bbd05de19aa2af1455c0494639215898a15286d9b05073b6c4817fe24b2c36fa

Resubmissions

10-10-2024 19:50

241010-yj8q7syfnn 1

10-10-2024 18:01

241010-wl6nhsyfkh 5

10-10-2024 17:55

241010-whj1caydme 4

Analysis

max time kernel
152s
max time network
155s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
10-10-2024 18:01

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

42.zip
Size

41KB
MD5

1df9a18b18332f153918030b7b516615
SHA1

6c42c62696616b72bbfc88a4be4ead57aa7bc503
SHA256

bbd05de19aa2af1455c0494639215898a15286d9b05073b6c4817fe24b2c36fa
SHA512

6382ca9c307d66ab7566acf78b1afd44b18b24d766253e1dc1cb3a3c0be96ecf1f2042d6bd3332d49078ffee571cf98869c1284c1d3e5c1c7dc3e4c64f71af80
SSDEEP

768:hzyVr8GSKL6O3QOXk/0u3wqOghrFCezL1VFJdbq2QTJTw02Q:hGx8DKXE//ZhhCirFi2cwK

Score

5^/10

discovery

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Recovery\ReAgent.xml	bootim.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	bootim.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	bootim.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	bootim.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	bootim.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "228"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133730570441225714"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4464	chrome.exe
4464	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4464	chrome.exe
4464	chrome.exe
4464	chrome.exe
4464	chrome.exe
4464	chrome.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeRestorePrivilege	4696	7zFM.exe
Token: 35	4696	7zFM.exe
Token: SeShutdownPrivilege	4464	chrome.exe
Token: SeCreatePagefilePrivilege	4464	chrome.exe
Token: SeShutdownPrivilege	4464	chrome.exe
Token: SeCreatePagefilePrivilege	4464	chrome.exe
Token: SeShutdownPrivilege	4464	chrome.exe
Token: SeCreatePagefilePrivilege	4464	chrome.exe
Token: SeShutdownPrivilege	4464	chrome.exe
Token: SeCreatePagefilePrivilege	4464	chrome.exe
Token: SeShutdownPrivilege	4464	chrome.exe
Token: SeCreatePagefilePrivilege	4464	chrome.exe
Token: SeShutdownPrivilege	4464	chrome.exe
Token: SeCreatePagefilePrivilege	4464	chrome.exe
Token: SeShutdownPrivilege	4464	chrome.exe
Token: SeCreatePagefilePrivilege	4464	chrome.exe
Token: SeShutdownPrivilege	4464	chrome.exe
Token: SeCreatePagefilePrivilege	4464	chrome.exe
Token: SeShutdownPrivilege	4464	chrome.exe
Token: SeCreatePagefilePrivilege	4464	chrome.exe
Token: SeShutdownPrivilege	4464	chrome.exe
Token: SeCreatePagefilePrivilege	4464	chrome.exe
Token: SeShutdownPrivilege	4464	chrome.exe
Token: SeCreatePagefilePrivilege	4464	chrome.exe
Token: SeShutdownPrivilege	4464	chrome.exe
Token: SeCreatePagefilePrivilege	4464	chrome.exe
Token: SeShutdownPrivilege	4464	chrome.exe
Token: SeCreatePagefilePrivilege	4464	chrome.exe
Token: SeShutdownPrivilege	4464	chrome.exe
Token: SeCreatePagefilePrivilege	4464	chrome.exe
Token: SeShutdownPrivilege	4464	chrome.exe
Token: SeCreatePagefilePrivilege	4464	chrome.exe
Token: SeShutdownPrivilege	4464	chrome.exe
Token: SeCreatePagefilePrivilege	4464	chrome.exe
Token: SeShutdownPrivilege	4464	chrome.exe
Token: SeCreatePagefilePrivilege	4464	chrome.exe
Token: SeShutdownPrivilege	4464	chrome.exe
Token: SeCreatePagefilePrivilege	4464	chrome.exe
Token: SeShutdownPrivilege	4464	chrome.exe
Token: SeCreatePagefilePrivilege	4464	chrome.exe
Token: SeShutdownPrivilege	4464	chrome.exe
Token: SeCreatePagefilePrivilege	4464	chrome.exe
Token: SeShutdownPrivilege	4464	chrome.exe
Token: SeCreatePagefilePrivilege	4464	chrome.exe
Token: SeShutdownPrivilege	4464	chrome.exe
Token: SeCreatePagefilePrivilege	4464	chrome.exe
Token: SeTakeOwnershipPrivilege	2760	bootim.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4696	7zFM.exe
4464	chrome.exe
4464	chrome.exe
4464	chrome.exe
4464	chrome.exe
4464	chrome.exe
4464	chrome.exe
4464	chrome.exe
4464	chrome.exe
4464	chrome.exe
4464	chrome.exe
4464	chrome.exe
4464	chrome.exe
4464	chrome.exe
4464	chrome.exe
4464	chrome.exe
4464	chrome.exe
4464	chrome.exe
4464	chrome.exe
4464	chrome.exe
4464	chrome.exe
4464	chrome.exe
4464	chrome.exe
4464	chrome.exe
4464	chrome.exe
4464	chrome.exe
4464	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4464	chrome.exe
4464	chrome.exe
4464	chrome.exe
4464	chrome.exe
4464	chrome.exe
4464	chrome.exe
4464	chrome.exe
4464	chrome.exe
4464	chrome.exe
4464	chrome.exe
4464	chrome.exe
4464	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1200	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4464 wrote to memory of 1168	4464	chrome.exe	96
PID 4464 wrote to memory of 1168	4464	chrome.exe	96
PID 4464 wrote to memory of 2936	4464	chrome.exe	97
PID 4464 wrote to memory of 2936	4464	chrome.exe	97
PID 4464 wrote to memory of 2936	4464	chrome.exe	97
PID 4464 wrote to memory of 2936	4464	chrome.exe	97
PID 4464 wrote to memory of 2936	4464	chrome.exe	97
PID 4464 wrote to memory of 2936	4464	chrome.exe	97
PID 4464 wrote to memory of 2936	4464	chrome.exe	97
PID 4464 wrote to memory of 2936	4464	chrome.exe	97
PID 4464 wrote to memory of 2936	4464	chrome.exe	97
PID 4464 wrote to memory of 2936	4464	chrome.exe	97
PID 4464 wrote to memory of 2936	4464	chrome.exe	97
PID 4464 wrote to memory of 2936	4464	chrome.exe	97
PID 4464 wrote to memory of 2936	4464	chrome.exe	97
PID 4464 wrote to memory of 2936	4464	chrome.exe	97
PID 4464 wrote to memory of 2936	4464	chrome.exe	97
PID 4464 wrote to memory of 2936	4464	chrome.exe	97
PID 4464 wrote to memory of 2936	4464	chrome.exe	97
PID 4464 wrote to memory of 2936	4464	chrome.exe	97
PID 4464 wrote to memory of 2936	4464	chrome.exe	97
PID 4464 wrote to memory of 2936	4464	chrome.exe	97
PID 4464 wrote to memory of 2936	4464	chrome.exe	97
PID 4464 wrote to memory of 2936	4464	chrome.exe	97
PID 4464 wrote to memory of 2936	4464	chrome.exe	97
PID 4464 wrote to memory of 2936	4464	chrome.exe	97
PID 4464 wrote to memory of 2936	4464	chrome.exe	97
PID 4464 wrote to memory of 2936	4464	chrome.exe	97
PID 4464 wrote to memory of 2936	4464	chrome.exe	97
PID 4464 wrote to memory of 2936	4464	chrome.exe	97
PID 4464 wrote to memory of 2936	4464	chrome.exe	97
PID 4464 wrote to memory of 2936	4464	chrome.exe	97
PID 4464 wrote to memory of 4256	4464	chrome.exe	98
PID 4464 wrote to memory of 4256	4464	chrome.exe	98
PID 4464 wrote to memory of 3076	4464	chrome.exe	99
PID 4464 wrote to memory of 3076	4464	chrome.exe	99
PID 4464 wrote to memory of 3076	4464	chrome.exe	99
PID 4464 wrote to memory of 3076	4464	chrome.exe	99
PID 4464 wrote to memory of 3076	4464	chrome.exe	99
PID 4464 wrote to memory of 3076	4464	chrome.exe	99
PID 4464 wrote to memory of 3076	4464	chrome.exe	99
PID 4464 wrote to memory of 3076	4464	chrome.exe	99
PID 4464 wrote to memory of 3076	4464	chrome.exe	99
PID 4464 wrote to memory of 3076	4464	chrome.exe	99
PID 4464 wrote to memory of 3076	4464	chrome.exe	99
PID 4464 wrote to memory of 3076	4464	chrome.exe	99
PID 4464 wrote to memory of 3076	4464	chrome.exe	99
PID 4464 wrote to memory of 3076	4464	chrome.exe	99
PID 4464 wrote to memory of 3076	4464	chrome.exe	99
PID 4464 wrote to memory of 3076	4464	chrome.exe	99
PID 4464 wrote to memory of 3076	4464	chrome.exe	99
PID 4464 wrote to memory of 3076	4464	chrome.exe	99
PID 4464 wrote to memory of 3076	4464	chrome.exe	99
PID 4464 wrote to memory of 3076	4464	chrome.exe	99
PID 4464 wrote to memory of 3076	4464	chrome.exe	99
PID 4464 wrote to memory of 3076	4464	chrome.exe	99
PID 4464 wrote to memory of 3076	4464	chrome.exe	99
PID 4464 wrote to memory of 3076	4464	chrome.exe	99
PID 4464 wrote to memory of 3076	4464	chrome.exe	99
PID 4464 wrote to memory of 3076	4464	chrome.exe	99
PID 4464 wrote to memory of 3076	4464	chrome.exe	99
PID 4464 wrote to memory of 3076	4464	chrome.exe	99
PID 4464 wrote to memory of 3076	4464	chrome.exe	99
PID 4464 wrote to memory of 3076	4464	chrome.exe	99

