-0x0000000075480000-0x0000000075A31000-memory.dmp

Filesize
5.7MB

Download
memory/672-25-0x0000000075480000-0x0000000075A31000-memory.dmp

Filesize
5.7MB

Download
memory/672-84-0x0000000075480000-0x0000000075A31000-memory.dmp

Filesize
5.7MB

Download
memory/672-13-0x0000000075480000-0x0000000075A31000-memory.dmp

Filesize
5.7MB

Download
memory/672-14-0x0000000075480000-0x0000000075A31000-memory.dmp

Filesize
5.7MB

Download
memory/1092-24-0x0000000075480000-0x0000000075A31000-memory.dmp

Filesize
5.7MB

Download
memory/1092-20-0x0000000075480000-0x0000000075A31000-memory.dmp

Filesize
5.7MB

Download
memory/1092-21-0x0000000075480000-0x0000000075A31000-memory.dmp

Filesize
5.7MB

Download
memory/1092-22-0x0000000075480000-0x0000000075A31000-memory.dmp

Filesize
5.7MB

Download
memory/3000-0-0x0000000075482000-0x0000000075483000-memory.dmp

Filesize
4KB

Download
memory/3000-12-0x0000000075480000-0x0000000075A31000-memory.dmp

Filesize
5.7MB

Download
memory/3000-2-0x0000000075480000-0x0000000075A31000-memory.dmp

Filesize
5.7MB

Download
memory/3000-1-0x0000000075480000-0x0000000075A31000-memory.dmp

Filesize
5.7MB

Download