hxxps://drive[.]google[.]com/drive/folders/11uuozk4aHKQkmOGEBTfTq--XWle2lc1h

Analysis

max time kernel
106s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2024 17:07

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://drive.google.com/drive/folders/11uuozk4aHKQkmOGEBTfTq--XWle2lc1h

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
5	drive.google.com
1	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies data under HKEY_USERS 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "126"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4832	WINWORD.EXE
4832	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
3244	chrome.exe
3244	chrome.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe
Token: SeShutdownPrivilege	3244	chrome.exe
Token: SeCreatePagefilePrivilege	3244	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
3244	chrome.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
4832	WINWORD.EXE
4832	WINWORD.EXE
4832	WINWORD.EXE
4832	WINWORD.EXE
4832	WINWORD.EXE
4832	WINWORD.EXE
4832	WINWORD.EXE
4832	WINWORD.EXE
4832	WINWORD.EXE
4832	WINWORD.EXE
4832	WINWORD.EXE
4832	WINWORD.EXE
4832	WINWORD.EXE
3720	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3244 wrote to memory of 4560	3244	chrome.exe	81
PID 3244 wrote to memory of 4560	3244	chrome.exe	81
PID 3244 wrote to memory of 2928	3244	chrome.exe	83
PID 3244 wrote to memory of 2928	3244	chrome.exe	83
PID 3244 wrote to memory of 2928	3244	chrome.exe	83
PID 3244 wrote to memory of 2928	3244	chrome.exe	83
PID 3244 wrote to memory of 2928	3244	chrome.exe	83
PID 3244 wrote to memory of 2928	3244	chrome.exe	83
PID 3244 wrote to memory of 2928	3244	chrome.exe	83
PID 3244 wrote to memory of 2928	3244	chrome.exe	83
PID 3244 wrote to memory of 2928	3244	chrome.exe	83
PID 3244 wrote to memory of 2928	3244	chrome.exe	83
PID 3244 wrote to memory of 2928	3244	chrome.exe	83
PID 3244 wrote to memory of 2928	3244	chrome.exe	83
PID 3244 wrote to memory of 2928	3244	chrome.exe	83
PID 3244 wrote to memory of 2928	3244	chrome.exe	83
PID 3244 wrote to memory of 2928	3244	chrome.exe	83
PID 3244 wrote to memory of 2928	3244	chrome.exe	83
PID 3244 wrote to memory of 2928	3244	chrome.exe	83
PID 3244 wrote to memory of 2928	3244	chrome.exe	83
PID 3244 wrote to memory of 2928	3244	chrome.exe	83
PID 3244 wrote to memory of 2928	3244	chrome.exe	83
PID 3244 wrote to memory of 2928	3244	chrome.exe	83
PID 3244 wrote to memory of 2928	3244	chrome.exe	83
PID 3244 wrote to memory of 2928	3244	chrome.exe	83
PID 3244 wrote to memory of 2928	3244	chrome.exe	83
PID 3244 wrote to memory of 2928	3244	chrome.exe	83
PID 3244 wrote to memory of 2928	3244	chrome.exe	83
PID 3244 wrote to memory of 2928	3244	chrome.exe	83
PID 3244 wrote to memory of 2928	3244	chrome.exe	83
PID 3244 wrote to memory of 2928	3244	chrome.exe	83
PID 3244 wrote to memory of 2928	3244	chrome.exe	83
PID 3244 wrote to memory of 4112	3244	chrome.exe	84
PID 3244 wrote to memory of 4112	3244	chrome.exe	84
PID 3244 wrote to memory of 1068	3244	chrome.exe	85
PID 3244 wrote to memory of 1068	3244	chrome.exe	85