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\42.zip"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4548

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:2220

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:2752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:3300

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:4488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8dfffcc40,0x7ff8dfffcc4c,0x7ff8dfffcc58
  2⤵
  PID:1168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1952,i,3722701347547134680,7626079548239784331,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1948 /prefetch:2
  2⤵
  PID:2936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1720,i,3722701347547134680,7626079548239784331,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1964 /prefetch:3
  2⤵
  PID:4256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2120,i,3722701347547134680,7626079548239784331,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2220 /prefetch:8
  2⤵
  PID:3076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,3722701347547134680,7626079548239784331,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3100 /prefetch:1
  2⤵
  PID:1904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3120,i,3722701347547134680,7626079548239784331,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3136 /prefetch:1
  2⤵
  PID:3304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4112,i,3722701347547134680,7626079548239784331,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4412 /prefetch:1
  2⤵
  PID:3436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4604,i,3722701347547134680,7626079548239784331,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4388 /prefetch:8
  2⤵
  PID:400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4608,i,3722701347547134680,7626079548239784331,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4724 /prefetch:8
  2⤵
  PID:4408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4664,i,3722701347547134680,7626079548239784331,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4652 /prefetch:8
  2⤵
  PID:772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4580,i,3722701347547134680,7626079548239784331,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4884 /prefetch:8
  2⤵
  PID:336
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:4976
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff7b5424698,0x7ff7b54246a4,0x7ff7b54246b0
    3⤵
    - Drops file in Windows directory
    PID:4092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4820,i,3722701347547134680,7626079548239784331,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:4656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3292,i,3722701347547134680,7626079548239784331,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5016 /prefetch:1
  2⤵
  PID:3232

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4948

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a2d055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1200

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:3136

C:\Windows\system32\bootim.exe
bootim.exe /startpage:1
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
850B

MD5
c232f6c9686e2630d3a152456aecfc0b

SHA1
7e5662e05ba4663babf0882a291980222aa0c121

SHA256
edf157b7e8b294953d536d3d2d95a0c6314353d731f77e5a60db460555742a6d

SHA512
1124482e73a7b33261ecc9a36d7417ad49f1feeb37fdbd56d60be9c2471b3fb8477d07141a2c8adcad9ff7980b156d037dee142aaf3844f8eae01643047e11ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
519B

MD5
72d62225b75067fef06b545bdae2286d

SHA1
cf377ced644eadaf6137f9b4e067d323d5a6d285

SHA256
c213dde176e84557436969f49ebf382821e121e43062fe81ccda06701b215107

SHA512
506722c3b62efd8bd7eb72afacf42ae2dbd78a2bb9a144d0d03012860073e8bec8793986f0f21d1aa9c72cf5cd6c600585b28d424f96bba0738a6fade4064c95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d9612c165db0bbdc81d0e2c5a3b12c66

