hxxps://drive[.]google[.]com/file/d/1zJuPgbw22nmGohlIFoRdk8NtWcNS1L3d/view?usp=drive_link

Resubmissions

03-08-2024 13:25

240803-qpbdwsyhkb 6

03-08-2024 13:22

240803-qmnansthmn 6

03-08-2024 13:19

240803-qkssdayglb 6

Analysis

max time kernel
138s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-08-2024 13:25

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1zJuPgbw22nmGohlIFoRdk8NtWcNS1L3d/view?usp=drive_link

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	drive.google.com
4	drive.google.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "103"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133671652462525415"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4308	chrome.exe
4308	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe
Token: SeShutdownPrivilege	4308	chrome.exe
Token: SeCreatePagefilePrivilege	4308	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe
4308	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4924	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4308 wrote to memory of 1916	4308	chrome.exe	83
PID 4308 wrote to memory of 1916	4308	chrome.exe	83
PID 4308 wrote to memory of 4000	4308	chrome.exe	86
PID 4308 wrote to memory of 4000	4308	chrome.exe	86
PID 4308 wrote to memory of 4000	4308	chrome.exe	86
PID 4308 wrote to memory of 4000	4308	chrome.exe	86
PID 4308 wrote to memory of 4000	4308	chrome.exe	86
PID 4308 wrote to memory of 4000	4308	chrome.exe	86
PID 4308 wrote to memory of 4000	4308	chrome.exe	86
PID 4308 wrote to memory of 4000	4308	chrome.exe	86
PID 4308 wrote to memory of 4000	4308	chrome.exe	86
PID 4308 wrote to memory of 4000	4308	chrome.exe	86
PID 4308 wrote to memory of 4000	4308	chrome.exe	86
PID 4308 wrote to memory of 4000	4308	chrome.exe	86
PID 4308 wrote to memory of 4000	4308	chrome.exe	86
PID 4308 wrote to memory of 4000	4308	chrome.exe	86
PID 4308 wrote to memory of 4000	4308	chrome.exe	86
PID 4308 wrote to memory of 4000	4308	chrome.exe	86
PID 4308 wrote to memory of 4000	4308	chrome.exe	86
PID 4308 wrote to memory of 4000	4308	chrome.exe	86
PID 4308 wrote to memory of 4000	4308	chrome.exe	86
PID 4308 wrote to memory of 4000	4308	chrome.exe	86
PID 4308 wrote to memory of 4000	4308	chrome.exe	86
PID 4308 wrote to memory of 4000	4308	chrome.exe	86
PID 4308 wrote to memory of 4000	4308	chrome.exe	86
PID 4308 wrote to memory of 4000	4308	chrome.exe	86
PID 4308 wrote to memory of 4000	4308	chrome.exe	86
PID 4308 wrote to memory of 4000	4308	chrome.exe	86
PID 4308 wrote to memory of 4000	4308	chrome.exe	86
PID 4308 wrote to memory of 4000	4308	chrome.exe	86
PID 4308 wrote to memory of 4000	4308	chrome.exe	86
PID 4308 wrote to memory of 4000	4308	chrome.exe	86
PID 4308 wrote to memory of 3924	4308	chrome.exe	87
PID 4308 wrote to memory of 3924	4308	chrome.exe	87
PID 4308 wrote to memory of 3156	4308	chrome.exe	88
PID 4308 wrote to memory of 3156	4308	chrome.exe	88
PID 4308 wrote to memory of 3156	4308	chrome.exe	88
PID 4308 wrote to memory of 3156	4308	chrome.exe	88
PID 4308 wrote to memory of 3156	4308	chrome.exe	88
PID 4308 wrote to memory of 3156	4308	chrome.exe	88
PID 4308 wrote to memory of 3156	4308	chrome.exe	88
PID 4308 wrote to memory of 3156	4308	chrome.exe	88
PID 4308 wrote to memory of 3156	4308	chrome.exe	88
PID 4308 wrote to memory of 3156	4308	chrome.exe	88
PID 4308 wrote to memory of 3156	4308	chrome.exe	88
PID 4308 wrote to memory of 3156	4308	chrome.exe	88
PID 4308 wrote to memory of 3156	4308	chrome.exe	88
PID 4308 wrote to memory of 3156	4308	chrome.exe	88
PID 4308 wrote to memory of 3156	4308	chrome.exe	88
PID 4308 wrote to memory of 3156	4308	chrome.exe	88
PID 4308 wrote to memory of 3156	4308	chrome.exe	88
PID 4308 wrote to memory of 3156	4308	chrome.exe	88
PID 4308 wrote to memory of 3156	4308	chrome.exe	88
PID 4308 wrote to memory of 3156	4308	chrome.exe	88
PID 4308 wrote to memory of 3156	4308	chrome.exe	88
PID 4308 wrote to memory of 3156	4308	chrome.exe	88
PID 4308 wrote to memory of 3156	4308	chrome.exe	88
PID 4308 wrote to memory of 3156	4308	chrome.exe	88
PID 4308 wrote to memory of 3156	4308	chrome.exe	88
