a7902245c670cb4298fe5a6a7a30de35c28817b1ddbbb395e8e4c10c211fcf53

Resubmissions

11/08/2024, 17:41

240811-v9f74athpg 6

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/08/2024, 17:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dxdd.zip
Size

17.1MB
MD5

2c6792f81952ae869dbe5ef7f40d7a93
SHA1

cda4b9aa7c66d4f058c28e52b6e254a39f35ae0b
SHA256

a7902245c670cb4298fe5a6a7a30de35c28817b1ddbbb395e8e4c10c211fcf53
SHA512

0e615fd6c473f720f2f20b1694340c00b8b42cd9e1a0388c22fa9e3315659a9432181f6d25371e97b66541d740ecd31cfe7cc28aa53833d94ba5742c98af2bc7
SSDEEP

393216:IrJQAvxXZEWZnZStM96RuRvUjDpbCAItVOqwxQK/rRxpFu/Lbn4EnYW3Op3GCylt:IVQAOWFstM964RsjD5dkVOXQKDRqX1vx

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000469d591516ecda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000081520d1516ecda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a971091416ecda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000064982f1416ecda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004b5c341416ecda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133678718595338484"	chrome.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000047956d1416ecda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000081984e1416ecda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3324	chrome.exe
3324	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	4848	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4848	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4848	SearchIndexer.exe
Token: SeShutdownPrivilege	3324	chrome.exe
Token: SeCreatePagefilePrivilege	3324	chrome.exe
Token: SeShutdownPrivilege	3324	chrome.exe
Token: SeCreatePagefilePrivilege	3324	chrome.exe
Token: SeShutdownPrivilege	3324	chrome.exe
Token: SeCreatePagefilePrivilege	3324	chrome.exe
Token: SeShutdownPrivilege	3324	chrome.exe
Token: SeCreatePagefilePrivilege	3324	chrome.exe
Token: SeShutdownPrivilege	3324	chrome.exe
Token: SeCreatePagefilePrivilege	3324	chrome.exe
Token: SeShutdownPrivilege	3324	chrome.exe
Token: SeCreatePagefilePrivilege	3324	chrome.exe
Token: SeShutdownPrivilege	3324	chrome.exe
Token: SeCreatePagefilePrivilege	3324	chrome.exe
Token: SeShutdownPrivilege	3324	chrome.exe
Token: SeCreatePagefilePrivilege	3324	chrome.exe
Token: SeShutdownPrivilege	3324	chrome.exe
Token: SeCreatePagefilePrivilege	3324	chrome.exe
Token: SeShutdownPrivilege	3324	chrome.exe
Token: SeCreatePagefilePrivilege	3324	chrome.exe
Token: SeShutdownPrivilege	3324	chrome.exe
Token: SeCreatePagefilePrivilege	3324	chrome.exe
Token: SeShutdownPrivilege	3324	chrome.exe
Token: SeCreatePagefilePrivilege	3324	chrome.exe
Token: SeShutdownPrivilege	3324	chrome.exe
Token: SeCreatePagefilePrivilege	3324	chrome.exe
Token: SeShutdownPrivilege	3324	chrome.exe
Token: SeCreatePagefilePrivilege	3324	chrome.exe
Token: SeShutdownPrivilege	3324	chrome.exe
Token: SeCreatePagefilePrivilege	3324	chrome.exe
Token: SeShutdownPrivilege	3324	chrome.exe
Token: SeCreatePagefilePrivilege	3324	chrome.exe
Token: SeShutdownPrivilege	3324	chrome.exe
Token: SeCreatePagefilePrivilege	3324	chrome.exe
Token: SeShutdownPrivilege	3324	chrome.exe
Token: SeCreatePagefilePrivilege	3324	chrome.exe
Token: SeShutdownPrivilege	3324	chrome.exe
Token: SeCreatePagefilePrivilege	3324	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 3608	4848	SearchIndexer.exe	115
