hxxps://drive[.]google[.]com/file/d/1gIsNUJigWr6VtEdeRMysyNYgDD9vr5_g/view?usp=sharing

Resubmissions

13-11-2024 07:16

241113-h36g7awqct 6

13-11-2024 07:10

241113-hzk23sxfjr 6

Analysis

max time kernel
300s
max time network
276s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
13-11-2024 07:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1gIsNUJigWr6VtEdeRMysyNYgDD9vr5_g/view?usp=sharing

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	drive.google.com
7	drive.google.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133759554413572404"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3608	notepad.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4116	chrome.exe
4116	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe
3760	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe
Token: SeShutdownPrivilege	4116	chrome.exe
Token: SeCreatePagefilePrivilege	4116	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
3608	notepad.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4116 wrote to memory of 2544	4116	chrome.exe	81
PID 4116 wrote to memory of 2544	4116	chrome.exe	81
PID 4116 wrote to memory of 2620	4116	chrome.exe	82
PID 4116 wrote to memory of 2620	4116	chrome.exe	82
PID 4116 wrote to memory of 2620	4116	chrome.exe	82
PID 4116 wrote to memory of 2620	4116	chrome.exe	82
PID 4116 wrote to memory of 2620	4116	chrome.exe	82
PID 4116 wrote to memory of 2620	4116	chrome.exe	82
PID 4116 wrote to memory of 2620	4116	chrome.exe	82
PID 4116 wrote to memory of 2620	4116	chrome.exe	82
PID 4116 wrote to memory of 2620	4116	chrome.exe	82
PID 4116 wrote to memory of 2620	4116	chrome.exe	82
PID 4116 wrote to memory of 2620	4116	chrome.exe	82
PID 4116 wrote to memory of 2620	4116	chrome.exe	82
PID 4116 wrote to memory of 2620	4116	chrome.exe	82
PID 4116 wrote to memory of 2620	4116	chrome.exe	82
PID 4116 wrote to memory of 2620	4116	chrome.exe	82
PID 4116 wrote to memory of 2620	4116	chrome.exe	82
PID 4116 wrote to memory of 2620	4116	chrome.exe	82
PID 4116 wrote to memory of 2620	4116	chrome.exe	82
PID 4116 wrote to memory of 2620	4116	chrome.exe	82
PID 4116 wrote to memory of 2620	4116	chrome.exe	82
PID 4116 wrote to memory of 2620	4116	chrome.exe	82
PID 4116 wrote to memory of 2620	4116	chrome.exe	82
PID 4116 wrote to memory of 2620	4116	chrome.exe	82
PID 4116 wrote to memory of 2620	4116	chrome.exe	82
PID 4116 wrote to memory of 2620	4116	chrome.exe	82
PID 4116 wrote to memory of 2620	4116	chrome.exe	82
PID 4116 wrote to memory of 2620	4116	chrome.exe	82
PID 4116 wrote to memory of 2620	4116	chrome.exe	82
PID 4116 wrote to memory of 2620	4116	chrome.exe	82
PID 4116 wrote to memory of 2620	4116	chrome.exe	82
PID 4116 wrote to memory of 1220	4116	chrome.exe	83
PID 4116 wrote to memory of 1220	4116	chrome.exe	83
PID 4116 wrote to memory of 4572	4116	chrome.exe	84
PID 4116 wrote to memory of 4572	4116	chrome.exe	84
PID 4116 wrote to memory of 4572	4116	chrome.exe	84
PID 4116 wrote to memory of 4572	4116	chrome.exe	84
PID 4116 wrote to memory of 4572	4116	chrome.exe	84
PID 4116 wrote to memory of 4572	4116	chrome.exe	84
PID 4116 wrote to memory of 4572	4116	chrome.exe	84
PID 4116 wrote to memory of 4572	4116	chrome.exe	84
PID 4116 wrote to memory of 4572	4116	chrome.exe	84
PID 4116 wrote to memory of 4572	4116	chrome.exe	84
PID 4116 wrote to memory of 4572	4116	chrome.exe	84
PID 4116 wrote to memory of 4572	4116	chrome.exe	84
PID 4116 wrote to memory of 4572	4116	chrome.exe	84
PID 4116 wrote to memory of 4572	4116	chrome.exe	84
PID 4116 wrote to memory of 4572	4116	chrome.exe	84
PID 4116 wrote to memory of 4572	4116	chrome.exe	84
PID 4116 wrote to memory of 4572	4116	chrome.exe	84
PID 4116 wrote to memory of 4572	4116	chrome.exe	84
PID 4116 wrote to memory of 4572	4116	chrome.exe	84
PID 4116 wrote to memory of 4572	4116	chrome.exe	84
PID 4116 wrote to memory of 4572	4116	chrome.exe	84
PID 4116 wrote to memory of 4572	4116	chrome.exe	84
PID 4116 wrote to memory of 4572	4116	chrome.exe	84
PID 4116 wrote to memory of 4572	4116	chrome.exe	84
PID 4116 wrote to memory of 4572	4116	chrome.exe	84
PID 4116 wrote to memory of 4572	4116	chrome.exe	84
PID 4116 wrote to memory of 4572	4116	chrome.exe	84
PID 4116 wrote to memory of 4572	4116	chrome.exe	84
PID 4116 wrote to memory of 4572	4116	chrome.exe	84
PID 4116 wrote to memory of 4572	4116	chrome.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/file/d/1gIsNUJigWr6VtEdeRMysyNYgDD9vr5_g/view?usp=sharing
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffa1a87cc40,0x7ffa1a87cc4c,0x7ffa1a87cc58
  2⤵
  PID:2544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1880,i,8739518577712818349,13516642797840062090,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1884 /prefetch:2
  2⤵
  PID:2620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2164,i,8739518577712818349,13516642797840062090,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  PID:1220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2244,i,8739518577712818349,13516642797840062090,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2456 /prefetch:8
  2⤵
  PID:4572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3136,i,8739518577712818349,13516642797840062090,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:4060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3144,i,8739518577712818349,13516642797840062090,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:4052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3764,i,8739518577712818349,13516642797840062090,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3768 /prefetch:1
  2⤵
  PID:2564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4652,i,8739518577712818349,13516642797840062090,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4820 /prefetch:8
  2⤵
  PID:2872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4872,i,8739518577712818349,13516642797840062090,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4660 /prefetch:1
  2⤵
  PID:4524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5512,i,8739518577712818349,13516642797840062090,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5436 /prefetch:8
  2⤵
  PID:3688
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" "C:\Users\Admin\Downloads\ClipboardCutCopyHandler.ps1"
  2⤵
  - Opens file in notepad (likely ransom note)
  - Suspicious use of FindShellTrayWindow
  PID:3608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5292,i,8739518577712818349,13516642797840062090,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5496 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5428,i,8739518577712818349,13516642797840062090,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5020 /prefetch:1
  2⤵
  PID:1856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5732,i,8739518577712818349,13516642797840062090,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:2348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5904,i,8739518577712818349,13516642797840062090,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5900 /prefetch:8
  2⤵
  PID:4044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6076,i,8739518577712818349,13516642797840062090,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=6084 /prefetch:8
  2⤵
  PID:2132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=1204,i,8739518577712818349,13516642797840062090,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=6024 /prefetch:1
  2⤵
  PID:1816

