b0ce56d5762ec06a4252249a3be3873763ecfdc3d86173933bee829389edfefa

Analysis

max time kernel
149s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-09-2024 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OperaGXSetup.exe
Size

3.1MB
MD5

ced94adcd39f3f6fee5245c79df492e6
SHA1

260cf40e5da44266523e8dd315932f2f3e497ef4
SHA256

b0ce56d5762ec06a4252249a3be3873763ecfdc3d86173933bee829389edfefa
SHA512

e189b85be92770f9b4c0a67de10c28a27753744e0d009ba6d005b2d014fb605a4e06019370bf6f3acb8a2c7824ef670ee1aef37bec6be1edee532a6b26261812
SSDEEP

98304:WAJbF/eB26JB6+hafAQ2NFSrsf9qgMsIZ/JUFmRT22:HGpafS0U9q0IFYK

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
804	setup.exe

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowsUpdate.log	ehshell.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpshare.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OperaGXSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	ehshell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ehshell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	ehshell.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ehshell.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer	wmplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}"	wmplayer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2280	chrome.exe
2280	chrome.exe
2212	ehshell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2212	ehshell.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2280	chrome.exe
Token: SeShutdownPrivilege	2280	chrome.exe
Token: SeShutdownPrivilege	2280	chrome.exe
Token: SeShutdownPrivilege	2280	chrome.exe
Token: SeShutdownPrivilege	2280	chrome.exe
Token: SeShutdownPrivilege	2280	chrome.exe
Token: SeShutdownPrivilege	2280	chrome.exe
Token: SeShutdownPrivilege	2280	chrome.exe
Token: SeShutdownPrivilege	2280	chrome.exe
Token: SeShutdownPrivilege	2280	chrome.exe
Token: SeShutdownPrivilege	2280	chrome.exe
Token: SeShutdownPrivilege	2280	chrome.exe
Token: SeShutdownPrivilege	2280	chrome.exe
Token: SeShutdownPrivilege	2280	chrome.exe
Token: SeShutdownPrivilege	2280	chrome.exe
Token: SeShutdownPrivilege	2280	chrome.exe
Token: SeShutdownPrivilege	2280	chrome.exe
Token: SeShutdownPrivilege	2280	chrome.exe
Token: SeShutdownPrivilege	2280	chrome.exe
Token: SeShutdownPrivilege	2280	chrome.exe
Token: SeShutdownPrivilege	2280	chrome.exe
Token: SeShutdownPrivilege	2280	chrome.exe
Token: SeShutdownPrivilege	2280	chrome.exe
Token: SeShutdownPrivilege	2280	chrome.exe
Token: SeShutdownPrivilege	2280	chrome.exe
Token: SeShutdownPrivilege	2280	chrome.exe
Token: SeShutdownPrivilege	2280	chrome.exe
Token: SeShutdownPrivilege	2280	chrome.exe
Token: SeShutdownPrivilege	2280	chrome.exe
Token: SeShutdownPrivilege	2280	chrome.exe
Token: SeShutdownPrivilege	2280	chrome.exe
Token: SeShutdownPrivilege	2280	chrome.exe
Token: SeDebugPrivilege	2212	ehshell.exe
Token: 33	2052	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2052	AUDIODG.EXE
Token: 33	2052	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2052	AUDIODG.EXE
Token: SeShutdownPrivilege	2212	ehshell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
1636	rundll32.exe
1636	rundll32.exe
1636	rundll32.exe
1636	rundll32.exe
1636	rundll32.exe
1636	rundll32.exe
1636	rundll32.exe
1636	rundll32.exe
1636	rundll32.exe
1636	rundll32.exe
1636	rundll32.exe
1636	rundll32.exe
1636	rundll32.exe
1636	rundll32.exe
1636	rundll32.exe
1636	rundll32.exe
1636	rundll32.exe
1636	rundll32.exe
1636	rundll32.exe
1636	rundll32.exe
1636	rundll32.exe
1636	rundll32.exe
1636	rundll32.exe
1636	rundll32.exe
1636	rundll32.exe
1636	rundll32.exe
1636	rundll32.exe
1636	rundll32.exe
1636	rundll32.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe
2280	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2344	2280	chrome.exe	33
PID 2280 wrote to memory of 2344	2280	chrome.exe	33
PID 2280 wrote to memory of 2344	2280	chrome.exe	33
PID 2280 wrote to memory of 2844	2280	chrome.exe	35
PID 2280 wrote to memory of 2844	2280	chrome.exe	35
PID 2280 wrote to memory of 2844	2280	chrome.exe	35
PID 2280 wrote to memory of 2844	2280	chrome.exe	35
PID 2280 wrote to memory of 2844	2280	chrome.exe	35
PID 2280 wrote to memory of 2844	2280	chrome.exe	35
PID 2280 wrote to memory of 2844	2280	chrome.exe	35
PID 2280 wrote to memory of 2844	2280	chrome.exe	35
PID 2280 wrote to memory of 2844	2280	chrome.exe	35
PID 2280 wrote to memory of 2844	2280	chrome.exe	35
PID 2280 wrote to memory of 2844	2280	chrome.exe	35
PID 2280 wrote to memory of 2844	2280	chrome.exe	35
PID 2280 wrote to memory of 2844	2280	chrome.exe	35
PID 2280 wrote to memory of 2844	2280	chrome.exe	35
PID 2280 wrote to memory of 2844	2280	chrome.exe	35
PID 2280 wrote to memory of 2844	2280	chrome.exe	35
PID 2280 wrote to memory of 2844	2280	chrome.exe	35
PID 2280 wrote to memory of 2844	2280	chrome.exe	35
PID 2280 wrote to memory of 2844	2280	chrome.exe	35
PID 2280 wrote to memory of 2844	2280	chrome.exe	35