PID 4848 wrote to memory of 3608	4848	SearchIndexer.exe	115
PID 4848 wrote to memory of 4220	4848	SearchIndexer.exe	116
PID 4848 wrote to memory of 4220	4848	SearchIndexer.exe	116
PID 3324 wrote to memory of 2984	3324	chrome.exe	119
PID 3324 wrote to memory of 2984	3324	chrome.exe	119
PID 3324 wrote to memory of 5100	3324	chrome.exe	120
PID 3324 wrote to memory of 5100	3324	chrome.exe	120
PID 3324 wrote to memory of 5100	3324	chrome.exe	120
PID 3324 wrote to memory of 5100	3324	chrome.exe	120
PID 3324 wrote to memory of 5100	3324	chrome.exe	120
PID 3324 wrote to memory of 5100	3324	chrome.exe	120
PID 3324 wrote to memory of 5100	3324	chrome.exe	120
PID 3324 wrote to memory of 5100	3324	chrome.exe	120
PID 3324 wrote to memory of 5100	3324	chrome.exe	120
PID 3324 wrote to memory of 5100	3324	chrome.exe	120
PID 3324 wrote to memory of 5100	3324	chrome.exe	120
PID 3324 wrote to memory of 5100	3324	chrome.exe	120
PID 3324 wrote to memory of 5100	3324	chrome.exe	120
PID 3324 wrote to memory of 5100	3324	chrome.exe	120
PID 3324 wrote to memory of 5100	3324	chrome.exe	120
PID 3324 wrote to memory of 5100	3324	chrome.exe	120
PID 3324 wrote to memory of 5100	3324	chrome.exe	120
PID 3324 wrote to memory of 5100	3324	chrome.exe	120
PID 3324 wrote to memory of 5100	3324	chrome.exe	120
PID 3324 wrote to memory of 5100	3324	chrome.exe	120
PID 3324 wrote to memory of 5100	3324	chrome.exe	120
PID 3324 wrote to memory of 5100	3324	chrome.exe	120
PID 3324 wrote to memory of 5100	3324	chrome.exe	120
PID 3324 wrote to memory of 5100	3324	chrome.exe	120
PID 3324 wrote to memory of 5100	3324	chrome.exe	120
PID 3324 wrote to memory of 5100	3324	chrome.exe	120
PID 3324 wrote to memory of 5100	3324	chrome.exe	120
PID 3324 wrote to memory of 5100	3324	chrome.exe	120
PID 3324 wrote to memory of 5100	3324	chrome.exe	120
PID 3324 wrote to memory of 5100	3324	chrome.exe	120
PID 3324 wrote to memory of 4448	3324	chrome.exe	121
PID 3324 wrote to memory of 4448	3324	chrome.exe	121
PID 3324 wrote to memory of 3940	3324	chrome.exe	122
PID 3324 wrote to memory of 3940	3324	chrome.exe	122
PID 3324 wrote to memory of 3940	3324	chrome.exe	122
PID 3324 wrote to memory of 3940	3324	chrome.exe	122
PID 3324 wrote to memory of 3940	3324	chrome.exe	122
PID 3324 wrote to memory of 3940	3324	chrome.exe	122
PID 3324 wrote to memory of 3940	3324	chrome.exe	122
PID 3324 wrote to memory of 3940	3324	chrome.exe	122
PID 3324 wrote to memory of 3940	3324	chrome.exe	122
PID 3324 wrote to memory of 3940	3324	chrome.exe	122
PID 3324 wrote to memory of 3940	3324	chrome.exe	122
PID 3324 wrote to memory of 3940	3324	chrome.exe	122
PID 3324 wrote to memory of 3940	3324	chrome.exe	122
PID 3324 wrote to memory of 3940	3324	chrome.exe	122
PID 3324 wrote to memory of 3940	3324	chrome.exe	122
PID 3324 wrote to memory of 3940	3324	chrome.exe	122
PID 3324 wrote to memory of 3940	3324	chrome.exe	122
PID 3324 wrote to memory of 3940	3324	chrome.exe	122
PID 3324 wrote to memory of 3940	3324	chrome.exe	122
PID 3324 wrote to memory of 3940	3324	chrome.exe	122
PID 3324 wrote to memory of 3940	3324	chrome.exe	122
PID 3324 wrote to memory of 3940	3324	chrome.exe	122
PID 3324 wrote to memory of 3940	3324	chrome.exe	122
PID 3324 wrote to memory of 3940	3324	chrome.exe	122
PID 3324 wrote to memory of 3940	3324	chrome.exe	122
PID 3324 wrote to memory of 3940	3324	chrome.exe	122

