hxxps://mega[.]nz/file/3LZ0hLYB#913cLGydaGLw03L_s9GNi4DLZEQAFO0ymymKQG-RwXM

Resubmissions

11/07/2024, 10:23

240711-me5cfavdmb 5

10/07/2024, 15:37

240710-s2qepayajd 7

Analysis

max time kernel
165s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 15:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/3LZ0hLYB#913cLGydaGLw03L_s9GNi4DLZEQAFO0ymymKQG-RwXM

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1448	RuntimeBroker.exe
1264	chrome.exe
3212	chrome.exe.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133650994632516649"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2528	chrome.exe
2528	chrome.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe
1448	RuntimeBroker.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1448	RuntimeBroker.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2528	chrome.exe
2528	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: 33	2620	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2620	AUDIODG.EXE
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeRestorePrivilege	552	7zG.exe
Token: 35	552	7zG.exe
Token: SeSecurityPrivilege	552	7zG.exe
Token: SeSecurityPrivilege	552	7zG.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe
Token: SeShutdownPrivilege	2528	chrome.exe
Token: SeCreatePagefilePrivilege	2528	chrome.exe

Suspicious use of FindShellTrayWindow 62 IoCs

pid	Process
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
552	7zG.exe
212	taskmgr.exe
212	taskmgr.exe
212	taskmgr.exe
212	taskmgr.exe
212	taskmgr.exe
212	taskmgr.exe
212	taskmgr.exe
212	taskmgr.exe
212	taskmgr.exe
212	taskmgr.exe
212	taskmgr.exe
212	taskmgr.exe
212	taskmgr.exe
212	taskmgr.exe
212	taskmgr.exe
212	taskmgr.exe
212	taskmgr.exe
212	taskmgr.exe
212	taskmgr.exe
212	taskmgr.exe
212	taskmgr.exe
212	taskmgr.exe
212	taskmgr.exe
212	taskmgr.exe
212	taskmgr.exe
212	taskmgr.exe
212	taskmgr.exe
212	taskmgr.exe

