8935e3403357fe433ea668e74207b37c65ce8e50cf70c1134c1c6463345b2958

Analysis

max time kernel
130s
max time network
153s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
07/08/2024, 23:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-08-07 14-32-43.mkv
Size

75.0MB
MD5

c76a3275238327ba99cd6dcf6a01cf64
SHA1

fbdae4a204083f72794bb98e614ea6353a0f7997
SHA256

8935e3403357fe433ea668e74207b37c65ce8e50cf70c1134c1c6463345b2958
SHA512

2ae89b1a7d12e02aafe364f17da44ef801f48051055c870f1fc6b8dc131ef62163b3b8be8d323afeeabb53c462ea1af1b5a085949a34e2abd6d68e24f3670678
SSDEEP

1572864:2VdnAkkr9KpS/7z53BT0REC53yzMule+QOLd2Pt6TBhZtd:2WScZ3BT0Rn5i46QsUQTBhZb

Score

6^/10

discovery

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\H:	wmplayer.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3196	2004	WerFault.exe	77

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133675480550164840"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-661032028-162657920-1226909816-1000\{5D955E5E-0386-403E-A857-6DE378E3C741}	wmplayer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2792	chrome.exe
2792	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2004	wmplayer.exe
Token: SeCreatePagefilePrivilege	2004	wmplayer.exe
Token: SeShutdownPrivilege	2652	unregmp2.exe
Token: SeCreatePagefilePrivilege	2652	unregmp2.exe
Token: 33	4916	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4916	AUDIODG.EXE
Token: SeShutdownPrivilege	2004	wmplayer.exe
Token: SeCreatePagefilePrivilege	2004	wmplayer.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe
Token: SeShutdownPrivilege	2792	chrome.exe
Token: SeCreatePagefilePrivilege	2792	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
2004	wmplayer.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe
2792	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 708	2004	wmplayer.exe	78
PID 2004 wrote to memory of 708	2004	wmplayer.exe	78
PID 2004 wrote to memory of 708	2004	wmplayer.exe	78
PID 708 wrote to memory of 2652	708	unregmp2.exe	79
PID 708 wrote to memory of 2652	708	unregmp2.exe	79
PID 2792 wrote to memory of 4192	2792	chrome.exe	91
PID 2792 wrote to memory of 4192	2792	chrome.exe	91
PID 2792 wrote to memory of 1516	2792	chrome.exe	92
PID 2792 wrote to memory of 1516	2792	chrome.exe	92
PID 2792 wrote to memory of 1516	2792	chrome.exe	92
PID 2792 wrote to memory of 1516	2792	chrome.exe	92
PID 2792 wrote to memory of 1516	2792	chrome.exe	92
PID 2792 wrote to memory of 1516	2792	chrome.exe	92
PID 2792 wrote to memory of 1516	2792	chrome.exe	92
PID 2792 wrote to memory of 1516	2792	chrome.exe	92
PID 2792 wrote to memory of 1516	2792	chrome.exe	92
PID 2792 wrote to memory of 1516	2792	chrome.exe	92
PID 2792 wrote to memory of 1516	2792	chrome.exe	92
PID 2792 wrote to memory of 1516	2792	chrome.exe	92
PID 2792 wrote to memory of 1516	2792	chrome.exe	92
PID 2792 wrote to memory of 1516	2792	chrome.exe	92
PID 2792 wrote to memory of 1516	2792	chrome.exe	92
PID 2792 wrote to memory of 1516	2792	chrome.exe	92
PID 2792 wrote to memory of 1516	2792	chrome.exe	92
PID 2792 wrote to memory of 1516	2792	chrome.exe	92
PID 2792 wrote to memory of 1516	2792	chrome.exe	92
PID 2792 wrote to memory of 1516	2792	chrome.exe	92
PID 2792 wrote to memory of 1516	2792	chrome.exe	92
PID 2792 wrote to memory of 1516	2792	chrome.exe	92
PID 2792 wrote to memory of 1516	2792	chrome.exe	92
PID 2792 wrote to memory of 1516	2792	chrome.exe	92
PID 2792 wrote to memory of 1516	2792	chrome.exe	92
PID 2792 wrote to memory of 1516	2792	chrome.exe	92
PID 2792 wrote to memory of 1516	2792	chrome.exe	92
PID 2792 wrote to memory of 1516	2792	chrome.exe	92
PID 2792 wrote to memory of 1516	2792	chrome.exe	92
PID 2792 wrote to memory of 1516	2792	chrome.exe	92
PID 2792 wrote to memory of 1992	2792	chrome.exe	93
PID 2792 wrote to memory of 1992	2792	chrome.exe	93
PID 2792 wrote to memory of 5000	2792	chrome.exe	94
PID 2792 wrote to memory of 5000	2792	chrome.exe	94
PID 2792 wrote to memory of 5000	2792	chrome.exe	94
PID 2792 wrote to memory of 5000	2792	chrome.exe	94
PID 2792 wrote to memory of 5000	2792	chrome.exe	94
PID 2792 wrote to memory of 5000	2792	chrome.exe	94
PID 2792 wrote to memory of 5000	2792	chrome.exe	94
PID 2792 wrote to memory of 5000	2792	chrome.exe	94
PID 2792 wrote to memory of 5000	2792	chrome.exe	94
PID 2792 wrote to memory of 5000	2792	chrome.exe	94
PID 2792 wrote to memory of 5000	2792	chrome.exe	94
PID 2792 wrote to memory of 5000	2792	chrome.exe	94
PID 2792 wrote to memory of 5000	2792	chrome.exe	94
PID 2792 wrote to memory of 5000	2792	chrome.exe	94
PID 2792 wrote to memory of 5000	2792	chrome.exe	94
PID 2792 wrote to memory of 5000	2792	chrome.exe	94
PID 2792 wrote to memory of 5000	2792	chrome.exe	94
PID 2792 wrote to memory of 5000	2792	chrome.exe	94
PID 2792 wrote to memory of 5000	2792	chrome.exe	94
PID 2792 wrote to memory of 5000	2792	chrome.exe	94
PID 2792 wrote to memory of 5000	2792	chrome.exe	94
PID 2792 wrote to memory of 5000	2792	chrome.exe	94
PID 2792 wrote to memory of 5000	2792	chrome.exe	94
PID 2792 wrote to memory of 5000	2792	chrome.exe	94
PID 2792 wrote to memory of 5000	2792	chrome.exe	94

