hxxps://citra-emulator[.]com/download/windows/

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-08-2024 05:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://citra-emulator.com/download/windows/

Score

5^/10

discovery

Malware Config

Signatures

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\.md\ = "md_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\md_auto_file\shell\edit	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\md_auto_file\shell\edit\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\.md	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\md_auto_file	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\md_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\md_auto_file\shell\open\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\퇶阋Ѐ耀\ = "md_auto_file"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\md_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\md_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\퇷阄̀蠀⹠作ɟ	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\퇶阋Ѐ耀	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\md_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\퇷阄̀蠀⹠作ɟ\ = "md_auto_file"	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4908	chrome.exe
4908	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4092	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe
Token: SeShutdownPrivilege	4908	chrome.exe
Token: SeCreatePagefilePrivilege	4908	chrome.exe

Suspicious use of FindShellTrayWindow 44 IoCs

pid	Process
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe
4908	chrome.exe

Suspicious use of SetWindowsHookEx 27 IoCs

pid	Process
4092	OpenWith.exe
4092	OpenWith.exe
4092	OpenWith.exe
4092	OpenWith.exe
4092	OpenWith.exe
4092	OpenWith.exe
4092	OpenWith.exe
4092	OpenWith.exe
4092	OpenWith.exe
4092	OpenWith.exe
4092	OpenWith.exe
4092	OpenWith.exe
4092	OpenWith.exe
4092	OpenWith.exe
4092	OpenWith.exe
4092	OpenWith.exe
4092	OpenWith.exe
4092	OpenWith.exe
4092	OpenWith.exe
4092	OpenWith.exe
4092	OpenWith.exe
2092	OpenWith.exe
4044	OpenWith.exe
4044	OpenWith.exe
4044	OpenWith.exe
4044	OpenWith.exe
4044	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 2088	4908	chrome.exe	81
PID 4908 wrote to memory of 2088	4908	chrome.exe	81
PID 4908 wrote to memory of 3736	4908	chrome.exe	82
PID 4908 wrote to memory of 3736	4908	chrome.exe	82
PID 4908 wrote to memory of 3736	4908	chrome.exe	82
PID 4908 wrote to memory of 3736	4908	chrome.exe	82
PID 4908 wrote to memory of 3736	4908	chrome.exe	82
PID 4908 wrote to memory of 3736	4908	chrome.exe	82
PID 4908 wrote to memory of 3736	4908	chrome.exe	82
PID 4908 wrote to memory of 3736	4908	chrome.exe	82
PID 4908 wrote to memory of 3736	4908	chrome.exe	82
PID 4908 wrote to memory of 3736	4908	chrome.exe	82
PID 4908 wrote to memory of 3736	4908	chrome.exe	82
PID 4908 wrote to memory of 3736	4908	chrome.exe	82
PID 4908 wrote to memory of 3736	4908	chrome.exe	82
PID 4908 wrote to memory of 3736	4908	chrome.exe	82
PID 4908 wrote to memory of 3736	4908	chrome.exe	82
PID 4908 wrote to memory of 3736	4908	chrome.exe	82
PID 4908 wrote to memory of 3736	4908	chrome.exe	82
PID 4908 wrote to memory of 3736	4908	chrome.exe	82
PID 4908 wrote to memory of 3736	4908	chrome.exe	82
PID 4908 wrote to memory of 3736	4908	chrome.exe	82
PID 4908 wrote to memory of 3736	4908	chrome.exe	82
PID 4908 wrote to memory of 3736	4908	chrome.exe	82
PID 4908 wrote to memory of 3736	4908	chrome.exe	82
PID 4908 wrote to memory of 3736	4908	chrome.exe	82
PID 4908 wrote to memory of 3736	4908	chrome.exe	82
PID 4908 wrote to memory of 3736	4908	chrome.exe	82
PID 4908 wrote to memory of 3736	4908	chrome.exe	82
PID 4908 wrote to memory of 3736	4908	chrome.exe	82
PID 4908 wrote to memory of 3736	4908	chrome.exe	82
PID 4908 wrote to memory of 3736	4908	chrome.exe	82
PID 4908 wrote to memory of 4108	4908	chrome.exe	83
PID 4908 wrote to memory of 4108	4908	chrome.exe	83
PID 4908 wrote to memory of 3840	4908	chrome.exe	84
PID 4908 wrote to memory of 3840	4908	chrome.exe	84
PID 4908 wrote to memory of 3840	4908	chrome.exe	84
PID 4908 wrote to memory of 3840	4908	chrome.exe	84
PID 4908 wrote to memory of 3840	4908	chrome.exe	84
PID 4908 wrote to memory of 3840	4908	chrome.exe	84
PID 4908 wrote to memory of 3840	4908	chrome.exe	84
PID 4908 wrote to memory of 3840	4908	chrome.exe	84
PID 4908 wrote to memory of 3840	4908	chrome.exe	84
PID 4908 wrote to memory of 3840	4908	chrome.exe	84
PID 4908 wrote to memory of 3840	4908	chrome.exe	84
PID 4908 wrote to memory of 3840	4908	chrome.exe	84
PID 4908 wrote to memory of 3840	4908	chrome.exe	84
PID 4908 wrote to memory of 3840	4908	chrome.exe	84
PID 4908 wrote to memory of 3840	4908	chrome.exe	84
PID 4908 wrote to memory of 3840	4908	chrome.exe	84
PID 4908 wrote to memory of 3840	4908	chrome.exe	84
PID 4908 wrote to memory of 3840	4908	chrome.exe	84
PID 4908 wrote to memory of 3840	4908	chrome.exe	84
PID 4908 wrote to memory of 3840	4908	chrome.exe	84
PID 4908 wrote to memory of 3840	4908	chrome.exe	84
PID 4908 wrote to memory of 3840	4908	chrome.exe	84
PID 4908 wrote to memory of 3840	4908	chrome.exe	84
PID 4908 wrote to memory of 3840	4908	chrome.exe	84
PID 4908 wrote to memory of 3840	4908	chrome.exe	84
PID 4908 wrote to memory of 3840	4908	chrome.exe	84
PID 4908 wrote to memory of 3840	4908	chrome.exe	84
PID 4908 wrote to memory of 3840	4908	chrome.exe	84
PID 4908 wrote to memory of 3840	4908	chrome.exe	84
PID 4908 wrote to memory of 3840	4908	chrome.exe	84

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://citra-emulator.com/download/windows/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff3813cc40,0x7fff3813cc4c,0x7fff3813cc58
  2⤵
  PID:2088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1984,i,14131661777784925149,14247111584666843675,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1980 /prefetch:2
  2⤵
  PID:3736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1812,i,14131661777784925149,14247111584666843675,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2016 /prefetch:3
  2⤵
  PID:4108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2228,i,14131661777784925149,14247111584666843675,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2488 /prefetch:8
  2⤵
  PID:3840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,14131661777784925149,14247111584666843675,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:3596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3120,i,14131661777784925149,14247111584666843675,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:2460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4620,i,14131661777784925149,14247111584666843675,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4688 /prefetch:1
  2⤵
  PID:3656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4856,i,14131661777784925149,14247111584666843675,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4716 /prefetch:8
  2⤵
  PID:4560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4872,i,14131661777784925149,14247111584666843675,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4952 /prefetch:1
  2⤵
  PID:4388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5156,i,14131661777784925149,14247111584666843675,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:1124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5352,i,14131661777784925149,14247111584666843675,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:3972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5640,i,14131661777784925149,14247111584666843675,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4776 /prefetch:1
  2⤵
  PID:3500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5620,i,14131661777784925149,14247111584666843675,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5700 /prefetch:8
  2⤵
  PID:2272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5064,i,14131661777784925149,14247111584666843675,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5036 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3540

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4768

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2336

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4092
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\citra-windows-msvc-20240717-518f723\citra-windows-msvc-20240717-518f723\README.md
  2⤵
  PID:4336

C:\Users\Admin\Downloads\citra-windows-msvc-20240717-518f723\citra-windows-msvc-20240717-518f723\citra.exe
"C:\Users\Admin\Downloads\citra-windows-msvc-20240717-518f723\citra-windows-msvc-20240717-518f723\citra.exe"
1⤵
PID:5088

C:\Users\Admin\Downloads\citra-windows-msvc-20240717-518f723\citra-windows-msvc-20240717-518f723\citra.exe
"C:\Users\Admin\Downloads\citra-windows-msvc-20240717-518f723\citra-windows-msvc-20240717-518f723\citra.exe"
1⤵
PID:4484

C:\Users\Admin\Downloads\citra-windows-msvc-20240717-518f723\citra-windows-msvc-20240717-518f723\citra-room.exe
"C:\Users\Admin\Downloads\citra-windows-msvc-20240717-518f723\citra-windows-msvc-20240717-518f723\citra-room.exe"
1⤵
PID:2356

C:\Users\Admin\Downloads\citra-windows-msvc-20240717-518f723\citra-windows-msvc-20240717-518f723\citra-qt.exe
"C:\Users\Admin\Downloads\citra-windows-msvc-20240717-518f723\citra-windows-msvc-20240717-518f723\citra-qt.exe"
1⤵
PID:3784

C:\Users\Admin\Downloads\citra-windows-msvc-20240717-518f723\citra-windows-msvc-20240717-518f723\citra-qt.exe
"C:\Users\Admin\Downloads\citra-windows-msvc-20240717-518f723\citra-windows-msvc-20240717-518f723\citra-qt.exe"
1⤵
PID:4336

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2092

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4044
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\citra-windows-msvc-20240717-518f723\citra-windows-msvc-20240717-518f723\README.md
  2⤵
  PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001e

Filesize
20KB

MD5
6931123c52bee278b00ee54ae99f0ead

SHA1
6907e9544cd8b24f602d0a623cfe32fe9426f81f

SHA256
c54a6c3031bf3472077c716fa942bd683119dc483b7e0181e8a608fa0b309935

SHA512
40221fe98816aa369c45f87dc62e6d91fcdb559d9756cb6a05819f1cde629e23a51803e71371f4e4f27112a09489d58ed45b2b901a5f2f00c69c082b3576057f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
04a91700a83805e3fb5fa34bc666e470

SHA1
41775df4992b595b8a768655a31c3953b8ae8e7e

SHA256
aab21d281b85a2545ce9c9e3fd01a7f2dafbbf56a0c2bb88321a84eba0c918ca

SHA512
c533ac77ed430c1ea15bf17e8d708af2678d0252447cd38319db00a82e01ed96f80227508da25e2a555325b002796380778f87efbad20f72449ccb21aad6715e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
9KB

MD5
1349391fb0ff1cda63fe26862be8e807

SHA1
0c97fed0caf92350d1a243a6f63c96a25a7ed5bb

SHA256
f52dcdf8566ab3c4801b4d8e7d5e8aa0a14c1897aef3fdd025d0cf5e6bed474a

SHA512
3bbd68614cf6701819d3ef4d704cdd6e500d7ad358cfa13fb433d6b8f3cdfcb9da74b4c8e9ab5c2857fd14a50712931366cd53144fb74275cfb31d033c8bed82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
381f5a0e2902717ac0cf12b9e1084a5f

SHA1
09b90ead2b10b87d748b8864153b442e74a160fd

SHA256
145de27736422562f0dd6813685f6a9491c20da09b0b3375fff160948998ebd7

SHA512
7f2a73494d5d1b78639b80fe4e45dac83b7b38909499e4695f022d997637b4dfee39f25d6ff378892eb982aa7bd5243e78cc65f3284b1d84ef67a49448fcef68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
039b486f666a831812222a8c0aae6080

SHA1
2f5cea001cec80cd924d2a4dc36ea2fb277d6df7

SHA256
fcb91375d0d851f04c65b2acd807d7695d80edf864711558b35d3e5df32bff78

SHA512
343b30a6d7010432ad16b52e93cd87598658f3fdd1b1697942aed43e7532d3001a327d1bb2fadcfc03dce0096dd1da591bf3b862631323df4c7b719c02ffdb7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
97168bfd912d5873b7da56386c15e1a9

SHA1
3ff49c09e811a03229649dbe2b962e9e07122843

SHA256
884f3121ed76738cd8732fe831fc458f470044970e8812cbd56d7ea0ad2836ca

SHA512
649bf5fbb5b4c8fc2233007a93b084dbebc412ca9b3ba13e04766111d99b9eca4a5f5ef03c8453902487c14b541a2a20162e2909b14a56db0c51a156a7e6471c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
9500f1b9f1091f1a1f7755983983169e

SHA1
9af289b272b6308e33a923f782bccb06329a3b08

SHA256
d786c0242025f1988844ea4290c8e435832343ad14ddb4c3b06ec7a36f2c3371

SHA512
6755fcf6c91f9feb2873975efcf5400f13f076eb3aef3a6ad536e5743444b87f8649ecf55dcc640747c9b940265e54460abbae1e0b6b5ccd7c534ca7492746fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
af42319bed072ad8cce051c967613fd9

SHA1
b142fdcebd301580ba1528c466ec3c4c84cf4657

SHA256
81851709ab64dc50f1ae5088b5cc65b091e171b50a6938b5e8de9b1a59587428

SHA512
e4a06710b778f17bca0cac75cfa6967a20e9c5aab9f9d38aed7b2c68334176ee7b6f337e486663c6ccff0d3fc958f97df36a3df563d787b2307257aaa8b543d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
250155601743552f9b0dd8cf61f44e07

SHA1
7e1c8ac28ed6019abf044798a43301b099fffc50

SHA256
8ba5d61f4e0f597622d7286f1c06af96e3c94439c98215565404487713427652

SHA512
404d9a1447f40c0310dc0be8017091b8855a766c74753e936b94acb20e2a739a05e64fac218850bdcead3de0f20d33366356290c9cd242d3e1ac9a3814b688d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
03e42406e95a475601a4463cf9fdaf0c

SHA1
a435605029e370f7a2c651679c7028a760f386c2

SHA256
d3ea85888150c0e36e072da0e6cb0608672edc2b8173d486dad245f6bb384375

SHA512
a48f9e442b132810643240a416c658d42e8126a6d02947bd646fd413b852d1504b2969e9ca5a448e839e75076580198d69fb0b106e7f3c17457c1fe9c5de4acb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
5e3fa8027404b22a6da14b1ce2a4556d