Suspicious use of SendNotifyMessage 52 IoCs

pid	Process
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
2528	chrome.exe
212	taskmgr.exe
212	taskmgr.exe
212	taskmgr.exe
212	taskmgr.exe
212	taskmgr.exe
212	taskmgr.exe
212	taskmgr.exe
212	taskmgr.exe
212	taskmgr.exe
212	taskmgr.exe
212	taskmgr.exe
212	taskmgr.exe
212	taskmgr.exe
212	taskmgr.exe
212	taskmgr.exe
212	taskmgr.exe
212	taskmgr.exe
212	taskmgr.exe
212	taskmgr.exe
212	taskmgr.exe
212	taskmgr.exe
212	taskmgr.exe
212	taskmgr.exe
212	taskmgr.exe
212	taskmgr.exe
212	taskmgr.exe
212	taskmgr.exe
212	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 4796	2528	chrome.exe	83
PID 2528 wrote to memory of 4796	2528	chrome.exe	83
PID 2528 wrote to memory of 3016	2528	chrome.exe	85
PID 2528 wrote to memory of 3016	2528	chrome.exe	85
PID 2528 wrote to memory of 3016	2528	chrome.exe	85
PID 2528 wrote to memory of 3016	2528	chrome.exe	85
PID 2528 wrote to memory of 3016	2528	chrome.exe	85
PID 2528 wrote to memory of 3016	2528	chrome.exe	85
PID 2528 wrote to memory of 3016	2528	chrome.exe	85
PID 2528 wrote to memory of 3016	2528	chrome.exe	85
PID 2528 wrote to memory of 3016	2528	chrome.exe	85
PID 2528 wrote to memory of 3016	2528	chrome.exe	85
PID 2528 wrote to memory of 3016	2528	chrome.exe	85
PID 2528 wrote to memory of 3016	2528	chrome.exe	85
PID 2528 wrote to memory of 3016	2528	chrome.exe	85
PID 2528 wrote to memory of 3016	2528	chrome.exe	85
PID 2528 wrote to memory of 3016	2528	chrome.exe	85
PID 2528 wrote to memory of 3016	2528	chrome.exe	85
PID 2528 wrote to memory of 3016	2528	chrome.exe	85
PID 2528 wrote to memory of 3016	2528	chrome.exe	85
PID 2528 wrote to memory of 3016	2528	chrome.exe	85
PID 2528 wrote to memory of 3016	2528	chrome.exe	85
PID 2528 wrote to memory of 3016	2528	chrome.exe	85
PID 2528 wrote to memory of 3016	2528	chrome.exe	85
PID 2528 wrote to memory of 3016	2528	chrome.exe	85
PID 2528 wrote to memory of 3016	2528	chrome.exe	85
PID 2528 wrote to memory of 3016	2528	chrome.exe	85
PID 2528 wrote to memory of 3016	2528	chrome.exe	85
PID 2528 wrote to memory of 3016	2528	chrome.exe	85
PID 2528 wrote to memory of 3016	2528	chrome.exe	85
PID 2528 wrote to memory of 3016	2528	chrome.exe	85
PID 2528 wrote to memory of 3016	2528	chrome.exe	85
PID 2528 wrote to memory of 3560	2528	chrome.exe	86
PID 2528 wrote to memory of 3560	2528	chrome.exe	86
PID 2528 wrote to memory of 2696	2528	chrome.exe	87
PID 2528 wrote to memory of 2696	2528	chrome.exe	87
PID 2528 wrote to memory of 2696	2528	chrome.exe	87
PID 2528 wrote to memory of 2696	2528	chrome.exe	87
PID 2528 wrote to memory of 2696	2528	chrome.exe	87
PID 2528 wrote to memory of 2696	2528	chrome.exe	87
PID 2528 wrote to memory of 2696	2528	chrome.exe	87
PID 2528 wrote to memory of 2696	2528	chrome.exe	87
PID 2528 wrote to memory of 2696	2528	chrome.exe	87
PID 2528 wrote to memory of 2696	2528	chrome.exe	87
PID 2528 wrote to memory of 2696	2528	chrome.exe	87
PID 2528 wrote to memory of 2696	2528	chrome.exe	87
PID 2528 wrote to memory of 2696	2528	chrome.exe	87
PID 2528 wrote to memory of 2696	2528	chrome.exe	87
PID 2528 wrote to memory of 2696	2528	chrome.exe	87
PID 2528 wrote to memory of 2696	2528	chrome.exe	87
PID 2528 wrote to memory of 2696	2528	chrome.exe	87
PID 2528 wrote to memory of 2696	2528	chrome.exe	87
PID 2528 wrote to memory of 2696	2528	chrome.exe	87
PID 2528 wrote to memory of 2696	2528	chrome.exe	87
PID 2528 wrote to memory of 2696	2528	chrome.exe	87
PID 2528 wrote to memory of 2696	2528	chrome.exe	87
PID 2528 wrote to memory of 2696	2528	chrome.exe	87
PID 2528 wrote to memory of 2696	2528	chrome.exe	87
PID 2528 wrote to memory of 2696	2528	chrome.exe	87
PID 2528 wrote to memory of 2696	2528	chrome.exe	87
PID 2528 wrote to memory of 2696	2528	chrome.exe	87
PID 2528 wrote to memory of 2696	2528	chrome.exe	87
PID 2528 wrote to memory of 2696	2528	chrome.exe	87
PID 2528 wrote to memory of 2696	2528	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mega.nz/file/3LZ0hLYB#913cLGydaGLw03L_s9GNi4DLZEQAFO0ymymKQG-RwXM
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9ffc4cc40,0x7ff9ffc4cc4c,0x7ff9ffc4cc58
  2⤵
  PID:4796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1900,i,8002341793727168773,3853892034526373873,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=1896 /prefetch:2
  2⤵
  PID:3016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2128,i,8002341793727168773,3853892034526373873,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2160 /prefetch:3
  2⤵
  PID:3560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2232,i,8002341793727168773,3853892034526373873,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2288 /prefetch:8
  2⤵
  PID:2696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3100,i,8002341793727168773,3853892034526373873,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3136 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,8002341793727168773,3853892034526373873,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:2160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4552,i,8002341793727168773,3853892034526373873,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4328 /prefetch:8
  2⤵
  PID:2612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5048,i,8002341793727168773,3853892034526373873,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5060 /prefetch:8
  2⤵
  PID:4408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5216,i,8002341793727168773,3853892034526373873,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4876 /prefetch:8
  2⤵
  PID:5088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4856,i,8002341793727168773,3853892034526373873,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4580 /prefetch:8
  2⤵
  - Drops file in System32 directory
  PID:2000

