hxxp://Google[.]com

Resubmissions

25/03/2025, 20:32

250325-za94cawjy9 10

25/03/2025, 20:27

25/03/2025, 20:24

25/03/2025, 20:20

25/03/2025, 20:16

25/03/2025, 20:12

25/03/2025, 20:08

Analysis

max time kernel
162s
max time network
166s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
25/03/2025, 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://Google.com

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
5720	MainWindow.exe
2616	PatBlt.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	WScript.exe
File opened (read-only)	\??\N:	WScript.exe
File opened (read-only)	\??\V:	WScript.exe
File opened (read-only)	\??\X:	WScript.exe
File opened (read-only)	\??\Q:	WScript.exe
File opened (read-only)	\??\H:	WScript.exe
File opened (read-only)	\??\M:	WScript.exe
File opened (read-only)	\??\O:	WScript.exe
File opened (read-only)	\??\P:	WScript.exe
File opened (read-only)	\??\Y:	WScript.exe
File opened (read-only)	\??\A:	WScript.exe
File opened (read-only)	\??\U:	WScript.exe
File opened (read-only)	\??\Z:	WScript.exe
File opened (read-only)	\??\B:	WScript.exe
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\J:	WScript.exe
File opened (read-only)	\??\L:	WScript.exe
File opened (read-only)	\??\R:	WScript.exe
File opened (read-only)	\??\S:	WScript.exe
File opened (read-only)	\??\T:	WScript.exe
File opened (read-only)	\??\W:	WScript.exe
File opened (read-only)	\??\G:	WScript.exe
File opened (read-only)	\??\I:	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
56	raw.githubusercontent.com
67	raw.githubusercontent.com

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/560-558-0x0000000000400000-0x00000000004F1000-memory.dmp	upx
behavioral1/memory/560-599-0x0000000000400000-0x00000000004F1000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PatBlt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coffin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MainWindow.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133874077273063238"	chrome.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1136229799-3442283115-138161576-1000\{C6F32985-CB75-43CC-A7BA-EB38F84AA42D}	WScript.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Coffin32.zip:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4976	chrome.exe
4976	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5720	MainWindow.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 2808	4028	chrome.exe	81
PID 4028 wrote to memory of 2808	4028	chrome.exe	81
PID 4028 wrote to memory of 1736	4028	chrome.exe	82
PID 4028 wrote to memory of 1736	4028	chrome.exe	82
PID 4028 wrote to memory of 1736	4028	chrome.exe	82
PID 4028 wrote to memory of 1736	4028	chrome.exe	82
PID 4028 wrote to memory of 1736	4028	chrome.exe	82
PID 4028 wrote to memory of 1736	4028	chrome.exe	82
PID 4028 wrote to memory of 1736	4028	chrome.exe	82
PID 4028 wrote to memory of 1736	4028	chrome.exe	82
PID 4028 wrote to memory of 1736	4028	chrome.exe	82
PID 4028 wrote to memory of 1736	4028	chrome.exe	82
PID 4028 wrote to memory of 1736	4028	chrome.exe	82
PID 4028 wrote to memory of 1736	4028	chrome.exe	82
PID 4028 wrote to memory of 1736	4028	chrome.exe	82
PID 4028 wrote to memory of 1736	4028	chrome.exe	82
PID 4028 wrote to memory of 1736	4028	chrome.exe	82
PID 4028 wrote to memory of 1736	4028	chrome.exe	82
PID 4028 wrote to memory of 1736	4028	chrome.exe	82
PID 4028 wrote to memory of 1736	4028	chrome.exe	82
PID 4028 wrote to memory of 1736	4028	chrome.exe	82
PID 4028 wrote to memory of 1736	4028	chrome.exe	82
PID 4028 wrote to memory of 1736	4028	chrome.exe	82
PID 4028 wrote to memory of 1736	4028	chrome.exe	82
PID 4028 wrote to memory of 1736	4028	chrome.exe	82
PID 4028 wrote to memory of 1736	4028	chrome.exe	82
PID 4028 wrote to memory of 1736	4028	chrome.exe	82
PID 4028 wrote to memory of 1736	4028	chrome.exe	82
PID 4028 wrote to memory of 1736	4028	chrome.exe	82
PID 4028 wrote to memory of 1736	4028	chrome.exe	82
PID 4028 wrote to memory of 1736	4028	chrome.exe	82
PID 4028 wrote to memory of 1736	4028	chrome.exe	82
PID 4028 wrote to memory of 2396	4028	chrome.exe	83
PID 4028 wrote to memory of 2396	4028	chrome.exe	83
PID 4028 wrote to memory of 4808	4028	chrome.exe	84
PID 4028 wrote to memory of 4808	4028	chrome.exe	84
PID 4028 wrote to memory of 4808	4028	chrome.exe	84
PID 4028 wrote to memory of 4808	4028	chrome.exe	84
PID 4028 wrote to memory of 4808	4028	chrome.exe	84
PID 4028 wrote to memory of 4808	4028	chrome.exe	84
PID 4028 wrote to memory of 4808	4028	chrome.exe	84
PID 4028 wrote to memory of 4808	4028	chrome.exe	84
PID 4028 wrote to memory of 4808	4028	chrome.exe	84
PID 4028 wrote to memory of 4808	4028	chrome.exe	84
PID 4028 wrote to memory of 4808	4028	chrome.exe	84
PID 4028 wrote to memory of 4808	4028	chrome.exe	84
PID 4028 wrote to memory of 4808	4028	chrome.exe	84
PID 4028 wrote to memory of 4808	4028	chrome.exe	84
PID 4028 wrote to memory of 4808	4028	chrome.exe	84
PID 4028 wrote to memory of 4808	4028	chrome.exe	84
PID 4028 wrote to memory of 4808	4028	chrome.exe	84
PID 4028 wrote to memory of 4808	4028	chrome.exe	84
PID 4028 wrote to memory of 4808	4028	chrome.exe	84
PID 4028 wrote to memory of 4808	4028	chrome.exe	84
PID 4028 wrote to memory of 4808	4028	chrome.exe	84
PID 4028 wrote to memory of 4808	4028	chrome.exe	84
PID 4028 wrote to memory of 4808	4028	chrome.exe	84
PID 4028 wrote to memory of 4808	4028	chrome.exe	84
PID 4028 wrote to memory of 4808	4028	chrome.exe	84
PID 4028 wrote to memory of 4808	4028	chrome.exe	84
PID 4028 wrote to memory of 4808	4028	chrome.exe	84
PID 4028 wrote to memory of 4808	4028	chrome.exe	84
PID 4028 wrote to memory of 4808	4028	chrome.exe	84
PID 4028 wrote to memory of 4808	4028	chrome.exe	84

