e761389fd971f39c9163005a08c1dcf1e6bcd7ecfd07c6f00e03c204a2cb0b1d

Resubmissions

18-11-2024 02:15

241118-cpm6ss1kak 8

18-11-2024 02:13

241118-cnnqyawajh 6

18-11-2024 02:13

241118-cng86awaje 6

18-11-2024 02:08

241118-ckyfzavpbw 8

Analysis

max time kernel
40s
max time network
42s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
18-11-2024 02:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gugugugu.mp3
Size

30KB
MD5

a2297b490db3cef3f0d0e511d412e6d4
SHA1

c06e920083a5724b3852b411d7da3a1b12139386
SHA256

e761389fd971f39c9163005a08c1dcf1e6bcd7ecfd07c6f00e03c204a2cb0b1d
SHA512

fb68a698d9d439135e08b30e7d43ca9dd68c96b3a09c04dd5f911379a767684a5f913831596ee85a0cc93ddf2b483421ba8c7b87effcb18eb4cc0d03c18777d3
SSDEEP

768:uXBKhU5ImUFFuYkj8AQu/e19thD/SLkgoAmbiq:+BKhlmUFFuJj8AVuhTSIgoAh

Score

6^/10

steam discovery phishing

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe

Detected potential entity reuse from brand STEAM.
phishing steam

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
700	3756	WerFault.exe	76

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133763696565083467"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2410826464-2353372766-2364966905-1000\{B9375ED5-ED68-4245-B078-6C50C67E7775}	wmplayer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2784	chrome.exe
2784	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3756	wmplayer.exe
Token: SeCreatePagefilePrivilege	3756	wmplayer.exe
Token: SeShutdownPrivilege	2560	unregmp2.exe
Token: SeCreatePagefilePrivilege	2560	unregmp2.exe
Token: 33	4928	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4928	AUDIODG.EXE
Token: SeShutdownPrivilege	3756	wmplayer.exe
Token: SeCreatePagefilePrivilege	3756	wmplayer.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeCreatePagefilePrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeCreatePagefilePrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeCreatePagefilePrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeCreatePagefilePrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeCreatePagefilePrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeCreatePagefilePrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeCreatePagefilePrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeCreatePagefilePrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeCreatePagefilePrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeCreatePagefilePrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeCreatePagefilePrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeCreatePagefilePrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeCreatePagefilePrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeCreatePagefilePrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeCreatePagefilePrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeCreatePagefilePrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeCreatePagefilePrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeCreatePagefilePrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeCreatePagefilePrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeCreatePagefilePrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeCreatePagefilePrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeCreatePagefilePrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeCreatePagefilePrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeCreatePagefilePrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeCreatePagefilePrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeCreatePagefilePrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeCreatePagefilePrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeCreatePagefilePrivilege	2784	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
