hxxp://bit[.]ly/0nlyFans5

Analysis

max time kernel
46s
max time network
47s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
25/09/2024, 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://bit.ly/0nlyFans5

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	chrome.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	chrome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	chrome.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133717780405531584"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4192	chrome.exe
4192	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: 33	472	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	472	AUDIODG.EXE
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1776	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 3956	4192	chrome.exe	78
PID 4192 wrote to memory of 3956	4192	chrome.exe	78
PID 4192 wrote to memory of 4224	4192	chrome.exe	79
PID 4192 wrote to memory of 4224	4192	chrome.exe	79
PID 4192 wrote to memory of 4224	4192	chrome.exe	79
PID 4192 wrote to memory of 4224	4192	chrome.exe	79
PID 4192 wrote to memory of 4224	4192	chrome.exe	79
PID 4192 wrote to memory of 4224	4192	chrome.exe	79
PID 4192 wrote to memory of 4224	4192	chrome.exe	79
PID 4192 wrote to memory of 4224	4192	chrome.exe	79
PID 4192 wrote to memory of 4224	4192	chrome.exe	79
PID 4192 wrote to memory of 4224	4192	chrome.exe	79
PID 4192 wrote to memory of 4224	4192	chrome.exe	79
PID 4192 wrote to memory of 4224	4192	chrome.exe	79
PID 4192 wrote to memory of 4224	4192	chrome.exe	79
PID 4192 wrote to memory of 4224	4192	chrome.exe	79
PID 4192 wrote to memory of 4224	4192	chrome.exe	79
PID 4192 wrote to memory of 4224	4192	chrome.exe	79
PID 4192 wrote to memory of 4224	4192	chrome.exe	79
PID 4192 wrote to memory of 4224	4192	chrome.exe	79
PID 4192 wrote to memory of 4224	4192	chrome.exe	79
PID 4192 wrote to memory of 4224	4192	chrome.exe	79
PID 4192 wrote to memory of 4224	4192	chrome.exe	79
PID 4192 wrote to memory of 4224	4192	chrome.exe	79
PID 4192 wrote to memory of 4224	4192	chrome.exe	79
PID 4192 wrote to memory of 4224	4192	chrome.exe	79
PID 4192 wrote to memory of 4224	4192	chrome.exe	79
PID 4192 wrote to memory of 4224	4192	chrome.exe	79
PID 4192 wrote to memory of 4224	4192	chrome.exe	79
PID 4192 wrote to memory of 4224	4192	chrome.exe	79
PID 4192 wrote to memory of 4224	4192	chrome.exe	79
PID 4192 wrote to memory of 4224	4192	chrome.exe	79
PID 4192 wrote to memory of 1736	4192	chrome.exe	80
PID 4192 wrote to memory of 1736	4192	chrome.exe	80
PID 4192 wrote to memory of 2288	4192	chrome.exe	81
PID 4192 wrote to memory of 2288	4192	chrome.exe	81
PID 4192 wrote to memory of 2288	4192	chrome.exe	81
PID 4192 wrote to memory of 2288	4192	chrome.exe	81
PID 4192 wrote to memory of 2288	4192	chrome.exe	81
PID 4192 wrote to memory of 2288	4192	chrome.exe	81
PID 4192 wrote to memory of 2288	4192	chrome.exe	81
PID 4192 wrote to memory of 2288	4192	chrome.exe	81
PID 4192 wrote to memory of 2288	4192	chrome.exe	81
PID 4192 wrote to memory of 2288	4192	chrome.exe	81
PID 4192 wrote to memory of 2288	4192	chrome.exe	81
PID 4192 wrote to memory of 2288	4192	chrome.exe	81
PID 4192 wrote to memory of 2288	4192	chrome.exe	81
PID 4192 wrote to memory of 2288	4192	chrome.exe	81
PID 4192 wrote to memory of 2288	4192	chrome.exe	81
PID 4192 wrote to memory of 2288	4192	chrome.exe	81
PID 4192 wrote to memory of 2288	4192	chrome.exe	81
PID 4192 wrote to memory of 2288	4192	chrome.exe	81
PID 4192 wrote to memory of 2288	4192	chrome.exe	81
PID 4192 wrote to memory of 2288	4192	chrome.exe	81
PID 4192 wrote to memory of 2288	4192	chrome.exe	81
PID 4192 wrote to memory of 2288	4192	chrome.exe	81
PID 4192 wrote to memory of 2288	4192	chrome.exe	81
PID 4192 wrote to memory of 2288	4192	chrome.exe	81
PID 4192 wrote to memory of 2288	4192	chrome.exe	81
PID 4192 wrote to memory of 2288	4192	chrome.exe	81
PID 4192 wrote to memory of 2288	4192	chrome.exe	81
PID 4192 wrote to memory of 2288	4192	chrome.exe	81
PID 4192 wrote to memory of 2288	4192	chrome.exe	81
PID 4192 wrote to memory of 2288	4192	chrome.exe	81

