hxxps://cdn[.]discordapp[.]com/attachments/1123901688529571921/1246648939441029240/unknown?ex=665d27cc&is=665bd64c&hm=38deb9822df85cc8f9bb7c2f592527c318329b2471975aed248764b2d7699531&

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 02:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1123901688529571921/1246648939441029240/unknown?ex=665d27cc&is=665bd64c&hm=38deb9822df85cc8f9bb7c2f592527c318329b2471975aed248764b2d7699531&

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Winword.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Winword.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133617683530679996"	chrome.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4896	Winword.exe
4896	Winword.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
3328	AcroRd32.exe
3328	AcroRd32.exe
3328	AcroRd32.exe
3328	AcroRd32.exe
3328	AcroRd32.exe
3328	AcroRd32.exe
3328	AcroRd32.exe
3328	AcroRd32.exe
3328	AcroRd32.exe
3328	AcroRd32.exe
3328	AcroRd32.exe
3328	AcroRd32.exe
3328	AcroRd32.exe
3328	AcroRd32.exe
3328	AcroRd32.exe
3328	AcroRd32.exe
3328	AcroRd32.exe
3328	AcroRd32.exe
3328	AcroRd32.exe
3328	AcroRd32.exe
4888	chrome.exe
4888	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4296	OpenWith.exe
4008	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2564	chrome.exe
2564	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe
Token: SeShutdownPrivilege	2564	chrome.exe
Token: SeCreatePagefilePrivilege	2564	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4296	OpenWith.exe
4268	OpenWith.exe
4268	OpenWith.exe
4268	OpenWith.exe
4268	OpenWith.exe
4268	OpenWith.exe
4268	OpenWith.exe
4268	OpenWith.exe
4268	OpenWith.exe
4268	OpenWith.exe
4268	OpenWith.exe
4268	OpenWith.exe
4268	OpenWith.exe
4268	OpenWith.exe
4268	OpenWith.exe
4268	OpenWith.exe
4268	OpenWith.exe
4268	OpenWith.exe
4268	OpenWith.exe
4268	OpenWith.exe
4268	OpenWith.exe
4268	OpenWith.exe
4268	OpenWith.exe
4268	OpenWith.exe
4268	OpenWith.exe
4268	OpenWith.exe
4268	OpenWith.exe
4268	OpenWith.exe
4268	OpenWith.exe
4268	OpenWith.exe
4268	OpenWith.exe
4268	OpenWith.exe
3328	AcroRd32.exe
3328	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 4940	2564	chrome.exe	85
PID 2564 wrote to memory of 4940	2564	chrome.exe	85
PID 2564 wrote to memory of 1632	2564	chrome.exe	86
PID 2564 wrote to memory of 1632	2564	chrome.exe	86
PID 2564 wrote to memory of 1632	2564	chrome.exe	86
PID 2564 wrote to memory of 1632	2564	chrome.exe	86
PID 2564 wrote to memory of 1632	2564	chrome.exe	86
PID 2564 wrote to memory of 1632	2564	chrome.exe	86
PID 2564 wrote to memory of 1632	2564	chrome.exe	86
PID 2564 wrote to memory of 1632	2564	chrome.exe	86
PID 2564 wrote to memory of 1632	2564	chrome.exe	86
PID 2564 wrote to memory of 1632	2564	chrome.exe	86
PID 2564 wrote to memory of 1632	2564	chrome.exe	86
PID 2564 wrote to memory of 1632	2564	chrome.exe	86
PID 2564 wrote to memory of 1632	2564	chrome.exe	86
PID 2564 wrote to memory of 1632	2564	chrome.exe	86
PID 2564 wrote to memory of 1632	2564	chrome.exe	86
PID 2564 wrote to memory of 1632	2564	chrome.exe	86
PID 2564 wrote to memory of 1632	2564	chrome.exe	86
PID 2564 wrote to memory of 1632	2564	chrome.exe	86
PID 2564 wrote to memory of 1632	2564	chrome.exe	86
PID 2564 wrote to memory of 1632	2564	chrome.exe	86
PID 2564 wrote to memory of 1632	2564	chrome.exe	86
PID 2564 wrote to memory of 1632	2564	chrome.exe	86
PID 2564 wrote to memory of 1632	2564	chrome.exe	86
PID 2564 wrote to memory of 1632	2564	chrome.exe	86
PID 2564 wrote to memory of 1632	2564	chrome.exe	86
PID 2564 wrote to memory of 1632	2564	chrome.exe	86
PID 2564 wrote to memory of 1632	2564	chrome.exe	86
PID 2564 wrote to memory of 1632	2564	chrome.exe	86
PID 2564 wrote to memory of 1632	2564	chrome.exe	86
PID 2564 wrote to memory of 1632	2564	chrome.exe	86
PID 2564 wrote to memory of 1632	2564	chrome.exe	86
PID 2564 wrote to memory of 4460	2564	chrome.exe	87
PID 2564 wrote to memory of 4460	2564	chrome.exe	87
PID 2564 wrote to memory of 3512	2564	chrome.exe	88
PID 2564 wrote to memory of 3512	2564	chrome.exe	88
PID 2564 wrote to memory of 3512	2564	chrome.exe	88
PID 2564 wrote to memory of 3512	2564	chrome.exe	88
PID 2564 wrote to memory of 3512	2564	chrome.exe	88
PID 2564 wrote to memory of 3512	2564	chrome.exe	88
PID 2564 wrote to memory of 3512	2564	chrome.exe	88
PID 2564 wrote to memory of 3512	2564	chrome.exe	88
PID 2564 wrote to memory of 3512	2564	chrome.exe	88
PID 2564 wrote to memory of 3512	2564	chrome.exe	88
PID 2564 wrote to memory of 3512	2564	chrome.exe	88
PID 2564 wrote to memory of 3512	2564	chrome.exe	88
PID 2564 wrote to memory of 3512	2564	chrome.exe	88
PID 2564 wrote to memory of 3512	2564	chrome.exe	88
PID 2564 wrote to memory of 3512	2564	chrome.exe	88
PID 2564 wrote to memory of 3512	2564	chrome.exe	88
PID 2564 wrote to memory of 3512	2564	chrome.exe	88
PID 2564 wrote to memory of 3512	2564	chrome.exe	88
PID 2564 wrote to memory of 3512	2564	chrome.exe	88
PID 2564 wrote to memory of 3512	2564	chrome.exe	88
PID 2564 wrote to memory of 3512	2564	chrome.exe	88
PID 2564 wrote to memory of 3512	2564	chrome.exe	88
PID 2564 wrote to memory of 3512	2564	chrome.exe	88
PID 2564 wrote to memory of 3512	2564	chrome.exe	88
PID 2564 wrote to memory of 3512	2564	chrome.exe	88
PID 2564 wrote to memory of 3512	2564	chrome.exe	88
PID 2564 wrote to memory of 3512	2564	chrome.exe	88
PID 2564 wrote to memory of 3512	2564	chrome.exe	88
PID 2564 wrote to memory of 3512	2564	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.discordapp.com/attachments/1123901688529571921/1246648939441029240/unknown?ex=665d27cc&is=665bd64c&hm=38deb9822df85cc8f9bb7c2f592527c318329b2471975aed248764b2d7699531&
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0x9c,0x108,0x7fff76e2ab58,0x7fff76e2ab68,0x7fff76e2ab78
  2⤵
  PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1896,i,10131737940574348480,5767290174904504709,131072 /prefetch:2
  2⤵
  PID:1632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1896,i,10131737940574348480,5767290174904504709,131072 /prefetch:8
  2⤵
  PID:4460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2220 --field-trial-handle=1896,i,10131737940574348480,5767290174904504709,131072 /prefetch:8
  2⤵
  PID:3512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1896,i,10131737940574348480,5767290174904504709,131072 /prefetch:1
  2⤵
  PID:1736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=1896,i,10131737940574348480,5767290174904504709,131072 /prefetch:1
  2⤵
  PID:3768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4684 --field-trial-handle=1896,i,10131737940574348480,5767290174904504709,131072 /prefetch:8
  2⤵
  PID:4464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4780 --field-trial-handle=1896,i,10131737940574348480,5767290174904504709,131072 /prefetch:8
  2⤵
  PID:1152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 --field-trial-handle=1896,i,10131737940574348480,5767290174904504709,131072 /prefetch:8
  2⤵
  PID:1760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4724 --field-trial-handle=1896,i,10131737940574348480,5767290174904504709,131072 /prefetch:8
  2⤵
  PID:3632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4932 --field-trial-handle=1896,i,10131737940574348480,5767290174904504709,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4888

