hxxp://Google[.]com

Resubmissions

25/03/2025, 20:32

250325-za94cawjy9 10

25/03/2025, 20:27

25/03/2025, 20:24

25/03/2025, 20:20

25/03/2025, 20:16

25/03/2025, 20:12

25/03/2025, 20:08

Analysis

max time kernel
176s
max time network
173s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
25/03/2025, 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://Google.com

Score

7^/10

bootkit discovery persistence upx

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
4024	mbr.exe
480	noise.exe
1588	mbr.exe
3052	mousedraw.exe
2292	sussywaves.exe
2348	noise.exe
352	mousedraw.exe
4900	BitBlt1.exe
3280	sussywaves.exe
872	BitBlt1.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
60	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	mbr.exe
File opened for modification	\??\PhysicalDrive0	mbr.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1776-537-0x0000000000400000-0x000000000062C000-memory.dmp	upx
behavioral1/memory/1776-580-0x0000000000400000-0x000000000062C000-memory.dmp	upx
behavioral1/memory/2312-637-0x0000000000400000-0x000000000062C000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	noise.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitBlt1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitBlt1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chlorine 2.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mbr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mbr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mousedraw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sussywaves.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	noise.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chlorine 2.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mousedraw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sussywaves.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133874074277401111"	chrome.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings	wscript.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Chlorine 2.0.zip:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
3196	chrome.exe
3196	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeCreatePagefilePrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeCreatePagefilePrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeCreatePagefilePrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeCreatePagefilePrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeCreatePagefilePrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeCreatePagefilePrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeCreatePagefilePrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeCreatePagefilePrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeCreatePagefilePrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeCreatePagefilePrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeCreatePagefilePrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeCreatePagefilePrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeCreatePagefilePrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeCreatePagefilePrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeCreatePagefilePrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeCreatePagefilePrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeCreatePagefilePrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeCreatePagefilePrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeCreatePagefilePrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeCreatePagefilePrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeCreatePagefilePrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeCreatePagefilePrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeCreatePagefilePrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeCreatePagefilePrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeCreatePagefilePrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeCreatePagefilePrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeCreatePagefilePrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeCreatePagefilePrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeCreatePagefilePrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeCreatePagefilePrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeCreatePagefilePrivilege	1708	chrome.exe
Token: SeShutdownPrivilege	1708	chrome.exe
Token: SeCreatePagefilePrivilege	1708	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe
1708	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1776	Chlorine 2.0.exe
2312	Chlorine 2.0.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 3904	1708	chrome.exe	81
PID 1708 wrote to memory of 3904	1708	chrome.exe	81
PID 1708 wrote to memory of 4892	1708	chrome.exe	82
PID 1708 wrote to memory of 4892	1708	chrome.exe	82
PID 1708 wrote to memory of 3912	1708	chrome.exe	83
PID 1708 wrote to memory of 3912	1708	chrome.exe	83
PID 1708 wrote to memory of 4892	1708	chrome.exe	82
PID 1708 wrote to memory of 4892	1708	chrome.exe	82
PID 1708 wrote to memory of 4892	1708	chrome.exe	82
PID 1708 wrote to memory of 4892	1708	chrome.exe	82
PID 1708 wrote to memory of 4892	1708	chrome.exe	82
PID 1708 wrote to memory of 4892	1708	chrome.exe	82
PID 1708 wrote to memory of 4892	1708	chrome.exe	82
PID 1708 wrote to memory of 4892	1708	chrome.exe	82
PID 1708 wrote to memory of 4892	1708	chrome.exe	82