PID 3244 wrote to memory of 1068	3244	chrome.exe	85
PID 3244 wrote to memory of 1068	3244	chrome.exe	85
PID 3244 wrote to memory of 1068	3244	chrome.exe	85
PID 3244 wrote to memory of 1068	3244	chrome.exe	85
PID 3244 wrote to memory of 1068	3244	chrome.exe	85
PID 3244 wrote to memory of 1068	3244	chrome.exe	85
PID 3244 wrote to memory of 1068	3244	chrome.exe	85
PID 3244 wrote to memory of 1068	3244	chrome.exe	85
PID 3244 wrote to memory of 1068	3244	chrome.exe	85
PID 3244 wrote to memory of 1068	3244	chrome.exe	85
PID 3244 wrote to memory of 1068	3244	chrome.exe	85
PID 3244 wrote to memory of 1068	3244	chrome.exe	85
PID 3244 wrote to memory of 1068	3244	chrome.exe	85
PID 3244 wrote to memory of 1068	3244	chrome.exe	85
PID 3244 wrote to memory of 1068	3244	chrome.exe	85
PID 3244 wrote to memory of 1068	3244	chrome.exe	85
PID 3244 wrote to memory of 1068	3244	chrome.exe	85
PID 3244 wrote to memory of 1068	3244	chrome.exe	85
PID 3244 wrote to memory of 1068	3244	chrome.exe	85
PID 3244 wrote to memory of 1068	3244	chrome.exe	85
PID 3244 wrote to memory of 1068	3244	chrome.exe	85
PID 3244 wrote to memory of 1068	3244	chrome.exe	85
PID 3244 wrote to memory of 1068	3244	chrome.exe	85
PID 3244 wrote to memory of 1068	3244	chrome.exe	85
PID 3244 wrote to memory of 1068	3244	chrome.exe	85
PID 3244 wrote to memory of 1068	3244	chrome.exe	85
PID 3244 wrote to memory of 1068	3244	chrome.exe	85
PID 3244 wrote to memory of 1068	3244	chrome.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/drive/folders/11uuozk4aHKQkmOGEBTfTq--XWle2lc1h
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ff82e88cc40,0x7ff82e88cc4c,0x7ff82e88cc58
  2⤵
  PID:4560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1936,i,8640979892261478011,10542503494810690546,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1932 /prefetch:2
  2⤵
  PID:2928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2120,i,8640979892261478011,10542503494810690546,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1764 /prefetch:3
  2⤵
  PID:4112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2228,i,8640979892261478011,10542503494810690546,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2248 /prefetch:8
  2⤵
  PID:1068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,8640979892261478011,10542503494810690546,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3120 /prefetch:1
  2⤵
  PID:4576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,8640979892261478011,10542503494810690546,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:4396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4704,i,8640979892261478011,10542503494810690546,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4716 /prefetch:8
  2⤵
  PID:3932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4380,i,8640979892261478011,10542503494810690546,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4872 /prefetch:1
  2⤵
  PID:4324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=5048,i,8640979892261478011,10542503494810690546,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4724 /prefetch:1
  2⤵
  PID:4464