PID 4308 wrote to memory of 3156	4308	chrome.exe	88
PID 4308 wrote to memory of 3156	4308	chrome.exe	88
PID 4308 wrote to memory of 3156	4308	chrome.exe	88
PID 4308 wrote to memory of 3156	4308	chrome.exe	88
PID 4308 wrote to memory of 3156	4308	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/file/d/1zJuPgbw22nmGohlIFoRdk8NtWcNS1L3d/view?usp=drive_link
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x104,0x108,0x10c,0xd4,0xd8,0x7fffeda3cc40,0x7fffeda3cc4c,0x7fffeda3cc58
  2⤵
  PID:1916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1932,i,9248007035226570406,16899934076159450190,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:4000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1560,i,9248007035226570406,16899934076159450190,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2024 /prefetch:3
  2⤵
  PID:3924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2232,i,9248007035226570406,16899934076159450190,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2432 /prefetch:8
  2⤵
  PID:3156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,9248007035226570406,16899934076159450190,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3124 /prefetch:1
  2⤵
  PID:4788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3096,i,9248007035226570406,16899934076159450190,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:3324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4536,i,9248007035226570406,16899934076159450190,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4552 /prefetch:1
  2⤵
  PID:2444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4692,i,9248007035226570406,16899934076159450190,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4700 /prefetch:1
  2⤵
  PID:3344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3344,i,9248007035226570406,16899934076159450190,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3308 /prefetch:8
  2⤵
  PID:1656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4972,i,9248007035226570406,16899934076159450190,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5076 /prefetch:1
  2⤵
  PID:1116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4792,i,9248007035226570406,16899934076159450190,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5144 /prefetch:1
  2⤵
  PID:4124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4500,i,9248007035226570406,16899934076159450190,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4512 /prefetch:1
  2⤵
  PID:2924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4564,i,9248007035226570406,16899934076159450190,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4800 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4604,i,9248007035226570406,16899934076159450190,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4744 /prefetch:1
  2⤵
  PID:3544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4520,i,9248007035226570406,16899934076159450190,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4800 /prefetch:1
  2⤵
  PID:3344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4768,i,9248007035226570406,16899934076159450190,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3136 /prefetch:1
  2⤵
  PID:1268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5248,i,9248007035226570406,16899934076159450190,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5224 /prefetch:1
  2⤵
  PID:4512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=4516,i,9248007035226570406,16899934076159450190,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:4128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=3196,i,9248007035226570406,16899934076159450190,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5320 /prefetch:1
  2⤵
  PID:3276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5396,i,9248007035226570406,16899934076159450190,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5452 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4440

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5020

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3951055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000009