PID 1708 wrote to memory of 4892	1708	chrome.exe	82
PID 1708 wrote to memory of 4892	1708	chrome.exe	82
PID 1708 wrote to memory of 4892	1708	chrome.exe	82
PID 1708 wrote to memory of 4892	1708	chrome.exe	82
PID 1708 wrote to memory of 4892	1708	chrome.exe	82
PID 1708 wrote to memory of 4892	1708	chrome.exe	82
PID 1708 wrote to memory of 4892	1708	chrome.exe	82
PID 1708 wrote to memory of 4892	1708	chrome.exe	82
PID 1708 wrote to memory of 4892	1708	chrome.exe	82
PID 1708 wrote to memory of 4892	1708	chrome.exe	82
PID 1708 wrote to memory of 4892	1708	chrome.exe	82
PID 1708 wrote to memory of 4892	1708	chrome.exe	82
PID 1708 wrote to memory of 4892	1708	chrome.exe	82
PID 1708 wrote to memory of 4892	1708	chrome.exe	82
PID 1708 wrote to memory of 4892	1708	chrome.exe	82
PID 1708 wrote to memory of 4892	1708	chrome.exe	82
PID 1708 wrote to memory of 4892	1708	chrome.exe	82
PID 1708 wrote to memory of 4892	1708	chrome.exe	82
PID 1708 wrote to memory of 4892	1708	chrome.exe	82
PID 1708 wrote to memory of 3692	1708	chrome.exe	85
PID 1708 wrote to memory of 3692	1708	chrome.exe	85
PID 1708 wrote to memory of 3692	1708	chrome.exe	85
PID 1708 wrote to memory of 3692	1708	chrome.exe	85
PID 1708 wrote to memory of 3692	1708	chrome.exe	85
PID 1708 wrote to memory of 3692	1708	chrome.exe	85
PID 1708 wrote to memory of 3692	1708	chrome.exe	85
PID 1708 wrote to memory of 3692	1708	chrome.exe	85
PID 1708 wrote to memory of 3692	1708	chrome.exe	85
PID 1708 wrote to memory of 3692	1708	chrome.exe	85
PID 1708 wrote to memory of 3692	1708	chrome.exe	85
PID 1708 wrote to memory of 2316	1708	chrome.exe	86
PID 1708 wrote to memory of 3692	1708	chrome.exe	85
PID 1708 wrote to memory of 3692	1708	chrome.exe	85
PID 1708 wrote to memory of 3692	1708	chrome.exe	85
PID 1708 wrote to memory of 2316	1708	chrome.exe	86
PID 1708 wrote to memory of 3692	1708	chrome.exe	85
PID 1708 wrote to memory of 3692	1708	chrome.exe	85
PID 1708 wrote to memory of 3692	1708	chrome.exe	85
PID 1708 wrote to memory of 3692	1708	chrome.exe	85
PID 1708 wrote to memory of 3692	1708	chrome.exe	85
PID 1708 wrote to memory of 3692	1708	chrome.exe	85
PID 1708 wrote to memory of 3692	1708	chrome.exe	85
PID 1708 wrote to memory of 3692	1708	chrome.exe	85
PID 1708 wrote to memory of 3692	1708	chrome.exe	85
PID 1708 wrote to memory of 3692	1708	chrome.exe	85
PID 1708 wrote to memory of 3692	1708	chrome.exe	85
PID 1708 wrote to memory of 3692	1708	chrome.exe	85
PID 1708 wrote to memory of 3692	1708	chrome.exe	85
PID 1708 wrote to memory of 3692	1708	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://Google.com
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb7456dcf8,0x7ffb7456dd04,0x7ffb7456dd10
  2⤵
  PID:3904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1868,i,5761574858345627213,17938311914793281574,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=1864 /prefetch:2
  2⤵
  PID:4892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1420,i,5761574858345627213,17938311914793281574,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2116 /prefetch:11
  2⤵
  PID:3912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2364,i,5761574858345627213,17938311914793281574,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2192 /prefetch:13
  2⤵
  PID:3692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2852,i,5761574858345627213,17938311914793281574,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2880 /prefetch:1
  2⤵
  PID:2316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2856,i,5761574858345627213,17938311914793281574,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2976 /prefetch:1
  2⤵
  PID:1448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4200,i,5761574858345627213,17938311914793281574,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4220 /prefetch:9
  2⤵
  PID:3928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=2628,i,5761574858345627213,17938311914793281574,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4572 /prefetch:1
  2⤵
  PID:952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5112,i,5761574858345627213,17938311914793281574,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5044 /prefetch:14
  2⤵
  PID:4404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5360,i,5761574858345627213,17938311914793281574,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:2620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5540,i,5761574858345627213,17938311914793281574,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5580 /prefetch:14
  2⤵
  PID:4696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5548,i,5761574858345627213,17938311914793281574,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5592 /prefetch:14
  2⤵
  PID:2024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5556,i,5761574858345627213,17938311914793281574,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5624 /prefetch:14
  2⤵
  PID:3168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5876,i,5761574858345627213,17938311914793281574,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5872 /prefetch:14
  2⤵
  - NTFS ADS
  PID:3004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=5776,i,5761574858345627213,17938311914793281574,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5748 /prefetch:10
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3196