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\2024-08-07 14-32-43.mkv"
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:708
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:2652
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 2264
  2⤵
  - Program crash
  PID:3196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:4792

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D4 0x00000000000004D8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2004 -ip 2004
1⤵
PID:3760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcd81dcc40,0x7ffcd81dcc4c,0x7ffcd81dcc58
  2⤵
  PID:4192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,7312254832529558415,105306087583099425,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:1516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1740,i,7312254832529558415,105306087583099425,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1964 /prefetch:3
  2⤵
  PID:1992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2092,i,7312254832529558415,105306087583099425,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2084 /prefetch:8
  2⤵
  PID:5000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3084,i,7312254832529558415,105306087583099425,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:2824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3384,i,7312254832529558415,105306087583099425,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:2712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4468,i,7312254832529558415,105306087583099425,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4508 /prefetch:1
  2⤵
  PID:2064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4696,i,7312254832529558415,105306087583099425,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4704 /prefetch:8
  2⤵
  PID:1440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4804,i,7312254832529558415,105306087583099425,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4980 /prefetch:8
  2⤵
  PID:1268
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:1168
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff7d85b4698,0x7ff7d85b46a4,0x7ff7d85b46b0
    3⤵
    - Drops file in Windows directory
    PID:1084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4996,i,7312254832529558415,105306087583099425,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4640 /prefetch:1
  2⤵
  PID:4856

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2020

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3856

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\4c3a6aac-67a2-4b88-953a-e10402ae10c3.tmp

Filesize
13KB

MD5
794a96ea3a53e5fab6db223156090704

SHA1
1b443ac1080f2d2f5336d017355f798f45b67a64

SHA256
9544917995b9642c5a932d59387f3e16aa4a7bd77c89ee89bc5f7daf87049b33

SHA512
26dfa5f38bfc2300fc2634a6738c74d7c3070c29feee8e066fb7167974957b1782cfd0191b2685164a081d028bf70ad2f3e8d2099b6881b02909d23a258e04db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\613d2517-6f72-4170-9ab0-fc2abacff55e.tmp

Filesize
9KB

MD5
a09af7949db5cc0849e17546f90fe6f1

SHA1
86dfc529718f2a9001db54eca4a8ab05f611c7a9

SHA256
5ebf423b12a657ed9dd70e3addf3427d6ce8e913ec209653250823af7ecedd78

SHA512
59aa4595a7e5941f3e9ce8e0089a2ab7fc124819d7dfe513381bdd6da5e174b3af211a2f3d6ba5e60bab6b2633d02effc47945efe9b82fc4280d2179032c010f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
210KB