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2208

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
697cc7ba2a0fbe079d143a2eadaaa406

SHA1
c43a8b2f20cdf1c2a3df4c099c40869b578f9e1e

SHA256
165041767a6a95fe55324bb870197fb32404089ccf5e01a80dfed00d9730d01b

SHA512
3986564373f2f02e9ccf44803a51aed6bf48d9cbfabaa650a31096ab318bb20531f2eba5e4b749dbe49676103f7ef1992d7e2f3b0c13df90a0bba00f3a786d19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
8a41fbb40337699620ae1f2f3d6b7cc7

SHA1
1e603efa6eb649069a7ce8a8579c85b97e58f8bb

SHA256
b181230dab4492e18aab2098aac269b9479aeb8436bd85260451d50cd31f3a7e

SHA512
ca7f4d0d705fb570fd982f85ab7b1afdf3451acc02cdeea1c37b3f5731d96fb1b1df89800af14a51480f00d123c316807e4df4ede4a028d6161333e5fc440890

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
98b7415e947f7f0a1b09673f95d26459

SHA1
81beba6dbe1a0b87a49ff51baa777394af5f6eb0

SHA256
08e2bbe1d598f872fb71e103ddbfeb1920a75498fe5efd7c96a661c286327192

SHA512
24af6b5636369e01bb7439ccfc3558255b9ba0bb3e63a03e1e92148002899c1a15e89c9c2c9e4b728446025ee577c7f353cd24856f25a54c95f236996fa4d550

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
ef70a8f80767a00bddcd5e8ef80ff9bb