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4360

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3196

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_Chlorine 2.0.zip\readme.txt
1⤵
PID:1792

C:\Users\Admin\Downloads\Chlorine 2.0\Chlorine 2.0.exe
"C:\Users\Admin\Downloads\Chlorine 2.0\Chlorine 2.0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1776
- C:\Windows\system32\wscript.exe
  "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\3677.tmp\3678.tmp\3679.vbs //Nologo
  2⤵
  - Modifies registry class
  PID:2200
- - C:\Users\Admin\AppData\Local\Temp\3677.tmp\mbr.exe
    "C:\Users\Admin\AppData\Local\Temp\3677.tmp\mbr.exe"
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    PID:4024
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3677.tmp\msgloop.vbs"
    3⤵
    PID:3960
- - C:\Users\Admin\AppData\Local\Temp\3677.tmp\noise.exe
    "C:\Users\Admin\AppData\Local\Temp\3677.tmp\noise.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:480
- - C:\Users\Admin\AppData\Local\Temp\3677.tmp\mousedraw.exe
    "C:\Users\Admin\AppData\Local\Temp\3677.tmp\mousedraw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3052
- - C:\Users\Admin\AppData\Local\Temp\3677.tmp\sussywaves.exe
    "C:\Users\Admin\AppData\Local\Temp\3677.tmp\sussywaves.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2292
- - C:\Users\Admin\AppData\Local\Temp\3677.tmp\BitBlt1.exe
    "C:\Users\Admin\AppData\Local\Temp\3677.tmp\BitBlt1.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4900

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004D0
1⤵
PID:4952

C:\Users\Admin\Downloads\Chlorine 2.0\Chlorine 2.0.exe
"C:\Users\Admin\Downloads\Chlorine 2.0\Chlorine 2.0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2312
- C:\Windows\system32\wscript.exe
  "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\75C3.tmp\75C4.tmp\75C5.vbs //Nologo
  2⤵
  - Modifies registry class
  PID:1888
- - C:\Users\Admin\AppData\Local\Temp\75C3.tmp\mbr.exe
    "C:\Users\Admin\AppData\Local\Temp\75C3.tmp\mbr.exe"
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    PID:1588
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75C3.tmp\msgloop.vbs"
    3⤵
    PID:2408
- - C:\Users\Admin\AppData\Local\Temp\75C3.tmp\noise.exe
    "C:\Users\Admin\AppData\Local\Temp\75C3.tmp\noise.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2348
- - C:\Users\Admin\AppData\Local\Temp\75C3.tmp\mousedraw.exe
    "C:\Users\Admin\AppData\Local\Temp\75C3.tmp\mousedraw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:352
- - C:\Users\Admin\AppData\Local\Temp\75C3.tmp\sussywaves.exe
    "C:\Users\Admin\AppData\Local\Temp\75C3.tmp\sussywaves.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3280
- - C:\Users\Admin\AppData\Local\Temp\75C3.tmp\BitBlt1.exe
    "C:\Users\Admin\AppData\Local\Temp\75C3.tmp\BitBlt1.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
25c1b9b3fccd8213f76d2f9fe66746bb