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3824

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\StopExport.odt"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4832

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4740

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3912055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
936B

MD5
fdcb31d52b5138e9063bc5605406c5f9

SHA1
c06bbca421c185cb02b6c639bc650a86e508de7c

SHA256
a502ba797549590ff400ceb6e42ae095a9eecf779b2d9e65164ce6030fa6a3b5

SHA512
5c87b8224e86c79afa0b54ad61c8e6499af88a7819d7ab83f6bad0a3512e7c930edb8ce43dd05f878f8c6884d87a232062ecab1534d6acaf4308d0c9e04b4759

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
960B

MD5
9f8bcfa86ed6a9ab2c6a2a69642e7fbc

SHA1
0920da1399e59a8e12820c466fe112558942909a

SHA256
add9b7423eb9a316c594ac24a9aa9908be59b27c9fa8f87d3f4c74523faad1e6

SHA512
4339fc49b61bfa2b61e359e8cbd8874dc7a32ba4c9f1c0fa29b7e0e371521e72954de151ab548c266d6c0cc2a645be3c07811ae590e549c3e51a208308300466

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
b053e6d9bb4acf27f53a3040c5eb072b

SHA1
244fcbf1efc07e00fa1bbd08ea243be8bfa45558

SHA256
8a3d1fcf0cfbdaf18992bb4bef17424602580451a30c15eab0cce3ffa7309edf

SHA512
2ef8e092b00cdff4a085cc7d581432cd7d9f9e9a47833550de3d48585726805385e46f8c540eec4d5a9de3f02e3d1258c1f7527a5643f5c7a2dbd9ec3c38b5e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
0c87093a2a7a26ce0d8da9546df168d4

SHA1
718986328c2e196d0c805fa71cdc5f465dc6b007

SHA256
eb5b4aa7787328eec285d663bccff327002e26fcbb3c9850e8ac216e131226dc

SHA512
5585dacc45f60512511606f86947a2d69ea82164eed752dffffa9444f236c15335cea6b6451eed24d455db2c2fb8c10d3d83248ddfc3284536573592085107ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f1afa68b44b31aea3686782623ea46fe

SHA1
6d3f5311881159a2722f4193c0b6856b468d0583

SHA256
fbcbfa47e9d3dc95b843df2b5d0bae2ea495a040a3524add39ebfed7e0077059

SHA512
ccc2b311a68d0993a2e5936156bb4122213d03bb27ac38a84cc3eae7a5a9b7779d8b3715a786b2ca8e5b05684642eddf646bc1a4a15e3b4ace36f2574fc3ad44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c1c43e506c60ed91e5291e391f2b2315

SHA1
07e131ac5652827108c28643988d041b58a56c08

SHA256
d23b3c2fbc62f4ecd1ad470ef1b383e6453d7cd714ad6c608318f7a10e741d9f

SHA512
fbed2d76d72cbf76dd5509f63c7e0618ef7b58e88df579125886ad31ee653589bb2a760a6156bf3e6801d9902e07b0be1f69ae5f7fe2e06cb0b0f74695ce0c8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
313e718575b3ca8d3f6f02d6282de305

SHA1
52ced44b6a834bddee8f3fb69a525b8d7fa7e028

SHA256
304d2c50b7f7a849118bcd89e76ca0b3e562b3d993b558daa816e3e0c7c9f670

SHA512
91bb222fd263116cf4b0c2991b22fc9155d4fdf433742aef7e76cb92febda0c3dc3a381f384b38aee80c3e92f7509ac81db2a25787ceab0e995ed465c936c245

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
a1bc0307db314b9225586323d0f61825

SHA1
703bbb0965c3e93dfffbc12f5716597a47f446a3

SHA256
186b97f8620e9760f5ed9a73f6779509308b84d29a67834ad6a8f5bbe2307dfb

SHA512
77c6dfb84c0bfa764946327a3c6801cb5844cb690efc632d7819945dbad86581a5914796266ba33399b824eb961c5a849e6066d9c49a0867e2fce8e14de6cad6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
0ac5681195fd1ba7d10ca24cdb8e9527

SHA1
33baf7945ff45f50bb0e37d6a01a5d2a05aa9ba7

SHA256
108ace5c652de20235e3b39a858fe2a9dbabb2edfc86628fa28ea5700ee8124d

SHA512
350d1df00e637be8fc1f3f8d824cad89347b89194862dd61db20367049ee9915c5b7b2cb8a7e3ac80922b135566bd7c94650af335fa5b29c82f2873e81990f8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
84a7d5e8097a46511fe07b37e3293b34

SHA1
4944f9f33d245a37ca64febae897904376f453b7

SHA256
c52edfbef32a17620571134f1ee13e6c9e51d5c302a7c2d10a7b61f330a16839

SHA512
20c59914f773b484644a760e391972fe1842a8e5b1998853ed11bf7b0e76aed6844c64eeb840eef0e17ef5677260cbc0ae7fcf9c1930f1ec07bb949bdc722f2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1d26f3caec4bc5f95fba1147250479b2

SHA1
ecbfd56d516fc97790feb09e8818600601f38631

SHA256
1ac170d557884c2702025675da4ea7c602cae30851a72df95a83c0f33a79c12d

SHA512
3e9c8c25ccb8dbdf8b4024f6724a4830650cadcd499b1d15b0419df8cfeedab96669825c4022442377c16d1483a9b089c30272ea3d5ad82d3ff66e372c29e1b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
68d237c7f293cb649f3b08786c2da925