SHA1
7e668b83fd46993c3bb43ee5059889bb6d32f5a1

SHA256
e4c52a28afa39a9954a522a0411345be35375ed8641d474c7ead013e2d721475

SHA512
14154ce72c22e0c50beb206832c196a9e7ed03a61689014f65fd591729352c053d69d5cd50f58d11b5f321795db12ef0d1b35ea4a3dc8c2ec68f8e5fbb3ae299

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7ff9c5f88205bbee90ce6568f1fa2b6f

SHA1
fbcc6cebd0e78afeff53dcfaee716759201af563

SHA256
0ad4166158e34b2eaeb214cdfb21166dd51b49e768dac3d209f68d3e34811f2a

SHA512
1d14d24c7eeea7315b1b141479becf5941485ebdab77e96325afc1a1b00d91b9ea4d62de8c247ee7f9e0a26e67b69b6bfb56c63bf85c1070ac22f439b7fe13ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
a384c44dfbaa49b51b9895dbe3990922

SHA1
4e5a8ef2eca9ec7a556c8f3fc6b067a34a2bef01

SHA256
55b4387e7d0e39fdc61a8e82caa2be85668396dcb42eeb02a4fab141bc6a05e0

SHA512
00f26fdb144c94f2f74d61cdc8ae439f16cb8b3c0691a20aed5bb592be072ab8c9d4586dbfa47555836f74f0b80bdad70f870465abdd74357632332ad0795e5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt

Filesize
76B

MD5
a7a2f6dbe4e14a9267f786d0d5e06097

SHA1
5513aebb0bda58551acacbfc338d903316851a7b

SHA256
dd9045ea2f3beaf0282320db70fdf395854071bf212ad747e8765837ec390cbc

SHA512
aa5d81e7ee3a646afec55aee5435dc84fe06d84d3e7e1c45c934f258292c0c4dc2f2853a13d2f2b37a98fe2f1dcc7639eacf51b09e7dcccb2e29c2cbd3ba1835

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt~RFe59d018.TMP

Filesize
140B

MD5
91af9fb3a8a1d6dcff0311475114c55c

SHA1
ab0118b6e1a9656f0effcda6668761855796380a

SHA256
3b223d14e8b41df1485e5fd3e44f62924be85dfae8ebf33cef42a6fbc7543cd1

SHA512
41e2d8ee4c4789ea2e6962c334958476d1da249e84da45c77427ca781ad2486e32acc8b7aae8587776af09a715d47a40fcb81d7be693479346f5f11b273bfb1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
09cde474ac131624088c42eb9a796149

SHA1
2c9b7e8843d112e0967136f8b3b24e64d9abe7fd

SHA256
636dad7af7ea50deafca229635d9cb6b3f917ed44c2e2f3d9d7142f5d1841857

SHA512
e1d6111f40e6d7538ba63c86ab614e4ed56c2caccf2f690bec7b188980daa1e9c713fc11b67b4dac5d0890bb26047871a7d09042fc8890031a622d59cfce564b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
4f60902c39c2025b50fcaf24a0f13734

SHA1
af4335001100d5cec5a3aa1ce379f339f172fb36

SHA256
968405716c49fb1cb5555125f213ced0742adf0042eaa5eac5e14cc27468d282

SHA512
b3131302956b3ffc89ebd0ac28cdeaf1466068e369ad91ee6a652c59a3dd589e75f642805bb42fd414ae4e2aaa8524faa84f7fd55514fc084a11caeafeced367

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
550c8024423c840a1e591c880168276e

SHA1
ae0a908b5c0bdb9924007f9bed3f1ccd3bc89dc8

SHA256
7e657edd46d5c248eacc3fd852f0ccd6ae5b90efaa76ba153c7a24e9f8e8e4fc

SHA512
4216275f1ce2034483aae0c8ff00e3f34fd10585f49b307bd2ae6a107257c7efec724fce23f3f5c292d45d13e792117c32b7be540c7f4c2963808937a86f1493

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\fa66f846-c268-44bd-8d43-9af5860ed8c8.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Windows\System32\Recovery\ReAgent.xml

Filesize
1KB

MD5
1160748623113673641a9992516b63da

SHA1
0a8842e4d2bd47c1ad13b98149f2c8f633f96c40

SHA256
8d981aff67955f0d77463c6bb041711005d023a12953e184f01fd39fb4f7fc71

SHA512
19c70794152b27e781846a36445290114bd7794e0639148c826911f2668793b62599bf918248de2cd6add0029366c12bc91f9b4ebf055caa79737f8fde31906e

Download Submit