86c8812621c9af04b428b99aeb96627a340c3810d2bdb1053d2fb0357337a99e

Resubmissions

03-08-2024 14:36

240803-ryw8dswelq 10

03-08-2024 14:34

240803-rxs5cawejl 6

03-08-2024 14:30

240803-rvcpkswdkr 6

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-08-2024 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gothymilly76b779.mp4
Size

261KB
MD5

d3d13a4ac1f069c0c305836dca7a79f4
SHA1

9b3fdb93a1e59d3238b110bef6a56ddc4c94c449
SHA256

86c8812621c9af04b428b99aeb96627a340c3810d2bdb1053d2fb0357337a99e
SHA512

f3f8a5814fab743ab4f3f31f800ef66171673dbacbe66722e2a865cc97fc3e59deb2655da10e5ac84826d3fcb2c4ee0d671c7d0179a0b6e3ee850f43b348515f
SSDEEP

6144:lPL62UN2BRLvehowE4wFFrAuROLFgCRofacyfI5IhdgDJkihg8T0t+:d7A2DvehXwb0uRCg7fa9w5KCdV1b

Score

6^/10

discovery

Malware Config

Signatures

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Crashpad\metadata	setup.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	setup.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3124	1832	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133671690989738555"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-945322488-2060912225-3527527000-1000\{524BC33A-87F5-449A-B553-4AFA4A3A70EB}	wmplayer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4568	chrome.exe
4568	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2908	unregmp2.exe
Token: SeCreatePagefilePrivilege	2908	unregmp2.exe
Token: SeShutdownPrivilege	1832	wmplayer.exe
Token: SeCreatePagefilePrivilege	1832	wmplayer.exe
Token: 33	2124	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2124	AUDIODG.EXE
Token: SeShutdownPrivilege	1832	wmplayer.exe
Token: SeCreatePagefilePrivilege	1832	wmplayer.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe
Token: SeShutdownPrivilege	4568	chrome.exe
Token: SeCreatePagefilePrivilege	4568	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
1832	wmplayer.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe
4568	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 4564	1832	wmplayer.exe	85
PID 1832 wrote to memory of 4564	1832	wmplayer.exe	85
PID 1832 wrote to memory of 4564	1832	wmplayer.exe	85
PID 4564 wrote to memory of 2908	4564	unregmp2.exe	86
PID 4564 wrote to memory of 2908	4564	unregmp2.exe	86
PID 4568 wrote to memory of 2080	4568	chrome.exe	102
PID 4568 wrote to memory of 2080	4568	chrome.exe	102
PID 4568 wrote to memory of 1416	4568	chrome.exe	103
PID 4568 wrote to memory of 1416	4568	chrome.exe	103
PID 4568 wrote to memory of 1416	4568	chrome.exe	103
PID 4568 wrote to memory of 1416	4568	chrome.exe	103
PID 4568 wrote to memory of 1416	4568	chrome.exe	103
PID 4568 wrote to memory of 1416	4568	chrome.exe	103
PID 4568 wrote to memory of 1416	4568	chrome.exe	103
PID 4568 wrote to memory of 1416	4568	chrome.exe	103
PID 4568 wrote to memory of 1416	4568	chrome.exe	103
PID 4568 wrote to memory of 1416	4568	chrome.exe	103
PID 4568 wrote to memory of 1416	4568	chrome.exe	103
PID 4568 wrote to memory of 1416	4568	chrome.exe	103
PID 4568 wrote to memory of 1416	4568	chrome.exe	103
PID 4568 wrote to memory of 1416	4568	chrome.exe	103
PID 4568 wrote to memory of 1416	4568	chrome.exe	103
PID 4568 wrote to memory of 1416	4568	chrome.exe	103
PID 4568 wrote to memory of 1416	4568	chrome.exe	103
PID 4568 wrote to memory of 1416	4568	chrome.exe	103
PID 4568 wrote to memory of 1416	4568	chrome.exe	103
PID 4568 wrote to memory of 1416	4568	chrome.exe	103
PID 4568 wrote to memory of 1416	4568	chrome.exe	103
PID 4568 wrote to memory of 1416	4568	chrome.exe	103
PID 4568 wrote to memory of 1416	4568	chrome.exe	103
PID 4568 wrote to memory of 1416	4568	chrome.exe	103
PID 4568 wrote to memory of 1416	4568	chrome.exe	103
PID 4568 wrote to memory of 1416	4568	chrome.exe	103
PID 4568 wrote to memory of 1416	4568	chrome.exe	103
PID 4568 wrote to memory of 1416	4568	chrome.exe	103
PID 4568 wrote to memory of 1416	4568	chrome.exe	103
PID 4568 wrote to memory of 1416	4568	chrome.exe	103
PID 4568 wrote to memory of 2336	4568	chrome.exe	104
PID 4568 wrote to memory of 2336	4568	chrome.exe	104
PID 4568 wrote to memory of 4928	4568	chrome.exe	105
PID 4568 wrote to memory of 4928	4568	chrome.exe	105
PID 4568 wrote to memory of 4928	4568	chrome.exe	105
PID 4568 wrote to memory of 4928	4568	chrome.exe	105
PID 4568 wrote to memory of 4928	4568	chrome.exe	105
PID 4568 wrote to memory of 4928	4568	chrome.exe	105
PID 4568 wrote to memory of 4928	4568	chrome.exe	105
PID 4568 wrote to memory of 4928	4568	chrome.exe	105
PID 4568 wrote to memory of 4928	4568	chrome.exe	105
PID 4568 wrote to memory of 4928	4568	chrome.exe	105
PID 4568 wrote to memory of 4928	4568	chrome.exe	105
PID 4568 wrote to memory of 4928	4568	chrome.exe	105
PID 4568 wrote to memory of 4928	4568	chrome.exe	105
PID 4568 wrote to memory of 4928	4568	chrome.exe	105
PID 4568 wrote to memory of 4928	4568	chrome.exe	105
PID 4568 wrote to memory of 4928	4568	chrome.exe	105
PID 4568 wrote to memory of 4928	4568	chrome.exe	105
PID 4568 wrote to memory of 4928	4568	chrome.exe	105
PID 4568 wrote to memory of 4928	4568	chrome.exe	105
PID 4568 wrote to memory of 4928	4568	chrome.exe	105
PID 4568 wrote to memory of 4928	4568	chrome.exe	105
PID 4568 wrote to memory of 4928	4568	chrome.exe	105
PID 4568 wrote to memory of 4928	4568	chrome.exe	105
PID 4568 wrote to memory of 4928	4568	chrome.exe	105
PID 4568 wrote to memory of 4928	4568	chrome.exe	105

