bf6155050aee616b3dde64bbc42a3a0422be94e035945799ae20b0c0e35f963e

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ExeFile (99).exe
Size

990KB
MD5

4afc09642e78a70722fd3ab5ed29d27d
SHA1

9772ecbcfd5cda231c0124ac7f72d089369fb176
SHA256

bf6155050aee616b3dde64bbc42a3a0422be94e035945799ae20b0c0e35f963e
SHA512

9cbeddf750f114174e1908995626b5333faf2c1cb4f9e89e59e5f597d6b18950dad4c3f31b7a81ca1d335854a608d149abc7fb6ab7c5c3edf9f1c36dccdb9620
SSDEEP

24576:Y2G/nvxW3WsTQRzqlqaHb/YF6AXyUo5uoDF6mXy+o5+xfRq:YbA3DQRzI/TYwIUHwAU+rq

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	ExeFile (99).exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	mshta.exe

Executes dropped EXE 1 IoCs

pid	Process
1840	main.exe

Loads dropped DLL 2 IoCs

pid	Process
1840	main.exe
1840	main.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ExeFile (99).exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2796	TASKKILL.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133686369338561100"	chrome.exe

Runs .reg file with regedit 2 IoCs

pid	Process
4568	regedit.exe
3408	regedit.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3352	chrome.exe
3352	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe
3328	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2796	TASKKILL.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1840	main.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4744 wrote to memory of 1840	4744	ExeFile (99).exe	86
PID 4744 wrote to memory of 1840	4744	ExeFile (99).exe	86
PID 1840 wrote to memory of 2796	1840	main.exe	89
PID 1840 wrote to memory of 2796	1840	main.exe	89
PID 1840 wrote to memory of 4568	1840	main.exe	90
PID 1840 wrote to memory of 4568	1840	main.exe	90
PID 1840 wrote to memory of 2884	1840	main.exe	93
PID 1840 wrote to memory of 2884	1840	main.exe	93
PID 2884 wrote to memory of 2948	2884	cmd.exe	95
PID 2884 wrote to memory of 2948	2884	cmd.exe	95
PID 2948 wrote to memory of 2608	2948	mshta.exe	96
PID 2948 wrote to memory of 2608	2948	mshta.exe	96
PID 2608 wrote to memory of 3352	2608	cmd.exe	98
PID 2608 wrote to memory of 3352	2608	cmd.exe	98
PID 3352 wrote to memory of 4664	3352	chrome.exe	99
PID 3352 wrote to memory of 4664	3352	chrome.exe	99
PID 3352 wrote to memory of 2216	3352	chrome.exe	100
PID 3352 wrote to memory of 2216	3352	chrome.exe	100
PID 3352 wrote to memory of 2216	3352	chrome.exe	100
PID 3352 wrote to memory of 2216	3352	chrome.exe	100
PID 3352 wrote to memory of 2216	3352	chrome.exe	100
PID 3352 wrote to memory of 2216	3352	chrome.exe	100
PID 3352 wrote to memory of 2216	3352	chrome.exe	100
PID 3352 wrote to memory of 2216	3352	chrome.exe	100
PID 3352 wrote to memory of 2216	3352	chrome.exe	100
PID 3352 wrote to memory of 2216	3352	chrome.exe	100
PID 3352 wrote to memory of 2216	3352	chrome.exe	100
PID 3352 wrote to memory of 2216	3352	chrome.exe	100
PID 3352 wrote to memory of 2216	3352	chrome.exe	100
PID 3352 wrote to memory of 2216	3352	chrome.exe	100
PID 3352 wrote to memory of 2216	3352	chrome.exe	100
PID 3352 wrote to memory of 2216	3352	chrome.exe	100
PID 3352 wrote to memory of 2216	3352	chrome.exe	100
PID 3352 wrote to memory of 2216	3352	chrome.exe	100
PID 3352 wrote to memory of 2216	3352	chrome.exe	100
PID 3352 wrote to memory of 2216	3352	chrome.exe	100
PID 3352 wrote to memory of 2216	3352	chrome.exe	100
PID 3352 wrote to memory of 2216	3352	chrome.exe	100
PID 3352 wrote to memory of 2216	3352	chrome.exe	100
PID 3352 wrote to memory of 2216	3352	chrome.exe	100
PID 3352 wrote to memory of 2216	3352	chrome.exe	100
PID 3352 wrote to memory of 2216	3352	chrome.exe	100
PID 3352 wrote to memory of 2216	3352	chrome.exe	100
PID 3352 wrote to memory of 2216	3352	chrome.exe	100
PID 3352 wrote to memory of 2216	3352	chrome.exe	100
PID 3352 wrote to memory of 2216	3352	chrome.exe	100
PID 3352 wrote to memory of 3540	3352	chrome.exe	101
PID 3352 wrote to memory of 3540	3352	chrome.exe	101
PID 3352 wrote to memory of 960	3352	chrome.exe	102
PID 3352 wrote to memory of 960	3352	chrome.exe	102
PID 3352 wrote to memory of 960	3352	chrome.exe	102
PID 3352 wrote to memory of 960	3352	chrome.exe	102
PID 3352 wrote to memory of 960	3352	chrome.exe	102
PID 3352 wrote to memory of 960	3352	chrome.exe	102
PID 3352 wrote to memory of 960	3352	chrome.exe	102
PID 3352 wrote to memory of 960	3352	chrome.exe	102
PID 3352 wrote to memory of 960	3352	chrome.exe	102
PID 3352 wrote to memory of 960	3352	chrome.exe	102
PID 3352 wrote to memory of 960	3352	chrome.exe	102
PID 3352 wrote to memory of 960	3352	chrome.exe	102
PID 3352 wrote to memory of 960	3352	chrome.exe	102
PID 3352 wrote to memory of 960	3352	chrome.exe	102
PID 3352 wrote to memory of 960	3352	chrome.exe	102
PID 3352 wrote to memory of 960	3352	chrome.exe	102

