chaos | hxxps://wetransfer[.]com/downloads/9be1e0d748ecdb65fd7cd24652d997e620240912181016/ff05de

Analysis

max time kernel
66s
max time network
68s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12-09-2024 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://wetransfer.com/downloads/9be1e0d748ecdb65fd7cd24652d997e620240912181016/ff05de

Score

10^/10

chaos discovery ransomware

Malware Config

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 1 IoCs

resource	yara_rule
behavioral1/files/0x00070000000234c7-219.dat	family_chaos

Downloads MZ/PE file
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133706390394159656"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3524	vlc.exe
2168	vlc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4544	chrome.exe
4544	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3524	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: 33	3804	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3804	AUDIODG.EXE
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe
Token: SeShutdownPrivilege	4544	chrome.exe
Token: SeCreatePagefilePrivilege	4544	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
4544	chrome.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe
3524	vlc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3524	vlc.exe
2168	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4544 wrote to memory of 3352	4544	chrome.exe	85
PID 4544 wrote to memory of 3352	4544	chrome.exe	85
PID 4544 wrote to memory of 3184	4544	chrome.exe	86
PID 4544 wrote to memory of 3184	4544	chrome.exe	86
PID 4544 wrote to memory of 3184	4544	chrome.exe	86
PID 4544 wrote to memory of 3184	4544	chrome.exe	86
PID 4544 wrote to memory of 3184	4544	chrome.exe	86
PID 4544 wrote to memory of 3184	4544	chrome.exe	86
PID 4544 wrote to memory of 3184	4544	chrome.exe	86
PID 4544 wrote to memory of 3184	4544	chrome.exe	86
PID 4544 wrote to memory of 3184	4544	chrome.exe	86
PID 4544 wrote to memory of 3184	4544	chrome.exe	86
PID 4544 wrote to memory of 3184	4544	chrome.exe	86
PID 4544 wrote to memory of 3184	4544	chrome.exe	86
PID 4544 wrote to memory of 3184	4544	chrome.exe	86
PID 4544 wrote to memory of 3184	4544	chrome.exe	86
PID 4544 wrote to memory of 3184	4544	chrome.exe	86
PID 4544 wrote to memory of 3184	4544	chrome.exe	86
PID 4544 wrote to memory of 3184	4544	chrome.exe	86
PID 4544 wrote to memory of 3184	4544	chrome.exe	86
PID 4544 wrote to memory of 3184	4544	chrome.exe	86
PID 4544 wrote to memory of 3184	4544	chrome.exe	86
PID 4544 wrote to memory of 3184	4544	chrome.exe	86
PID 4544 wrote to memory of 3184	4544	chrome.exe	86
PID 4544 wrote to memory of 3184	4544	chrome.exe	86
PID 4544 wrote to memory of 3184	4544	chrome.exe	86
PID 4544 wrote to memory of 3184	4544	chrome.exe	86
PID 4544 wrote to memory of 3184	4544	chrome.exe	86
PID 4544 wrote to memory of 3184	4544	chrome.exe	86
PID 4544 wrote to memory of 3184	4544	chrome.exe	86
PID 4544 wrote to memory of 3184	4544	chrome.exe	86
PID 4544 wrote to memory of 3184	4544	chrome.exe	86
PID 4544 wrote to memory of 4940	4544	chrome.exe	87
PID 4544 wrote to memory of 4940	4544	chrome.exe	87
PID 4544 wrote to memory of 432	4544	chrome.exe	88
PID 4544 wrote to memory of 432	4544	chrome.exe	88
PID 4544 wrote to memory of 432	4544	chrome.exe	88
PID 4544 wrote to memory of 432	4544	chrome.exe	88
PID 4544 wrote to memory of 432	4544	chrome.exe	88
PID 4544 wrote to memory of 432	4544	chrome.exe	88
PID 4544 wrote to memory of 432	4544	chrome.exe	88
PID 4544 wrote to memory of 432	4544	chrome.exe	88
PID 4544 wrote to memory of 432	4544	chrome.exe	88
PID 4544 wrote to memory of 432	4544	chrome.exe	88
PID 4544 wrote to memory of 432	4544	chrome.exe	88
PID 4544 wrote to memory of 432	4544	chrome.exe	88
PID 4544 wrote to memory of 432	4544	chrome.exe	88
PID 4544 wrote to memory of 432	4544	chrome.exe	88
PID 4544 wrote to memory of 432	4544	chrome.exe	88
PID 4544 wrote to memory of 432	4544	chrome.exe	88
PID 4544 wrote to memory of 432	4544	chrome.exe	88
PID 4544 wrote to memory of 432	4544	chrome.exe	88
PID 4544 wrote to memory of 432	4544	chrome.exe	88
PID 4544 wrote to memory of 432	4544	chrome.exe	88
PID 4544 wrote to memory of 432	4544	chrome.exe	88
PID 4544 wrote to memory of 432	4544	chrome.exe	88
PID 4544 wrote to memory of 432	4544	chrome.exe	88
PID 4544 wrote to memory of 432	4544	chrome.exe	88
PID 4544 wrote to memory of 432	4544	chrome.exe	88
PID 4544 wrote to memory of 432	4544	chrome.exe	88
PID 4544 wrote to memory of 432	4544	chrome.exe	88
PID 4544 wrote to memory of 432	4544	chrome.exe	88
PID 4544 wrote to memory of 432	4544	chrome.exe	88
PID 4544 wrote to memory of 432	4544	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://wetransfer.com/downloads/9be1e0d748ecdb65fd7cd24652d997e620240912181016/ff05de
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff969c2cc40,0x7ff969c2cc4c,0x7ff969c2cc58
  2⤵
  PID:3352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1864,i,1168279347932240452,9360679999175867969,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1848 /prefetch:2
  2⤵
  PID:3184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2144,i,1168279347932240452,9360679999175867969,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2156 /prefetch:3
  2⤵
  PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,1168279347932240452,9360679999175867969,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2476 /prefetch:8
  2⤵
  PID:432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3100,i,1168279347932240452,9360679999175867969,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3136 /prefetch:1
  2⤵
  PID:4576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,1168279347932240452,9360679999175867969,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:2248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4632,i,1168279347932240452,9360679999175867969,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4660 /prefetch:8
  2⤵
  PID:4004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4704,i,1168279347932240452,9360679999175867969,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4804 /prefetch:8
  2⤵
  PID:4784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4928,i,1168279347932240452,9360679999175867969,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4912 /prefetch:1
  2⤵
  PID:4708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5092,i,1168279347932240452,9360679999175867969,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:4332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5240,i,1168279347932240452,9360679999175867969,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5272 /prefetch:1
  2⤵
  PID:2240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5420,i,1168279347932240452,9360679999175867969,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5264 /prefetch:1
  2⤵
  PID:4776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5428,i,1168279347932240452,9360679999175867969,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5560 /prefetch:1
  2⤵
  PID:712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5404,i,1168279347932240452,9360679999175867969,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5252 /prefetch:1
  2⤵
  PID:3144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5708,i,1168279347932240452,9360679999175867969,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5308 /prefetch:8
  2⤵
  PID:4920
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\oldprojectsarchive.m4a"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3524
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\oldprojectsarchive.m4a"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:2168