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:60

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1064

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4296
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\unknown
  2⤵
  PID:3884

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4268
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\unknown"
  2⤵
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3328
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    PID:4488
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=318F0DC9E678433BEE2847B4428DBEBF --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=318F0DC9E678433BEE2847B4428DBEBF --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:3500
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C7F47A6ABB3BAD495B823735F101A0CD --mojo-platform-channel-handle=1760 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:2796
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1EF6DED9F2DC8875CDD0FB202D81F280 --mojo-platform-channel-handle=2304 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:5080
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=17534A3AE4B998FCD99D40AEC22818B0 --mojo-platform-channel-handle=1984 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:4020
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3D3519F6535EE19E3D893FAEA890C07F --mojo-platform-channel-handle=2396 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:1148

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1564

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:4008
- C:\Program Files\Microsoft Office\root\Office16\Winword.exe
  "C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\Downloads\unknown"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  PID:4896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
ef18b28a59e703c6db105afa5ea22fdb

SHA1
66773e25a855fb4c26efc3ecfbc55b4631a84c5f

SHA256
a1f5d1870982fd42f2b0b7b9678e864b919e5fd3c6c88fb314aed4a16a3be133

SHA512
3664129ecccd362a43d3a6aabbc81a17d2f2382607dcff85e9ddb47deec3520eff183d0869583c9cbfb29d1631344040614d0081f6d4e12d914490a9224a6f71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
3d4c60b61d92d5a94449e96e11680c50