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://bit.ly/0nlyFans5
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xa0,0x108,0x7ffcef5ecc40,0x7ffcef5ecc4c,0x7ffcef5ecc58
  2⤵
  PID:3956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1948,i,17732972742038570030,11402809680190232895,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1944 /prefetch:2
  2⤵
  PID:4224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1880,i,17732972742038570030,11402809680190232895,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1980 /prefetch:3
  2⤵
  PID:1736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2160,i,17732972742038570030,11402809680190232895,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2176 /prefetch:8
  2⤵
  PID:2288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3016,i,17732972742038570030,11402809680190232895,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3036 /prefetch:1
  2⤵
  PID:3376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3028,i,17732972742038570030,11402809680190232895,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:1896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4392,i,17732972742038570030,11402809680190232895,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4264 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3520,i,17732972742038570030,11402809680190232895,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3724 /prefetch:1
  2⤵
  PID:1140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4672,i,17732972742038570030,11402809680190232895,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4684 /prefetch:1
  2⤵
  PID:3008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4808,i,17732972742038570030,11402809680190232895,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4696 /prefetch:1
  2⤵
  PID:3048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3344,i,17732972742038570030,11402809680190232895,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5036 /prefetch:1
  2⤵
  PID:1608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5588,i,17732972742038570030,11402809680190232895,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5616 /prefetch:8
  2⤵
  PID:4844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5620,i,17732972742038570030,11402809680190232895,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:1116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5748,i,17732972742038570030,11402809680190232895,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1472 /prefetch:1
  2⤵
  PID:2120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5764,i,17732972742038570030,11402809680190232895,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5916 /prefetch:8
  2⤵
  PID:2324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=6204,i,17732972742038570030,11402809680190232895,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6228 /prefetch:1
  2⤵
  PID:2180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=6160,i,17732972742038570030,11402809680190232895,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6148 /prefetch:1
  2⤵
  PID:2444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=6388,i,17732972742038570030,11402809680190232895,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6372 /prefetch:1
  2⤵
  PID:4636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5772,i,17732972742038570030,11402809680190232895,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6556 /prefetch:1
  2⤵
  PID:3728

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5064

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004D4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1676

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
b49992ae7bc03421a07da3fc6b06545c

SHA1
8e628ee37f39107bb3bef9bd52d2cf2b10404d30

SHA256
41210747c0a6300a915068c1b6a5293ca108a7a55352eb392c8e26144a3f54f4

SHA512
0562c27b1c78ac8266ac17c6c894f7f2aab2d301959117ce6ab08f3733f49f410f43cb6d70dec2e9af247359a67f03175ae64a76fc527edaa3e91c18d4788fab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
2ca7bcbf4637f43a506d772e96e4420a

SHA1
663075131eb3be6749686fcd2290b0c0a7e8a2c5

SHA256
116d533aff8e262b453d5459fb470fe73fcec6e2c74930456451aa12d34c2ef4

SHA512
804de4a95190d36ee16e848d222b32f18e4a6fca821888a5f565d613219976cec2a36adb4502cc9d3cb549a8a62d8cd0f26f76170822e19ce2ac4eb2984c867b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
8100be7b06f4843dd5f0437d74125f73

SHA1
aa65518debfd29c78cf58779f07dff6c145d1234

SHA256
aee82d80fbbce22e907f75210a6ed00e7ed9ec85b9a1086c5623ddff83326fe5

SHA512
dc45ea0a0ab705e3821a090f5eb303b519af83aeb9e3ce31a895fd3779a1957ec1d5ebd606cad85c41b9716d959ebe679ee90f61c589017b87056327c5c9b079

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
0829f8f59af7abf38abcdc5cb8c1a417

SHA1
9522b9f9e22acacebd59c7e2f1a30f1ecce9fbe5

SHA256
e05ca95058acc164c2ece3808892a76ef31e22f6ca7a7d331c0520aef5a39c9e

SHA512
d546188c02c2e7d5628182ca2c4edc3e661b9f1838a2a5b071eceaf2b0479079795be2f310a003dc8ee95c707e9efb1232163a2f530f2e1c36bc18984f3c585b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
ac0be8b63078238b33365b3829bf4ac0