C:\Users\Admin\AppData\Local\Temp\ExeFile (99).exe
"C:\Users\Admin\AppData\Local\Temp\ExeFile (99).exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\main.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\main.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Windows\SYSTEM32\TASKKILL.exe
    TASKKILL /F /IM chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2796
- - C:\Windows\regedit.exe
    regedit /s chrome.reg
    3⤵
    - Runs .reg file with regedit
    PID:4568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c chrome64.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Windows\system32\mshta.exe
      mshta vbscript:createobject("wscript.shell").run("chrome64.bat h",0)(window.close)
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:2948
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\chrome64.bat" h"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2608
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:/Program Files/Google/Chrome/Application/chrome.exe"
        6⤵
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3352
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffd0765cc40,0x7ffd0765cc4c,0x7ffd0765cc58
        7⤵
        
        PID:4664
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2112,i,1779271903495415548,12363708068025360069,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2108 /prefetch:2
        7⤵
        
        PID:2216
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1744,i,1779271903495415548,12363708068025360069,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2152 /prefetch:3
        7⤵
        
        PID:3540
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1824,i,1779271903495415548,12363708068025360069,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2300 /prefetch:8
        7⤵
        
        PID:960
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,1779271903495415548,12363708068025360069,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3164 /prefetch:1
        7⤵
        
        PID:4564
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3172,i,1779271903495415548,12363708068025360069,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3204 /prefetch:1
        7⤵
        
        PID:3984
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4252,i,1779271903495415548,12363708068025360069,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4380 /prefetch:8
        7⤵
        
        PID:3864
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3884,i,1779271903495415548,12363708068025360069,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4692 /prefetch:8
        7⤵
        
        PID:3512
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4840,i,1779271903495415548,12363708068025360069,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4868 /prefetch:1
        7⤵
        
        PID:4856
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3888,i,1779271903495415548,12363708068025360069,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4992 /prefetch:8
        7⤵
        
        PID:228
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4852,i,1779271903495415548,12363708068025360069,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5024 /prefetch:8
        7⤵
        
        PID:4940
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4532,i,1779271903495415548,12363708068025360069,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5244 /prefetch:8
        7⤵
        
        PID:1544
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5176,i,1779271903495415548,12363708068025360069,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5072 /prefetch:8
        7⤵
        
        PID:2372
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=844,i,1779271903495415548,12363708068025360069,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5056 /prefetch:8
        7⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3328
- - C:\Windows\regedit.exe
    regedit /s chrome-set.reg
    3⤵
    - Runs .reg file with regedit
    PID:3408

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
22502e206969b77dc054891a8481a5ae

SHA1
fe553b636279cb8c586b8ebfa58f43757a1efc2a

SHA256
0cb7ea3536dab466697a9d79e2b9d2d9d772eeb82fafb8edfc07c9e0a67d52f7

SHA512
876eb2ee1a3200c46589edd0ec858e289cbd50f130578d7d8c828980d2a0043d1e53c98dfce9e97425a0e4bc2abc92b06924d5cbaf44ea4ab4295faa7f3965dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\focdcjmgbkflegglldccphpndkljjnbc\1.0.0_0\_locales\zh_CN\messages.json

Filesize
66B

MD5
4f67dd220b42375823d71ebce041d90a

SHA1
106975d79cc08921bc96431cf65ca61780aee50c

SHA256
2d9dccfcc099c9f91cf49a23fc122e7b7c95bd5e930720193c44954e336f9ed4

SHA512
88868c1bb91ced549ddcea4394b8cc628c80b720fc46867c85f5fea4ecbe1af36ab8dc9305b96a9f2a6d03c3d034f2e6af14bc885447080b84cb57bf871c3c8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
d7523edcc09410df1d229642534907fc

SHA1
31b10717ab8b718f25b8a01835ccfde06ddb49be

SHA256
213eaa20552cda181cf9897deb4cff0ac90b8b088ea867f96140ae2677a8be56

SHA512
84d3f9fa0c57dc80a2a00ba670300e956327d937968ff50786c20d386cda6b157bd7e2237321995e8063bc625eaeef5cb4cf1c10e59b3340a8b3a218e0de81c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
ab4462f263bf2750e7f83b09fb267bde

SHA1
164b1dbb6cf2014c52c46a8264ad21122bfabd58

SHA256
7d3905b43f014367f6ba82a46eaac2746a65f729d3b3fca600d9226dc705ab03

SHA512
f847e22aead8ed08a71cd87bf43ebf2ed47fe8cd0594ef4deea6ede6cd18c3a8c566f053b78a5ed232e1144fae856bdb2f3c1511794c0a43703b8d670e251612

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
71a4ab9075d3b1a24613b588d448aeea

SHA1
e0240fe7ed5b1929d3efabf0af94690ba9b6c4cc

SHA256
c4fdb4ce06550e4446e565795a46cb0b3c9d032df53db753a7b1e557b115d6f2

SHA512
c3c4f47199d1f79b5911ab72523e47114ec8f218a74fc8c8c11abed3307a4f3c1da2f55400fdcd6e8963c8d9244f5210415bb9b47d526c72209396fca3354175

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
609b2d4997dfe402e002cbc7dbde68fc

SHA1
8baa182c54c20eb467489b955655bebc0171b9f1

SHA256
8c58f38b63f052fa3b3ba285997ef3ad33ee3d5b65e349b1e20f832a7f138866

SHA512
2a4492ae776c3f6da7653604c0a51d54a986c6c2893adb2e3b217326a35123e1c95cfd3131f288bfa44b4538ce605628c79a652d4c2c1d0c4bade405aaf1ec37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
baee4f481b34cffddedc35bab031480a

SHA1
90b64e47ed25868e52cdfcfeae8038e329242fba

SHA256
2e8010eec1bb5e82a6b9a891b4a11cb239fccfc04d40b64c7c0626e242dab52b

SHA512
65307b7197d128789204ac574b1f2c1a6f1a6a83365a8bbdd0ceb5f0652935ae659c2972841c446395e0cb1a862799093201e236d539fff97140896b9d78164b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
520c3bcc9432026ab2c29ea71fa9c770

SHA1
a5c814470a2950da1e563d3a600271cb30e2aa52

SHA256
576f2663da9211ee4b35fa96deee9d4b503b4582001125cfdf46cc36f238a817

SHA512
799d34db51a7037fe82506409b9869a63fb59ceaab715a8c300434d9e73590e3c2affdcbc18876c0b42e2cffb973369cb27cc12032bab48ac2208fd210c0855c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
088f7c075869bfd97aef0ec3a2fa5485

SHA1
79580353827bf7c46e727bdc92083dee4c7866bb

SHA256
85d9dc07c214f29757e8ca1eef59e927f2cefedd4a7ac52e9ee68db8b6927e01

SHA512
6be2d72f522b0dbcb3e204530fb0519ba10ee28be7556f24281c8d64f9d6d86db45a2287bbe47ef3ae77ece6b088de6d8d5cf22d565b76efd942047b8251ccb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9cb5b3adeb9ebb8a102940c98020e0a7

SHA1
1263e42ad1e4bf6a32533b4fa3f5304eada6283f

SHA256
0090fc4b5a5394aa72937c5d0a250544783abb42fcfde677664e6a2f882a0142

SHA512
2c7eaacb22d3dfc054f433ce76342c77bf554afb9991b48346534af0ef9b14c76b66daba964d90b22c9086bcd16f5b8067939f714ce233e59301da01f179c710

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
7e0c605d5ed6d022699032a13e547fef

SHA1
d3195561e164e9285f15dabd1660d960191d07bc

SHA256
34081d9f8139b2f741d5f40d13f2f29c7e8c3a85d6af8d64b22aed8dcddec9c1

SHA512
38490faa30f982b03667fd4b10a86c56bc7c614457669792f53f01e19400d9fa6a7d340116276501466766b7b4b4b04e01fe0bb4eaf476cb88e1558a639cbc32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
17KB

MD5
77baad2b8624f95c978839fef034dbc7

SHA1
991cee50d2b7634d7f255e73880887410c182bf1

SHA256
9a636c57a5bc34b4f479f9be39880b6dac6f2135ad9db23420b9fea92cd77c27

SHA512
5cfd6fcd3c4c3ab6d5d838bf605ec54704704bfa1d85f32fac383376cdd644a1afb14fafa290e8e468ed692e5ccf1b8a2ac8dfa1b5925509d028145877af0c03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
199KB

MD5
c7e04b166a287147e09d602c59bc8ab2

SHA1
3bfb5b46b5052c0bd821afa4392a4ee84cf88092

SHA256
9d5d2dd0706de9b9815bcec01c0530369d3162a02bb35ef9017f21ada3286461

SHA512
8f8ec76319787fbcb7e2dd8ceb7c26dd547a41d13ccb4e4a70613724f826a6994c5c7ffc9b391887898cf23650fe744164eb4385aaca40553dbbd2e40ecd7d4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
199KB

MD5
0663bef742edd23eeb13d06782de745d

SHA1
993258c5e978c7ef9206bbc213bf7e7487009580

SHA256
536ae1914ea16abef292c12199bdc6cb36beb2a05695a9d8c876e819eaff51f8

SHA512
fb1fa806ed849e1296521fe6bd3b64836a5a73a2ea2fe69df0297412f615b096f371aac995b33dcc2e6dd1115f853247b2b89addae128ad90852bb4e3100692a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCRUNTIME140_1.dll

Filesize
35KB

MD5
ab03551e4ef279abed2d8c4b25f35bb8

SHA1
09bc7e4e1a8d79ee23c0c9c26b1ea39de12a550e

SHA256
f8bc270449ca6bb6345e88be3632d465c0a7595197c7954357dc5066ed50ae44

SHA512
0e7533b8d7e5019ffd1e73937c1627213711725e88c6d7321588f7fffe9e1b4ef5c38311548adbd2c0ee9b407135646593bf1498cbee92275f4e0a22ace78909

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\chrome-set.reg

Filesize
913B

MD5
3e340776563dabf93d6facd415dc014c

SHA1
99c220b33423ce5307405a23507f4d4023b256f0

SHA256
9d82451d22500c2723d18e096971989902ddef5cbf6bc2215f26e9f95e8f5390

SHA512
bf044227a608c95279a87e3f6f998377baa1b1d1a214721f129fb5127eab4c51ec2fa5fd759ae00ee2eea94c95a303788ed0c420eb40fb0319cda6ca41a1360d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\chrome.reg

Filesize
412B

MD5
53924b9a3cee1936dca042f83a8c77d5

SHA1
5b162956b38483c5b5bf93221d71ccf931c69823

SHA256
e5d981cc07403a2207efd14f376f78540d83ba99c09063a1d0205247a753ce9f

SHA512
b075c865d2edcad060035b7b35f9211715118925acbd17dcd6880773a3f6f5e541361f5db35a1df7145d342ba926c92c59bb5ddc8263e0977af6e26b5a48c145

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\chrome64.bat

Filesize
197B

MD5
431927c4715b4e73c9b68ff675515391

SHA1
17bd1a044f85f1776fe932c01b8e707110d44f9c

SHA256
b142632ccb968e4d404827499ea7895f578e809ce9778ff263ae1d68f8234861

SHA512
f4d499b8eae75fb11cbe7017b1561325b0183ff1460210d04d40d3aa2c0b282c0d34675e3d714ddccc158da2b6e6ce677441d420f5466fde0b8a5dcf39074a29

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\edge.reg

Filesize
148B

MD5
84ca171b5ca3d26e4fed7a32025f3907

SHA1
d6e38106f659001fa06089fccb6e3f3bc8f6138d

SHA256
b98f6cc05e7a64fa43ca94b573cc5ddf274879e7002d85e7b1b9cf8f002d4023

SHA512
de0aee9a7508df79dee9743df7d92dc06dae19237a49ee54e31514cf7e9ac796225676b1b5e41e900f859093df87848059e5bb187967f27c1a1591f69708c2a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\id-chrome.txt

Filesize
32B

MD5
0167419b601a93258aeb85fc6e775893

SHA1
0a144617b0dd5c5cd4aee3afa8e950f19fda15e8

SHA256
6b01add656de1f80a188fb7407856c06b54c39946642a949c2eba2ee5801ca07

SHA512
76e24f6e46944f2063a0e0696048d9a665f13345b91090210965f0d017c396a8b302beba4f44678e98593d8701e2b23927ea29bd3ddacb942d651a4b6c472b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\id-edge.txt

Filesize
32B

MD5
61a1097d8931a08711609a2547c94272

SHA1
58b8b23b7ba2b9c194bdd7297beee92c2f0ed4c3

SHA256
a5d1355faa6ccdcc223fc792efbb0f02abbd7c2455abb43150af455737ade895

SHA512
2b90ad86e5fd4e888633d4ef744d7a155536f4c7eff96b474fcd7a47880f085e01c628001c33ccc43c23e156bf17217b7c32aa386188d95955f4ba261efe8c1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\id.txt

Filesize
9B

MD5
9e8486cdd435beda9a60806dd334d964

SHA1
bf3dab9d79bb0451c24b615d245ac0295407b023

SHA256
4a3f26e5142fdceee09b1324103d62b210e78c2b23710f50f708b8eddafa9e81

SHA512
de1f63b91cbe9fee9342a300d39c841fffe95e31427a7862879fb11afdd888c9cff1f22d5f0269ed5610e0710d4a55e1f40705da5e1898adacb26c28c19a7a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\main.exe

Filesize
555KB

MD5
c402a583d308d4d150d8a069a1ec76da

SHA1
d84858daf821778ac57801cd0822e9299f32f688

SHA256
8b9ce02e21440d3a6ef06a50da8bd69893da60fe3d5c55f80739e4bef55d4611

SHA512
89d2b8ad3c09687da5c4afdcee0bc4d7cd1e20c51f21e10a1736da3bd7f2b48a03fc7db374eaa58e3827e36e9235b68d5507dc41c52462a1b7904c0ee078cfe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\plugins-chrome.crx

Filesize
216KB

MD5
b76a448d15029df55127cdf2ae9e350d

SHA1
8f7cd0366ca1592b254dab83bd5ebbe58f0455de

SHA256
4b60226dce9dac7c5e8791903c1f93a08e4a45448f925c683be7bf740a64abe2

SHA512
59f8ee696644b6fdc55b57928a58bc7dd50ba538cc09a4f1799a685f013e9100783012fdb2b08e7335ce15542f5c91d062259d85d00ca831bab0bde92b8d6f72

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3352_987837131\CRX_INSTALL\_locales\zh_CN\messages.json

Filesize
47B

MD5
15270ddb6df7cbdfb45d6e4ab0b8b33e

SHA1
5a8bf5be51f244d126ffb9080bc345dae5d7aa70

SHA256
709692b4f8b46ee5a6f50567e327005393c23ee003909f1563c4b7aae31251d4

SHA512
64fd9ecca6eca2fcff243b1abac62ac590eba1d52e56bcedb16c2048083da8671018f26ad136d4ac85504648770410062b71319ee4d9bd1561dc9a75063e0fa4

Download Submit