f427f2d354acd78f2177aaeb78a677d34d7825751dc3abe70d40fd537b70c4d8

Analysis

max time kernel
359s
max time network
385s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
11/05/2024, 19:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ReShade_Setup_6.1.1.exe
Size

3.5MB
MD5

7e72f7c4a2aac0c96a66138cc3e4f94d
SHA1

99b211f68dce11fb87f9ff55ab0b801c5f6fa4ff
SHA256

f427f2d354acd78f2177aaeb78a677d34d7825751dc3abe70d40fd537b70c4d8
SHA512

8ecd30aba23d25ce43d353fee209de9a06d8e6bfbfdcfd591e0432d448e5127e713a4b5ace12bdceebcefe651882d508935bef25151212fc9726d6704c7d3ab4
SSDEEP

49152:TJ3bUDVjzGEOWTLBM6mYI5pOo11cz8Y+z1LJwzkXcO78v26twH8Fr8etqNqD4Sa:TiBjqiLBt7apOapYee26td8ea8a

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133599285068431141"	chrome.exe

Modifies registry class 20 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	ReShade_Setup_6.1.1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	ReShade_Setup_6.1.1.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	ReShade_Setup_6.1.1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	ReShade_Setup_6.1.1.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	ReShade_Setup_6.1.1.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	ReShade_Setup_6.1.1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	ReShade_Setup_6.1.1.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	ReShade_Setup_6.1.1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	ReShade_Setup_6.1.1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	ReShade_Setup_6.1.1.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	ReShade_Setup_6.1.1.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	ReShade_Setup_6.1.1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	ReShade_Setup_6.1.1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	ReShade_Setup_6.1.1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	ReShade_Setup_6.1.1.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	ReShade_Setup_6.1.1.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	ReShade_Setup_6.1.1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	ReShade_Setup_6.1.1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	ReShade_Setup_6.1.1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	ReShade_Setup_6.1.1.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
220	chrome.exe
220	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeDebugPrivilege	4496	ReShade_Setup_6.1.1.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe
Token: SeShutdownPrivilege	220	chrome.exe
Token: SeCreatePagefilePrivilege	220	chrome.exe