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://Google.com
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb0b4adcf8,0x7ffb0b4add04,0x7ffb0b4add10
  2⤵
  PID:2808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1940,i,5226472814315497918,9810640888620519600,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=1932 /prefetch:2
  2⤵
  PID:1736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2216,i,5226472814315497918,9810640888620519600,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2228 /prefetch:11
  2⤵
  PID:2396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2356,i,5226472814315497918,9810640888620519600,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2368 /prefetch:13
  2⤵
  PID:4808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3136,i,5226472814315497918,9810640888620519600,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:3100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3160,i,5226472814315497918,9810640888620519600,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:1696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4256,i,5226472814315497918,9810640888620519600,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4132 /prefetch:9
  2⤵
  PID:3180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4624,i,5226472814315497918,9810640888620519600,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4664 /prefetch:1
  2⤵
  PID:3708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5392,i,5226472814315497918,9810640888620519600,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5396 /prefetch:14
  2⤵
  PID:5032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3512,i,5226472814315497918,9810640888620519600,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5412 /prefetch:14
  2⤵
  PID:5020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4924,i,5226472814315497918,9810640888620519600,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3476 /prefetch:14
  2⤵
  PID:1960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3480,i,5226472814315497918,9810640888620519600,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5508 /prefetch:14
  2⤵
  PID:2092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5512,i,5226472814315497918,9810640888620519600,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:4280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5732,i,5226472814315497918,9810640888620519600,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5756 /prefetch:14
  2⤵
  - NTFS ADS
  PID:1332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1036,i,5226472814315497918,9810640888620519600,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5532 /prefetch:10
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4976

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:1376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3968

