hxxps://mega[.]nz/folder/HiYnBCZY#ccByNiBMYYsHfqDafZxo9A

Analysis

max time kernel
104s
max time network
104s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
17-08-2024 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/folder/HiYnBCZY#ccByNiBMYYsHfqDafZxo9A

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133683565519147181"	chrome.exe

Modifies registry class 44 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xpr64	Xenos64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell\Run\command\ = "C:\\Users\\Admin\\Downloads\\YimMenu\\YimMenu\\Xenos64.exe --run %1"	Xenos64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Xenos64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Xenos64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64	Xenos64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\DefaultIcon\ = "C:\\Users\\Admin\\Downloads\\YimMenu\\YimMenu\\Xenos64.exe,-135"	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	Xenos64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Xenos64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Xenos64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xpr64\Content Type = "Application/xml"	Xenos64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell\Edit\command\ = "C:\\Users\\Admin\\Downloads\\YimMenu\\YimMenu\\Xenos64.exe --load %1"	Xenos64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\DefaultIcon	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Xenos64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Xenos64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xpr64\ = "XenosProfile64"	Xenos64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell\ = "Run"	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Xenos64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Xenos64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Xenos64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\ = "Xenos 64-bit injection profile"	Xenos64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell\Run	Xenos64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	Xenos64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell\Edit	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0	Xenos64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Xenos64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Xenos64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Xenos64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell\Edit\command	Xenos64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell\Run\command	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Xenos64.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\YimMenu.zip:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
1968	Xenos64.exe
1968	Xenos64.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1968	Xenos64.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2664	chrome.exe
2664	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1968	Xenos64.exe
1968	Xenos64.exe
1968	Xenos64.exe
1968	Xenos64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 3432	2664	chrome.exe	81
PID 2664 wrote to memory of 3432	2664	chrome.exe	81
PID 2664 wrote to memory of 4888	2664	chrome.exe	82
PID 2664 wrote to memory of 4888	2664	chrome.exe	82
PID 2664 wrote to memory of 4888	2664	chrome.exe	82
PID 2664 wrote to memory of 4888	2664	chrome.exe	82
PID 2664 wrote to memory of 4888	2664	chrome.exe	82
PID 2664 wrote to memory of 4888	2664	chrome.exe	82
PID 2664 wrote to memory of 4888	2664	chrome.exe	82
PID 2664 wrote to memory of 4888	2664	chrome.exe	82
PID 2664 wrote to memory of 4888	2664	chrome.exe	82
PID 2664 wrote to memory of 4888	2664	chrome.exe	82
PID 2664 wrote to memory of 4888	2664	chrome.exe	82
PID 2664 wrote to memory of 4888	2664	chrome.exe	82
PID 2664 wrote to memory of 4888	2664	chrome.exe	82
PID 2664 wrote to memory of 4888	2664	chrome.exe	82
PID 2664 wrote to memory of 4888	2664	chrome.exe	82
PID 2664 wrote to memory of 4888	2664	chrome.exe	82
PID 2664 wrote to memory of 4888	2664	chrome.exe	82
PID 2664 wrote to memory of 4888	2664	chrome.exe	82
PID 2664 wrote to memory of 4888	2664	chrome.exe	82
PID 2664 wrote to memory of 4888	2664	chrome.exe	82
PID 2664 wrote to memory of 4888	2664	chrome.exe	82
PID 2664 wrote to memory of 4888	2664	chrome.exe	82
PID 2664 wrote to memory of 4888	2664	chrome.exe	82
PID 2664 wrote to memory of 4888	2664	chrome.exe	82
PID 2664 wrote to memory of 4888	2664	chrome.exe	82
PID 2664 wrote to memory of 4888	2664	chrome.exe	82
PID 2664 wrote to memory of 4888	2664	chrome.exe	82
PID 2664 wrote to memory of 4888	2664	chrome.exe	82
PID 2664 wrote to memory of 4888	2664	chrome.exe	82
PID 2664 wrote to memory of 4888	2664	chrome.exe	82
PID 2664 wrote to memory of 3764	2664	chrome.exe	83
PID 2664 wrote to memory of 3764	2664	chrome.exe	83
PID 2664 wrote to memory of 4784	2664	chrome.exe	84
PID 2664 wrote to memory of 4784	2664	chrome.exe	84
PID 2664 wrote to memory of 4784	2664	chrome.exe	84
PID 2664 wrote to memory of 4784	2664	chrome.exe	84
PID 2664 wrote to memory of 4784	2664	chrome.exe	84
PID 2664 wrote to memory of 4784	2664	chrome.exe	84
PID 2664 wrote to memory of 4784	2664	chrome.exe	84
PID 2664 wrote to memory of 4784	2664	chrome.exe	84
PID 2664 wrote to memory of 4784	2664	chrome.exe	84
PID 2664 wrote to memory of 4784	2664	chrome.exe	84
PID 2664 wrote to memory of 4784	2664	chrome.exe	84
PID 2664 wrote to memory of 4784	2664	chrome.exe	84
PID 2664 wrote to memory of 4784	2664	chrome.exe	84
PID 2664 wrote to memory of 4784	2664	chrome.exe	84
PID 2664 wrote to memory of 4784	2664	chrome.exe	84
PID 2664 wrote to memory of 4784	2664	chrome.exe	84
PID 2664 wrote to memory of 4784	2664	chrome.exe	84
PID 2664 wrote to memory of 4784	2664	chrome.exe	84
PID 2664 wrote to memory of 4784	2664	chrome.exe	84
PID 2664 wrote to memory of 4784	2664	chrome.exe	84
PID 2664 wrote to memory of 4784	2664	chrome.exe	84
PID 2664 wrote to memory of 4784	2664	chrome.exe	84
PID 2664 wrote to memory of 4784	2664	chrome.exe	84
PID 2664 wrote to memory of 4784	2664	chrome.exe	84
PID 2664 wrote to memory of 4784	2664	chrome.exe	84
PID 2664 wrote to memory of 4784	2664	chrome.exe	84
PID 2664 wrote to memory of 4784	2664	chrome.exe	84
PID 2664 wrote to memory of 4784	2664	chrome.exe	84
PID 2664 wrote to memory of 4784	2664	chrome.exe	84
PID 2664 wrote to memory of 4784	2664	chrome.exe	84

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mega.nz/folder/HiYnBCZY#ccByNiBMYYsHfqDafZxo9A
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffbb06cc40,0x7fffbb06cc4c,0x7fffbb06cc58
  2⤵
  PID:3432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1832,i,11127993298284359615,18178818201811422200,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1828 /prefetch:2
  2⤵
  PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2052,i,11127993298284359615,18178818201811422200,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2132 /prefetch:3
  2⤵
  PID:3764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2172,i,11127993298284359615,18178818201811422200,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2244 /prefetch:8
  2⤵
  PID:4784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3064,i,11127993298284359615,18178818201811422200,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3132 /prefetch:1
  2⤵
  PID:2524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3076,i,11127993298284359615,18178818201811422200,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:4760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4512,i,11127993298284359615,18178818201811422200,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4528 /prefetch:8
  2⤵
  PID:3644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4636,i,11127993298284359615,18178818201811422200,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4548 /prefetch:8
  2⤵
  PID:1988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4264,i,11127993298284359615,18178818201811422200,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5212 /prefetch:8
  2⤵
  - NTFS ADS
  PID:3236

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4452

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004B8 0x00000000000004D4
1⤵
PID:5104

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2268

C:\Users\Admin\Downloads\YimMenu\YimMenu\Xenos64.exe
"C:\Users\Admin\Downloads\YimMenu\YimMenu\Xenos64.exe"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
fdfab525a7374cb8d793c03b46bdbe53

SHA1
08d546f86ceba6b0a4d0f51d8dc0d3aef1d8ce83

SHA256
c2187006e7d63a6b4a005acedb0291569c19e794a53746d1a7bb4aa113826642

SHA512
ad41d5ecb96b4fe056cd7b498db342cc75dc80dad86ec19dacf77deebfd7c8070f250de6d120a0f53704297fcd5997b6017f778d3d5ac9968458d9502627632a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000022

Filesize
21KB

MD5
b1dfa46eee24480e9211c9ef246bbb93

SHA1
80437c519fac962873a5768f958c1c350766da15

SHA256
fc79a40b2172a04a5c2fe0d5111ebeb401b9a84ce80c6e9e5b96c9c73c9b0398

SHA512
44aefedf8a4c0c8cbc43c1260dc2bbc4605f83a189b6ef50e99058f54a58b61eb88af3f08164671bad4bd9c5e3b97b755f2fa433490bef56aa15cdf37fb412b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000023