SHA1
c0bf7ebc877cb65e43bdc18edd7703549831fc64

SHA256
01141628aaa63181f963203fd82f4ddbd710bd272ca62321224a057b53bb706f

SHA512
37432bbd69e8b5efba7a25a1e2719ec4d18744541fad2b1b5cc98a1e8735138adabf40174aa698b1ec01590f6f7a0d0e1d90390a42fc1640cbfc82a7fb8726b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
304b0a7032c5203693d8d9a5dfd61458

SHA1
8aa9154c50bbd85e0a1397e9982b534a3f3038e2

SHA256
7ee60b6ecedf126e7b9603acb652ba8de47abc4e3c46ba1116cb4d24fcb7b7f0

SHA512
3b2206315f1b2d013d41171075de9077fe3610295fa2f7520245f8cc5a7761c4b1ce1d8d53919077b7eebba387c94ac83b03f187d5b4cffe0b97e80a77ca1cd0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\92f2fa7d-aeb3-417a-8f72-69598bd88d01.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
3ffa72bfc24ad6aa997ed7676f0cdfaf

SHA1
70cc2af724ddac5585208c6e2a922d6b10d4abf0

SHA256
b7f5a67fa7062326de065d5cecf2acb8963ab979238950b147b00eb86448433b

SHA512
7ec0e8d75d52f61f34dc83d87e49a4cf687556ea18110b291e53cf2474014d4ebfc3b19ddc1e0359c54e7a72f9f122d8d868c09056b7dff8a403a92e33139f4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
3a3ebef54d241304a7251e395ba715f9

SHA1
994666fbc9046946e6e3157c526ceb335c8998b7

SHA256
77e2de4dfcb7cfcb3dd61e43b8ce0e057872e7b9f852f2e8ef26441dc3bd9ebb

SHA512
27f922612675785cf2932c6ba6adfd12e5ae838a89000f293dee787c96cd0b7a1a15656506f571645d01b7c3bd474f470256f32f836a3dc354195eb5ea68051e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
e35379d62b0e3ce09edcde243eac2a69

SHA1
061366fbcf6bfe73a349750d561b8064eff658ca

SHA256
4049390c813580bfb500d0cad85b17450829a7a451b14b409df59a8d6d39d4d8

SHA512
b1ffe063efef54651f9701f5fcf10470363505c4290903b71e7167354dd483daeae020b58a5ca1da979217d1018f5c98faf6c86d402e7593dbde78aec6482b91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
28660dea8ad112d2dd98ec565dd983a2

SHA1
c9c218ae27fec4271aadd92c5bc5261b0353da24

SHA256
d751f160579ff8aa82a4ad89beaf1f2f18bdc02c56892cc7e85cae9f0527e10c

SHA512
0e9626b20781f0f3c5ca4f65c4f78e5e869641327eac11f3a9784460832aaf46d58e272a58f2665889177ecb20a22d9e59c97822ef8d598f0192cd1c99b9f577

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
1826cf6cc0111e3d779d638875217272

SHA1
1515d03597247a093b1c322d2a898cf89c6386bc

SHA256
d79d2b66f48fc297b4c1cfe21bf0304ddb89233db8a7efb5ebb8bf648fbd16f8

SHA512
5e1b7bc598b5eb68a56a4245b5832fdea13c6f91ed0e0d96c97cb37c42f4205f5a057a72857b6c5042891593c5e74290bdb88f479e9048700320b4e7076c5be4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e466f83012e912c8fd3167faa8442b6e

SHA1
3fe4f1aadb16369b0df0e3b970affe4172f2f246

SHA256
ffdc507df55b85118da97eb59859ba60afccc5c29d2ede0481c0ec94f1253979

SHA512
1bbd654cdcfcd82cf5e569c576f46416328b16e7cb3ef77e3d185a7008e48abe679d1f338051894a934c258aba12807f1bbf342d0d16e780463af2c6ba56f499

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
a8bb56ecfe871b00ae826bbd7b4a6fd0