PID 2280 wrote to memory of 2844	2280	chrome.exe	35
PID 2280 wrote to memory of 2844	2280	chrome.exe	35
PID 2280 wrote to memory of 2844	2280	chrome.exe	35
PID 2280 wrote to memory of 2844	2280	chrome.exe	35
PID 2280 wrote to memory of 2844	2280	chrome.exe	35
PID 2280 wrote to memory of 2844	2280	chrome.exe	35
PID 2280 wrote to memory of 2844	2280	chrome.exe	35
PID 2280 wrote to memory of 2844	2280	chrome.exe	35
PID 2280 wrote to memory of 2844	2280	chrome.exe	35
PID 2280 wrote to memory of 2844	2280	chrome.exe	35
PID 2280 wrote to memory of 2844	2280	chrome.exe	35
PID 2280 wrote to memory of 2844	2280	chrome.exe	35
PID 2280 wrote to memory of 2844	2280	chrome.exe	35
PID 2280 wrote to memory of 2844	2280	chrome.exe	35
PID 2280 wrote to memory of 2844	2280	chrome.exe	35
PID 2280 wrote to memory of 2844	2280	chrome.exe	35
PID 2280 wrote to memory of 2844	2280	chrome.exe	35
PID 2280 wrote to memory of 2844	2280	chrome.exe	35
PID 2280 wrote to memory of 2844	2280	chrome.exe	35
PID 2280 wrote to memory of 2168	2280	chrome.exe	36
PID 2280 wrote to memory of 2168	2280	chrome.exe	36
PID 2280 wrote to memory of 2168	2280	chrome.exe	36
PID 2280 wrote to memory of 2584	2280	chrome.exe	37
PID 2280 wrote to memory of 2584	2280	chrome.exe	37
PID 2280 wrote to memory of 2584	2280	chrome.exe	37
PID 2280 wrote to memory of 2584	2280	chrome.exe	37
PID 2280 wrote to memory of 2584	2280	chrome.exe	37
PID 2280 wrote to memory of 2584	2280	chrome.exe	37
PID 2280 wrote to memory of 2584	2280	chrome.exe	37
PID 2280 wrote to memory of 2584	2280	chrome.exe	37
PID 2280 wrote to memory of 2584	2280	chrome.exe	37
PID 2280 wrote to memory of 2584	2280	chrome.exe	37
PID 2280 wrote to memory of 2584	2280	chrome.exe	37
PID 2280 wrote to memory of 2584	2280	chrome.exe	37
PID 2280 wrote to memory of 2584	2280	chrome.exe	37
PID 2280 wrote to memory of 2584	2280	chrome.exe	37
PID 2280 wrote to memory of 2584	2280	chrome.exe	37
PID 2280 wrote to memory of 2584	2280	chrome.exe	37
PID 2280 wrote to memory of 2584	2280	chrome.exe	37
PID 2280 wrote to memory of 2584	2280	chrome.exe	37
PID 2280 wrote to memory of 2584	2280	chrome.exe	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
"C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2328
- C:\Users\Admin\AppData\Local\Temp\7zS819AE8E6\setup.exe
  C:\Users\Admin\AppData\Local\Temp\7zS819AE8E6\setup.exe --server-tracking-blob=MzE1YzlhM2JhMTU2NTA2ZmQ5NTMzY2FlOTJkYTBhMjYyMjcwNTUyYzNkMjliNTBkODlhNWY5ZTFkOTA0NDNhNzp7ImNvdW50cnkiOiJVUyIsImh0dHBfcmVmZXJyZXIiOiJodHRwczovL3d3dy5vcGVyYS5jb20vIiwiaW5zdGFsbGVyX25hbWUiOiJPcGVyYUdYU2V0dXAuZXhlIiwicHJvZHVjdCI6Im9wZXJhX2d4IiwicXVlcnkiOiIvb3BlcmFfZ3gvc3RhYmxlL3dpbmRvd3M/dXRtX3NvdXJjZT1nb29nbGUmdXRtX21lZGl1bT1vc2UmdXRtX2NhbXBhaWduPSUyOG5vbmUlMjkmaHR0cF9yZWZlcnJlcj1odHRwcyUzQSUyRiUyRnd3dy5nb29nbGUuY29tJTJGJnV0bV9zaXRlPW9wZXJhX2NvbSZ1dG1fbGFzdHBhZ2U9b3BlcmEuY29tJTJGJmRsX3Rva2VuPTY5NjEwMDQwIiwidGltZXN0YW1wIjoiMTcyNjIzODA5Ni44NTkwIiwidXNlcmFnZW50IjoiTW96aWxsYS81LjAgKFgxMTsgQ3JPUyB4ODZfNjQgMTQ1NDEuMC4wKSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvMTI0LjAuMC4wIFNhZmFyaS81MzcuMzYiLCJ1dG0iOnsiY2FtcGFpZ24iOiIobm9uZSkiLCJsYXN0cGFnZSI6Im9wZXJhLmNvbS8iLCJtZWRpdW0iOiJvc2UiLCJzaXRlIjoib3BlcmFfY29tIiwic291cmNlIjoiZ29vZ2xlIn0sInV1aWQiOiJjMzgyMzI3Yi1mNTNiLTQ5MzgtOTQ0OC00MWZmZGEzN2U5MzAifQ==
  2⤵
  - Executes dropped EXE
  PID:804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5989758,0x7fef5989768,0x7fef5989778
  2⤵
  PID:2344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1160 --field-trial-handle=1132,i,2807024479728065484,5459532346228167209,131072 /prefetch:2
  2⤵
  PID:2844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1484 --field-trial-handle=1132,i,2807024479728065484,5459532346228167209,131072 /prefetch:8
  2⤵
  PID:2168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1504 --field-trial-handle=1132,i,2807024479728065484,5459532346228167209,131072 /prefetch:8
  2⤵
  PID:2584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2208 --field-trial-handle=1132,i,2807024479728065484,5459532346228167209,131072 /prefetch:1
  2⤵
  PID:2044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2216 --field-trial-handle=1132,i,2807024479728065484,5459532346228167209,131072 /prefetch:1
  2⤵
  PID:3048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1380 --field-trial-handle=1132,i,2807024479728065484,5459532346228167209,131072 /prefetch:2
  2⤵
  PID:2108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3104 --field-trial-handle=1132,i,2807024479728065484,5459532346228167209,131072 /prefetch:1
  2⤵
  PID:404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3552 --field-trial-handle=1132,i,2807024479728065484,5459532346228167209,131072 /prefetch:8
  2⤵
  PID:1908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3648 --field-trial-handle=1132,i,2807024479728065484,5459532346228167209,131072 /prefetch:1
  2⤵
  PID:1708