Filesize
36KB

MD5
f90ac636cd679507433ab8e543c25de5

SHA1
3a8fe361c68f13c01b09453b8b359722df659b84

SHA256
5b4c63b2790a8f63c12368f11215a4ffec30c142371a819a81180a32baeb2bce

SHA512
7641a3610ad6516c9ecd0d5f4e5fa1893c7c60ca3ba8ae2e1b3b0cc3a72f7f9bef4c776a1f2fc52f366bd28a419ae3594a6576e886e79a20ebd98b55b2acc967

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000024

Filesize
17KB

MD5
950eca48e414acbe2c3b5d046dcb8521

SHA1
1731f264e979f18cdf08c405c7b7d32789a6fb59

SHA256
c0bbe530abfce19e06697bc4358eb426e076ccdb9113e22df4a6f32085da67a2

SHA512
27e55525ade4d099a6881011f6e2e0d5d3a9ca7181f4f014dc231d40b3b1907d0d437b0c44d336c25dd7b73209cd773b8563675ac260c43c7752e2d2d694d4d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
48f3151e387a972c91b666838abefbf5

SHA1
75e828186c75512a2a70ba850330386e035edb4e

SHA256
bcf6dd0f73f84aef37b3c387d3aed41def963ed341fc514579b391f3630142f8

SHA512
476a32c45907aec3ad27b2f4b81dee32dfc598dbd495b97382625ef030e72382dfe90b1f16a63daa1e3002aec7ad88e1d63225a58e2fe40c6a785e8b3d189006

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\p\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
fc9daf35b06f7369c199a660934c32e3

SHA1
5f238a5383c57a2f1314722f450bd7fafaf9b59a

SHA256
1e40bb0e6981c414eae51e5cc07cd33e74bdc08b500538bfae9fd2905e84094d

SHA512
544e245ddc5ff4ebb0b71b1ecef37221d030f81d5cd49cf0523eb9b03e5eb0194c762f5a2ff8359dc9a86833a04774a23f14db2372cb5f82c5043f821fe68bf1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
74fdab5c34961f86b824bb24cb7a05f0

SHA1
9c6f98da3cbd45e31c2784e805a9497f2a98a44e

SHA256
ce4e23b07dcde712b37f193df490b04a2f5675ff40c554ba363161f7d84f3cae

SHA512
0360aa95d23cf3b0044aa6737f0211183caa7e2ea842ec43fd3c43479be7c371f69900323ffb30ddf0fee5c7792adfb4d74587d7712b66a461292a6571c3d705

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ae9b89c38923bf10d7c2d136cd325de3

SHA1
729259b51072b637573c825eb861e92908777307

SHA256
73e4eb43ae0779fe53d79d9f8519408f030c09e40f7ea6fde913c2bec7c13f7e

SHA512
37c31833de85a20a8eab41cfccb713b5f5e25acc274ce7a33b392b548743044c180e9123969bc9984e3feb22847ed7a6d93dfc3189679e05b7805a9d2eae3a04

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
919e46856912a43d9b4879ad9678352a

SHA1
effb9947a4183204c81d962347711b44ed6b324a

SHA256
89d009562526a2ef4018e93c004df8ffd41cedd2b57beeea5866e73c6fcdb111

SHA512
f388b37ede31837c4a4dabffd647380d6d7faec4b0264d5fc766694c481a2a8c395c2699f06fb9498826d00de4b3aae076eba7852beda9ef511eaa7334efd202

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ce1d3716296a103146669f306e13d190

SHA1
0d544730a00875ee7148549a1746c5218b711eb5

SHA256
deffda7ef56ebd1575905db984a9d6de299301969006e3e4d28b2cf300b3338b

SHA512
eb199ddf240e53b7c4994d7b8ee78a5966f2b2029bb7c3d8c1ff9cfe695a1767886db1346c44b20d1871d9a4655255285be4439c2f4fadb67dc10aa6246e8df7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a518522f87279f39334617975f12aa12