Filesize
209KB

MD5
3e552d017d45f8fd93b94cfc86f842f2

SHA1
dbeebe83854328e2575ff67259e3fb6704b17a47

SHA256
27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6

SHA512
e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
b95c8b1a465ea94de543e782cab3c5d5

SHA1
95600080adf17e40285fda360a0c69145830c894

SHA256
91bfa8101c07017b8fc92468c5efb4384dafe6b968890e7743b3017b8e8cd888

SHA512
ddc653d593a17cf3a458bf1cc9338937162345924a70fb0115d966e4607c4ef71a540eb29665601d33ea399f309c933c21b3cad7893c904e739f02e02d2bfc29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
792B

MD5
11ec0f58afaeca2029b7c5b8e98cbaae

SHA1
ed9edf1b86704331ba13611d53c4275443cf556b

SHA256
925188faaa147bc8697b7bafe648ab8e50cc48685c8db513642d3a6a1c13f417

SHA512
895714f6fe3ec44701b67d01ad13b126c754015fdc0b83d2940d23cd5049e59cf73a2c431652f25aee918b78aed729483da84d6c5266b3cc1552b74809d5ed9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
177197c94cd4bf48805fb37ccc2beb0c

SHA1
54420b3e8c62a54a5b7cb1d1ba7f6a34c44bdb5d

SHA256
02e202da1c92ad51de01107bfd9e2fe47bea5d1e351f2496fd93e04f400cae88

SHA512
935cedd45d7c47717f295212e5fe271052e14f906ec2947cee67025e780ebabbe89b3d20a328a26099fe9f5dafef942d3aabd2a9f3da0a985da6c3d50a558d98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
5bca04cac96dfe6e8212282fb93fed58

SHA1
4f224bfa57dbc3babb9980e79a88e55480c4ea6a

SHA256
7a9bb7ff2952e968936594fefaf5dba22d7021e4d6fd109c9dd43b6b882b4927

SHA512
a889e6eda66964b5ffbf0a16737a9e8991905b053d7478fbe475a23e96c6e7fa5f336ec2b934d37d6f47e0dab062c63a682ca7342a13fa90005582d6570431fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
e59ddda12866c9435c463ed050fad84d

SHA1
69592ef8ae7f47fb20deabfe8e9bfa3c951e6f38

SHA256
1784d35d634b3edf079f9ad48c9dd2f3b29e670f0b19d39899ad6d50b7651fc1

SHA512
07ebfb6e16a7908e72c69886f3343de2e7515d12c583b01bd33c2d49e760bbaff796b8da5bf65b45455dee1077bd3e5ffe6bc6b12ae3a8fcc9f69d7e64dec61a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
365c4d4855d3f4c8f34965b9fa9c7c6b

SHA1
08aafd2f19490f86a3aa53e8ac803b011546f031

SHA256
5cd2a6a1c6bc4d61da6c67d3a8343b07ebfc49147731d80564e33b2b82b23717

SHA512
bfd0dd5056c937d137c46d878fafbdb7635770d534520ab727c0fa01ceaa0060076014dd3910cf37c0c5308459e8a5f533eab46d6f6c7e5f69b66e8e09d9fecc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
3021540d1b0b8aa41cc980dfd0fec74d

SHA1
1d52096a48ffd254364ca020553646035209394b

SHA256
bef0e683521eef00daedfd5a9b326d6b100595463c59d65cddee782291f4a38a

SHA512
d8fcd0675d62248e4a14859be7e74c3a727b157df55a02d59ce9a466086b6222b4be4e6cde024ea35880f39906422835be9c1f25538cdf76f4063d7072ae41f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
9e09f70a70b28e93d7b9cf41d0293bf4

SHA1
c45c2955887477c9640bdef1676c3fa05024119a

SHA256
b9c77429610c722ea3924570ac4880abdf7daab424786b5f7d77e71b5b7da63e

SHA512
f02d8374e9c1697efb1ff10897552ea52960eb7612979e4b332979ca1981a9188ea9584892098b8b67b846665605614ab55f9e6a7511d90503b0a4726f245bc3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
2cbe15de1167386c6203b4b8317c4b9a

