3ec8bc64f586979417849f0ff2dcd849f30eeece2bd106c1526960e26327d359

Analysis

max time kernel
1737s
max time network
1747s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
25/06/2024, 05:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FurMark_2.3.0.0_win64.zip
Size

27.1MB
MD5

c9093258db90de959b7fc1ecd4505b4c
SHA1

ab2181262ea7116bea3e01d20af25d49a5e76894
SHA256

3ec8bc64f586979417849f0ff2dcd849f30eeece2bd106c1526960e26327d359
SHA512

188a33eb1556082da8cc38c0c2cc9467c45694757c2aadff73d045c82c1f99a6bbd07c620a2628d78893c2678be2f3fc659ae80e9e0f7dd8d8ccc008799b97a1
SSDEEP

786432:KvUngDG+7sgtrTjPQ91vqFWnIxwwD0xjxyTjPQ9CvX:KvUgSSsiQwFWuD0PyQM

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	vds.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\diskmgmt.msc	mmc.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000007974a9d88003442d0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800007974a9d80000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d012000000000000f0ef35000000ffffffff0000000007000100006809007974a9d8000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d7974a9d8000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000007974a9d800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vds.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vds.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vds.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vds.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133637665192723635"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
748	mmc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
748	mmc.exe
748	mmc.exe
748	mmc.exe
748	mmc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 4208	2408	chrome.exe	83
PID 2408 wrote to memory of 4208	2408	chrome.exe	83
PID 2408 wrote to memory of 2172	2408	chrome.exe	84
PID 2408 wrote to memory of 2172	2408	chrome.exe	84
PID 2408 wrote to memory of 2172	2408	chrome.exe	84
PID 2408 wrote to memory of 2172	2408	chrome.exe	84
PID 2408 wrote to memory of 2172	2408	chrome.exe	84
PID 2408 wrote to memory of 2172	2408	chrome.exe	84
PID 2408 wrote to memory of 2172	2408	chrome.exe	84
PID 2408 wrote to memory of 2172	2408	chrome.exe	84
PID 2408 wrote to memory of 2172	2408	chrome.exe	84
PID 2408 wrote to memory of 2172	2408	chrome.exe	84
PID 2408 wrote to memory of 2172	2408	chrome.exe	84
PID 2408 wrote to memory of 2172	2408	chrome.exe	84
PID 2408 wrote to memory of 2172	2408	chrome.exe	84
PID 2408 wrote to memory of 2172	2408	chrome.exe	84
PID 2408 wrote to memory of 2172	2408	chrome.exe	84
PID 2408 wrote to memory of 2172	2408	chrome.exe	84
PID 2408 wrote to memory of 2172	2408	chrome.exe	84
PID 2408 wrote to memory of 2172	2408	chrome.exe	84
PID 2408 wrote to memory of 2172	2408	chrome.exe	84
PID 2408 wrote to memory of 2172	2408	chrome.exe	84
PID 2408 wrote to memory of 2172	2408	chrome.exe	84
PID 2408 wrote to memory of 2172	2408	chrome.exe	84
PID 2408 wrote to memory of 2172	2408	chrome.exe	84
PID 2408 wrote to memory of 2172	2408	chrome.exe	84
PID 2408 wrote to memory of 2172	2408	chrome.exe	84
PID 2408 wrote to memory of 2172	2408	chrome.exe	84
PID 2408 wrote to memory of 2172	2408	chrome.exe	84
PID 2408 wrote to memory of 2172	2408	chrome.exe	84
PID 2408 wrote to memory of 2172	2408	chrome.exe	84
PID 2408 wrote to memory of 2172	2408	chrome.exe	84
PID 2408 wrote to memory of 2172	2408	chrome.exe	84
PID 2408 wrote to memory of 2660	2408	chrome.exe	85
PID 2408 wrote to memory of 2660	2408	chrome.exe	85
PID 2408 wrote to memory of 4608	2408	chrome.exe	86
PID 2408 wrote to memory of 4608	2408	chrome.exe	86
PID 2408 wrote to memory of 4608	2408	chrome.exe	86
PID 2408 wrote to memory of 4608	2408	chrome.exe	86
PID 2408 wrote to memory of 4608	2408	chrome.exe	86
PID 2408 wrote to memory of 4608	2408	chrome.exe	86
PID 2408 wrote to memory of 4608	2408	chrome.exe	86
PID 2408 wrote to memory of 4608	2408	chrome.exe	86
PID 2408 wrote to memory of 4608	2408	chrome.exe	86
PID 2408 wrote to memory of 4608	2408	chrome.exe	86
PID 2408 wrote to memory of 4608	2408	chrome.exe	86
PID 2408 wrote to memory of 4608	2408	chrome.exe	86
PID 2408 wrote to memory of 4608	2408	chrome.exe	86
PID 2408 wrote to memory of 4608	2408	chrome.exe	86
PID 2408 wrote to memory of 4608	2408	chrome.exe	86
PID 2408 wrote to memory of 4608	2408	chrome.exe	86
PID 2408 wrote to memory of 4608	2408	chrome.exe	86
PID 2408 wrote to memory of 4608	2408	chrome.exe	86
PID 2408 wrote to memory of 4608	2408	chrome.exe	86
PID 2408 wrote to memory of 4608	2408	chrome.exe	86
PID 2408 wrote to memory of 4608	2408	chrome.exe	86
PID 2408 wrote to memory of 4608	2408	chrome.exe	86
PID 2408 wrote to memory of 4608	2408	chrome.exe	86
PID 2408 wrote to memory of 4608	2408	chrome.exe	86
PID 2408 wrote to memory of 4608	2408	chrome.exe	86
PID 2408 wrote to memory of 4608	2408	chrome.exe	86
PID 2408 wrote to memory of 4608	2408	chrome.exe	86
PID 2408 wrote to memory of 4608	2408	chrome.exe	86
PID 2408 wrote to memory of 4608	2408	chrome.exe	86