SHA1
38a7fbe249ddcac7e328f2285ad976d2affd654d

SHA256
4b7b5e22dd8800b2e4cfce8b52949e97a29e0cc146582c2684acd415ab5abb0a

SHA512
1efc2db293d853192a092d43e0f25f57ff80321ac0512d131aeea665b42ecf61fe0befed8ef242799c4c920544803ea56274ba0ea5e8b8cb554d218516ebf2ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
aa85147e6d343143d20ece4380ad9461

SHA1
8dec94d7690769b0e8654f9620d510e539d7ac56

SHA256
e571c7290f48444f77e84fe4530238e7a1b71270ec10b6c2719573dd0d01d658

SHA512
8c04ce636e6fb8703d5f4d5ea783ed2ca2eb77ad7a376ef25a040bd033073a71bbc1c0421c6216b4cd2f8e72a6cf6e860c41a3209976ffb9945bded4fee4e7a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
3cc9c7e1ea189983338eee90188c1123

SHA1
6cf97a8630db8981f74caeefcd629b131ada2826

SHA256
7b5b93bb6cd5f122a30cf4e9b0ad5fa23d3e10595ab1990611af8ca16f2a3397

SHA512
144d2a02f2f757937f07fc7388311ab545a780ebc8e27e3a9b353e5696a040b9b6c24cd1246843b95e9df6e801129f8c9d8d8bc61cf0286fc2799b0ee76fe311

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
6d085c9f729f530ebac01a11a2c0fffa

SHA1
1f75a7e50ded7d6b29ecd8ea0945927c3aca7c15

SHA256
2e46f6f330192888e2dfa0da155aea40d8ced0b81f8f2ab6652ae04e552e7578

SHA512
7c1f1ad7fa74472a0c3221906f902b00e3f06bec88b7c7e5399f7013d308734b7b8ff5c395fbc2a05680da6e96dce550f0407e874392c393979eb02466f9bd62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
8c17f5cdb00277bd7ec0567ce6ae68cf

SHA1
267b45cdee82493d5ecbefc897a31337e9e0698c

SHA256
266cfefc95bdd523cfe0b0c6299d35f224376697d57803460a3c334a874cf886

SHA512
1662a4d3518cb009234363312c4efaf59796e7b454b081c89c89726e6acc11bb674b5ceb5aeb1127b165dd7def94d0af18fb5c6574c1c6210b367de70e9b76ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
98KB

MD5
be536947aa62b540bf7e114e8eefa434

SHA1
492dbad9f529ceb5e65d2ed2c8d1103fb0a0a0c2

SHA256
2f0cc6ff4f7cbb64863a778e17ddef4aa0a2f7b641a676a884c12e61401d481e

SHA512
3c494666408be65c44abe12064d1261fb5eff83768b3c3725d48ee7e3b36dd76787fa6a2185b29f2ca264be5351047b39b6cdcf8628ba8e807335735bae22bab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57c7f3.TMP

Filesize
94KB

MD5
7b6844a38a96024aaa07b602b4a7d97a

SHA1
11f3806eb9aa4a490e1fb4876f30410194c97c31

SHA256
6fb67c8d505d9caa2684b49573a0cb0f89ca45c5238763fae97e0c7f355128f9

SHA512
067b7faa0441edc472e1ef7db941719cfdf858b5524eea018c3766a1696077b55c3a1d3b2899c51611b7d81530e5415a8c59a8996dcc499636751657c9400af4

Download Submit
C:\Users\Admin\Downloads\unknown.crdownload

Filesize
144KB

MD5
592bff6deaf0a0debc4504f27cd2571d

SHA1
a3facc97dffc1e29d0bdf150a7ff02b2a5662549

SHA256
8d32be8915c711a65331a2b9ab2315025bc92d21347fea3dae1099e488af03e6

SHA512
117850dd7d444f13350da8feee123c62e6a31fe1b1cf858a2bb37a70538e5b161857adfe5568a4bb7e3a269552d9ebf1f674519d8853ff566d2d7ca8cf760705

Download Submit
memory/4896-162-0x00007FFF45110000-0x00007FFF45120000-memory.dmp

Filesize
64KB

Download
memory/4896-164-0x00007FFF45110000-0x00007FFF45120000-memory.dmp

Filesize
64KB

Download
memory/4896-163-0x00007FFF45110000-0x00007FFF45120000-memory.dmp

Filesize
64KB

Download
memory/4896-165-0x00007FFF45110000-0x00007FFF45120000-memory.dmp

Filesize
64KB

Download
memory/4896-166-0x00007FFF45110000-0x00007FFF45120000-memory.dmp

Filesize
64KB

Download
memory/4896-167-0x00007FFF42B60000-0x00007FFF42B70000-memory.dmp

Filesize
64KB

Download
memory/4896-168-0x00007FFF42B60000-0x00007FFF42B70000-memory.dmp

Filesize
64KB

Download