SHA1
ada1e73967c2d213f5c062414660d0e542766cb0

SHA256
9d0eae75f362e902805d3973bd6cc7b39b263ae62c8189aaf1f59edd500a58ea

SHA512
5d3b438a8b129d49804d7ce3ace4af5eb2e38db1d7205f282834682325ba29e7336047f3c568a6b52cd42b2ffdc744ff98ef1b812e1bd417d898c899dcdab568

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
d5c3ad4bfe53a966435260169dabeed5

SHA1
5564c86924dc2c681c366159b79d7e65c25ef12a

SHA256
8a1cee68f3a7af460697bbfdf8ad3c4574c1d5a2b98f1548b83d916e6aecd883

SHA512
7b79bdb1ed109ceff85610c2e1985ae88667cf1f762a6b8385ce73cb989fdb6b826f046aa8d95ad971fdf53dcf73e204e7574b23ea8d42e69996f8e0c2c3e95c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
7de000c2f25e61ed119b152c7be16f0d

SHA1
f535a725918b22cfca131c2cf4d430f2e9533279

SHA256
39039d408ad86cf228dd04304f822b87a0cf35b6d141f59b17e0ff18f6d13a6d

SHA512
19db4ad301ce4ea97f16bbbfa631241fcfc5899da230eda381a622efe7250fc4ef98d55a35105fcf96c3756ee1d41751bf355b9f92d50762acb429dc12673612

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
1d2c59bdb6b7ed48a47cd425dd8c2200

SHA1
988c57f700b4e03b563d3b479e365be216dbb3e6

SHA256
fe6c90f776d17605cf6a7c3487397a2b1b62cd4f40a67dcf0cc3353d5d645039

SHA512
611227b701dbffb336df09f6c6f8c4d15de45dc796d4cdb4e3490f7775c3c30bbaea71fabc048d2571b973a4d1962ec778d3d822a46ccec90e51a6d130d4db26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e7145552f627a36fb235b229c0cc843d

SHA1
57c2178bd5608f9882e879a9715ea77745b66d8d

SHA256
3e40ece9909528c96a77a9d19e4eac36a020b62860a393094ac418124ae6b3c4

SHA512
eb28ba0da3b68451b5035670125d77227fbee73f721f5c838e1faddf2e15aba233f2b25d7839cbb04324a2bdf3fbe0c24c7351fcbafa41da4d0eacbd1fe6102b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2f7657330ef7261b7f22914f1e226e26

SHA1
ee95532d2d623c3de214f2f50f85e423c4b7d650

SHA256
114ef4c863433abb74484facd4251c513ce20ce51ebc742d985ceaccd624b95f

SHA512
722368a4a2f6b4e5882d9e0c3d69edb799004382668a8adf7c1a1a906a2a1dbadcc6aaa92304018ffb0813b40681d89efeb00ac1e44ed6a004e47ed8246611b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a8f24271e5299d93e810aa5b7cbc2a61

SHA1
830ca66b83e8de702d5f7acb81498a1ddd14799c

SHA256
c53f47fb4a62a5cfd2ada7149b4289484af735410e8a52d419d59115fa33f03c

SHA512
fcfab1e7ab55b156fc7e3e285b858d5ba33fdbd8fdfd76789bc56a414df8afbab6573d9905003b840a79a1292bdfae5427c8b408629ba5122ff20769b251abea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c50d08403d796e30c9cde8e2d02b39be

SHA1
3764377f67c074fabddf7f68aa9801b81817eb06

SHA256
e2025c5b2a285014d68140c98d256fa9c552f780a2407fab202ee4b7fcce204d

SHA512
a948033931008ffb16103d2bd955d2716422a3701b5ffbeee5a22f97b7435d0106a3627d91d1ec740e879c90321845e355433aab4d0bd7edf22c6b0774dd87f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2c8b164ce08509e42a19474ef71e5995