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2428

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\UnlockMerge.raw
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:1636

C:\Windows\eHome\ehshell.exe
"C:\Windows\eHome\ehshell.exe" /prefetch:1003 "C:\Users\Admin\Desktop\RemoveWait.DVR"
1⤵
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2212

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x480
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2052

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:908
- C:\Program Files (x86)\Windows Media Player\wmpshare.exe
  "C:\Program Files (x86)\Windows Media Player\wmpshare.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\33e65f8c-18a2-462e-afed-e0df4d4e2e83.tmp

Filesize
337KB

MD5
883bdffb6af0e5c51f746c1783948b3c

SHA1
dd43472a5e275b546e35d4876bc9368a64245fb5

SHA256
8938905c9507e91351e516a7756bd6fca6ca7b123d53978ab7e332a6ad6587d0

SHA512
9137df7816330f0653c18a06375a1b1fe044cc759ea7040880aac510def5f06c8b02c87fbf5a69622213b3888e79180e61cb72196a4eb49e1457ec14993f00fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
212KB

MD5
08ec57068db9971e917b9046f90d0e49

SHA1
28b80d73a861f88735d89e301fa98f2ae502e94b

SHA256
7a68efe41e5d8408eed6e9d91a7b7b965a3062e4e28eeffeefb8cdba6391f4d1

SHA512
b154142173145122bc49ddd7f9530149100f6f3c5fd2f2e7503b13f7b160147b8b876344f6faae5e8616208c51311633df4c578802ac5d34c005bb154e9057cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
b14878887d2ef9af1af0eef248f91f0e