MD5
48d2860dd3168b6f06a4f27c6791bcaa

SHA1
f5f803efed91cd45a36c3d6acdffaaf0e863bf8c

SHA256
04d7bf7a6586ef00516bdb3f7b96c65e0b9c6b940f4b145121ed00f6116bbb77

SHA512
172da615b5b97a0c17f80ddd8d7406e278cd26afd1eb45a052cde0cb55b92febe49773b1e02cf9e9adca2f34abbaa6d7b83eaad4e08c828ef4bf26f23b95584e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
96c08300e9583cbef6e134ccc19e75ec

SHA1
6bd0b6427f50e08da775a99da9fde99d69b69f6e

SHA256
e41bc7228d2a7dddd66f2a26532919fc0a4b21e7265871a539efc41bfd5b827d

SHA512
6883e5554a7ba43dd3b94fd75e28c17787e80aab901b53d7adaf3ebc0c59c5ad5f28b1b47a1d80bd65daffc68f2a150cee30987587b0d3c528e2bcfffdc97ced

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
c78dfc76e91625e503d85cf7bf1521cc

SHA1
33ab639a5c8c90ddb4403b907014582953146393

SHA256
ff5bef7a9567c8734d5dbc5350fa2e0c0e9bf94b8f18b8d50671e2fac0470285

SHA512
597c471f5902ac2e985cae6dbb26c7484b180cdf3b7e25cbd3f03f041fa7a7c8b7957a4594432b6e41e458d44939a7fe10b8840e07f47d67b65aa6a121e0ef8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
39160b26a202c9fa13297ebc352ebde6

SHA1
c60976b335168a686aafa7810759393f42d43b10

SHA256
b380e1464e73de6d5825f0159b8e77780757ce0fb6da3a75ed301725bdd81b8e

SHA512
394305dc3cbe7101a5e7cde874419f358d9d2d70ab8285c04d788d588a529f492207a27cd0011d3ff8efc92acd5ce1a20a68cc173fb0767fc58e98b4b28d87f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
793e796de75be31b6c64b8ef901650e5

SHA1
ff2f32c121fc122aad7f648a091867d78c9fe400

SHA256
6375c07ae407594e80af5f7b6c5790c9d112f75d0b5af9f37d3d106a34a5d1dd

SHA512
1aa76a185fef8354a99bf7f80f61fdae919f12a542eef9c2025f1ffd3e0447a2a9d6870667c43d58587847f975aa6f59ee4e9f7710f270ceffa12507b2732db2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
aba831aae10cd9fa5160c06a56c1b888

SHA1
359df8633b144c1a3afa237e6a3d99d1595bc727

SHA256
fccdcf924804b57d4c928d2bc491141d91a6cf9c0adfbdce83f797e1d3cc162b

SHA512
1bb860bfd05ba89879dddb267e83d1c45f16c4875af27dcf44f846f1ecf542f38fd751061a1f80af4a60c7cb6f900abeda77711a4d4457df9df87ccb529c1f35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
9ff681502c007888289574d70fbdac43

SHA1
bccd95002612ed73f20ac5932e03e3d9a0f01e33

SHA256
8b90677fd44d3a9ea6ed27d82966b1b573a67537ad6d3807b3982559d10af13d

SHA512
cabe7e96e5041704e1558c2e5e9fcfa61510e11539a99b7a933a5c89fc205fffc4aefd09e05e3b1e144e01e22a14755944cd2c3730dbf72b01f84c6dc0468fb8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
6e30aa2c56abcef6d10a59425749ffc6

SHA1
a0050d251cd04623ca8d6d79908c282989c026a1

SHA256
801acc9ab70b45987ee0d4fefd867400e28a4664a3a44c3aabd5b71bec378fc3

SHA512
1c5ffee828d9459394bfdc5e13441c5591b5c82cd1f078055a748a80cdd186f92d6225b5229a283fbd89d1647a0baf1d1e486e403c46a33ecb693dfe007bb014

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
65e48a871ac91eb38dbe66d31b038051

SHA1
77da7190ec9be3462f5e1d0e10b6195581653108

SHA256
340b2168d70a3b6efdf5d1b1a8f06150e43283a067cbd5bd3456b48d4326eadf

SHA512
ba9cfb086a716ef504219a0cc085a1aec7cc2b03f9eff0661520bacf731ac6ac4dd154ec85ef70e6d09ae12baa1c8bcb05630436d74c85f725e64f210e55ec0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
2af29d9b9d4db88c70c1ce8ea96587f5