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\gothymilly76b779.mp4"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:2908
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 1148
  2⤵
  - Program crash
  PID:3124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:784

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3d4 0x318
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 1832 -ip 1832
1⤵
PID:1360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf8,0x124,0x7ffe8e48cc40,0x7ffe8e48cc4c,0x7ffe8e48cc58
  2⤵
  PID:2080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1920,i,2437798070932061605,11323275496678945996,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:1416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2184,i,2437798070932061605,11323275496678945996,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  PID:2336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2296,i,2437798070932061605,11323275496678945996,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2472 /prefetch:8
  2⤵
  PID:4928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,2437798070932061605,11323275496678945996,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:4500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3328,i,2437798070932061605,11323275496678945996,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3736,i,2437798070932061605,11323275496678945996,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3756 /prefetch:1
  2⤵
  PID:2640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4772,i,2437798070932061605,11323275496678945996,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4928 /prefetch:8
  2⤵
  PID:1280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5048,i,2437798070932061605,11323275496678945996,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4736 /prefetch:8
  2⤵
  PID:1820
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Program Files directory
  PID:1388
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x7ff766c94698,0x7ff766c946a4,0x7ff766c946b0
    3⤵
    - Drops file in Program Files directory
    PID:748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4796,i,2437798070932061605,11323275496678945996,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5164 /prefetch:1
  2⤵
  PID:2288