SHA1
4178d5520d7a4e3c79edcfb76572b55a3947c393

SHA256
418bca19764b8cd7f5b213350399aeeb974d6c6fd6ba5c0e44280ad9d6b608dc

SHA512
8e45349fe49e176b7a91aa8e9758f96170ac7287d3819cf7763de875dabdafa97b76b29f6d4855aa54a63efe33bc0f6c24c829dbce4df8476df76d195360dce9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
faf64c3f904610f3314e5088f9e15e88

SHA1
a85e21ca564d9a987f92a9ad66df3bc4dbc5fe82

SHA256
0fe670181747f66c6f3e5d56e721560d565ba70214e7a81a3d04a19b7db2b13d

SHA512
65aa9350d4259f0e125fb8093a6d855098f24120f2821a50fc4ccfea439b93ff15d5c051ff0af27d747ce14d49782f0756a069f1d0e384066173984b649669cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
50971a035e93dedb18daf04649efb87d

SHA1
28e1cf580c5bb2bf3788e4407452261496e774a4

SHA256
ce810feffeba17cebf3d450c0ef35cf2198b05e815e5e4d270ff5a42320e06b1

SHA512
ea7e76e5b5f98d6edb8a88dacf62338c40625d6990263d6b7f81af5626b4b9c9ed1ddde6d0e79d48fb39aee18f2f873df88c627785c0bfa730882f301b24d097

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1428f6f46231f0a0edeb5bb76ac4dcb9

SHA1
7c0f99d34141be6ab094c0e6e5b443d8ddee07a3

SHA256
9d00fe82e7a4995a98edfdc2c4db99c1b163943f7b889efc7ded68b83e2a80ee

SHA512
42e3265a4c46ebb645879d1d33ab6673fe62652ecd86a382fc0fc87d694eb24d981c55b1e3496d74d824b0f7538b6ca72275a735c4a6c40bdb2f7113302b0863

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f27d9d409599abf2d3cffc6f8e8793bb

SHA1
07fcd030a05ba5de378c064dc018df8f155dbac9

SHA256
efab4c14bb2d199b9b55ce10ef61b661dea09a02107018db5b1a0445be3deab6

SHA512
2091673c0c2acae8b865b998c34db0acc3cef98e2b9fba2f5e7577148427077eb6a3ea576e0a7be3ab49f27eb9ac0c2eb730cc19d688399c670a24c01650a856

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
9f1067dd719d03e7dc419e6d1a128b22

SHA1
c96bbe24d33575da083cc36d2cc1e82034eff29d

SHA256
db1f11e32c9cf8a3c6bd60ab7610addcd07fb993507666750a954044c76b2426

SHA512
5cb7a0fa329a034a9e86b083c50a28a143c2e9cd78b68fd9501ce35fe9b173b3e0c1bf3984200e7fd57ec3cd42920c7a36a6f6902a560c57dcea1dfed74b0775

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
5dc101b40c0b4dc2581069eb18ceb9d8

SHA1
24725e7be584d8401f5e80a2db426bb393958f49

SHA256
0a65da34663862d7b5f5f9e0fa239e92c443f996b5b23aa6d5d0e7e5a34ded6c

SHA512
63c7a6a9ac9983340a6b50eb58888ee513806c5ca6a3de72999fbf08fa3e0e59e2e72a082f11f498e3bacb76e294a101d41f7c678aed3b75d0e5b2d47b4ea7dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
bfbf9af823bd6ad257dc7581020179e4

SHA1
a24b07e861750a825db32aaf878a3ed45b0bc38e

SHA256
e2b676e46fda9252331238ae50fbbf48715e3e99358ea09655149a731fba644f

SHA512
3cfb8b19b5fe0716565d37fb97163913b831d6d66a912432a814f92f6d8dc88ee9d95122bbd901c1749461ea0427000ff334e650d4db21139524d04c507ae814

Download Submit