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3852

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4ec 0x470
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
8f2e70d93f7af21da77a75424328fb00

SHA1
3e11a354cfc77d01665e5fdd5d2f67b222c2582d

SHA256
888f292e7207b59b90b8eb8c9ba338eda81d225672b822b7fa38d642dd4db28a

SHA512
79d0068a072015e82e1a397d7e01949e9cd6c8aeac6c157f8018af87045d6bd5f1fc9a94bbdaf7d875a8297d720d3a645e5300fc7bef2ba74851096a96a87ade

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
087a9f06fe77b789a03467fb659df531

SHA1
0a9fe1f433ff89d4b247f4eb9f043f06ad42dc6c

SHA256
35f8fcfd5e3500cdfeba5755ee6f3444b4a335e21da8164c53879232668140f4

SHA512
30a6d1c4e473745b87ea0b019540982708d66b34d896277b8340b3a4b4ae5d84bd47493205f845cc80b134b61f53c9c02d1d7cd484749e264a56463c82f4fd7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ad9727f2199e4a7a514052834b96cce1

SHA1
b363e05834e3c3fccc11b31d49f3fab9d7efbcb2

SHA256
64dc57b8bf3842593eeba2e5867f87c88fe71c8c83ed9e1439c174a01174e64b

SHA512
4ee8241b84bb47f76cdd62b94a319c0f075f6815eb0aa5bd0ba236254ba7dbc9c7845639e9bc9a3fcdee07c470bbec64e977564cb7c13bd34932e759239f7932

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
c021d44c76b8da6f0eb3370b20e08454