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
209KB

MD5
3e552d017d45f8fd93b94cfc86f842f2

SHA1
dbeebe83854328e2575ff67259e3fb6704b17a47

SHA256
27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6

SHA512
e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
69a0a51bfba26bb957db92db583643ad

SHA1
968651d4c2b3cc5c14f6bf0e7639e401a6d3a0e7

SHA256
9298f9fb4f865065351978dcfc893f6c8c96460adeb1a9e8fd4e8296d0498ccb

SHA512
9180616841092e95a46b9f5cc6a3cc76a6a95aa99682ca5dfc795d8cac712c3fc3f73b028aa8480ed2cfd017afb32e41bbad858f65e65db3075cc345937ba222

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
9f5e68f72ba9e25f5c6289ce88f98705

SHA1
dfdfd63503880bf5ffeced8666fae2d8f2e30682

SHA256
d4451e95198935a93b329406498445c5fdf79a1ab883724341c32d0d1c2c045b

SHA512
efd981c36c54f6ccea4048d5caedcfd83af440033ebdafa6f1e5d3b02f0ff143b4261cc43805fc1e366dfb5611f8bb8a9dd4a39536a9d9f25fa49d1ac95e45d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
6419a732e86fc0d2cb6349d336d646a5

SHA1
2ec97eec5f7eab4fd419f40408ee2a9c4c8bd683

SHA256
6444e65a5b1c9ea17320ba394e96e2c3568acf4d7abe884510e2ebd10d39c2df

SHA512
e7758f9a092b9a541498b6e5013d064b92edc6a1dda2b866c83a682b8f2967bd3b43f917aab3ce2336df6c41075c7962a54ece1c284f5dddb7fc427c0a26e39b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
7277496123169a76c40484b6a19a6b4f

SHA1
ae691471ea681ef5077999f380d05af8436c1cee

SHA256
e802d08098d0e9bfc7831e7273306155ac3b391d5e4501d71c5ba3f5fe572cef

SHA512
f3e89daa1fa56768e1c81d4079ce7256d4e7eaa13484b8b241ef19b71e74e086158c9d17412c901f3e8eda749ca2a932618aa81c21fd9adc09e016030c65cece

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
f093a72787f1e0c286fa95659867728d

SHA1
3318809d8facfdfe8d655a8e616f8bc154eb9823

SHA256
f6da902db80e41118328ab8c502af174fb8cd7c076728cc35b77601371bc9109

SHA512
875b2ec12fa7bb0ac2a3056853b4eebf39efdf7a8f837c7ecb99f2f689eeb1fb13e89a275ecb218b17b4b2b84b036cc89171d4e54fb62535a508aaaecaa75a7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
cda570dd37884908f849b244d43c1939

SHA1
d0e02fa8b1c2fbd511f09fdf3498a0ab98105508

SHA256
c36cc0fb246175ce81aaebe155e63bd0bcb815964cf6955093ea5ef139206c37

SHA512
3871d86c35367b14a984fdb000e927118aed7c0913fd408a24e6d7a02d32e146d665efe7a91efecfb1c54cb0f53b8bc67e02183134484933433aa28e0d9f9c4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a7588a9cc1a74938b7e0e0a47fe534d9

SHA1
617e2151a6987a9868062746a4812537b61d0694

SHA256
0592ace9ef5d418ac9485698d135b2897d1886585f20d8328d4633f013e54894

SHA512
9ab02e59e83bfb6133ca16d682239bdc582205c84e81aee2e0e4dbd9ea5b06a25de80141ba0bdf67a623c415e5899bc8fa007f2d35a9a04a4a52dc1154891ac9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
d39acdd8dd7ead500e02daab416b2e97

SHA1
898f1e5d5bb70acf3d17c5d8c4a88fd1052595fe

SHA256
21f779ee3f961c2e258c7ff606d73a45e486ddbe89f50fb9693f747a4a7fd00a

SHA512
02a9ffa5e61672302014d466368f2d2d54d10f797fe9e30523ba71b6ce15bdfab76fcdaff9c434999550c819765401744f07e3911333b8cbe755b5e58b956f7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
aed5703f219af2fe1d38182a1a865bad