SHA1
6a3c38616c84c72624b0e276942fac7084f709c8

SHA256
9e7d15b9095a2f9b6e2f4edfadba29d425403b227b126e308b5501c362c0740f

SHA512
94e4d9bd68136d0ac09250d6790c8832c62b6a39885f1e116af269d3eea534d0f89b5280b8621fcf92bc9659581371993aeb9479ce4667058d9488961ddec52c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
4423ca0a1b005f51fcd54bbee018915b

SHA1
b57fe5489ad84534a9334c854a2c56fc6aa933eb

SHA256
b810c525e2c1daa3bd1cadd163b66c24fb0957702d698ec05156a6ffa67188ca

SHA512
680cfdd9ea1f105942bf9a41a94969ab7154933aa55a81d7a02a414671285e5d7b79888824d06987237495e4d952425cd5a9000eb8397622422dd3563d7ae47b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
7f803860623512b214cc424a56396533

SHA1
5b8c28af76a90cb5eb459af4d52d576410556f35

SHA256
e170b1fe8b55d06a93c701c93f030fceee4da4983d7e3ec72044316ddd4f7f40

SHA512
a30e0bfcfd5e702ddcf030fd13e73b0305c1a0d6a51917ebf5db16142b9393d525cdb39f2a5cdfa1e75105fa0c370f50b75d7d7ab532a8e9d8f515ef050f3202

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
5a27c68a8b15473775c532ad45378b5e

SHA1
d19ff46a40a3dbe973fe9e957fd31c95beda4421

SHA256
46fda9ca1a87f100d549b71c7c897d6bfe84285463111bbec7a773488bf19647

SHA512
f89cfefe718f837884537ff2ac02ba8da0db10557a5bb911c01135016befa1232fdfb86fc4523ae9ee22e3b3a3707e89f039e051c2c76abd7cabe34245f8c8d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
71f763b8f92f89da2d515a82fc9c0617

SHA1
44627c56eb396b807dfe8021c9e1470c5f159d45

SHA256
b6a7d136fc71b10e6ccf185bc45b4b8a1d78f0572fef110ce68d5bbbcf537235

SHA512
37252af9469d772986c8c50e132d2475d44da1b7795cc06d80cca46845097d57f5410024d9377740eefeaac3ae3546f632d78879ee0269304d5dace4b25d4056

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3172eb96dc417d9ec99256dde56719d2

SHA1
98ca80e0be61fe77ba94a7956071de4a4bb9ee2a

SHA256
c4cb2deda01892aa771cd3b6856c071f750164e5120fef980f49048734f0a80e

SHA512
143e56280fc13a49a870608e14c1608384b7542c69134860904ed83c8621e3b93aace838218b9b361bab28f1e658238a91f47d477a885b5c2416582b994b557c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
15dab3c2c7f5d335c356cc77b5a9ba54

SHA1
7b94cf4ab65fc467ffafe07137aaac6b8473d102

SHA256
eaa50b4221cafc83444f7fc3283b09664726f62e4343667ae0e72d2b315baa97

SHA512
50f7b488074c681c11c96d565be58531a696e4b095675b7e15954a77117bbcf3cb8db3488a5ac952dd8ee976c1cb36037626e8bff37ca73ae6d293bc41bf9931

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8efa7e15cd6689cfe53a616f783adf12

SHA1
3ef008385d627768d6903ab966fbbb298b9b5f61

SHA256
13016cc6ffd07205b1fdda292431fd982b03597bcb138bfb94d50995fb4df750

SHA512
ace4171b1571a4125f5477a06b7253e15a8ed9999fa9e082a6d202ca244a9004bcc35118a771fbba2f2397e87fc1e6eec548d9574d4788270ed3b1e08f8dfdfd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c5b96ff6a552846d32fa73a80a724117

SHA1
7631cc78f5721a4a5043fdeaba0e1200d6de4de1

SHA256
f8492629eea55d5c69e95c2932a41dd9a5f59d6b189e4fcbe37e9f6b39afb7d7

SHA512
581a2ec403241256df836b83410392fb85ea65cd499bd8a09e1188d2ac38b3c3187c46426698938a49745c303d8249cdb33f25958ff186661b056ea6e2612541

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
9ae99e34ca0ceeca6d4bbeae7e15c4d9

SHA1
210d77ea6604f99abeaf3f59be0729749bb06383

SHA256
d12b1b80d4bbca08e62ac663ddae05f2c37ad78dd8fd43b2c5ff484c1baa7381

SHA512
ca3b9f21fa5683911db177d2176838977115c81a9b2886cd8414021e7424924bd0b7b116ad4296cd61fefdd9e8689b52cb87f1c5dca2fd098c756b34684926eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f49ea785d914f9255d632896b8f31802

SHA1
5feec96b9d860700d95bb783f02fe918bbb820a6

SHA256
6ccc61514d3cb7da950582bf141f0387defa2ffe700608b7202fae722e7edaf8

SHA512
edb9055c08bc44077e1e269934cbd5cda7df6f039303ad8430a001793e1a283f0120abd7c962de27e4630def97078267b08ecbbd774c818f8a2b7828dc342474

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1b158969a993601f4c0bf1611411b96d

SHA1
980342cadfa043806d1e24869ff828c8b78d5f5f

SHA256
3a9ebe13e7dbb51e9eea5d778e72c2c6eaa7a6780584a3aba49282a8a9ccb9b0

SHA512
8c1b715036eb81eea115fbea2dd4813f234c6bed2395df532b356c140a92a19c38e11f5c063b4f5aef87ccbd9411a7a8a6aab6a56405b5676df506b61b357f27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
df8ecacb1e72e862e1d1a7aa0fddc11e

SHA1
bdfc0272e142fcfa6896a36f844d542c8900048e

SHA256
41dba374f87bc8c58a756c3c6e1fe6f1073d86615426498ee36b3e72752bef97

SHA512
df9a94506e8f7600cf13c913ad83d391ec5190e67f458cb4949eb5065856016a5c092ca9809e255a601dfe67ef590fe72e9f69d47174d723954306ae19652819

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7a9c066fe27d46ad00c8684e74502345

SHA1
b61b6079662549b2f0dd6aeed7e8bddb481ccd8d

SHA256
c9107f8cc2c15d4645e16b6e766f7c1c3f3788bc47378926965944e1ddaa5a51

SHA512
53172320454cdc114a59829ad7d1555ef970097e11885adc0acc26548d65aa0b98a9e482a112e46555e953df2b941e9517c73bd6a40c27c3dc10632a8809ac3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
efc8f9b03b49ae39409cb3acaaa4c45a

SHA1
47ec561090c6d194a08b1984cc1e401d7693f413

SHA256
67cbc26e93e0c6304407ad601246e32083b857b78dc2849715678c5d73836380

SHA512
140435c6e1be33bb5ee7db4fac070d90c5d6c4f3101e1c2af460a00fb604abe9f67a67feeeaca05f9a590b1e7c7a680228f6a3e69025629a528856963175a119

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f8afa0ead94e419443c685bece60bc50

SHA1
b4558270cd79153eac82bc28f36925bd805e3055

SHA256
8d4d760e3e7bf51a7efbd2ef58a80a136c67adae4803006a857f1bb2b7dc19ee

SHA512
d42b3b0daa1e573b13dd2229c3add1e85aaf457eaf3df4ab3ea74f29fca7484c64cdc0e96a7ef02b7eecb0042751b12dc07eefb818372a6c4f9c03dad9302319

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4f19169a1869cfe5ee5706c16a337d3c

SHA1
646fa2e0fbad512da833e19b0b89847886662682

SHA256
aaf09f5a419ca930b1c3dc6fa0057265ebe390893da691633bc65114db0259fd

SHA512
76fa70e2e45330d1b291710b6fa10a14f198c55e320b08d27ebea64b5029659d97fa2a391e2969dbb7e78df3b60cd1efa59842db3315e6876774eac980bce957

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f0826512b2a020cae57dfb1775da9930

SHA1
ef24aa4ff813285553d913498e713712c4ca0a23

SHA256
45b73af33f45d88aab86dc1d19914367d2d5c20bc3b00c312d7f87d94469c281

SHA512
ef4ad5f0a3b3189a2abae2ea62037a67a8fec704d560852ac7e920fa027b1a778334e387dec81e9cc3af337075aa7bb553109b32546e010f1253ccf74465272e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
55e84fa45616a227f257b7a7012eaa33

SHA1
9ea89aef6696827acf6331510ba77a80be2b40fd

SHA256
a1512978abd6d4b893c04f61e2655a00ba354c53b71e99eb1879e7cea552a262

SHA512
3744ff30b2c9ca26874e9c63959ea825354feab577841da4f366cdf1935e952d8258003ff15d03aa8cd83bdfb8e73767f4209ba92302e3da37c928a1d359ef31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
dd4022608bf92af3ed9d6b6f6d8fba4c

SHA1
4a9a4a6448d71aa0f6f4031a6a8eaf5b1d5f3c46

SHA256
4c21e3ff0ec5c1ca33c9c132255d980d85a00909521943785c07894cb809e79f

SHA512
c43310a99ded2eb7959be2c8bd1ab0e5ca9d0fa6282b3778a5cba1448afb8e6f126f0862fde8a133f3024384476d128c3e94569d9355d38ccf2a3917d3d23d53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
253fef557e1000a25d8397356857c337

SHA1
c34f7a955959790b8ac707341c12c9200673713a

SHA256
703038e4dce6f0e2d6483949ac58c7fd09d66f4d4c73e6cb747f889b1bcf930a

SHA512
9de3844921e989b9e29166806750345dcca2354c44d90535aced0dbbce26dc84c523aa3cf428828267d2460faa2e24dc1598b8fef713d4e3aae0e73dfde508f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
82efc789ac13ed37aa38f0502c8e15a2

SHA1
058e20251430cc684914af7691bc382d7eabec5c

SHA256
bee253d1f856d9d8a2dddaf37bd519f8f2651b7bde271a164c914c33e5f69a79

SHA512
2f589184a010fdeab6950dbaa70aa703d2fd53a5e89e3bbce119fc71dbd8919491b6e6aa4a55f5b0cf26023249a1ea22f1ada9e4e28f6d4b6baa265dc78f3661

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b0567f469a5575d73ed7260d7e652f1b

SHA1
b4ec54d1fe2b19f32fcfda9fb2927c0e1781d92c

SHA256
13d710929bb6945adeecb897f834da4030ceb9a5bb3117d91a279e724f313f89

SHA512
7501c9a8344ec961131bf8241d866ffc3162549d90216b0df9db7a9316e127e1fc408304b9d7912f0d1fcbc009f016edc5664a30200c2320fb4e33555f52998b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
5a49288eb04df6599d685116a504ea7c

SHA1
59441518c37217aa250bddd5bde0b3aad0f3c7b0

SHA256
41266f06eaa09bc1f557a1aee2c28006118c47a9cc6d96aa24642465d35a052d

SHA512
58a052a9885a18b14fd7fe768fdf0fbeb1737c0e19b38ac36332071044c0817b91bae1bbe52c631baed7ca9db6ad90215ad778225b6ee9a1a3ee40d4606d1305

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
160b70a1eaf35b02e827d26155b60993

SHA1
8d26b21695379865f67e350d8e3d8fd154eb1309

SHA256
0a23a82039bf0132aa2e6882408ab612ab63be0911841eb234703b869d408e3a

SHA512
8d605660e0180babd8211741e8a3f0663cdfed94e2e2bba85fecbea2612d144e05bdf588374e00c55d5e31fc6195004c0f43d33acd959c564b374b0c5fcf9c32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
de7585c978dfbc40bb1bfc32b14ecb3f

SHA1
e4498d91078299c0f1df5908212567f8dd889ff1

SHA256
773ee4a050e78a28e0f0c8192ec73f7e385e72af5a2013dbc308219eef26c19b

SHA512
6d38d006f29c23f5055bdc8099370b6229912e4fd4202c8a6a8f8a7b3cecf6e2fd8268448469d62d92ac42098f0c3d67de6a09502f6d7a781953939598c7e96d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
f0dc3823bbdc7b0e3dbc90f5a311d54a

SHA1
aa8298043254e826647bc58a26e9b77780f38330

SHA256
a6c8fb94737b029862222907104c2d5b87c49a9d6de6428d35f17f27a3f9249a

SHA512
5274e43d7f65066d91dac04d8ba9be152f86127389e6d7d93bc76cba5f5aef606e28647a867330abe826a0a81fbec027a430c28342dd5658f3445a29cea5f6ef

Download Submit
C:\Users\Admin\Downloads\ClipboardCutCopyHandler.ps1

Filesize
4KB

MD5
7ee8c5393ccc7d0d61dfcb78734093f2

SHA1
a733abe818f8121819ea4904a30456a4ee4eee2b

SHA256
935258f8551cfcd8089ced95692aa5d1016366e3395d5c07881481147f24497b

SHA512
10f361cc9d80e719cf7a00e2d3ca844cf4a2232fb2a61af9bd4396a0f60e2808ccdcba1ee7cd4b0e32888563224125dec53273959c4147e71614de8784b96512

Download Submit