SHA1
21d600f6f73d7ddfc3c1d7e96c167cae515bbdf6

SHA256
085facd1b69d484473afdff10db2057fb5ac3ee29d3b0078801040c86b214715

SHA512
9ab9efcff64b4aa238dd3029806b90613d8b901f2c282257407a84f50e15dcee27136f56ecba17251d7f2d9ce17a29551a592815cc2b251fa7991bf9a68d2d88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
6efd604fb758c6873742600f85e3b7ba

SHA1
4f637fa92e968de6f7943d9a123c2c1d4b92d7a7

SHA256
189a14385a46aec9d861776c62036e6f74b5a349341e4dcfcd85a55deb77f27b

SHA512
b6d4288bf72b54fd0131e52dce3f4abdccda4df74a9d8fff0e48e383cf5ce403000202c6af288b121732a12cb9ede5de8313d83b9e0b685bc400bfb1f9d03d0b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
834154f25a145f059f48dbac124f7a5a

SHA1
a251694f90f433bb1912e302f07e19c4972dfba5

SHA256
9e29b73870eeb9032f72d14a563708b6292ab8f6fce01a2ff68efde07acf5079

SHA512
eb167bc5f70c707d74fece0e0e8b964b8b2f5b910bfd31a5783ce4b8b866e068005850e6c5dc9d7f4a5905cddd374636dfc8844d20471c32cb7d1eac75f36b5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
fc6c888327caba95b69239ebe62c7869

SHA1
2c991466822956ac1cb3c018549e21a7cc5d9786

SHA256
640dc50a243f05ca459fc2a3116cfc78bddfdfd43d608c602d9d2db466ed06ab

SHA512
8bab9cc575b6f95cf616a01a73db64d05b03b36e4c1cf18a718a6d846f7f62fde3a073cfac63c50cd17c28c1161d55b78e863dfcc4ee4cf3ba2b9554b338b99d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\dec9ab8a-b3bc-478a-b827-13fe7fab7797.tmp

Filesize
8KB

MD5
2dadb999a0c01cc2ca027f1748e4a4f3

SHA1
106010e0f336e9b4d3253a23264968423d5a53f0

SHA256
5e9dfec22ee8db04ab8507c19c8f7a75c4b3a780135c038947de2dcb0e23fa2c

SHA512
72638290c4a89671b3c09493ae6200e74ccf78ed3f441e1076ee8ae821a248ccee8e62e4c7ecdaca703225f1fb08d0afca1a47c8e9c96cf8cc6cd228c889771a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
c8d538156587148bdebae3e564da6ab0

SHA1
98e7e942423506af750ffc4167c0475489d6e8a8

SHA256
3bae18d371cff6796b539b2e6fb330bb5de0b49185a863eed9d9ed1052362a85

SHA512
5c86fa6d5f834ee6f09675e87bf282ff6ea08f18773d5caccf19d9c42e42f846a9d0a3b69f323a1b7fe9f80a65752db2fee4b1a95af53b850f3664441b66fd63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
b2d68ecc04062b28084bc34093a97dd1

SHA1
7e3de6d51edf6017a6c6de910035f9452fb53ba0

SHA256
72168b0b5503008a3982225803c27c1b855969e37b6b564c5f72840980c9b316

SHA512
e52964f420f492b6d43aa351f7ef1f389b609e266748902b9ea3c78d07c716da56e6404a94ee528ae4378ba6d76e5d67dbe4133988d8371a3fe3d03108e64e11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
e98f530ef1644e7f4a8cdb49020c9dbc

SHA1
e9a8b72db31a312705d39d1e6fdd8ac6ffba6a00

SHA256
bde7f006b97c3365996e0b9b67f649cbce6f1ad84afed50ca9e6b19387141e75

SHA512
b2a228868e526e064b2164b5afc98e72c553365f54afbc419089cd0c7dec46041d4fca5fcb45c153323f5067b7eba70bb4bdba259b1e8ca92ca6f19567e74a88

Download Submit
memory/3784-303-0x00007FF79C060000-0x00007FF79D060000-memory.dmp

Filesize
16.0MB

Download
memory/3784-301-0x00007FF79C060000-0x00007FF79D060000-memory.dmp

Filesize
16.0MB

Download
memory/3784-302-0x00007FFF24820000-0x00007FFF24E4A000-memory.dmp

Filesize
6.2MB

Download
memory/4336-314-0x00007FFF24820000-0x00007FFF24E4A000-memory.dmp

Filesize
6.2MB

Download
memory/4336-315-0x00007FF79C060000-0x00007FF79D060000-memory.dmp

Filesize
16.0MB

Download