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:3384

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3dc 0x4fc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4952

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1096

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap13847:68:7zEvent12040
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:552

C:\Users\Admin\Desktop\RuntimeBroker.exe
"C:\Users\Admin\Desktop\RuntimeBroker.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:1448

C:\Users\Admin\Desktop\chrome.exe
"C:\Users\Admin\Desktop\chrome.exe"
1⤵
- Executes dropped EXE
PID:1264

C:\Users\Admin\Desktop\chrome.exe.exe
"C:\Users\Admin\Desktop\chrome.exe.exe"
1⤵
- Executes dropped EXE
PID:3212

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
a6832d8d9407883d5128d8a749c054e3

SHA1
be929ba7ac2cada1e618bdb6e0f7453a29e2694d

SHA256
d52692f045c067e2128d5509247c8f85fc8872667f55a50e2c60b1d2648e102a

SHA512
d5680b92e48ef69c32af276357493c65233a21c0f72285e711b88a00a21162acecd8a361f3984c350f9039e8609a2cbe4c2945b577d635272904c1f72f15944c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\p\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
4c08ac8a9eac7405a2afcbbc85567aec

SHA1
c778d871a99b7aaa5bd724ad07a498b9d1af1d6a

SHA256
32ce4150aae0459e9144b1e53868094b5e8dedfc13c3c01c9af2aa22d70ef97a

SHA512
6f0ca7de02f43ae9ffd9cd8d54504ebe3609a3d29bf7c5903151c383416066ae73699dc806ada3647340aefb902165dd323521765087f24de69061890c45ca31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
519B

MD5
4167540aa55381fa6fd54984617918f6

SHA1
956e7d552bcb8bcb901c409cc392177da01ef15f

SHA256
160197a18f54a32f685967a784f4c9a58524ee9c83a5bc15a853a55e7877801e

SHA512
6cd7b199957b0e6d6bb3dc842089ec5ff9ca522743f557f1465de5af3bf00667b18eb55ea956d8651036c71345cceef51c0200f31ee2b48b7b0b2be1f175a166

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
b68899f3c3d13797278d44625f3fedc0

SHA1
c08b03ef874d5e0554a332269f1b2f9629173ffd

SHA256
68e0d0b2b551d0b2bba5fb6af6d6fa074701de5d943c86c09dcca5c1b7153fff

SHA512
2f0bab13a7b44c47960aa4914395367e544a71cfd9e7c45027e665d86108a75f3a10f62bb427526b8449c8d54a1586d23d69d98f127f856e29e3bb1964493cb8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
af57e0e2a2e02fa08c3b9bc85b95934a

SHA1
23a7b2c46b72778d3b80ae24e1902369b123684d

SHA256
469a6aa4c6dfae3d8d0ad13cafddc3dbcf526c1f23dea62d4b1baf6cfe7e845b

SHA512
180611e1f4e0750ff0ce1f046f29f049ba399b2f97d647c1229d41b6cfba403d3bcaba1d15329a779f2a8783b41c6c074ca2aebc8d71126e2817ac3d2612924d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
3e19f17f0ecd899fcb7c2864f1549024

SHA1
e9acb3dd1a3abf8918ff5c9b3aff604895eba46c

SHA256
bf4c5db227cd9ab4f2fef4eb07d25f0d8e4477b2a7b9269f69f626209c12110b

SHA512
731adf140cd6034ae0cdb4a54e3d3952c6b68b8d41d65bd26fe8bd73425adb76745add7ccfbb7a7d5d29d4b0b6a7a4aa1a27d8cdb7cf96df2315a88cd874a6a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
74c84cf2f5c817b565003899aeac37ad

SHA1
8549f39ad26ce7e71bc9053e7ab54d87544e9c46

SHA256
a788ea2cf6c43ca9c10858f2499916f1e57ea772ec98ec1b6091df9c7ce1fe90

SHA512
e69f16351bcb5273c7c893d17721dec8f2f79c86036d05e1960be59a7e48e4e308e07a9ac8bfabf6b6865c393f4a24ff95b8e98beb85eb989ca5c3143ef700c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3632792119b68d82e2a959dabaa9d776

SHA1
b743c8ae2201b9da7822577f60ac2ac20ee0b378

SHA256
07b4a39cfaa384127b0f3412a096b15bdc1a81c80705eaf16614fb19cfced930

SHA512
c3e830f7ac06a7ce19aa817ae1eb7ddea2a3852bac07ea9663dd4e108668327d7a79993eadb69ca6d78f84b8497e244f0b9f83b24df112fa6a19fa5fd8ec6389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c5bb5230d718554bbd2e792bf617808f

SHA1
7920336219935ae0367ba83fee46005d2b74c7d7

SHA256
6c5b92286150a9a51b992d73bbdc36e96ab2d4b6692e40194aeb82c754a7ed9f

SHA512
e12b4c9378f50fe549cdef5ee60ec60f04bf02caf716bef032b38c0adf2a4e0fb69734372df220d33f79bbdaa9f35b8178650390fcf0edf55f928a80b9bc040d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
56dfde5edc61ec456a0581512f13315e

SHA1
8ec3088074ffea989e4d5c2773be5a4873a23235

SHA256
5cee8ccc3c867b79d14b122cb6432b7fb6092dceccdec50a2301c0b017bacc17

SHA512
7c55b8d3a1f37047b07e049c234d021eae11276161e63dc06dec9fc57d2d6b06ac39784f21830ee129db44dcd9a358b2ada3c48484b9e9b7e3d4a90bf5726a0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2022979b1ad9a805a636bb4cb1888b98

SHA1
6a209a1ebeaf6e826ad159b47e0709ddfc613749

SHA256
4c89d05b0a630a03db41b74acd6013dcbc4e221f699dc33e174b8b5e46bffec6

SHA512
b95651d6ce04e2d83c7059c2cbf85e37450bf09930b34342ccd7b4319fb3e5e781df64448924a52a09b8fa0993bf60c21eaae6e6c8ab054f8985850a14a9b1f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8deba135ca489e04be8239e24163d792

SHA1
edaa2e143a28a9fb340f4e075b87682061a2a6a6

SHA256
a061202670e0cb5efd4b31bc8b3792f92fa689190c9fd77621b76eab03039d15

SHA512
5d0bf73ad7b859e1dea5ed804334f974acd50abd06e9945c9eea01cd0f13635bdd1f331a1780cd28e172d1fad0d99eb08476b69ea7992e61ad67f12278799609

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b11b7d38a38fe47b9d30cbc5b46e31c6

SHA1
728bcf29cc6d6c880549608a575233bda00b545a

SHA256
51f12e63d36d5f423dfda800158d8f30344ddb1c7e8e5d95864336f27ffda411

SHA512
f3907d5d9874dfb637b2c2c197cda96d1833727e843da88ee2e27fd1028b55a64ef6e9f81d2e1d40a863248b9341f980700a565c2498e51fb3748db3d4c039ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
53a49726c1b410d43f50cb9c9d32803d

SHA1
7dd4038a14c70b7a85badd7ee4d179f24af3a49b

SHA256
214c8c7462262cd8e12e4eb27cc1b78e0d12f6e1790426dd530d876c77834781

SHA512
e47ba3c949de6755509cb14472778c6997729c6835ee146cfbff9f6632aac7e434210926947379a4917be1ae7dbb14b5a3a43d773bd92df5b1a76f648b304bb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
674dc248a46a0f76a64c18fefccc4989

SHA1
1cd90dfb9f2990ae18c5d9a848967aceb68bbe42

SHA256
8c0707d6336e6c2751c2f734a385289f5e9fac57c62248e85807f7d095ef551c

SHA512
d3821daaa4441b605f9b0e1a99447d2d02a5354b90f3dec18a3dde62aa725e19b48b3236670f0504181432fb1f5a6d742390f83ec244395429f31bc8a134ef71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
7644381727e5302cd5aabae93ae203a2

SHA1
96954f9c2f5d1c57145eaf8ed89877ce3b41f6fe

SHA256
7d3e5c28e2f6fe0e6d7c4114326cfba2d23edf6ae6f04f5aa4d595894ebd36ff

SHA512
ece7b8d52ae8dc359cf9b7fe435b3d8ee10bbc80ef5bf5f43e30554ac82ea13fd38fcba8ecb4e67b72f095bcf7737399f012ed0a8b462de7d8206567690c0787

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
1c161bb331390fac37e77151651e5e6f

SHA1
9a33bcaedc567024209b243716329f21e91daf63

SHA256
a77d9df152f23af6bbb45fc51d12d385ac03eabe6c17aa36c9463466256e427d

SHA512
acbb742dc9ad2bbf829f4eb013b1a0e3fe2369e5b1d8c66ccdc32075a42b9bb32429351bdf349681f9582719556512a67fb2ebca75939c74b844c3fdc6d68ecc

Download Submit
C:\Users\Admin\Desktop\RuntimeBroker.exe

Filesize
3.5MB

MD5
b19e0418f436a10bfb7beba2008438e9

SHA1
79cbee755cf6b7766e7bdc7e224e12b3bad21efc

SHA256
117c66635cd244bcef83db4686f33d97fa463a925e508062a3ddb3f9ad17024d

SHA512
22c093e29bc66a91c00594df7081feda1743ff43a54231fd6bbe8af5bd5770035c99a1b5af7dd0e63facfbf51cb99615fa99367c5781e0abcf353ef37f055a62

Download Submit
C:\Users\Admin\Desktop\chrome.exe

Filesize
4KB

MD5
1be1ce6e2ba8d48d6b7723d1cee60835

SHA1
5275ab2168805661320f6b37e166767f3289d178

SHA256
e252353fd8a274c9c6fe53dfd4907b652c2a37b052987efca9e0a7b53322b46c

SHA512
1670327a7511b385e0b0cca326c69b43d8ff6627d8aab4e107fc15af540b0321a267e07018d687285a3feb1d844573c64d108e096113b6b5182266b7bb6d6559

Download Submit
C:\Users\Admin\Downloads\Local.zip

Filesize
6.2MB

MD5
28ec03cd428c58a975131517e6c50927

SHA1
cc35293d424773209b72f497b90907bb7e81d71e

SHA256
e626678a115d837a25e05d7220682c60d55a292645aa00ceb2459f207b95be2a

SHA512
37f31ca6d2b2e676986bec1dae35f976e6216b9a2c725bb11f2be579b6dc31a471b4da928d3075db20ff7a51116a693d9c00b169a8ce577fff8bdf5e56833aea