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3580

C:\Users\Admin\Downloads\Coffin32\Coffin32.exe
"C:\Users\Admin\Downloads\Coffin32\Coffin32.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:560
- C:\Windows\system32\wscript.exe
  "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\8284.tmp\8285.tmp\8296.vbs //Nologo
  2⤵
  - Modifies registry class
  PID:5708
- - C:\Users\Admin\AppData\Local\Temp\8284.tmp\MainWindow.exe
    "C:\Users\Admin\AppData\Local\Temp\8284.tmp\MainWindow.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5720
- - C:\Users\Admin\AppData\Local\Temp\8284.tmp\PatBlt.exe
    "C:\Users\Admin\AppData\Local\Temp\8284.tmp\PatBlt.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2616
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8284.tmp\musicplayer.vbs"
    3⤵
    - Enumerates connected drives
    - Modifies registry class
    PID:4756

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004D4
1⤵
PID:5292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
a0afdc570c206ba92d90a74f81cfa990

SHA1
a617df5e3fd2d9ebe05afa165ae558f4e8ec791f

SHA256
b50def6f3e2d6344cfeaf586f713bb7221c7c2fde5a2a119c943244d14838ee1

SHA512
4d03d1a91e6f97194a57f4bd58a99d10a4d34728ef8031b808049235439b9d58737c0b655182bb220860412b878e6f203db089b595de517f0ed7f8a553ca1264

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
c598ff080b254973fbba3498e14b3547

SHA1
32e51227f5e3ac05c0220e402b903c9ab65f21c2

SHA256
784b4d65a4128715a7547ec1a43c6625c8c51bc59ddb6f762d425e5ede0a381a

SHA512
3399394abc58d18fbab2bf7a0e34f19eebd03d4761ca8bbc4f68d6122d34dfe1355f422648042d49ebb18667884095e2f9f5817d14433e600b0583a7f8159ef8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
84c100a159406abeeb834400e1cb10f3

SHA1
b8274b40e6763fdd11135ab8e0d919740cd4d1ef

SHA256
94c9a46a32dd4ed11969953fbf612273220075faadd2c0381d1e66dce97a79f7

SHA512
b222b6f04b8650410245b600f118033507ffeb426b9109af79ee3d3055f0ee58edcc32d876f13d06d629ae62e4452f6eb43ef5583d3882b6e9deaf8e5e02648f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
4af5dacd3eee250d26e79318c34cf1d9

SHA1
ae26216da024bcc100e75c6a32f37e7fac070f1a

SHA256
04508e64ada023d9a2d73c9409f3d3c160be08770001f34c6a78892c221701cf

SHA512
58e12f72f5f9b325cafad3c9df0643a22ae1717f2bb69653afb409661677805a372ed9d65bba17366f0665a4e47dab0ab27f50adf91200f598af0d6638a61156

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
cc3bd1c87ab538a99ae0e06ad427878e

SHA1
493ba5d86cd013434fd2d05921afedfae40abf31

SHA256
b6af702c248420801476fa5dfff8f7af13ad87e9374777c654d9d5d9fd7a4c0c

SHA512
82fd5ff40a3acc5a9a08f6aa3b6a4decae00f52814bc0e29673b5df7efa8d3af7842448daa0f0f097ae30ae3b92c65f8b57ca0b0ffec8024ca686f598a41be52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
842eda47c17405010ade27dd78fa8b21

SHA1
00629495d523302ac9bff53c7039926b5b55374a

SHA256
c3252bb7fd98c9125dd2724df72885b8411ddd3e82dc9d85bb2530198f89c662

SHA512
99240b57690136dc5c6ba800707660de3965704b202146734cec028717ef06b1e71cf47c646c5c9ecb4e2d5ddac39b733286d6ff53fbab6a754037b4f8a4879e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
f3222af53fbd1d692d67f4a39cfb7487

SHA1
a80df72cce6a59b2410c1bb854d819e25042cbe4

SHA256
2d6fe88d35cc7ce479e43cc837c58031c01393cf29738ec58ee35c04b0bcb2dd

SHA512
cbab824f8cc833b66b2effa38443b57a7dc5d1851cb46d596530e8a996b380b272a4ff5d80ed0d649d43b3d80c54f1dbbc0707beff017b2ef8cf4d1ae1539c3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
7117965956228601e897ba403ba56287