SHA1
6a276534042dbb3960221f93b25f02c749a66145

SHA256
2b0bfc928ea1bb191367c5d9d0ee0f850c78fbd248395df56ad9feb64ee92090

SHA512
5078e3ee603f7e08f7d3537c2cd4bc7891f3550fdb3be0498c0cbfeb6baea202b756d1b7dae2053f3fd64e05e1249ca6150fd16b6fea350a8ccdb1fe21ca5f18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
2fc0e9b086989768f46c88cef8d43741

SHA1
66d87e0e2df96c47cc814071e52a1b67e5f2139c

SHA256
99a6280aeb2616c2ccae0647b9d59e68e24364934a32f45585f02d57f44c77d0

SHA512
40d19e4d85a50b70676ba53aa487dc05d0fc35cca031d9a2f2ac38c5dc783299d03f6d8196b54d6d255e3425420ad5774affd92ad0cada4e683d9041728288fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57ce8b.TMP

Filesize
48B

MD5
e9e4c7dab9bf71b302bb4771069449eb

SHA1
728dcac640f936ce64077a85e976464a5cc41701

SHA256
19539f303b63174e0bc0424c49287a628ed4e50d95d3f6f8de3c86221ab8a233

SHA512
395a3af154026dd99e0c9142e1d52b4cb282e3601d8348aa22643c58be07bc2c328029c695433a7cdc04e32a8625e7589cbd4c376863948ba44ea16843c4d7c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
3e4e68a7af62c90d9c011461fbebed5b

SHA1
ceec9be9302e4639d8218caa3e226cd24ce8bb23

SHA256
08fc9ae40c0c1a3f6d155c87f3641ccf8840d2b03f83702db2dcc2a802d79af6

SHA512
ac57b4ed30b6c0b3b49764db2a8be625931f6cca562fb8e4eb0c5f41f4d1b71188c67af0645bd797ae62e94a4b8d392e5c0c48921ccde7674d825f0c5edba1e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
5054b7ff075a871db1b5c54e6075a440

SHA1
baea6dda170b1c11189a84070367113e5b00df8a

SHA256
4d168e321a31edd561b491ec5b612a3a7652ed19d96ae2ffe1eaba8aa0723d75

SHA512
7dc21e992999b9100c51825635763df0b7d152d1d39359a7d16d7f7302dd7e34ee73af7d79fcf2487874b27cf8a14e8146d9a8f12884de4764b51487f8fd9a82

Download Submit
C:\Users\Admin\AppData\Local\Temp\3677.tmp\3678.tmp\3679.vbs

Filesize
1KB

MD5
45b6873a3068a9fc124fe76d9bea42d4

SHA1
ab8be455775e5fcf1118fa68990b54daad9216b1

SHA256
76bc005b55d16fb4fe99d303a8cbcdfb8fa09a169a0f2dafdd1f15a514acff13

SHA512
0a3bd4b62b8a9b2edf81b30043f556ca18dadecdd358a007f797565dfbdaf191751c3df5e97b08bf1556fa59c82f4ea204fe0da4d9c457c2572495e00e36faa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3677.tmp\BitBlt1.exe

Filesize
105KB

MD5
19a8a16e2a0d3225d1fc390c0a11b5dd

SHA1
ca235475f7a767e10c81426e013ee59106deb306

SHA256
8d6452b5a2dacbf6a1e064fc959f16a5ec13b5986a2687e70b5458eefdb60573

SHA512
d470d61fa9b19c34cd9ed916f9a6b44c821ed47082393212c17c743a764d2eed4dea2aae31f37d984f3c359ca646b34f0c6486f5f473d940c675974deb313ec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3677.tmp\mbr.exe

Filesize
1.3MB

MD5
7a2bd73519cd758b01e8c3b28311cac1

SHA1
a2255b0aa4ea8e5ed139a2e9a1aa64307f7eb5ee

SHA256
24706c7d79457b47edca4623fbdef2c2ef1f56e905838c70ac44dc4cad539238

SHA512
aa5b48cf7685f0dc66ba3146e396fc3c8c3d4a70b0ab4ccf3bf183bd4e2b198909c09b82459694dc49040a775c74802abf32dd3252209051af7969796c674ea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3677.tmp\mousedraw.exe