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\dxdd.zip
1⤵
PID:1732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4396,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=1288 /prefetch:8
1⤵
PID:4728

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5072

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3608
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffbeec1cc40,0x7ffbeec1cc4c,0x7ffbeec1cc58
  2⤵
  PID:2984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1872,i,14478893781118746195,7042584706879119640,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1868 /prefetch:2
  2⤵
  PID:5100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1912,i,14478893781118746195,7042584706879119640,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2148 /prefetch:3
  2⤵
  PID:4448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2296,i,14478893781118746195,7042584706879119640,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2468 /prefetch:8
  2⤵
  PID:3940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,14478893781118746195,7042584706879119640,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:5136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3268,i,14478893781118746195,7042584706879119640,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:5144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4572,i,14478893781118746195,7042584706879119640,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4580 /prefetch:1
  2⤵
  PID:5320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4824,i,14478893781118746195,7042584706879119640,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4880 /prefetch:8
  2⤵
  PID:5752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5080,i,14478893781118746195,7042584706879119640,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4408 /prefetch:8
  2⤵
  PID:5924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4884,i,14478893781118746195,7042584706879119640,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5148 /prefetch:1
  2⤵
  PID:5308

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
505f8d2dd9dd0bd47acd368d600ad496

SHA1
80693c1256673ac58a6ec874e62122e6b9889821

SHA256
a9ab3e9a3172e69e836aa49b869f5ed3c0b281f446cc25eda2157dc282b26e60

SHA512
ccc9e33bb685cc7539824234f8891117e3d61afbf70744a5e887b89ad429944fe3a8f41f1d74961b8e043abc381bb7fcd9274ed77b4c77e92bacf4b5edced684

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
210KB

MD5
48d2860dd3168b6f06a4f27c6791bcaa

SHA1
f5f803efed91cd45a36c3d6acdffaaf0e863bf8c

SHA256
04d7bf7a6586ef00516bdb3f7b96c65e0b9c6b940f4b145121ed00f6116bbb77

SHA512
172da615b5b97a0c17f80ddd8d7406e278cd26afd1eb45a052cde0cb55b92febe49773b1e02cf9e9adca2f34abbaa6d7b83eaad4e08c828ef4bf26f23b95584e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
92ccccd24b5f6d052ee13efe547e0f56

SHA1
35828253ce18e5d27cd39a4be5229ceaee471199

SHA256
f4e30803e3b9ef08396a45440646869963adf9459f9d1eba65e11ff3a86b9cd5

SHA512
c3b0f5951ef008b521fe5801a2bfe9f4afe4d54d5d6ce1f3401b69bd5455829a8a4b6fa3da48310ef41d93538a9c69218dfb0885fa0724c760e696ca00caa1c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
a30129df0b942159580aafe147bd7a29

SHA1
4db8fb18704498d43d58fa87a2dd7732c7a590c5

SHA256
3185df30f012a9e264f647ee207f122a9c42e69178f018dcf21c7b7bbacdbfae

SHA512
a34d8291048642705a21b06f913776ea4c2d4bf04935e1d4f94ac5e3f9e74acb659dd70509623f5fdfe5c27eee85fdf39de7d051edcab58dea33daa040338c39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cb7d92a03c01dfe82efedb989013e92b

SHA1
6f49d4e3c33030b9a2ac6e194b0aab249385de1c

SHA256
3f226d894ffd9b74dbb721c9a95ef9844c1244df3ac75b9c5fd4067415048a74

SHA512
3a08c98ed3e5376bece3045ccd42f476633293544a9bbf27ee2eb1802530fb2d83f80a310c9f3c0f9333929a93715c9d09641d6d8c47bd86fd6237b0bbe617e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fcb08f396dc4a6859dda86e7de64f5c0

SHA1
b0d8c252f9b2ec1f78ccc1fbc389a7ec92601d65

SHA256
d4a20008f76c4e7ac5e9e53c431597c02c60914ede7599adf49523221a7d9727

SHA512
b8a2379b4f6b211fb5ee9a146ff21ffc5bd1151246373a27dbadfd62d0534bcae0e6430b01b300c44cf6f6e1ca0107abd913c5b764570273e3b895e1d53f781d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6cf6f73bfba2913ce5a363dc734f5a2a

SHA1
78b7ce1568758216a55e4f3f74119a09e9ad56bf

SHA256
5abbcd0803bd26a85d23270e7b55318d602e2590b8ac6bcdcb594212f094db46

SHA512
6f70a584413e90c3ed604000166265c5a2785b302f76027e6ee11cee05176a634bbb7a8f6a764f6ec70dc06605030442098e88874b8a048e94aeeb0805bccdb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b2c5028f8cd4cd34bfa12df2b4e2459e

SHA1
a01f2fda88baccf68936a63c7fe47df1c0943ef4

SHA256
2033ebb374d804fe0eb7a062a8dc80f4e45861b7ae07211784352aefd0211252

SHA512
1fc7897a8796e78e3c340fe052d50443ccc258e776e46a2330068a2896e7788bd3405aee8293672b681aaa0d861878bbdac83df7788f2c49f41241d05bd05bf8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
444385ce5febbe089ba1d7064e4f5382

SHA1
dc63387a947635ea53a644c606a5c9d779a1dc13

SHA256
784982a3c49a496db71a9ceecdc66e30b34edfe64922b502bf1c74c0ea6d4dd3

SHA512
7dca1e66ceb7bb7d19382eda87a0ca392c2b15d0ea9751b494fdc2aa54dc8b39fc29fa1390c1da8518225ff15b8cee5609c6388843165a4d90cf5b200beb2029