SHA1
cc6b444b3f79156e5a1fb8c0bc2ef1e35dc3cd7f

SHA256
5ca5d8f3a87dc80dd822bda64450cdba463035e86cfa8fb0f7f6806cfc4b606e

SHA512
ab83cc475ff31ee9488491e639573c3f7b605e4f30308cbd82e42a7459f47666f73ce4b468743019853cd7ea54c56288c7dd5de0c44edc78945996807202cddc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
ce99ec43c2695a5c388c9eceb858248d

SHA1
c800e02b523d92f0505322096787a7acd18fe20c

SHA256
b7000f072782c260156dd9ddd479159861dee61a334d56f5d9c55220e806ffab

SHA512
bf19dce5ac8d84d73ed1bfe24e5617488460177d20f3ce84c29089530f6e75cb953f9f506c1bfc901aec1315c95a7ef10014d301a1a00e7fe02dff14dbd6d831

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
9c413821ab0c5ab0b1144ccd986ffd0e

SHA1
6c461389eb13c9322027273473de583c2d0a8cf7

SHA256
dfde2d1656843fd0f1995c0395af8d78d65ba6cd49daf48f201e5f9da73e7cc7

SHA512
5c9335007b8cb9ff7ede2672e3cb1afd16c1cb3cd36e25442a589ee316ee1f4f871d30a6c60615049f74ad7e74d2c3bdf12605a931307dd885d50b6569c05b82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
a8bb56ecfe871b00ae826bbd7b4a6fd0

SHA1
6a276534042dbb3960221f93b25f02c749a66145

SHA256
2b0bfc928ea1bb191367c5d9d0ee0f850c78fbd248395df56ad9feb64ee92090

SHA512
5078e3ee603f7e08f7d3537c2cd4bc7891f3550fdb3be0498c0cbfeb6baea202b756d1b7dae2053f3fd64e05e1249ca6150fd16b6fea350a8ccdb1fe21ca5f18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
1486d25d48636e8750e3ff22f079fb93

SHA1
5751713307c37889d6cb103c75762f84c97ace2f

SHA256
2790ffbd1552a8cd38f21bbd820f32308f70b2b4b6524ba4317a0aba686300ae

SHA512
55390af1d54eacc426d0b5391b1f43eed9a23fd41d7c9800b1989211428c10d5c6ad8dc45002906a213a020678c2b04931eacbcf3e164d3ce3ce17bd43b27181

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57d68a.TMP

Filesize
48B

MD5
62f8f2ced6cf4ad0b7a7addaa07377bc

SHA1
3f38ca454756b6e97d8cb3ae6c282fec256e7e7a

SHA256
b64b571e5335e148ef4ce2777970ef6ab6c142cb157e0a019b1d465c122ccfd5

SHA512
892c3de2f95bf0413953a5587c232015938417a86c7a3edbb8305f1b79a6c7952b1e05abdaf312a0bcd5b625359a1fe2cfadc154c17bc288c85e8f9273a46ce3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
1600af40a54b66db8058d8810a7ee4c6

SHA1
ec138df559b1f8460946e1abcef912fc0c0a4640

SHA256
49653068b0a1e2a8e06acfa8e6b44a4fb2eb676f466e502b8d14de89e34c8d0c

SHA512
ee1f2519ebbf8db7e960382d570f0fa078916970193996677e78b9f5c0f3150ea3e595f4fa9f8e904ecf2adff14a606075a8ee16c85f2a366e9e9617ab49f69f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
40d766024451d0e8b04583722d5829cd

SHA1
2159989b040cb434c7e44fda629e604885d2bd11

SHA256
003c8569c5c0cf869bc107003b61074198b8a5bd7d0838dad895222d10ce5e59

SHA512
53d4fb3ca13a093f2055620ab8242dc389ebfc99fba5cb2338337a6f66f830f2b41d8746f07ddf22c43dd8e036fe8d25c8c9803f8df4918dc4a90b231f890e11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
2e318ffe1011f085eb9917bea79d347c

SHA1
7a2f156d0845dc302c009036dd6cbdc39b57e43c

SHA256
79815339161b6f3ec28258c8246375673d298e32a3d81a37b825fe949567aa17

SHA512
dd53be21981270dcb6013234c5e97f5c8955a833157a6358698f04a65a628b68ad8d3a45eb5b2978d1fec4b78db148a62490d16b8a5a9ca7e13e03c24ad986f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
576KB