SHA1
9f934deca43d43e5dbcc2d71ec6cc0b9ea0e2530

SHA256
25e9b499e8a84701d600c34226cd1048f1edb26a1be08fdf9da6cae39adc3ae5

SHA512
0a2f79afdee41f2e41f0c2056e537e306e06f1ef4ac0c97524a7521d8ece24f4b1221714a503962b679817ba81ace6e39038dfd37123c8cbb3223afa6e75f874

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8bf09d40f83f6b8139d61bad3873e44a

SHA1
2713c776d3365cd451078ef476a573ff47c0977f

SHA256
8b0971eedd045defb108bf18f0ad2f1d5ef41e82c7228dc16e1111cb5c6e1252

SHA512
d547a8dc69f8fe742fdf4f284eb806550b8a439af727aa57139512a1d38e179a21cc3655d06e99278a538ce3247258a92255d63ef7cd73fea498f8a7efd261c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e4dd941ea17188685725767408cbc5a8

SHA1
703179bf6c6280b6c8aa1addc53c2a9765a4a9c9

SHA256
cd7131a290dd10a8c54679cc28fbf424833c800f2565865a26328a1e3b2b3587

SHA512
1dae769b49368cf8b2b20f869597bc6daa9ccafc080d88d75c6f39114648c0c966c3813112a7dbbda0a18cccf5ecfe049f655c69f4c7515b6defca2374d1e09c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
a6ea819742162f826092731f7fd3aaaa

SHA1
11748497958c2a7f5bf3a44b7cd79fdc70f92bd4

SHA256
2f81fa66b08804c38f5f0cece657f00bc811fb0628ac5974a38b8a766f54ec38

SHA512
df7b3973713be2e1ec86656aa7dbf79475fd21667f11eedbeaa27059186139b84fb3d9166186e186bf8e22b5cbc21d7ed4846b8c7773c8bea4d0b7c9e2db6aea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
42b0dedcd6b7c561a53107df8faddb56

SHA1
81ac2d367c0cd26580804fe28687628048d23437

SHA256
fbee7ca72c40a80ab3b97548a92816aaaaa418c28a51578418e275f36f43936a

SHA512
f888295962355b404fa96cc859cf2966943b47dc161ba43b92921f43c90fea6633a17638a1cb3c7c68dc90c03af5f16a78bd93923cf7fb320c665de783fb5dc9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
7f378ac40e3da3a891fe4e9cbbbff140

SHA1
8bdadbf6649474644f03bb4f07ef2ea14fcec490

SHA256
2696b094a867068cc3a706dfb90c8cfce61085aac4cd58de5b6d72fc039a443e

SHA512
e649897479caae9087b20b9f8ce6c03e834e8f592748eb7ad9832368c799abe585c45751b33f1da5cdee83ea4ea0018be90018bb164f7d3834cac794897e99c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
9d5412023f298ee89b14814d2284f920

SHA1
7a0196c1353255487b81af9ba490665f1353a6db

SHA256
2ec82a22621ec4913e76256610997d97379e1e2b5b147b99919b0272673919e0

SHA512
37a241b14ec69a3cdd0836ba30b1d1c5c339c32b454bd60e4b6fa5adbcdb16114ddbfedfe77e215ed87553536b3596499df8b2348428df6ad3d80561df095894

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD6DC4.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
memory/4740-606-0x000002950BED0000-0x000002950BED1000-memory.dmp