SHA1
8e0d1e53ffd60c33c00253570062b61a15bd15f1

SHA256
91fcd10492838bc49a505139492880ae3cc4eb2c1c92f48f3f7eafe2c677b49d

SHA512
8d4a91b8ccadeac459f7497c592700a10956c814c031d5c9adfc7d1106375daac0cce769aa00ed00beb5e3cb3b1695694251f825cb38fa7ced4054bfe3faf2ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
6506a00263a19fc5e37b16d4d7a7a326

SHA1
0d21b8398ffcecea975555fcd0c718d9cb2b3011

SHA256
11c253561aabb257448b03103dd7cb3c94d6eeccee1fa532665fc7faaf6ce8b0

SHA512
bc4b37d52c6e872907cf1d4dbaa561da9ef5f90bd244f462116f0fe842dbf1efeb61f76841fe71479ab7f5a23f32351355051f340568d1f2350cf330d3026f13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
337KB

MD5
f9889f7bf306ab911e215fb2f8bc3cd5

SHA1
50ef1659c48a9e6e1534b292c5f5b7ad6cc82409

SHA256
2ab6e1ec89cad4a6a623db91eddcde05d63142362b863a5a0417c0a5f1ee89cd

SHA512
9ddcceba97cbd023de819cc6fb84ce11b2818d8893c7384344969f6eba07100c18061abe3248757d9ba81e17f1fdafc1860d75d17c3b65aeffd193b4c66e459a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\Art Cache\LocalMLS\{4343E10E-47FF-4A16-9252-B9994B967573}.jpg

Filesize
22KB

MD5
35e787587cd3fa8ed360036c9fca3df2

SHA1
84c76a25c6fe336f6559c033917a4c327279886d

SHA256
98c49a68ee578e10947209ebc17c0ad188ed39c7d0c91a2b505f317259c0c9b2

SHA512
aeec3eed5a52670f4cc35935005bb04bb435964a1975e489b8e101adfbce278142fd1a6c475860b7ccb414afe5e24613361a66d92f457937de9b21a7a112e1f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\Art Cache\LocalMLS\{EA413669-2350-45D4-A4B8-5612D7502094}.jpg

Filesize
23KB

MD5
fd5fd28e41676618aac733b243ad54db

SHA1
b2d69ad6a2e22c30ef1806ac4f990790c3b44763

SHA256
a26544648ef8ceffad6c789a3677031be3c515918627d7c8f8e0587d3033c431

SHA512
4c32623796679be7066b719f231d08d24341784ecfd5d6461e8140379f5b394216e446865df56e05b5f1e36962c9d34d2b5041275366aeabcd606f4536217fe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS819AE8E6\setup.exe

Filesize
6.3MB

MD5
eb798e91d503b97614756193e195a7b1

SHA1
06367f70a0b4c6de9e208c419beb84fa10c0eeef

SHA256
406b5edbd94bc38ce345d3c0f34b6b5fcd0405bd290a2ad0fd55c08b0695eed8

SHA512
5738431f355f599e88ec8b603f692a23a779ef41183ee1ebad3f7c81a9296a3df626d852cca1256791cc665d912f8f73c4ac00a15e4f96259c253290a40ba020

Download Submit
C:\Users\Public\Music\Sample Music\AlbumArtSmall.jpg

Filesize
5KB

MD5
1c6a4f664e8e18eba1a5b61ac4dde46f

SHA1
f09e10bc312f20ccd61c65c892666677d54d2282

SHA256
ccc20b7b3b29325db0a0b1c2127c12d8a1c019ca159505a96cbcbc89701702f9

SHA512
3ff32e45c7b0c1f38d5296c0a1ed6a87c987d1b5a4fd0efed2aacbce0794a8f804ec985891bf03ed1ec4bf03b18b25b9717a2aa405dc45aadae4b2b30d6012a6

Download Submit
C:\Users\Public\Music\Sample Music\AlbumArt_{5FA05D35-A682-4AF6-96F7-0773E42D4D16}_Large.jpg

Filesize
32KB

MD5
84bba83cfbc0233517407678bb842686

SHA1
1c617de788de380d28c52dc733ad580c3745a1c1

SHA256
6ecf98adb3cd0931ec803f3a56a9563c7d60bb86ec1886b21e3d0f7eb25198d9

SHA512
a6a80c00a28c43c1c427018e6fb6dac4682d299d2f50202f520af0b1bca803546c850f04094ed2f532ff8775f6d45f2a40e4f5e069937bcaa0326a80bd818e0e

Download Submit
memory/2212-214-0x000000001E050000-0x000000001E658000-memory.dmp

Filesize
6.0MB

Download
memory/2212-221-0x000000001F050000-0x000000001F108000-memory.dmp

Filesize
736KB

Download
memory/2212-220-0x000000001EFB0000-0x000000001F04E000-memory.dmp

Filesize
632KB

Download
memory/2212-215-0x000000001E660000-0x000000001E7E4000-memory.dmp

Filesize
1.5MB

Download