SHA1
856c83c2ad5bf26bb4da1c40c8fb6f25f2d3fbba

SHA256
ded049ea374f1d48815b897b5bec7581de9dc54dbf9963990ca0df117b056440

SHA512
c129c219ddb1692abe1bcaf8fa8e53e41fed7ff4d7ee40acc25cbf31ac37566316e1ee4696e01b2a28d57e4d3d3e3f51f4dbeaaca4d32a3a96245215cc685621

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2563b58c5aa0f7a3b05ca1a6964fed5e

SHA1
5094a18adcc6aace2bb28513389dcdbbbc4aeae9

SHA256
f71241f981efbb0629c501299120f4a80a4bb234b51b8185a9e2606c5a519897

SHA512
39fef52b647c49a73f080ba0575f261b000fcf485ce5ac3d9516df4fa920409c2b9f7475957fd5c845fcdfbfc5227c58b3ae48a97b2602f14febec9d8b2602b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
284a7b8eba2e32b0e107eae4b039a2fc

SHA1
8ae7cb5625b29aa07e09ac3f1a374dbf7db9942b

SHA256
f14646af714f126193a63aade77f73d31cbba56bb4db09618d2ecfe20739e0e9

SHA512
aaef462284a58e46caa1d7c26fbf13bccff58d39885f63406fec7c2dd39b4bf2d7f28330c29a539e06d9f6308beadf3847083b5c089ee0383e083706a30cf626

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
eb1bf107e689f7777a05b98b84b71810

SHA1
e71d52688eb264a51444212a4c33caa447a9e5d0

SHA256
417e5f5c836561dbc6cfd9857701d1e989b618401e34d9c72de0bab7d0c32b04

SHA512
177747b40bd0d58f94a1448d350c4f8cdc8a85f487e9b70ef9471e40b46d5bc50e249a7d0ee0c9e8007673669787a33d50de324e600fbf04c17af4859a9c41d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\temp-index

Filesize
96B

MD5
87bab11278b5e53b396c9a3c4a480f5f

SHA1
9dde79fd76a10d910625dcca4fae36f6cb59da04

SHA256
3aa7b979300d09bff5edda51ce8edba72dd709f9cf8d824b2f6b08878143038b

SHA512
f763c80189a84af2d1cc44f934de7a3db68b48e56d133f92777d7c0f93d32e4486e69e9be950468be55046d64d7d8678e59a27c54281067be7b895207d47e884

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
1988799dc25aad32ba7da940d0fa0dfa

SHA1
600fb5f6400b7fff4e061f1b3401247f87cc331c

SHA256
3cf630a26417c73ed3b3182525e7cd27d7dc21a6a075c38ef432256c00531fb9

SHA512
ca011140302ce6d5b5731b41cb62251a073a821f3f47c3e291ec9ffe686d9a6a15406750a71ffa89fe3f261b0aaf1d19295b367a4d193bc14dc4ce260ea4366d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
2195ca199b435183aec1cc72f5b0004e

SHA1
8fcdc73ad99efc189db90b2be5e441d1e02b90de

SHA256
f31ce9acc7c16e27287dbaf5863602a180365a2b150f6fb5eb192a8d6503622d

SHA512
14b5e12ffd3cff982ab45117829c6be9de9c543cd4eaaba68d943b7a25af29912a118e7cf293012a62b84c3dbefa327316e7e6b7eabb29b1c058a67cf522d40d

Download Submit
C:\Users\Admin\Downloads\YimMenu.zip.crdownload

Filesize
12.4MB

MD5
20b6b1d9c8360997b271dbf0351b6527

SHA1
413f819d4e397beb701892e42e4b4a9e06f42e78

SHA256
183ac50d3c0619a04d85fa382b9d6d7900c52c8a7aacc8f768980299023e6e28

SHA512
239d56016f2e5a89bfd30a9354bd07704234eee8448858421bb28964d3bebcb221069ca014da66c5cbfd585c0c7a1783f71c33c4c259790c3fe7486d51e8c8ab

Download Submit
C:\Users\Admin\Downloads\YimMenu.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/1968-270-0x0000000002360000-0x0000000002569000-memory.dmp

Filesize
2.0MB

Download
memory/1968-271-0x0000000000050000-0x0000000000150000-memory.dmp

Filesize
1024KB

Download
memory/1968-259-0x0000000000050000-0x0000000000150000-memory.dmp

Filesize
1024KB

Download