3756	wmplayer.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3756 wrote to memory of 3328	3756	wmplayer.exe	77
PID 3756 wrote to memory of 3328	3756	wmplayer.exe	77
PID 3756 wrote to memory of 3328	3756	wmplayer.exe	77
PID 3328 wrote to memory of 2560	3328	unregmp2.exe	78
PID 3328 wrote to memory of 2560	3328	unregmp2.exe	78
PID 2784 wrote to memory of 5116	2784	chrome.exe	89
PID 2784 wrote to memory of 5116	2784	chrome.exe	89
PID 2784 wrote to memory of 1352	2784	chrome.exe	90
PID 2784 wrote to memory of 1352	2784	chrome.exe	90
PID 2784 wrote to memory of 1352	2784	chrome.exe	90
PID 2784 wrote to memory of 1352	2784	chrome.exe	90
PID 2784 wrote to memory of 1352	2784	chrome.exe	90
PID 2784 wrote to memory of 1352	2784	chrome.exe	90
PID 2784 wrote to memory of 1352	2784	chrome.exe	90
PID 2784 wrote to memory of 1352	2784	chrome.exe	90
PID 2784 wrote to memory of 1352	2784	chrome.exe	90
PID 2784 wrote to memory of 1352	2784	chrome.exe	90
PID 2784 wrote to memory of 1352	2784	chrome.exe	90
PID 2784 wrote to memory of 1352	2784	chrome.exe	90
PID 2784 wrote to memory of 1352	2784	chrome.exe	90
PID 2784 wrote to memory of 1352	2784	chrome.exe	90
PID 2784 wrote to memory of 1352	2784	chrome.exe	90
PID 2784 wrote to memory of 1352	2784	chrome.exe	90
PID 2784 wrote to memory of 1352	2784	chrome.exe	90
PID 2784 wrote to memory of 1352	2784	chrome.exe	90
PID 2784 wrote to memory of 1352	2784	chrome.exe	90
PID 2784 wrote to memory of 1352	2784	chrome.exe	90
PID 2784 wrote to memory of 1352	2784	chrome.exe	90
PID 2784 wrote to memory of 1352	2784	chrome.exe	90
PID 2784 wrote to memory of 1352	2784	chrome.exe	90
PID 2784 wrote to memory of 1352	2784	chrome.exe	90
PID 2784 wrote to memory of 1352	2784	chrome.exe	90
PID 2784 wrote to memory of 1352	2784	chrome.exe	90
PID 2784 wrote to memory of 1352	2784	chrome.exe	90
PID 2784 wrote to memory of 1352	2784	chrome.exe	90
PID 2784 wrote to memory of 1352	2784	chrome.exe	90
PID 2784 wrote to memory of 1352	2784	chrome.exe	90
PID 2784 wrote to memory of 3796	2784	chrome.exe	91
PID 2784 wrote to memory of 3796	2784	chrome.exe	91
PID 2784 wrote to memory of 2328	2784	chrome.exe	92
PID 2784 wrote to memory of 2328	2784	chrome.exe	92
PID 2784 wrote to memory of 2328	2784	chrome.exe	92
PID 2784 wrote to memory of 2328	2784	chrome.exe	92
PID 2784 wrote to memory of 2328	2784	chrome.exe	92
PID 2784 wrote to memory of 2328	2784	chrome.exe	92
PID 2784 wrote to memory of 2328	2784	chrome.exe	92
PID 2784 wrote to memory of 2328	2784	chrome.exe	92
PID 2784 wrote to memory of 2328	2784	chrome.exe	92
PID 2784 wrote to memory of 2328	2784	chrome.exe	92
PID 2784 wrote to memory of 2328	2784	chrome.exe	92
PID 2784 wrote to memory of 2328	2784	chrome.exe	92
PID 2784 wrote to memory of 2328	2784	chrome.exe	92
PID 2784 wrote to memory of 2328	2784	chrome.exe	92
PID 2784 wrote to memory of 2328	2784	chrome.exe	92
PID 2784 wrote to memory of 2328	2784	chrome.exe	92
PID 2784 wrote to memory of 2328	2784	chrome.exe	92
PID 2784 wrote to memory of 2328	2784	chrome.exe	92
PID 2784 wrote to memory of 2328	2784	chrome.exe	92
PID 2784 wrote to memory of 2328	2784	chrome.exe	92
PID 2784 wrote to memory of 2328	2784	chrome.exe	92
PID 2784 wrote to memory of 2328	2784	chrome.exe	92
PID 2784 wrote to memory of 2328	2784	chrome.exe	92
PID 2784 wrote to memory of 2328	2784	chrome.exe	92
PID 2784 wrote to memory of 2328	2784	chrome.exe	92

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\gugugugu.mp3"
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3756
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3328
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:2560
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 2216
  2⤵
  - Program crash
  PID:700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:4844