MD5
6f5454b758cd0ebe1baf20a02ddf8afe

SHA1
45da5268b36f44417df8c98c395ca7c1e71b4ffe

SHA256
5578945d758891ab80a2d97c0ae5dc79419b16ec3b47ffead09e9205fdbc21c0

SHA512
0e1d73b7d76ec8590ef835e857dc4f82763d95cdb7a116b496584613b813fc598c0f732adbdc51450705ea9e3d2487a6163e33d1ede0dac282364c6177a7bb70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8284.tmp\8285.tmp\8296.vbs

Filesize
782B

MD5
da508c599810d199e7c353d9a600ba9d

SHA1
ebebfa193d54ccf1241be4f2da92616ab84e2843

SHA256
e51aaeeb3184139f174fd2090e1dd69840347fe3665023d1b82cea35a30e34f8

SHA512
d653c1ef7872447ebbbeb3411f776231f9478e35fa8251f8729b6b28ab22d05ee048dc69d345f59731deaf7cc041c706406e613602f22817e8afe36276589fce

Download Submit
C:\Users\Admin\AppData\Local\Temp\8284.tmp\Cofdance.mp3

Filesize
406KB

MD5
bc2ac588580df06caf8a3bce22487600

SHA1
e06a4e89e362c79469b457a3f3c51ce64165e54a

SHA256
2cee6b6a1eeb44ed10c6778fa47381bfc9516c34d4386e96bde902d79de950cf

SHA512
f42df72c7cb9cfa23c6e6fe94e8ba1e680414e090e29c36f2cd3b667e452fab4af10817c88ebab1b2869999576b8fb9caad26e5c8b2145c4da20a04e542b247b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8284.tmp\MainWindow.exe

Filesize
28KB

MD5
e0762f28ed02198f5749edff96628654

SHA1
6e1bf64a092c73e1cd9f561a3020d2eace40f76b

SHA256
47bb487575066212743ab91c15a5cb74ef5602afb688a97323558d04a2641c9b

SHA512
363e9d3afda7c7278fc25606c25f4d0283a248bc89c9bb78d15e8dc6a4f0ebea272766d20791f59539632a4df11657c7ab9d4a1d93c70610a422903c5cb3e4dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\8284.tmp\PatBlt.exe

Filesize
104KB

MD5
a60c5073545f2e379f835b4f76c760a6

SHA1
5db151b9121a765eb668ac015acc085639d5038a

SHA256
773553334b9b64ed0463d90f77c1eb663f830912ea743490f01835247665ed78

SHA512
8b0ad6a5e780b9c6baa7cf8e40b4115008f44d229b2fe612c41e431da740aea9dcf7a1549d9d97da6ddb2441474ea791dd8c9dbdf718916428826967c275a82c

Download Submit
C:\Users\Admin\AppData\Local\Temp\8284.tmp\musicplayer.vbs

Filesize
225B

MD5
d7d36bded41044507658fe2dbc18b6ee

SHA1
a0315cee9870bc29ece5004b9bb16bbdc19d3ab6

SHA256
212dcf7ddd19b37ba38100943c50f44c2d2ff349613714ee6b236cee4824a1a9

SHA512
ced62a37ced8e7de67286aaba013a7aadd0bfbd49cf33ba1ae8a7516b18cc0b4c496f8f5e60fca052f2d39a07451766622c837b906026bfb49c09050c25daf39

Download Submit
C:\Users\Admin\Downloads\Coffin32.zip.crdownload

Filesize
6.4MB

MD5
8d697ea23e055714d5bf096efc37b1b5

SHA1
aa221717741e679657f4b16735fec9b07e684807

SHA256
2f19bfb87a2f462ece90e7c39de3ac8c7a2e0de5bee29819ec804897b4d1adcf

SHA512
6fa30f004d443ef29d9d69cb105b1b2591668deb0bfb126d854dd89695b7604fc5ed5769433d5b1927d24a4336ef554de661712d5bb4c1a3781b6e242cead402

Download Submit
C:\Users\Admin\Downloads\Coffin32.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/560-558-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/560-599-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2616-600-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download