SHA1
f86f22c9f1c0400103f77b572a2148fccc86ae01

SHA256
c9f720f2123545398b13b956c011bd6b8e6eec55969d095702cd293b068c6a38

SHA512
9af560f621e38e2f4777f902249a42242e0db156d74f7eb3b60576a2da06b32f0e6751f34fd5e39b0acb457f38d87f275583d46272769ec474a80a54a952bede

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
abdfbba62a482efd1b5eb8d713ab30a5

SHA1
4b1a148b034269427e3c6ad36704a1ccde2b3ed7

SHA256
72e968771a5279958cbf74d2709b0c0999e418303de9dc2d9f74008d68dc214e

SHA512
306d4b6acdf0011cc635b598895ee7e730021a8a15854c67a901e6c4d0a83901d821c2c63089d1f04fedcb867f8a9f2dba21d532bf848b79d60fc2b4388288cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
576KB

MD5
239a07b85fa9e4eb495ef3921edea87b

SHA1
edeaceb5c8b678ba1c7bcf7f3673d5ccc727bece

SHA256
fb9ae4fd2e88c3a557d940ee81f3b18c7560dbcc8b5f5ee9dce48fe39a06d102

SHA512
b5305e4f6264d0935732d889ff49342e17b10a946e31484c5b4c16f28734caa564ed5ae47e26675dd58147840d75caf7049989c14eea47cad473121f02a34114

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
fab1885652ed3f62fc5ee58a63676eed

SHA1
9b802c272a89485d244828e8542954895392a828

SHA256
277f381de817d6ccc21e6fba2ff9502d646c0906fce534421c9ccfd99b5020e8

SHA512
dd264035907de42a9619a07bd82e8140bf8b5bd6ffd7f7002f06a08c81b4dff2f10916e277877022f300faa5a494a508aa51c81078121862d72edb6a0de0c04d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
52c27d962d204f4fc07d4734dc10e555

SHA1
4e268bd1985feffbabb5c0e06752f7da4d2c8bd9

SHA256
5fd1640712208ef6991b4fe84764a20381946368226a2458e6abc9ce4317176c

SHA512
688e062eb7545aed994209f48ede75c6153471848ec9ed1c227af0d27968c83431812212f1649aa63fd35c6ff8b7d0a798d008394e4853c54491f704ef96cccc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms

Filesize
1KB

MD5
3572b2985b7dfa68f181e7d57110f60d

SHA1
7b4f7613aa1140d327435e8c2f4bc5b84a7a0ecc

SHA256
52f6bf5e14094199340f76ae9cc2ed8407b8331484c66673e219124bbb803c06

SHA512
fe86e179b8238b41f660952b995119140a781f9c2573d0c138cd23b1bcc525c28c80cd9e77c9f45e13023ae104b8f15a61bd17d59ef4948d22952c58b5bb687e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms

Filesize
3KB

MD5
d609fbd9a272b5442b3566f220dbd206

SHA1
ff12e6216dd1a09f74192ee50b6cf634c995db00

SHA256
ef6895bc9a4fd036ace0d0699d98dab2cea93c01d763b45c5dc4680cdbc77409

SHA512
dc6df055324a15fdd4067c11ab0c0d4f16585aa68ac8fd42ad1ae401e17dc83d4b79b873070584c7661ec702eb432e672eda07e539527ddb9057c6c5e2bad84b

Download Submit
memory/2004-55-0x0000000005FF0000-0x0000000006000000-memory.dmp

Filesize
64KB

Download
memory/2004-42-0x0000000008C50000-0x0000000008C60000-memory.dmp

Filesize
64KB

Download
memory/2004-40-0x0000000005FF0000-0x0000000006000000-memory.dmp

Filesize
64KB

Download
memory/2004-41-0x0000000005FF0000-0x0000000006000000-memory.dmp

Filesize
64KB

Download
memory/2004-39-0x0000000008C40000-0x0000000008C50000-memory.dmp

Filesize
64KB

Download
memory/2004-38-0x0000000008C50000-0x0000000008C60000-memory.dmp

Filesize
64KB

Download
memory/2004-37-0x0000000008C50000-0x0000000008C60000-memory.dmp

Filesize
64KB

Download
memory/2004-33-0x0000000005FF0000-0x0000000006000000-memory.dmp

Filesize
64KB

Download
memory/2004-34-0x0000000005FF0000-0x0000000006000000-memory.dmp

Filesize
64KB

Download
memory/2004-36-0x0000000005FF0000-0x0000000006000000-memory.dmp

Filesize
64KB

Download
memory/2004-35-0x0000000005FF0000-0x0000000006000000-memory.dmp

Filesize
64KB

Download