SHA1
167b393d6048d1edc2ad346b22ea2dc8a2af9a05

SHA256
da4d0add9e05ea83b4dfb3d0305bd61ef4a37ecf6462e35488ba9d554693f582

SHA512
d0d32e6944e85879161edb127032088fdc68a51a920795b9fb219fbef40d12e8b9615f6c06b9cc9a31ff5e2e38dfba6b4152ef0f8e711c46e102a0d118634798

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
3b2f32d850044cbf9c79f44b6fe04130

SHA1
ffeb6cf8f6c11cd9e6c7218a5bed4bc8702f4966

SHA256
c47836c99a9f3a792cbcbd8bcc6514c800890df5f512c05349cf564273c92eb5

SHA512
8af67d75402b30a207231244d221c703f4e5c16cd80a8e7360a804ddcda9b18205c5d3b599ca898aee91a6d173e2d3146c7c69b880bf4c73d7ad76eb468047a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
ebfb6e14e74f146422f03b65dfad1ed2

SHA1
d6887ce0db607edfb7299d313f64740e94c8e0c0

SHA256
0b3dec4e0e166e14707fda92977daa5b14fba2e3afea544a64783ca15e311fc7

SHA512
12e3fa40390c36c53f6455b7bc4c1cacefe980e1bd1be35a5bd9ed487287b7c00c35f552e4b289af70f48c3701e779b1e991b9f78e2e9b7aefab604e979b88df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f87503cecfb67aade34ed57458c903d4

SHA1
94bdf409d087d29cad1b3c3705712f336af30690

SHA256
38efb5126b8e070170069cfce73231ced82c2468931adb860dbc0a25bf2efb11

SHA512
a3f4fd16c898d386cbc9633ce31e3c80ff7a72da5ec33e60e1f86b6b2cd15b48cdaafb47d65699c0acadb5a648bfd7c387c540d95a61f1b85f9d0075391e197c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ef908cf801398b7fb42921a152c9f9d9

SHA1
fb055a934fc5473073740a2b389f3893ff77ebcf

SHA256
44a29e677defc94d098f853be410e261a5a541cb7ad7b441d6935c5de7c7235f

SHA512
87f43324c487715a2cd1e210084ef239c018fb503f8dde31f991c4170f66ad428e57773c31913e201eb5e119671a687d4c7cc5b8ebb213260d85aa6f37d2e9ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ebea90767b824ea58f4662393dd543ff

SHA1
3194d19fa7c83e74375b19aaf032457132aae0d9

SHA256
e6d91276110424ab9c8de26b639f5641e4f48233e4291f6cea22eb39e1d7ae55

SHA512
fde5e5c37f0edf81d55fbc02eba2034d095ae5e105a7e9082320a2cfba63aed5b9fc04148da0aadd842549d069b48a52f16a02669819021b4b7668b99ce3155d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8c28f4da6392532d618b8b2bc28686b6

SHA1
32b81240a77793e17679a571bc0781d8d823a433

SHA256
d2a6b490c6eff704fd7e23524e5ed151927ad18a75dd1c10e24eb2910b6d37bd

SHA512
88cf5545c8435bba6c6bf722463e750888a0046cd91014b092ff042fe38042c42a1285ed7a0ab780222c93105f6774ef58387a70caaa04cb9b974ef41e960e72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\3\IndexedDB\indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\3\IndexedDB\indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
d2fe4dbd70bc1bdead834c94c0292724

SHA1
85cb29239abdce297ee21c6be6e5f010f0c68999

SHA256
6ec2edb825e67d541dd5af5b63e5c12e8b41abccf0886e34d9e0a54a389ae22c

SHA512
4e5611da950a5844f10b8f1be22dbeb6d7c7d1153d1e5508b980440ee82dfb488365b6fc1e8cfa220af46fc48edd054ec094e423f48778d6c6406eb849b30a6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
74cb071da1e602b4410c9dddce4caf20

SHA1
61e4f0c70c552bb2b997f85cb3672b987b6b968d

SHA256
300e5891e2a620f5a4c89df9618cc3b81c89b3e6c3912087583d3c99ec27bebe

SHA512
5ab4a2c805b253ece0982ecd35607b4986ca5a7dad61ba4bc09f875821ad97149090ea3274c44204d52a7fa748a25f7a4595ca16745ea9d64077e953bb321a00