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x000000000000049C 0x00000000000004DC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3756 -ip 3756
1⤵
PID:3304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcf9d4cc40,0x7ffcf9d4cc4c,0x7ffcf9d4cc58
  2⤵
  PID:5116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1936,i,1455869251894025475,14215247086359084304,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1932 /prefetch:2
  2⤵
  PID:1352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1832,i,1455869251894025475,14215247086359084304,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2188 /prefetch:3
  2⤵
  PID:3796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2216,i,1455869251894025475,14215247086359084304,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2228 /prefetch:8
  2⤵
  PID:2328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3104,i,1455869251894025475,14215247086359084304,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:3428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,1455869251894025475,14215247086359084304,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:1564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4448,i,1455869251894025475,14215247086359084304,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4472 /prefetch:1
  2⤵
  PID:640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4324,i,1455869251894025475,14215247086359084304,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4792 /prefetch:8
  2⤵
  PID:2968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4880,i,1455869251894025475,14215247086359084304,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4968 /prefetch:8
  2⤵
  PID:4124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4980,i,1455869251894025475,14215247086359084304,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5072 /prefetch:8
  2⤵
  PID:2500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5124,i,1455869251894025475,14215247086359084304,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4972 /prefetch:8
  2⤵
  PID:3328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5048,i,1455869251894025475,14215247086359084304,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4884 /prefetch:8
  2⤵
  PID:2528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5076,i,1455869251894025475,14215247086359084304,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5052 /prefetch:8
  2⤵
  PID:3388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4808,i,1455869251894025475,14215247086359084304,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4988 /prefetch:2
  2⤵
  PID:5048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5216,i,1455869251894025475,14215247086359084304,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:3976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3828,i,1455869251894025475,14215247086359084304,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:3848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5548,i,1455869251894025475,14215247086359084304,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5556 /prefetch:1
  2⤵
  PID:3500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3188,i,1455869251894025475,14215247086359084304,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3388 /prefetch:8
  2⤵
  PID:1532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5568,i,1455869251894025475,14215247086359084304,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:3344

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
6943e1c93e4dc52bb29791a5013c4a6a

SHA1
86ff85aca973b52898e86299ec16499257d5d146

SHA256
441e413846159a0f5d1a7d35ef8841722c8f6f5decdb867e329a207c831f3a63

SHA512
a163d3e2b212c9b5f448b0a574eace4d334602365c6ba3f42e7b28ca89e4ad73f788556b8a39563bb06fb27ffbe353ee23ee99678f49380df0df9343cbf526bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
e96d4e35b14c02aca15f7e1656f8eb17

SHA1
6441c38f6d5af1c7f4e7b313f4f55d039e4ca928

SHA256
b68503b119073f709e4972c2ab6034e2a5e20665e9845ae99406e3fc6f66abf5

SHA512
674ebf5f446139a10bc74126e0837cd95514d4b4b53bf6d37ef795b2a50da0db8e5ef586e60e83c043c61d46addfc5b0023343ab65713aadd41cb17292e5e25f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
72b9e1e8ef6fbd502fdb16914fe6dc1e

SHA1
1870a30cb393079557c09bb62606e2d091713eef

SHA256
e2659ab01529ca106555af3d8915eee568d24343efc40d93a1c13e383cde1648

SHA512
8c6c08c0b1144bde02fce31c25094f1ccb584d0302bdc0a79129446d7879d61d8aa9cf763b19dc0575f7e04be7498dcb1fc3c9df368035017c5d24a5f2e7cf8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
418d223ec7d3687e79caafaf3b635b18

SHA1
48c7385d60cfaac78e22fca27da4522e1cc59c9e

SHA256
f58c299a93e0231bf0af3d9df9339274b9b5551d9601444dc5ddda06c1306a16

SHA512
bc3c7bef0c4157e4d5342e5035120f9b5e8855c7f159cfebe37983f2f5fe0a8e2f7913b7de81699f9b0e1121e944719313289ebd46e04bb65a0f04d49b53e31b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bdb4b092f2c8a126cca203c53097df69

SHA1
2da536ed470234b0c6389369e3b5bed9b280c7e1

SHA256
f2e295e6b87df8fd2288baf3b51f8f5efa5f04e0c99ae9654b9aef6775e67b47

SHA512
7fc4d17d44d2e66f6b9ef441a696eda1b284cdf27fa4218fe7367363e6212acd15fe0bd826955ad609e9b0fc8e6d18453e759515b6573e033105c0c57846d014

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
4baefc3fd26f2ed3339831f6a4e33230

SHA1
451e643a63c916e82a941d73f21e6600a046544b

SHA256
7491f4f78d883cb475557f8a369b2a7bb2ae7684d54dfba614fb6e29b1073243

SHA512
23cbfaa1c92cf5f930a2e42ff4aeffd027fa4f69d3adabe11c9d3094274b9955537bc37d04fb2c64937cb73fb52b59f1a8bdd854927ad88167b103809d9784c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
9135065f43e76cae241727316d195bc6

SHA1
83b6fce90e6ff18aac8ffe07e4ee12125ab27fc8

SHA256
4f2fbcc32c87240b96a41a8528903ea442bb617a7583b58af036e5cea29a7332

SHA512
f5af1cc24048f18a338b882da8147a9598280d0ecf9ac480ed6e8f15e726929a1c76a812a63eeaefa5623dfd80d0e0398677fc150d522e279d654ec51bf4e7f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\f9dba513-b77c-40cd-8b19-731ad0d04600.tmp