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\FurMark_2.3.0.0_win64.zip
1⤵
PID:5064

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffae6f7ab58,0x7ffae6f7ab68,0x7ffae6f7ab78
  2⤵
  PID:4208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1604 --field-trial-handle=1828,i,404120034743133087,8475684705529316415,131072 /prefetch:2
  2⤵
  PID:2172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1828,i,404120034743133087,8475684705529316415,131072 /prefetch:8
  2⤵
  PID:2660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2204 --field-trial-handle=1828,i,404120034743133087,8475684705529316415,131072 /prefetch:8
  2⤵
  PID:4608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1828,i,404120034743133087,8475684705529316415,131072 /prefetch:1
  2⤵
  PID:5116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3172 --field-trial-handle=1828,i,404120034743133087,8475684705529316415,131072 /prefetch:1
  2⤵
  PID:4092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4236 --field-trial-handle=1828,i,404120034743133087,8475684705529316415,131072 /prefetch:1
  2⤵
  PID:2476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4576 --field-trial-handle=1828,i,404120034743133087,8475684705529316415,131072 /prefetch:8
  2⤵
  PID:3528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 --field-trial-handle=1828,i,404120034743133087,8475684705529316415,131072 /prefetch:8
  2⤵
  PID:3992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4472 --field-trial-handle=1828,i,404120034743133087,8475684705529316415,131072 /prefetch:8
  2⤵
  PID:1756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4764 --field-trial-handle=1828,i,404120034743133087,8475684705529316415,131072 /prefetch:8
  2⤵
  PID:3844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4048 --field-trial-handle=1828,i,404120034743133087,8475684705529316415,131072 /prefetch:8
  2⤵
  PID:4348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4804 --field-trial-handle=1828,i,404120034743133087,8475684705529316415,131072 /prefetch:1
  2⤵
  PID:3208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5104 --field-trial-handle=1828,i,404120034743133087,8475684705529316415,131072 /prefetch:1
  2⤵
  PID:4600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4084 --field-trial-handle=1828,i,404120034743133087,8475684705529316415,131072 /prefetch:1
  2⤵
  PID:3552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=1560 --field-trial-handle=1828,i,404120034743133087,8475684705529316415,131072 /prefetch:1
  2⤵
  PID:8
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=868 --field-trial-handle=1828,i,404120034743133087,8475684705529316415,131072 /prefetch:1
  2⤵
  PID:4816

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3908

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\diskmgmt.msc"
1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:748

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:3792

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
810B

MD5
3a064e0ef25c29f9c9b57c8b598847fd

SHA1
1b4ea7c2b1393534204f585d3550b3b8358bdbe3

SHA256
0544de2bd168d80d730d31280cefb77f7549a45322f412bb016f0b37de26e8e4

SHA512
3644c90283a8c8abe4eed6c8251dbfb62e81ecd9ee1f0df6ff83edec7e7b171c3964c43f65c71e303ac47d90ca1e43dd91b54a22a62c7b049dc756615d692f34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
f41674283aee2b4c0e9c790235727171

SHA1
c2793e4aa9f9f61e0d49bec5658bdff2142d2cd7

SHA256
cd5ae0aa058e2d4a146a46714e37d0b3a75812b1ecc0e4aac004599cbf84b089

SHA512
e232e1302d33a9466602f4446a56abcfde4ed851749a3715b46dc6eec61d0f2d7bfe221811759e0a97a40425009f66c65b106cdf95cf769bdc6f72d3d57cc9c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
0fab9ce33ba111eb8c80c6cf3c2a8df6

SHA1
417f968bd968dfd99c11940ede842f47ad66f122

SHA256
b787aba405185b23f02436911b937cbe66b53aa58375469f4d06821358344309

SHA512
1099140f9cca49b934a65bf47b7f7d2bc4ef5714dda93184ffb69d1fdfcf8cfb9d32f1fee56b58ff294b319ce20d087046139dfc612452d51a70002035ddb441

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
131KB

MD5
905b2fe28c7a2f0399e863bf331e302a

SHA1
0b9ee1ffcd83a20b33a431225bfbb87b13a263b0

SHA256
d183aac3a7a16ea0bf3a2a194bec67203f40b4c32e4ce707d073f400f533ef42

SHA512
f6d05a5859799d2c2c482fe369581964d0337f4a4306d184bb76d9bf492f7059d5107361c0b6cf92a6a004d269ee2c718b92ab68997e0ec4a21d326a4c65fa26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
131KB

MD5
eae5ebc02d84a0f2ee9032ace7eef875

SHA1
d9148de44934e8d058627d643d74c80aab98ab9a

SHA256
0a8171585f8c8c61a5550aca94aca88c30d85168dd3b639fb4309ed339092e71

SHA512
170b46f569084a4d177d7217e01804cce00314fe203a8c2c5f4b620c19bfb770cdb53cb0abcd1673969d61cb6a08854fc83cfce64e7aab1a9219a4c4eb56290c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
180KB

MD5
db4bf09557ff9fc0afb4e4d2d449791f

SHA1
ac40cda639b72bcdec470f640f7600410bc5f107

SHA256
f165ed53226429604c3398d83591e0ae32ac41ba97cba79b9a6bb368645d79be

SHA512
7434ad175ed66298a2b159b2d3f8e872d976e7d20a7571c17a1299704d9efaab68177b6b6883936fdfd5a0c77cdcf65024dcf3befba2987494cfc717298c4f8b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
205KB

MD5
5b1cc4f643cb57c865c6a66271a696c4

SHA1
53eda90baae7b3356de57458b037d9d68a28a4ea

SHA256
a2f38dac7abc83cc945b84b40aa3befb308a6a384ad3fdd76061d8be2047e381

SHA512
75f41924bd3ccf65bb8bfa91dd0e0b3e18d106c9e4c3d73873b828fc664225bfb4d2f3e65efd0f0cbe2f85dfd3f37b1d0a7161c65e9de2e060b920bf18aabc21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
86KB

MD5
e52ffa22d4281f001c24ad1c2b593dd6

SHA1
e33dc18070ba1fc59b1d622078a490b30d8042b4

SHA256
21c52fc407efec29897ff20224d22ef4a58c1f215919404fb7da2c7ee22e37fc

SHA512
c65aa9e0da6892d87e92b887b7b7d6079e05e4a5b88a1338919f3dcce998c9d4ae7f3782f7eefe161cf1976b495ba0c5993805bd12b37f50141d6c44f36da78a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe599e0b.TMP

Filesize
83KB

MD5
efd77eb6604be8925d371711656c3f9f

SHA1
7a3eacf3a2cc7dff95b078761018d14082d8c1ce

SHA256
bb25c200ec6d1bd640f79754aa95f0822e44dce6223794b0408f13bff3b0b3ce

SHA512
eb67c9ed9439654cd6eba2f1ce4e70b5ae5c515b15ccad28e16234a5b243f095f726108beddfd79a7e886796c030a156a5365594f87e72c4a60c7895a8889f62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
df5af52ae231966e4519a4087beb3bbf

SHA1
c1cd335dc3abf7e9fbbfaabb7f39faabf6137f5b

SHA256
b0afbb9da38a4b75ab59038191f93694ee5cbfffad633a273f46118252c29203

SHA512
6fe759bbbb36c47bcdd64651d07821984c59e8f8a82f1483e69138a263500cd61a3bad65ee666b9bb2351b2c5564f5ec68c667d1db1ed1dfc9a9e2f18cbfd1d7

Download Submit