SHA1
a97ced8f58cb3cba474f76fe2259bd508012df9d

SHA256
81ae536b1ca4b3445ec0bd0ea6cd0950123bbecc75faedc66b5e2c27ec600de6

SHA512
a406f5b9e9028562281b3cc313efc2fa5480dea2cf578b286491e3f4b5128ce1b2b3a9f548c8542ce459d66c141827c76c53ed7980c65a1aa1d504fd2d0af5bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
831702eb2856e8c0fb66be7cfe5766a8

SHA1
6d5df5fe248418dde3c8ce98b8b6ea686150eec1

SHA256
94accdf87a31e226c164bd02f21d1fde8d99113a5456cf02384c5ef4d9d6892a

SHA512
3700b54bce862dbe11dfdc21e9689a176efaef723d1ec9af43b4c663b93d6fa6964ed7d6247f79ec17f287531280c1bf499cba1d5d53239b12d775315693ba06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
90785a22adb9c6b4a7af7af95ccd2f4d

SHA1
7fa8919d2f2e21cfaa4d9939dac3f17c532d7c3a

SHA256
ed9202bd333880d35fa346c59163908057f7397b494d4e27a85742a8769f9bfc

SHA512
d0e4b26cd58b330e74212859840bd291b271877e7bb770c448e9acac31fa1248fdf6b5319960903e9127fde52db42415c9bc459af0ced1ea6c4c9d98467e3c31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0b6e51cc174103d424b8606c3d867ec1

SHA1
50388fa791ef034ea313b792add7443d5bfb4fbe

SHA256
408808662f70864f812e10d7dd9c777d87ee9b0cc8ffca7a9da5662c70a4df15

SHA512
99a0f93d8ca237679dc2ce33f2c5d20b76df8c9a94931362fcc5d73c1e6adf52ba28f239282c179a8ed2df16b18d89bf11703d3f1b82b1beb704c9613c460837

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
120B

MD5
94ce8845f171cfdf0d30e06f6249357d

SHA1
0dcd5ab3da3cf189af7fa06e1595b72a7d8d036e

SHA256
369ab0349e5fbbda1922c9f63c80ede54ed833623104cbb25ae2d7c9bb410d27

SHA512
e295207c2b5b42b495669c805b9f80ede30c4b0b1a0a05ef1a10130cf86ade4df5c8f231ecacf389d476bb89f8dc7ebff66c0b53c345b9117df2028633e25ac5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
2cd94f3c9690b12109d45c9947f0e406

SHA1
b3c7211cd9b6ac00cbb001354586bbb3b737a6b0

SHA256
ecbe978184d9525cfc00b603ad4600115d8e0a00a79c2341a03b0af13272ccfa

SHA512
3424109825ec25a76ca1ca54c088f98fdcc5c37bcfe64d3f54e49e73fe6475ee46ccf8b115807febffc459fb9350d45c23a135593684bbf6018731a9d210867c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
d77e972e0522236b9c9215b84e7e1853

SHA1
f1e1bc2dbae63e337fdf81bf1c22770530765712

SHA256
48df82f4f3622482badc125492e10dd541abc3ee9fdcb9daf0d0101ab2beaf06

SHA512
d5eae5252a7f1972ca08049cf4e4a990df3cdeb85c22ebacc2c3be49dc7d622ae11580eba40345b78ec1e221455f30d37ced73f8208bca67d76c2f595ea30486

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
0053c47b1c9f3feb36bfbfa088c5a7cc

SHA1
c14e589b4ace1dd1fe70d0a9ccaea65a671defed

SHA256
784c4a49b1aa3db40b73bfd5901857c99c2123ac12af5cf2617b3485dab57f7b

SHA512
e0d4ef478660358cfc16a4bdea9676bd4bf79116d08116137d6df31cea6232a78193ca4891618da215f42eb10c683e544a7f433a109c903b8dfe15336d1be9b7

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
7fc1af6f45e844eedd1a78d89ba2813d

SHA1
bdd93c47e99e7da95f5888d01cb85550f8fae9ab

SHA256
87577decf9290f786d76c3e9885e490106a7b00dd8a9b43471ff32f9eddd612e

SHA512
e79bc304620d23981c9bc03ada331755eaf74f356f32461bced715ef6e5c3ceab947a5a1dc51ef9061427b5c9132f58b1c14cce33960dd469c066ec4458abe86

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
a7f391566ceb7d310b04c1376aa66a07

SHA1
eda88e9134d3de209152481c9e8aa02054d4c2eb

SHA256
8ecb81fa22792fa6bb09abc86b9b5afb50773e2c5537def45dd8ba297f6c714e

SHA512
163bad20eaa9108286367367e6a54a9ac612026954ee2466b8f88f732a992695fe160d3fb5f092976ef15c1c1b71400e577a9a4833dfa616d7c9ee6a8237033c

Download Submit