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
194KB

MD5
e797b05baf9f2c0510edf468ac25dba1

SHA1
ceaf6c65de956a6e1f2ed8c91b1939c010b6050e

SHA256
81d917b79565d78c5e8dd185474f15d396c9af9090ce32a8d2bd809c0ecb5201

SHA512
84886f3413cb0d891c3fef435bc3db077e3e85125fa552f1cc97636d247a3654f3d6bc10ced49576614827e940d4e2201af7f3803f66920b7a35760aa81cfdde

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
194KB

MD5
4a651a0b0340db401be7e01e938c0c24

SHA1
3bffaf6fac9ac84a15ebf8083bef6f530e5b877a

SHA256
c496bf0583e80a956bf8c0b5c4e40a03521fa7db69d47ac0590b450780bdea28

SHA512
a0b3800bd1e28cdbdd90d0b0658406ccaf2ec2cb00073bcff9aba2e30b3e53c56245b828590e62ad34eb0907375cd8af20d21ab8fdf7a28d0792e2be1d510d73

Download Submit
memory/4220-57-0x000002403C340000-0x000002403C350000-memory.dmp

Filesize
64KB

Download
memory/4220-56-0x000002403C340000-0x000002403C350000-memory.dmp

Filesize
64KB

Download
memory/4220-50-0x000002403C340000-0x000002403C350000-memory.dmp

Filesize
64KB

Download
memory/4220-49-0x000002403C340000-0x000002403C350000-memory.dmp

Filesize
64KB

Download
memory/4220-48-0x000002403C340000-0x000002403C350000-memory.dmp

Filesize
64KB

Download
memory/4220-47-0x000002403C340000-0x000002403C350000-memory.dmp

Filesize
64KB

Download
memory/4220-46-0x000002403C340000-0x000002403C350000-memory.dmp

Filesize
64KB

Download
memory/4220-45-0x000002403C340000-0x000002403C350000-memory.dmp

Filesize
64KB

Download
memory/4220-44-0x000002403C340000-0x000002403C350000-memory.dmp

Filesize
64KB

Download
memory/4220-41-0x000002403C340000-0x000002403C350000-memory.dmp

Filesize
64KB

Download
memory/4220-58-0x000002403C340000-0x000002403C350000-memory.dmp

Filesize
64KB

Download
memory/4220-59-0x000002403C340000-0x000002403C350000-memory.dmp

Filesize
64KB

Download
memory/4220-61-0x000002403C340000-0x000002403C350000-memory.dmp

Filesize
64KB

Download
memory/4220-60-0x000002403C340000-0x000002403C350000-memory.dmp

Filesize
64KB

Download
memory/4220-62-0x000002403C340000-0x000002403C350000-memory.dmp

Filesize
64KB

Download
memory/4220-63-0x000002403C340000-0x000002403C350000-memory.dmp

Filesize
64KB

Download
memory/4220-64-0x000002403C340000-0x000002403C350000-memory.dmp

Filesize
64KB

Download
memory/4220-66-0x000002403C340000-0x000002403C350000-memory.dmp

Filesize
64KB

Download
memory/4220-68-0x000002403C340000-0x000002403C350000-memory.dmp

Filesize
64KB

Download
memory/4220-67-0x000002403C340000-0x000002403C350000-memory.dmp

Filesize
64KB

Download
memory/4220-65-0x000002403C340000-0x000002403C350000-memory.dmp

Filesize
64KB

Download
memory/4220-52-0x000002403C340000-0x000002403C350000-memory.dmp

Filesize
64KB

Download
memory/4220-53-0x000002403C340000-0x000002403C350000-memory.dmp

Filesize
64KB

Download
memory/4220-54-0x000002403C340000-0x000002403C350000-memory.dmp

Filesize
64KB

Download
memory/4220-55-0x000002403C340000-0x000002403C350000-memory.dmp

Filesize
64KB

Download
memory/4220-51-0x000002403C340000-0x000002403C350000-memory.dmp

Filesize
64KB

Download
memory/4220-43-0x000002403C340000-0x000002403C350000-memory.dmp

Filesize
64KB

Download
memory/4220-42-0x000002403C340000-0x000002403C350000-memory.dmp

Filesize
64KB

Download
memory/4848-0-0x0000017D34CB0000-0x0000017D34CC0000-memory.dmp

Filesize
64KB

Download
memory/4848-39-0x0000017D3A490000-0x0000017D3A498000-memory.dmp

Filesize
32KB

Download
memory/4848-37-0x0000017D3A490000-0x0000017D3A491000-memory.dmp

Filesize
4KB

Download
memory/4848-36-0x0000017D3A4A0000-0x0000017D3A4A8000-memory.dmp

Filesize
32KB

Download
memory/4848-32-0x0000017D392A0000-0x0000017D392A8000-memory.dmp

Filesize
32KB

Download
memory/4848-16-0x0000017D34DB0000-0x0000017D34DC0000-memory.dmp

Filesize
64KB

Download