SHA1
33685c8c12977e20feb61106d7aa70bf4917f614

SHA256
838cadd9a50da2ed72254b23f4ce7ba7cff6abfb885e21eb843cab76ffbc9cce

SHA512
bbfdae8a6bb3dcd7aa2a97c0d32ef4c75df2f3907b5aa3b9418e0563bf00391b9d6592d2aa5752b6828909544838e4473828862310115818b433f8895294828d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ebf567a22a8e0f8e563618866bf36afd

SHA1
15366ef658620b118a5fdd73a2ee7ee612441cfc

SHA256
7ae0d057ad88c1869d78d0638cf7c2b28a36484c240482ab818cb985f12cf4e7

SHA512
fbc639cb6bb081bff8a7166b925ed472ed11a72a691cbeaae6760db9e8043197b5703c89f36755c78b5c4f89abb328c8ee85be4cde29af7da4c1e6ed875a6fd5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fc34de6394b205a2e92c0ae51e652d8a

SHA1
184873060bc8d283974625a958da4219e5567074

SHA256
a6bf02bb063be62b12360ac5caa8f00084c4b5f4519a2ca3280a755e0399b606

SHA512
2bd596192cb7c80e433e2cb5244dde30f4ee96af3a024cfe07e2e6972112bc809f371b105908cf5b028ba9063cd0f913bd6c98b2966f374623f6456739de9c2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
9e2b7b3d4dea9812f43bb2a665f2ad81

SHA1
d8b4be05ad385b2b52c47ba1ce2181a57e267d41

SHA256
a755cd1474f2ff65bf12c034aeb666e710067e6e12d58d51400b13b351d2f31a

SHA512
1e01144870ee6f64d4d793b52b4a405b4936567c9a9f8f402155ee73082af1bb4c79d874938ca277e8a8adc8e590b5ffb751f4c58d44224dacf2e192eac3c838

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\a517e396-aae8-4dbb-b832-37a929ad5545.tmp

Filesize
9KB

MD5
f10f7c89bf9cbb8e130c17a7b4fc6523

SHA1
766887c59aa3bf74e275a959e2e0562c855cfa92

SHA256
df483237faa098453263cf10daa1dce443a883bd4cd03a0d4026050f278c8033

SHA512
96f85b36970095c471d125d4f0d29cdebf1dabd9ac121ba5b70fa5e65ca76e1a6fce8daef3976d1f8359ecbb1922b1665baa33946d65a61168406a965c32b3da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
a93b30bedf0a20ddce4c7d3ec6293922

SHA1
e30fff957bea3df536560d352b13de980e77eda7

SHA256
a8b209f6354939b25ce41c50adab8c8bd872f6e4585880c9120bb6f1a42cb3dd

SHA512
4de494da5087a35198a792fe8d7f6287ac901200ed9861afb0906f029ea7b3b06f877fa444f3e13b3281be1577bba50653bbd8eb0b541b2c06851b36c4b92dd2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
6f201ee554d2ff3f65104ad9d47e5b3c

SHA1
ea8909268b5f2004d488c2cacced13b6d75d0564

SHA256
5c0f6249d991b5e21dc82e958dc1c56a33433b910704f34555b4d38d020c02c3

SHA512
5208830a057ffc311a2b58bf6e2f7a17e4aa839516a5d67ccd9aa1dd7515e2e49c5cb9ca306bba446518804e6ac8918668c2d04a8d8fa7588f78fcf348513081

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
64KB

MD5
c374c25875887db7d072033f817b6ce1

SHA1
3a6d10268f30e42f973dadf044dba7497e05cdaf

SHA256
05d47b87b577841cc40db176ea634ec49b0b97066e192e1d48d84bb977e696b6

SHA512
6a14f81a300695c09cb335c13155144e562c86bb0ddfdcab641eb3a168877ad3fcc0579ad86162622998928378ea2ffe5a244b3ddbe6c11a959dbb34af374a7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
7a400e43eb78032e2987c9ed669dae66