Download Submit
memory/212-390-0x0000026E63210000-0x0000026E63211000-memory.dmp

Filesize
4KB

Download
memory/212-383-0x0000026E63210000-0x0000026E63211000-memory.dmp

Filesize
4KB

Download
memory/212-385-0x0000026E63210000-0x0000026E63211000-memory.dmp

Filesize
4KB

Download
memory/212-384-0x0000026E63210000-0x0000026E63211000-memory.dmp

Filesize
4KB

Download
memory/212-389-0x0000026E63210000-0x0000026E63211000-memory.dmp

Filesize
4KB

Download
memory/212-395-0x0000026E63210000-0x0000026E63211000-memory.dmp

Filesize
4KB

Download
memory/212-394-0x0000026E63210000-0x0000026E63211000-memory.dmp

Filesize
4KB

Download
memory/212-393-0x0000026E63210000-0x0000026E63211000-memory.dmp

Filesize
4KB

Download
memory/212-392-0x0000026E63210000-0x0000026E63211000-memory.dmp

Filesize
4KB

Download
memory/212-391-0x0000026E63210000-0x0000026E63211000-memory.dmp

Filesize
4KB

Download
memory/1264-211-0x0000000000B80000-0x0000000000B88000-memory.dmp

Filesize
32KB

Download
memory/1448-254-0x000000001C760000-0x000000001C76E000-memory.dmp

Filesize
56KB

Download
memory/1448-256-0x000000001C800000-0x000000001C818000-memory.dmp

Filesize
96KB

Download
memory/1448-258-0x000000001C870000-0x000000001C8BE000-memory.dmp

Filesize
312KB

Download
memory/1448-252-0x000000001C750000-0x000000001C760000-memory.dmp

Filesize
64KB

Download
memory/1448-250-0x000000001C740000-0x000000001C74E000-memory.dmp

Filesize
56KB

Download
memory/1448-248-0x000000001C7A0000-0x000000001C7FA000-memory.dmp

Filesize
360KB

Download
memory/1448-246-0x000000001C3F0000-0x000000001C400000-memory.dmp

Filesize
64KB

Download
memory/1448-244-0x000000001C3E0000-0x000000001C3F0000-memory.dmp

Filesize
64KB

Download
memory/1448-242-0x000000001C360000-0x000000001C36E000-memory.dmp

Filesize
56KB

Download
memory/1448-240-0x000000001CC70000-0x000000001D198000-memory.dmp

Filesize
5.2MB

Download
memory/1448-239-0x000000001C720000-0x000000001C732000-memory.dmp

Filesize
72KB

Download
memory/1448-237-0x000000001C700000-0x000000001C716000-memory.dmp

Filesize
88KB

Download
memory/1448-233-0x000000001C350000-0x000000001C360000-memory.dmp

Filesize
64KB

Download
memory/1448-231-0x000000001C370000-0x000000001C382000-memory.dmp

Filesize
72KB

Download
memory/1448-229-0x000000001C340000-0x000000001C34E000-memory.dmp

Filesize
56KB

Download
memory/1448-227-0x000000001AF90000-0x000000001AFA0000-memory.dmp

Filesize
64KB

Download
memory/1448-225-0x000000001AF80000-0x000000001AF90000-memory.dmp

Filesize
64KB

Download
memory/1448-223-0x000000001AFE0000-0x000000001AFF8000-memory.dmp

Filesize
96KB

Download
memory/1448-221-0x000000001AF40000-0x000000001AF50000-memory.dmp

Filesize
64KB

Download
memory/1448-219-0x000000001C390000-0x000000001C3E0000-memory.dmp

Filesize
320KB

Download
memory/1448-218-0x000000001AFA0000-0x000000001AFBC000-memory.dmp

Filesize
112KB

Download
memory/1448-216-0x000000001AF30000-0x000000001AF3E000-memory.dmp

Filesize
56KB

Download
memory/1448-214-0x000000001AF50000-0x000000001AF76000-memory.dmp

Filesize
152KB

Download
memory/1448-208-0x00000000002E0000-0x0000000000668000-memory.dmp

Filesize
3.5MB

Download