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\ml.xspf

Filesize
304B

MD5
781602441469750c3219c8c38b515ed4

SHA1
e885acd1cbd0b897ebcedbb145bef1c330f80595

SHA256
81970dbe581373d14fbd451ac4b3f96e5f69b79645f1ee1ca715cff3af0bf20d

SHA512
2b0a1717d96edb47bdf0ffeb250a5ec11f7d0638d3e0a62fbe48c064379b473ca88ffbececb32a72129d06c040b107834f1004ccda5f0f35b8c3588034786461

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
540B

MD5
7b8e4135bf5416133a0a8450dd0df361

SHA1
eeca958149de4d62e0f6a88e3352772723b85dbc

SHA256
c686c21bd61e12f66785bf51ad66cc2a6ae04c22305c9b80ef8049229bf07284

SHA512
8720f573d87a4d526c9c95405dd0ca194b1d5943859114fbe9b3fb20dd6c92fbd9811e319bcc58c961e8f222c95ef9fa46c07fea61f9f5eaf729267413747600

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
85B

MD5
28e454f27c70953d7e569531de4ad4d2

SHA1
af1f8649a83e8ddad0011262fc7de56ea206edb4

SHA256
1c1b2f279140b2f0705eba3727a3178e1b479d3c9852ecf2ca3d418e638f4c39

SHA512
d6265cc62bb47fc619e8e496da0f6e2b56e459f83bcea611431fe5e8e819c73c01887ff58a2a3622b40a8263916c104ef722b672d8e7a6cfdb8dbab46388d76a

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.lock

Filesize
18B

MD5
650e01010e58ce0bb0822c4da5d2ecd4

SHA1
7d16cebcf967c83bf135581ae3c98c2128aae3bd

SHA256
2b620689cdd2a810fd3f040cc44da38a5b7ef187de744633e800490ae18daeb0

SHA512
756c6c12d89f2a1062091674d6e8614ea1de4a67e67a8d0bcd5381082b3ff75b632615d0a92ec1c1f047f7727e6c8f053282268bd3563777a57f91135cf2bfe9

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlcrc

Filesize
94KB

MD5
ec3bdb41d903f7f7569e7480d02999e3

SHA1
57c13d86e04a69e840f22092f75e9255fc81dbdf

SHA256
13f9604d1134251dbe1a950cd34cbde0ebb98c5cce8d3c81115e2fdee9f1270f

SHA512
82c2922003a03c853f9426f23c364503610a35301fe56917a97c72295ef0f8c23765734d84ed8d4c3748e14d4d3a23381671717102c3d4067f3d2383f2fc0ded

Download Submit
C:\Users\Admin\Downloads\oldprojectsarchive.m4a

Filesize
26KB

MD5
fea1a65314bafdb1fd96225dc4f7fb7f

SHA1
06f754725acd0c584259d10d59c0923994579ce2

SHA256
3ce856e07d2907ce3c9e93a54848452d57227524d5a5e1bb67ed0146cbd19e3c

SHA512
8e6e2ba63fa93548a59931523fba41fc495fdccfd1af3ea0c5fd032c4a5283157e327dd2d4aa004aa77df2035dfadc4b34b63acb429e7c60442b8ede376b7a12