Suspicious use of FindShellTrayWindow 54 IoCs

pid	Process
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe
220	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4496	ReShade_Setup_6.1.1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 220 wrote to memory of 4936	220	chrome.exe	76
PID 220 wrote to memory of 4936	220	chrome.exe	76
PID 220 wrote to memory of 4428	220	chrome.exe	78
PID 220 wrote to memory of 4428	220	chrome.exe	78
PID 220 wrote to memory of 4428	220	chrome.exe	78
PID 220 wrote to memory of 4428	220	chrome.exe	78
PID 220 wrote to memory of 4428	220	chrome.exe	78
PID 220 wrote to memory of 4428	220	chrome.exe	78
PID 220 wrote to memory of 4428	220	chrome.exe	78
PID 220 wrote to memory of 4428	220	chrome.exe	78
PID 220 wrote to memory of 4428	220	chrome.exe	78
PID 220 wrote to memory of 4428	220	chrome.exe	78
PID 220 wrote to memory of 4428	220	chrome.exe	78
PID 220 wrote to memory of 4428	220	chrome.exe	78
PID 220 wrote to memory of 4428	220	chrome.exe	78
PID 220 wrote to memory of 4428	220	chrome.exe	78
PID 220 wrote to memory of 4428	220	chrome.exe	78
PID 220 wrote to memory of 4428	220	chrome.exe	78
PID 220 wrote to memory of 4428	220	chrome.exe	78
PID 220 wrote to memory of 4428	220	chrome.exe	78
PID 220 wrote to memory of 4428	220	chrome.exe	78
PID 220 wrote to memory of 4428	220	chrome.exe	78
PID 220 wrote to memory of 4428	220	chrome.exe	78
PID 220 wrote to memory of 4428	220	chrome.exe	78
PID 220 wrote to memory of 4428	220	chrome.exe	78
PID 220 wrote to memory of 4428	220	chrome.exe	78
PID 220 wrote to memory of 4428	220	chrome.exe	78
PID 220 wrote to memory of 4428	220	chrome.exe	78
PID 220 wrote to memory of 4428	220	chrome.exe	78
PID 220 wrote to memory of 4428	220	chrome.exe	78
PID 220 wrote to memory of 4428	220	chrome.exe	78
PID 220 wrote to memory of 4428	220	chrome.exe	78
PID 220 wrote to memory of 4428	220	chrome.exe	78
PID 220 wrote to memory of 4428	220	chrome.exe	78
PID 220 wrote to memory of 4428	220	chrome.exe	78
PID 220 wrote to memory of 4428	220	chrome.exe	78
PID 220 wrote to memory of 4428	220	chrome.exe	78
PID 220 wrote to memory of 4428	220	chrome.exe	78
PID 220 wrote to memory of 4428	220	chrome.exe	78
PID 220 wrote to memory of 4428	220	chrome.exe	78
PID 220 wrote to memory of 2284	220	chrome.exe	79
PID 220 wrote to memory of 2284	220	chrome.exe	79
PID 220 wrote to memory of 4424	220	chrome.exe	80
PID 220 wrote to memory of 4424	220	chrome.exe	80
PID 220 wrote to memory of 4424	220	chrome.exe	80
PID 220 wrote to memory of 4424	220	chrome.exe	80
PID 220 wrote to memory of 4424	220	chrome.exe	80
PID 220 wrote to memory of 4424	220	chrome.exe	80
PID 220 wrote to memory of 4424	220	chrome.exe	80
PID 220 wrote to memory of 4424	220	chrome.exe	80
PID 220 wrote to memory of 4424	220	chrome.exe	80
PID 220 wrote to memory of 4424	220	chrome.exe	80
PID 220 wrote to memory of 4424	220	chrome.exe	80
PID 220 wrote to memory of 4424	220	chrome.exe	80
PID 220 wrote to memory of 4424	220	chrome.exe	80
PID 220 wrote to memory of 4424	220	chrome.exe	80
PID 220 wrote to memory of 4424	220	chrome.exe	80
PID 220 wrote to memory of 4424	220	chrome.exe	80
PID 220 wrote to memory of 4424	220	chrome.exe	80
PID 220 wrote to memory of 4424	220	chrome.exe	80
PID 220 wrote to memory of 4424	220	chrome.exe	80
PID 220 wrote to memory of 4424	220	chrome.exe	80
PID 220 wrote to memory of 4424	220	chrome.exe	80
PID 220 wrote to memory of 4424	220	chrome.exe	80