Filesize
4KB

Download
memory/4740-607-0x000002950BED0000-0x000002950BED1000-memory.dmp

Filesize
4KB

Download
memory/4740-597-0x000002950BED0000-0x000002950BED1000-memory.dmp

Filesize
4KB

Download
memory/4740-596-0x000002950BED0000-0x000002950BED1000-memory.dmp

Filesize
4KB

Download
memory/4740-595-0x000002950BED0000-0x000002950BED1000-memory.dmp

Filesize
4KB

Download
memory/4740-605-0x000002950BED0000-0x000002950BED1000-memory.dmp

Filesize
4KB

Download
memory/4740-604-0x000002950BED0000-0x000002950BED1000-memory.dmp

Filesize
4KB

Download
memory/4740-603-0x000002950BED0000-0x000002950BED1000-memory.dmp

Filesize
4KB

Download
memory/4740-602-0x000002950BED0000-0x000002950BED1000-memory.dmp

Filesize
4KB

Download
memory/4740-601-0x000002950BED0000-0x000002950BED1000-memory.dmp

Filesize
4KB

Download
memory/4832-174-0x00007FF7FDE70000-0x00007FF7FDE80000-memory.dmp

Filesize
64KB

Download
memory/4832-190-0x00007FF83DDF0000-0x00007FF83DFE5000-memory.dmp

Filesize
2.0MB

Download
memory/4832-186-0x00007FF83DDF0000-0x00007FF83DFE5000-memory.dmp

Filesize
2.0MB

Download
memory/4832-191-0x00007FF83DDF0000-0x00007FF83DFE5000-memory.dmp

Filesize
2.0MB

Download
memory/4832-192-0x00007FF83DDF0000-0x00007FF83DFE5000-memory.dmp

Filesize
2.0MB

Download
memory/4832-189-0x00007FF83DDF0000-0x00007FF83DFE5000-memory.dmp

Filesize
2.0MB

Download
memory/4832-232-0x00007FF83DDF0000-0x00007FF83DFE5000-memory.dmp

Filesize
2.0MB

Download
memory/4832-188-0x00007FF83DDF0000-0x00007FF83DFE5000-memory.dmp

Filesize
2.0MB

Download
memory/4832-187-0x00007FF83DDF0000-0x00007FF83DFE5000-memory.dmp

Filesize
2.0MB

Download
memory/4832-185-0x00007FF83DDF0000-0x00007FF83DFE5000-memory.dmp

Filesize
2.0MB

Download
memory/4832-172-0x00007FF7FDE70000-0x00007FF7FDE80000-memory.dmp

Filesize
64KB

Download
memory/4832-175-0x00007FF83DDF0000-0x00007FF83DFE5000-memory.dmp

Filesize
2.0MB

Download
memory/4832-183-0x00007FF83DDF0000-0x00007FF83DFE5000-memory.dmp

Filesize
2.0MB

Download
memory/4832-184-0x00007FF7FBE10000-0x00007FF7FBE20000-memory.dmp

Filesize
64KB

Download
memory/4832-182-0x00007FF83DDF0000-0x00007FF83DFE5000-memory.dmp

Filesize
2.0MB

Download
memory/4832-181-0x00007FF83DDF0000-0x00007FF83DFE5000-memory.dmp

Filesize
2.0MB

Download
memory/4832-177-0x00007FF83DDF0000-0x00007FF83DFE5000-memory.dmp

Filesize
2.0MB

Download
memory/4832-180-0x00007FF7FBE10000-0x00007FF7FBE20000-memory.dmp

Filesize
64KB

Download
memory/4832-178-0x00007FF83DDF0000-0x00007FF83DFE5000-memory.dmp

Filesize
2.0MB

Download
memory/4832-179-0x00007FF83DDF0000-0x00007FF83DFE5000-memory.dmp

Filesize
2.0MB

Download
memory/4832-176-0x00007FF83DDF0000-0x00007FF83DFE5000-memory.dmp

Filesize
2.0MB

Download
memory/4832-173-0x00007FF83DE8D000-0x00007FF83DE8E000-memory.dmp

Filesize
4KB

Download
memory/4832-171-0x00007FF7FDE70000-0x00007FF7FDE80000-memory.dmp

Filesize
64KB

Download
memory/4832-169-0x00007FF7FDE70000-0x00007FF7FDE80000-memory.dmp

Filesize
64KB

Download
memory/4832-170-0x00007FF7FDE70000-0x00007FF7FDE80000-memory.dmp

Filesize
64KB

Download
memory/4832-696-0x00007FF83DDF0000-0x00007FF83DFE5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads