2cf71d098c608c56e07f4655855a886c3102553f648df88458df616b26fd612f

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 16:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dxwebsetup.exe
Size

288KB
MD5

2cbd6ad183914a0c554f0739069e77d7
SHA1

7bf35f2afca666078db35ca95130beb2e3782212
SHA256

2cf71d098c608c56e07f4655855a886c3102553f648df88458df616b26fd612f
SHA512

ff1af2d2a883865f2412dddcd68006d1907a719fe833319c833f897c93ee750bac494c0991170dc1cf726b3f0406707daa361d06568cd610eeb4ed1d9c0fbb10
SSDEEP

6144:kWK8fc2liXmrLxcdRDLiH1vVRGVOhMp421/7YQV:VcvgLARDI1KIOzO0

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1008	dxwsetup.exe

Loads dropped DLL 2 IoCs

pid	Process
1008	dxwsetup.exe
1008	dxwsetup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	dxwebsetup.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\directx\websetup\SET373D.tmp	dxwsetup.exe
File created	C:\Windows\SysWOW64\directx\websetup\SET373D.tmp	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\dsetup32.dll	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\DirectX\WebSetup	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\SET372D.tmp	dxwsetup.exe
File created	C:\Windows\SysWOW64\directx\websetup\SET372D.tmp	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\dsetup.dll	dxwsetup.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DirectX.log	dxwsetup.exe
File opened for modification	C:\Windows\security\logs\scecomp.log	dxwsetup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133640647540086685"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2244	chrome.exe
2244	chrome.exe
4948	chrome.exe
4948	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: 33	1832	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1832	AUDIODG.EXE
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe
Token: SeShutdownPrivilege	2244	chrome.exe
Token: SeCreatePagefilePrivilege	2244	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe
2244	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5092 wrote to memory of 1008	5092	dxwebsetup.exe	83
PID 5092 wrote to memory of 1008	5092	dxwebsetup.exe	83
PID 5092 wrote to memory of 1008	5092	dxwebsetup.exe	83
PID 2244 wrote to memory of 1772	2244	chrome.exe	94
PID 2244 wrote to memory of 1772	2244	chrome.exe	94
PID 2244 wrote to memory of 2844	2244	chrome.exe	95
PID 2244 wrote to memory of 2844	2244	chrome.exe	95
PID 2244 wrote to memory of 2844	2244	chrome.exe	95
PID 2244 wrote to memory of 2844	2244	chrome.exe	95
PID 2244 wrote to memory of 2844	2244	chrome.exe	95
PID 2244 wrote to memory of 2844	2244	chrome.exe	95
PID 2244 wrote to memory of 2844	2244	chrome.exe	95
PID 2244 wrote to memory of 2844	2244	chrome.exe	95
PID 2244 wrote to memory of 2844	2244	chrome.exe	95
PID 2244 wrote to memory of 2844	2244	chrome.exe	95
PID 2244 wrote to memory of 2844	2244	chrome.exe	95
PID 2244 wrote to memory of 2844	2244	chrome.exe	95
PID 2244 wrote to memory of 2844	2244	chrome.exe	95
PID 2244 wrote to memory of 2844	2244	chrome.exe	95
PID 2244 wrote to memory of 2844	2244	chrome.exe	95
PID 2244 wrote to memory of 2844	2244	chrome.exe	95
PID 2244 wrote to memory of 2844	2244	chrome.exe	95
PID 2244 wrote to memory of 2844	2244	chrome.exe	95
PID 2244 wrote to memory of 2844	2244	chrome.exe	95
PID 2244 wrote to memory of 2844	2244	chrome.exe	95
PID 2244 wrote to memory of 2844	2244	chrome.exe	95
PID 2244 wrote to memory of 2844	2244	chrome.exe	95
PID 2244 wrote to memory of 2844	2244	chrome.exe	95
PID 2244 wrote to memory of 2844	2244	chrome.exe	95
PID 2244 wrote to memory of 2844	2244	chrome.exe	95
PID 2244 wrote to memory of 2844	2244	chrome.exe	95
PID 2244 wrote to memory of 2844	2244	chrome.exe	95
PID 2244 wrote to memory of 2844	2244	chrome.exe	95
PID 2244 wrote to memory of 2844	2244	chrome.exe	95
PID 2244 wrote to memory of 2844	2244	chrome.exe	95
PID 2244 wrote to memory of 2844	2244	chrome.exe	95
PID 2244 wrote to memory of 2892	2244	chrome.exe	96
PID 2244 wrote to memory of 2892	2244	chrome.exe	96
PID 2244 wrote to memory of 3580	2244	chrome.exe	97
PID 2244 wrote to memory of 3580	2244	chrome.exe	97
PID 2244 wrote to memory of 3580	2244	chrome.exe	97
PID 2244 wrote to memory of 3580	2244	chrome.exe	97
PID 2244 wrote to memory of 3580	2244	chrome.exe	97
PID 2244 wrote to memory of 3580	2244	chrome.exe	97
PID 2244 wrote to memory of 3580	2244	chrome.exe	97
PID 2244 wrote to memory of 3580	2244	chrome.exe	97
PID 2244 wrote to memory of 3580	2244	chrome.exe	97
PID 2244 wrote to memory of 3580	2244	chrome.exe	97
PID 2244 wrote to memory of 3580	2244	chrome.exe	97
PID 2244 wrote to memory of 3580	2244	chrome.exe	97
PID 2244 wrote to memory of 3580	2244	chrome.exe	97
PID 2244 wrote to memory of 3580	2244	chrome.exe	97
PID 2244 wrote to memory of 3580	2244	chrome.exe	97
PID 2244 wrote to memory of 3580	2244	chrome.exe	97
PID 2244 wrote to memory of 3580	2244	chrome.exe	97
PID 2244 wrote to memory of 3580	2244	chrome.exe	97
PID 2244 wrote to memory of 3580	2244	chrome.exe	97
PID 2244 wrote to memory of 3580	2244	chrome.exe	97
PID 2244 wrote to memory of 3580	2244	chrome.exe	97
PID 2244 wrote to memory of 3580	2244	chrome.exe	97
PID 2244 wrote to memory of 3580	2244	chrome.exe	97
PID 2244 wrote to memory of 3580	2244	chrome.exe	97
PID 2244 wrote to memory of 3580	2244	chrome.exe	97
PID 2244 wrote to memory of 3580	2244	chrome.exe	97

C:\Users\Admin\AppData\Local\Temp\dxwebsetup.exe
"C:\Users\Admin\AppData\Local\Temp\dxwebsetup.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:1008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0x78,0x108,0x7ffcea7fab58,0x7ffcea7fab68,0x7ffcea7fab78
  2⤵
  PID:1772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=1924,i,13483385136968530297,3549232481353424490,131072 /prefetch:2
  2⤵
  PID:2844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=1924,i,13483385136968530297,3549232481353424490,131072 /prefetch:8
  2⤵
  PID:2892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2232 --field-trial-handle=1924,i,13483385136968530297,3549232481353424490,131072 /prefetch:8
  2⤵
  PID:3580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3112 --field-trial-handle=1924,i,13483385136968530297,3549232481353424490,131072 /prefetch:1
  2⤵
  PID:2864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3132 --field-trial-handle=1924,i,13483385136968530297,3549232481353424490,131072 /prefetch:1
  2⤵
  PID:1972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4428 --field-trial-handle=1924,i,13483385136968530297,3549232481353424490,131072 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4600 --field-trial-handle=1924,i,13483385136968530297,3549232481353424490,131072 /prefetch:8
  2⤵
  PID:4484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4732 --field-trial-handle=1924,i,13483385136968530297,3549232481353424490,131072 /prefetch:8
  2⤵
  PID:2176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4432 --field-trial-handle=1924,i,13483385136968530297,3549232481353424490,131072 /prefetch:8
  2⤵
  PID:1272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 --field-trial-handle=1924,i,13483385136968530297,3549232481353424490,131072 /prefetch:8
  2⤵
  PID:3084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5008 --field-trial-handle=1924,i,13483385136968530297,3549232481353424490,131072 /prefetch:8
  2⤵
  PID:4936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5064 --field-trial-handle=1924,i,13483385136968530297,3549232481353424490,131072 /prefetch:1
  2⤵
  PID:2836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4392 --field-trial-handle=1924,i,13483385136968530297,3549232481353424490,131072 /prefetch:8
  2⤵
  PID:1368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3224 --field-trial-handle=1924,i,13483385136968530297,3549232481353424490,131072 /prefetch:8
  2⤵
  PID:756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4908 --field-trial-handle=1924,i,13483385136968530297,3549232481353424490,131072 /prefetch:1
  2⤵
  PID:3120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4936 --field-trial-handle=1924,i,13483385136968530297,3549232481353424490,131072 /prefetch:1
  2⤵
  PID:1232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4780 --field-trial-handle=1924,i,13483385136968530297,3549232481353424490,131072 /prefetch:8
  2⤵
  PID:556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4788 --field-trial-handle=1924,i,13483385136968530297,3549232481353424490,131072 /prefetch:8
  2⤵
  PID:60
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 --field-trial-handle=1924,i,13483385136968530297,3549232481353424490,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4948

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4696

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x49c 0x3cc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\0bbad9e2-7c29-4ae9-a8a9-ba2f6a800e4e.tmp

Filesize
281KB

MD5
9ece76a097ae22f82c6ee52df71ac9ed

SHA1
6e41d29fada73b3a04979521751342cf3e9a3d80

SHA256
958313f4390a9e33a002598af4635af26828effcab8931dea9dad36ed5adca7c

SHA512
6206ba93f5fdc058dd1e384cb49d4e9e1849cbd1035447e7e2c672e9ed70694d94c0b744c51f594e04198cd3c487767d8897fe50e760fb331fdae29f8dab63ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000d

Filesize
33KB

MD5
529c64a383f51d4987309b30a463e677

SHA1
292017e2884d09aaa8c66d9f18a7a8865131f1cf

SHA256
32d9c84816bd6c8a91f9a95ccc64828b1214421a2070417f550199b3d064e63e

SHA512
390fbfdeae08f4c87f5d4d82832a341a10f5b3cd8a392c450d5fe2b843e8c8ad2829c4698a7cff4d3e42728273d54559f380598fedd2224aec7e540357e7d764

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
2974c8d6dd53c0b98ab1e885670c4c99

SHA1
70512b712d8a20ead52f59f6a964c095c123daa3

SHA256
0bdec7ddce3eb0f7b4f9393705c7cc5de867d50b3ec2289f4b0afee9538e4b56

SHA512
141dd3090ce8725f68ae6ffe3951d5c471326a2dba7d031d17b2553771f2a81d66bccad5e214c764d5dbdb2445ffa7a4f41dbd1d35729b9b386c2daa1a74b90f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
2ad18ff06628f6f12b61b7b0e344f7b2

SHA1
1790092945524d70389d246cab3d261f13ca5012

SHA256
ca3297e2b51e421b5aab3c0577ea5f83b9b81fa27eb7865d7a154056f44a1a9b

SHA512
34209f103a7a26029bbb7cee6a90a9d4d578c45f7a77473462225a9278ccc0353d3c552e98f342a1a97e6077e51ff4e412ebc0ea2fe89ae652d2ff638fad4f33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
b4ef0c23b90a3107b45ca5fc5743c26b

SHA1
e93ee5e634bf2473ed7311a101a792c34bc5253d

SHA256
cca08abfec97164185818c3a04c2d75db92d27348ef78a54879d19485a52d474

SHA512
ab39023b3c4471abbefa1e783886c66a33fcc5733fa5f46dd17c5f2f80778fcf1854ae4fff8c16cc985ae1941b8561c2f6625a7ca8a451811e176d073dfa1283

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
691B

MD5
bb7f9f4aafbd4dd69988ee41574f61a2

SHA1
9a2fc472711de367e6ec538efe443d1c89e1ce74

SHA256
2f00e3df5e5e1eafbb821db3f75492a582a7ad47dc945e8cf1cacd628ec66765

SHA512
c01cf9aa888f6f56a6f487516c51fd304c1d236e90e36beff60f8ca5f919a9cd23ff0c4cba46535276f3ba560731863cda36d95ea2215b00ae6bcf738dba576a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
ad8885b082c70c0eaaf7c30d90fe4800

SHA1
fd2691a031aaabcdeb25e5bf422cd9a8c73a9581

SHA256
f59b1d4bde043bfb165d724e21e770c74a3b79aab9d4a2cece1b09373490a1be

SHA512
e20c6dee0c95db33759e7c7db5e0cede7a4b9e9cb51af5529637cf69b13a9dc7341e79b359b1ea60aa43c205b2cc5be3b1df90f08badd7155cb4757c68045dfa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1a22c2a0f18f68d0ece307265f7e6979

SHA1
98dbe4852e381105da6f630bcb4d974bc60f8a3a

SHA256
0a8f515341cae795532688608c707ed99c6cb7d45fa7cf1e6248404c7a9e663f

SHA512
ce680af9947b2996dd087d423a512dea41c888cc229f8579d2b7a689b65d3148dec058ff2d9e0bff5eede0a01ba1e3d90f356338d3ddf88aa74c618f78d7b47f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
eba49831b11bf7cbdbce82633ab09651

SHA1
819351aae853a9d8cb82565bc515c1301e85fe25

SHA256
a9e500d9c72cb909f95dcfb6c1b54227af18fef87948fd5e9c583c62a936a117

SHA512
2e1145d85779943badd92c62fc534399ffa64f592d97a4137334e5495cfe985a9e85a4ea1b17cdd22cc3db15d8e2b4bed3e1a94dff0686e3a9ef35d12ea734ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
89KB

MD5
983ed1704dcffb6779874c46b797b0b5

SHA1
6c9468a62e0b9e8403233d50657c80534eae765c

SHA256
1472a8b2a5e3401307b3598d66eb8b405558d2d38a28c9e6c41d0b48e1f1120e

SHA512
357c9e3ddbb529c09c587ab127a8cb55f5a48c2b475fb77af74085304eacbc13c06a81a3a6049519af72bc416ab889874365f29462cf232ab420f6e59b8acbf0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57c89f.TMP

Filesize
87KB

MD5
0f3d3681fe5f3dfe24f01f46f0b25276

SHA1
2f81fdfa61922adcfef8e53d1ac254b70344a34e

SHA256
1e8bc12ccad2a07a9de5540418c5e371232beadc75d47ac09b1ca35318abacac

SHA512
6b3af40cfdb1047efc0741cb1722c3ee4788a26fddf084b4445d295b4754b7c750f0324699b9a39743b1268f19e73e761115ceeabc523ed1b1d42ff342138a36

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup.dll

Filesize
93KB

MD5
984cad22fa542a08c5d22941b888d8dc

SHA1
3e3522e7f3af329f2235b0f0850d664d5377b3cd

SHA256
57bc22850bb8e0bcc511a9b54cd3da18eec61f3088940c07d63b9b74e7fe2308

SHA512
8ef171218b331f0591a4b2a5e68dcbae98f5891518ce877f1d8d1769c59c0f4ddae43cc43da6606975078f889c832f0666484db9e047782e7a0ae4a2d41f5bef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

Filesize
515KB

MD5
ac3a5f7be8cd13a863b50ab5fe00b71c

SHA1
eee417cd92e263b84dd3b5dcc2b4b463fe6e84d9

SHA256
8f5e89298e3dc2e22d47515900c37cca4ee121c5ba06a6d962d40ad6e1a595da

SHA512
c8bbe791373dad681f0ac9f5ab538119bde685d4f901f5db085c73163fc2e868972b2de60e72ccd44f745f1fd88fcde2e27f32302d8cbd3c1f43e6e657c79fba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.inf

Filesize
477B

MD5
ad8982eaa02c7ad4d7cdcbc248caa941

SHA1
4ccd8e038d73a5361d754c7598ed238fc040d16b

SHA256
d63c35e9b43eb0f28ffc28f61c9c9a306da9c9de3386770a7eb19faa44dbfc00

SHA512
5c805d78bafff06c36b5df6286709ddf2d36808280f92e62dc4c285edd9176195a764d5cf0bb000da53ca8bbf66ddd61d852e4259e3113f6529e2d7bdbdd6e28

Download Submit
C:\Windows\SysWOW64\directx\websetup\dsetup32.dll

Filesize
1.5MB

MD5
a5412a144f63d639b47fcc1ba68cb029

SHA1
81bd5f1c99b22c0266f3f59959dfb4ea023be47e

SHA256
8a011da043a4b81e2b3d41a332e0ff23a65d546bd7636e8bc74885e8746927d6

SHA512
2679a4cb690e8d709cb5e57b59315d22f69f91efa6c4ee841943751c882b0c0457fd4a3376ac3832c757c6dfaffb7d844909c5665b86a95339af586097ee0405

Download Submit