Download Submit
memory/2168-419-0x00007FF9558B0000-0x00007FF95592C000-memory.dmp

Filesize
496KB

Download
memory/2168-407-0x00007FF955DD0000-0x00007FF955FDB000-memory.dmp

Filesize
2.0MB

Download
memory/2168-404-0x00007FF9695B0000-0x00007FF9695C8000-memory.dmp

Filesize
96KB

Download
memory/2168-405-0x00007FF969590000-0x00007FF9695A7000-memory.dmp

Filesize
92KB

Download
memory/2168-402-0x00007FF969FF0000-0x00007FF96A024000-memory.dmp

Filesize
208KB

Download
memory/2168-401-0x00007FF7A0700000-0x00007FF7A07F8000-memory.dmp

Filesize
992KB

Download
memory/2168-403-0x00007FF9562E0000-0x00007FF956596000-memory.dmp

Filesize
2.7MB

Download
memory/2168-406-0x00007FF969570000-0x00007FF969581000-memory.dmp

Filesize
68KB

Download
memory/2168-408-0x00007FF969520000-0x00007FF969561000-memory.dmp

Filesize
260KB

Download
memory/2168-409-0x00007FF9694F0000-0x00007FF969511000-memory.dmp

Filesize
132KB

Download
memory/2168-410-0x00007FF9694D0000-0x00007FF9694E8000-memory.dmp

Filesize
96KB

Download
memory/2168-411-0x00007FF9694B0000-0x00007FF9694C1000-memory.dmp

Filesize
68KB

Download
memory/2168-412-0x00007FF969490000-0x00007FF9694A1000-memory.dmp

Filesize
68KB

Download
memory/2168-413-0x00007FF969470000-0x00007FF969481000-memory.dmp

Filesize
68KB

Download
memory/2168-414-0x00007FF969450000-0x00007FF96946B000-memory.dmp

Filesize
108KB

Download
memory/2168-415-0x00007FF969430000-0x00007FF969441000-memory.dmp

Filesize
68KB

Download
memory/2168-416-0x00007FF969410000-0x00007FF969428000-memory.dmp

Filesize
96KB

Download
memory/2168-418-0x00007FF955930000-0x00007FF955997000-memory.dmp

Filesize
412KB

Download
memory/2168-420-0x00007FF9691F0000-0x00007FF969201000-memory.dmp

Filesize
68KB

Download
memory/2168-421-0x00007FF965DA0000-0x00007FF965DB1000-memory.dmp

Filesize
68KB

Download
memory/2168-422-0x00007FF955730000-0x00007FF9558B0000-memory.dmp

Filesize
1.5MB

Download
memory/2168-417-0x00007FF9580A0000-0x00007FF9580D0000-memory.dmp

Filesize
192KB

Download
memory/3524-256-0x00007FF957530000-0x00007FF957541000-memory.dmp

Filesize
68KB

Download
memory/3524-257-0x00007FF9562C0000-0x00007FF9562DD000-memory.dmp

Filesize
116KB

Download
memory/3524-255-0x00007FF960820000-0x00007FF960837000-memory.dmp

Filesize
92KB

Download
memory/3524-251-0x00007FF9562E0000-0x00007FF956596000-memory.dmp

Filesize
2.7MB

Download
memory/3524-259-0x00007FF955DD0000-0x00007FF955FDB000-memory.dmp

Filesize
2.0MB

Download
memory/3524-258-0x00007FF9562A0000-0x00007FF9562B1000-memory.dmp

Filesize
68KB

Download
memory/3524-380-0x000002076B220000-0x000002076C2D0000-memory.dmp

Filesize
16.7MB

Download
memory/3524-249-0x00007FF7A0700000-0x00007FF7A07F8000-memory.dmp

Filesize
992KB

Download
memory/3524-378-0x00007FF958090000-0x00007FF9580C4000-memory.dmp

Filesize
208KB

Download
memory/3524-379-0x00007FF9562E0000-0x00007FF956596000-memory.dmp

Filesize
2.7MB

Download
memory/3524-377-0x00007FF7A0700000-0x00007FF7A07F8000-memory.dmp

Filesize
992KB

Download
memory/3524-250-0x00007FF958090000-0x00007FF9580C4000-memory.dmp

Filesize
208KB

Download
memory/3524-329-0x000002076B220000-0x000002076C2D0000-memory.dmp

Filesize
16.7MB

Download
memory/3524-266-0x00007FF9547F0000-0x00007FF954801000-memory.dmp

Filesize
68KB

Download
memory/3524-253-0x00007FF965DA0000-0x00007FF965DB7000-memory.dmp

Filesize
92KB

Download
memory/3524-254-0x00007FF960E60000-0x00007FF960E71000-memory.dmp

Filesize
68KB

Download
memory/3524-252-0x00007FF9691F0000-0x00007FF969208000-memory.dmp

Filesize
96KB

Download
memory/3524-267-0x00007FF953FC0000-0x00007FF953FD1000-memory.dmp

Filesize
68KB

Download
memory/3524-261-0x00007FF9548A0000-0x00007FF9548E1000-memory.dmp

Filesize
260KB

Download
memory/3524-262-0x00007FF954870000-0x00007FF954891000-memory.dmp

Filesize
132KB

Download
memory/3524-260-0x000002076B220000-0x000002076C2D0000-memory.dmp

Filesize
16.7MB

Download
memory/3524-263-0x00007FF954850000-0x00007FF954868000-memory.dmp

Filesize
96KB

Download
memory/3524-264-0x00007FF954830000-0x00007FF954841000-memory.dmp

Filesize
68KB

Download
memory/3524-265-0x00007FF954810000-0x00007FF954821000-memory.dmp

Filesize
68KB

Download