C:\Users\Admin\AppData\Local\Temp\ReShade_Setup_6.1.1.exe
"C:\Users\Admin\AppData\Local\Temp\ReShade_Setup_6.1.1.exe"
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffbc61e9758,0x7ffbc61e9768,0x7ffbc61e9778
  2⤵
  PID:4936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1532 --field-trial-handle=1768,i,8141111682074487687,10279390620942567947,131072 /prefetch:2
  2⤵
  PID:4428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 --field-trial-handle=1768,i,8141111682074487687,10279390620942567947,131072 /prefetch:8
  2⤵
  PID:2284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2036 --field-trial-handle=1768,i,8141111682074487687,10279390620942567947,131072 /prefetch:8
  2⤵
  PID:4424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2928 --field-trial-handle=1768,i,8141111682074487687,10279390620942567947,131072 /prefetch:1
  2⤵
  PID:3012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2948 --field-trial-handle=1768,i,8141111682074487687,10279390620942567947,131072 /prefetch:1
  2⤵
  PID:3064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4436 --field-trial-handle=1768,i,8141111682074487687,10279390620942567947,131072 /prefetch:1
  2⤵
  PID:4776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4592 --field-trial-handle=1768,i,8141111682074487687,10279390620942567947,131072 /prefetch:8
  2⤵
  PID:344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4752 --field-trial-handle=1768,i,8141111682074487687,10279390620942567947,131072 /prefetch:8
  2⤵
  PID:596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4772 --field-trial-handle=1768,i,8141111682074487687,10279390620942567947,131072 /prefetch:1
  2⤵
  PID:4796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=2012 --field-trial-handle=1768,i,8141111682074487687,10279390620942567947,131072 /prefetch:1
  2⤵
  PID:2420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3136 --field-trial-handle=1768,i,8141111682074487687,10279390620942567947,131072 /prefetch:1
  2⤵
  PID:1976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4960 --field-trial-handle=1768,i,8141111682074487687,10279390620942567947,131072 /prefetch:8
  2⤵
  PID:2652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4924 --field-trial-handle=1768,i,8141111682074487687,10279390620942567947,131072 /prefetch:8
  2⤵
  PID:2172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5200 --field-trial-handle=1768,i,8141111682074487687,10279390620942567947,131072 /prefetch:1
  2⤵
  PID:4120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 --field-trial-handle=1768,i,8141111682074487687,10279390620942567947,131072 /prefetch:8
  2⤵
  PID:2768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5532 --field-trial-handle=1768,i,8141111682074487687,10279390620942567947,131072 /prefetch:8
  2⤵
  PID:2260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5688 --field-trial-handle=1768,i,8141111682074487687,10279390620942567947,131072 /prefetch:8
  2⤵
  PID:2272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=4512 --field-trial-handle=1768,i,8141111682074487687,10279390620942567947,131072 /prefetch:1
  2⤵
  PID:2480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=2952 --field-trial-handle=1768,i,8141111682074487687,10279390620942567947,131072 /prefetch:1
  2⤵
  PID:3656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=5644 --field-trial-handle=1768,i,8141111682074487687,10279390620942567947,131072 /prefetch:1
  2⤵
  PID:1604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=5008 --field-trial-handle=1768,i,8141111682074487687,10279390620942567947,131072 /prefetch:1
  2⤵
  PID:4584

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
675cb66bf44402292c9f513e881cfb31

SHA1
d386b8b985974dbcc333a5b4c4d6b249a7ba649a

SHA256
d34eda46ca4c4455ea9ab8434b3306eabebe0fe1eb4742d10d0d7e3294e31025

SHA512
9891cdfc97ffdb629392f22423daa9026265bf38db0728263a3ce41e2357a25e50577cf81ca79570915dd0fe4e43facdfd97b3165e3fdd80b4d6d3c910aa4c06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
e02115a20994e19962f5e100747096ad

SHA1
f791c0420eb7c4e3661455c02fbbe377d10e4bbb

SHA256
5fea2335360b02d99bbf9d1df7933a34fd829b1364e662b6b384d7ebfed7175f

SHA512
99ce2d54e6896d2692807f0bb5472f08b1444278dd5e81abb8210081e99b0db1a4db5b9de9de15b98e2ad0136dd6dea237fa71ecf100174eb689bbd1ba2cde4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
2d70f62b192d59ee5914d09dbfce9705

SHA1
7fbc9b14c462759ea3f250cbfe8b6f1c0660d62d

SHA256
e350dd6a06dc35fedf4aebf60a6409e20a3e62b96042075c78771fe9f462cc86

SHA512
ea5972772daccbcd9019c438fe9b15ac1e8dd191e9e86bb0036f5bd8cd41929ebe47538c07feca019d18be1c538da9a321165413fde326ec69c8488f3ff196d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
24887efa216cb12407d832ad44be0bda

SHA1
60546de9a6951504b9e819a6f67cb0f97c748672

SHA256
540f2a666dd3a957abfbcbf6ed99066e72d7db6437000ca6166b78830b496895

SHA512
d7253268730b3e1c4f1f94c0bb633aab469b3621bb4ead082b09d5a445cce650d93e90d355f254fa9730d79fdbe22845880add57aab9b3dd76ddd08b13f7d4bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
084c4a6e44341e0b6851d3c483b65164

SHA1
36ea9a316ed7a9424485665febbb981ce2dc92f0

SHA256
ba2c137db2b19b18490517a1cfa7b720f07812d2710d2fdb9641424d2f25d0ec

SHA512
bd1d5ab262e335654845651ee0c2a6f383672f3c22d6a3fb16fbd033769bb06720d9b7e76622f5a924ac3f634f88a434b97c83b5e00b2c9ee87e7c5431413d73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e9928cc056a6b73db327da23b22e7754