SHA1
833c553f26bc135b4270981c1665fffb26b24e8f

SHA256
59ff9de81d25fca15ac40bae4a69d27772b4e075123977ca9736bda79e2b7d41

SHA512
f6aa33adf4e33b0078714706df40ef39e34d8f90021cac0cdae48d759cf3d5d57da548fb8f17a860a4070e563f389671babfe8843e8ee9b8885f8c350b627f02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

Filesize
68KB

MD5
ec19b0027613d67a96820e6ec913f14f

SHA1
57580421900506f2a70908a3728b25614615f9c0

SHA256
1b0f9f98f106cef26d1f9d803b845c47716423a6fae666556309f31b6f55bdc0

SHA512
0dfad283d2b0756ea4a05331b7f32f8f0fc584398383cca065b5d8c59315cd21fa6e2d6b94f4204534392392eba45ccd918734575469db189773cbcdfe55bf18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
5433eab10c6b5c6d55b7cbd302426a39

SHA1
c5b1604b3350dab290d081eecd5389a895c58de5

SHA256
23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131

SHA512
207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
ce10dce87fbf87e1d6a05d10356db230

SHA1
9cd5170f3ea3a3db1a288c0b4c6a3cfa8b394605

SHA256
14d68db659fe8c26d18b4b86f757c4d870de5bc87d72654cbb67c3befab39b57

SHA512
571e205cc5f1e1562e1de810279e62dd675344580e10aa502873f08fa19c947431b3111d1b7cc513a2cb3296501723b707da39b6956ed23a57ccffd3c97ccd30

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms

Filesize
3KB

MD5
eba1c8bb74addc7edbd451a0cb45a3b7

SHA1
4a746f2f59a184df6e5311b0d4e93edb27f5136d

SHA256
b2a8b277e35d7301e370e4ac1c90133339704effcdcd21e4636e45567cfab3fd

SHA512
3683d133283bffb0669d956d0237befa98666bd69ca9767e46fdf187645a58094172785cf00a80c3ab7089c63ae17979cf9164659dd27b401a7634a6bf2840a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms

Filesize
1KB

MD5
0fb558498ee70de7b33cc05524753857

SHA1
1c51fb85fe4751aa98d8b160d6955da1f1b00dcf

SHA256
cdd14208a1ecfac1c0574f7b51ae47e845ac3fc608c0770981394c831748f776

SHA512
529973a5b03f75b2010e071be6e8828ca7620f3463ecbe6e3a5f71bb33c98bd5808c29293f06f21394047e45913f14b3adc581b1166946d1962af4b7c56b2a46

Download Submit
memory/1832-44-0x0000000007BA0000-0x0000000007BB0000-memory.dmp

Filesize
64KB

Download
memory/1832-47-0x0000000007BA0000-0x0000000007BB0000-memory.dmp

Filesize
64KB

Download
memory/1832-46-0x0000000005600000-0x0000000005610000-memory.dmp

Filesize
64KB

Download
memory/1832-45-0x0000000005600000-0x0000000005610000-memory.dmp

Filesize
64KB

Download
memory/1832-73-0x0000000005600000-0x0000000005610000-memory.dmp

Filesize
64KB

Download
memory/1832-43-0x0000000007BA0000-0x0000000007BB0000-memory.dmp

Filesize
64KB

Download
memory/1832-42-0x0000000009C30000-0x0000000009C40000-memory.dmp

Filesize
64KB

Download
memory/1832-39-0x0000000005600000-0x0000000005610000-memory.dmp

Filesize
64KB

Download
memory/1832-40-0x0000000005600000-0x0000000005610000-memory.dmp

Filesize
64KB

Download
memory/1832-38-0x0000000005600000-0x0000000005610000-memory.dmp

Filesize
64KB

Download
memory/1832-41-0x0000000005600000-0x0000000005610000-memory.dmp

Filesize
64KB

Download