Filesize
16KB

MD5
96e3ed86f64ecf6204faf54a205f4c26

SHA1
38e06f8f139002cdeed3ffdabb1d075378542820

SHA256
defdf4abde3e6d80bd5dbb5dddf69793c4e9fc0bc48c1d41ff309b68d0cec97d

SHA512
c0e67b6a1f19b4a3442ba0a23827d4eb17e02cf07cb2d01047efc67f896b8b8f744380ef87c0b9591a130c65cad77c6d73614839fd9bd421ec714e1a80083749

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
e1dd9a1ee2770629413f18c88159b6fc

SHA1
6912797701b174c49291f33f8018ae3d93b8fca5

SHA256
391f70adbac571753412ea6f6dea679eaab6a1d7f720fe7054a0f77fd8ae2466

SHA512
e34faf1c8e28e1e9124aa6337eb8bf4480a762903c460f1ab9e0f0b7faed761bda169ccd449b12f0f96e43e19d0c52501a29bae67ad42f70629fb174128f8396

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
0904aa3f8335df5be22cba371022f205

SHA1
a961949c9ac1e44038181a7fcbc7226ced68ab97

SHA256
898295d06ab6d27311a7bc2fbce8c5ae0c1dafc0a2c32f2a40c1975b903ba05a

SHA512
844f3eefb4c3d1bc382e2f6d4fba5e8b18bbf0c81e64b0f275ca9cafdbceb64f28a3fb874cc4212240a789835ec294ed2a4a62ce5ca53fe347d0ef892010c69e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
384KB

MD5
d78fe491ac2a586b706bee544131393f

SHA1
6343a599be838f0ce41e353c234d5234feb75417

SHA256
084c52f281902ffe5cd101d12e8dcfdb5ec872226d37b86922cdcc9535e78688

SHA512
e8aa4b80c9a43dd110c5dc89bedbf0ec53bd48cdb83e51899fadcc10615a58fc5b5903dbd31200c5d4a694c0cdd48b16282d858cc928cacfeeb9887f2c68fd24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
7f7208efa10a73708415467b7af27f12

SHA1
f97e42ce0449699b7b27172df9b04c75c94891f8

SHA256
32b1de41c0774e04d79869916d81efb64a061b6c724434c7508c09ea2546f82a

SHA512
9f32a66674d55bab8069500621b0bcfd1b89c4b191e3223fc6868f7bfdb2cf970383448438a69adfc05e6cc20f90426f5094f6562444064384eb1f0fc9066a90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\0c68251e-98ac-4347-ade3-9177ba7099c2.tmp

Filesize
132KB

MD5
da75bb05d10acc967eecaac040d3d733

SHA1
95c08e067df713af8992db113f7e9aec84f17181

SHA256
33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2

SHA512
56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2784_256093367\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
a230bd59e888b81ff3f1778ce48fd8f0

SHA1
133612d242e97660238f1c44443c719877b88f98

SHA256
53611a2fc5cd9d46007a0d7216166a940b62d31053287c30c34c1c50d4f5cf27

SHA512
ff2237a6c48cb458e73190d63f48a564d8a7264e3229ba62be7f4f9426b267a11f0d8c194a2a91ab281b08c33fcf5edcc3a1cc088d62693130b00efb49736677

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/3756-37-0x00000000048B0000-0x00000000048C0000-memory.dmp

Filesize
64KB

Download
memory/3756-33-0x00000000048B0000-0x00000000048C0000-memory.dmp

Filesize
64KB

Download
memory/3756-34-0x00000000048B0000-0x00000000048C0000-memory.dmp

Filesize
64KB

Download
memory/3756-29-0x00000000048B0000-0x00000000048C0000-memory.dmp

Filesize
64KB

Download
memory/3756-32-0x00000000048B0000-0x00000000048C0000-memory.dmp

Filesize
64KB

Download
memory/3756-30-0x00000000048B0000-0x00000000048C0000-memory.dmp

Filesize
64KB

Download
memory/3756-31-0x00000000048B0000-0x00000000048C0000-memory.dmp

Filesize
64KB

Download