SHA1
d603a14fecbf76180fd643451aacf10343413d2f

SHA256
3ef17fc11c69624ad67f1971dda0113f0e09cdd0e2170ce73ce3cab677bed9a8

SHA512
feee8f1d3f2207e708620935233534c35181ab0f928a50f19a0d9961a6162a372d55b1d482992c9e3adb9aeaa7d7bc800186346774a1914fccc7c5437484c14e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
12KB

MD5
beb15b5a70b56440a220199bd32177d9

SHA1
f50624af56005b7950ff7f06988bcfc37ebfda6c

SHA256
6624a99f9850f7a9b8dac6f67385652f6166c9ac8b88d59e0a5d5c0a8ab117cc

SHA512
25f2aac63ab919acd788e78ceca07686fcaf86b3e3e4f764cae5bccc82b2fce62aa836c03a4f4f8055578b0fa87a923fc2806bb1d13e67845b8c90cdc8648bcd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
273KB

MD5
0c1e1092d967ead228f02f38e5086524

SHA1
5181834f03a15272b0e9afdd45f51be0a50aeddd

SHA256
ed3a6cf6da5967e958a040d5ec92560d32d2366931f51c2dc1c834a23f0a8fdf

SHA512
16d8a9f4bb657f563e68c74a1fd1722f3513b20adcea68c6089feab5158529adbef8d1292c0c9335af5d39ea4e790ce5dbfd09ab97c2b536d9c21aa3de543fd0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
273KB

MD5
58944229a2e83f874c31bfa131dc880c

SHA1
43440c615a22bd2af6c68a66bc53c196fc41aeec

SHA256
e70ddc46d24d61b8dd8e08cad84b0370ba4236c8dc95b902bb6381ad6858204d

SHA512
160084abfafac7e1a88205a4fd6add864f0c5d6198b5b97c64f1f1fc735670528c4d1aea5427b7891e5c705ee4711980216b91e8a6c215ea403d18b91e54984b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
memory/4496-6-0x00007FFBCC3E0000-0x00007FFBCCDCC000-memory.dmp

Filesize
9.9MB

Download
memory/4496-0-0x00007FFBCC3E3000-0x00007FFBCC3E4000-memory.dmp

Filesize
4KB

Download
memory/4496-11-0x00007FFBCC3E0000-0x00007FFBCCDCC000-memory.dmp

Filesize
9.9MB

Download
memory/4496-10-0x00007FFBCC3E0000-0x00007FFBCCDCC000-memory.dmp

Filesize
9.9MB

Download
memory/4496-9-0x00007FFBCC3E0000-0x00007FFBCCDCC000-memory.dmp

Filesize
9.9MB

Download
memory/4496-8-0x00007FFBCC3E3000-0x00007FFBCC3E4000-memory.dmp

Filesize
4KB

Download
memory/4496-7-0x00007FFBCC3E0000-0x00007FFBCCDCC000-memory.dmp

Filesize
9.9MB

Download
memory/4496-12-0x00007FFBCC3E0000-0x00007FFBCCDCC000-memory.dmp

Filesize
9.9MB

Download
memory/4496-5-0x00000247FE950000-0x00000247FE988000-memory.dmp

Filesize
224KB

Download
memory/4496-4-0x00000247FC650000-0x00000247FC658000-memory.dmp

Filesize
32KB

Download
memory/4496-3-0x00007FFBCC3E0000-0x00007FFBCCDCC000-memory.dmp

Filesize
9.9MB

Download
memory/4496-2-0x00007FFBCC3E0000-0x00007FFBCCDCC000-memory.dmp

Filesize
9.9MB

Download
memory/4496-1-0x00000247FC260000-0x00000247FC29C000-memory.dmp

Filesize
240KB

Download
memory/4496-228-0x00007FFBCC3E0000-0x00007FFBCCDCC000-memory.dmp

Filesize
9.9MB

Download
memory/4496-229-0x00007FFBCC3E0000-0x00007FFBCCDCC000-memory.dmp

Filesize
9.9MB

Download