Filesize
104KB

MD5
f7db0edd465e545dcd947f4beef32779

SHA1
a02d2dcbe4ea1146b726a6191354340f8dd41f6a

SHA256
9bbce9c9e1b513084b8a206e935b2512a341fd81688e71735ef27511d0378d47

SHA512
6d40cf365a30277328f9103083e939ac8fedf860ffef6d0c5bd80d708e0f73d606f456d37aa1fa5e69964ac2e20c263fbaa755a9c28eff962395e3509a7a4e25

Download Submit
C:\Users\Admin\AppData\Local\Temp\3677.tmp\msgloop.vbs

Filesize
336B

MD5
d95b234c9cef8f7f398d758564bf5821

SHA1
cd499485f7b128d2b475bc92311a45cd8c8b6de7

SHA256
33923a07189189bcb897d6617457ece2a93c0fc9f5de8a786c39c874af9a0630

SHA512
51dfccb4975eb385d20cf58af02ed4e19d954777fdcc289a00409d94611d177efc20307312d42fc8e03590d0afc02bf78802830847bd8f0e8a6485bcb9ef8154

Download Submit
C:\Users\Admin\AppData\Local\Temp\3677.tmp\noise.exe

Filesize
102KB

MD5
3c285eec317672f7eb27ec27244cbe59

SHA1
3bd2512ea461dd67babad9b398128c70a3dde059

SHA256
81cbb8c54d2dfdda281e37aff08f9f98afab3f415fbe3c7b5242c1b85495e715

SHA512
590ec0ed53848bee0ae82e0ecc62c48d66f0380ca04c6e425cc97bdd05f1b2cddeecf2e58d58dbfee4872500a425b7d5d1401f955d65d891114f61cd7baaf5d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3677.tmp\noise.wav

Filesize
1.0MB

MD5
cdc6c78486f27876fca2f9ce090fe2df

SHA1
5b2655c058b1a0415e00c207839113b863b0a750

SHA256
31be0f1ab83ae8bddccd657ca78c57ee26e2ac3b3a87637e3adc6405f018b399

SHA512
3f80524dbcfd2f1e756710f2f21cb498268da7528077833ed01b4f2030aa0df0f0528a69a6b516ad1e5988174d1395ae189981e707127bea0acdfa6be0477f2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3677.tmp\sussywaves.exe

Filesize
105KB

MD5
632da6456dceea4819027bad982ab3cb

SHA1
9a5da49ddc3458b72fa3eae77332cac643508ad3

SHA256
13304570c6ccb706114aaae4602be5c85fa1862e1ed0200b3f0de514b14fcd41

SHA512
cceb677651a8f7df59c8a22a076a69be31bc3a72992fbce6373d6908a33a0e2e1b7c669f664a9617933197ec7ff1b6e96fcc8613329b750dc143273f90991a55

Download Submit
C:\Users\Admin\Downloads\Chlorine 2.0.zip.crdownload

Filesize
8.7MB

MD5
283ace63f8098bc81085b1afa4a1b2e1

SHA1
4848409d5dd062eaea4664fb1471da87242f5e5a

SHA256
9882a822f94ab32f588d8db12165838798c8adefefc5301eb367592662df944f

SHA512
1ff5ed7b3d4bccfee9a12817cdc537eb37fe92c082fd445e696ceb4d595f05dffe180464dabe23037b9f46030ed2ed54fe82fba2b8b9856b62013ba3bf6cc3f0

Download Submit
memory/352-657-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/352-668-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/480-635-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/872-675-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1588-629-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1776-537-0x0000000000400000-0x000000000062C000-memory.dmp

Filesize
2.2MB

Download
memory/1776-580-0x0000000000400000-0x000000000062C000-memory.dmp

Filesize
2.2MB

Download
memory/2292-648-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2312-637-0x0000000000400000-0x000000000062C000-memory.dmp

Filesize
2.2MB

Download
memory/2348-652-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3052-651-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3052-660-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3052-671-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3052-639-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3280-663-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4024-574-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4900-658-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download