0cfad1a9476e8b8fcf7e23dd291530ae2ffa1e4d64bb41104182ee04fac70818

Resubmissions

22/07/2024, 23:10

240722-25qz3atdlb 3

22/07/2024, 23:02

240722-2z5k9stfpp 4

Analysis

max time kernel
75s
max time network
72s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
22/07/2024, 23:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[vavilon.vip] [Skillbox] Здоровая самооценка.zip.torrent
Size

141KB
MD5

07a04e3a445f3491672a71392577c0f9
SHA1

a6295b119113f58ae999206f95392671ad4e9762
SHA256

6539b6d7c7bcb1a8694692ea3007e2fc456d48381844c5357b5dd0947f501e34
SHA512

ff681ab71bb98860f25d7a8ff02620bd95649d5cb99af3ea2b5c3f86fc8dae4db60c04be59223d4d88ff04c6908c55f39b380309646111c6fa9d74a22280faf8
SSDEEP

3072:6sX4d/NGF+Ydb6wuEob/84Hjy1PC9kOaDi+h4pu0EJfUTh3drIH4xM:EdsvIwudb/dHj39kOaDpuEJfyh3RI3

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133661630649294220"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3708	chrome.exe
3708	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3048	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe

Suspicious use of SetWindowsHookEx 37 IoCs

pid	Process
3048	OpenWith.exe
3048	OpenWith.exe
3048	OpenWith.exe
3048	OpenWith.exe
3048	OpenWith.exe
3048	OpenWith.exe
3048	OpenWith.exe
3048	OpenWith.exe
3048	OpenWith.exe
3048	OpenWith.exe
3048	OpenWith.exe
3048	OpenWith.exe
3048	OpenWith.exe
3048	OpenWith.exe
3048	OpenWith.exe
3048	OpenWith.exe
3048	OpenWith.exe
3048	OpenWith.exe
3048	OpenWith.exe
3048	OpenWith.exe
3048	OpenWith.exe
3048	OpenWith.exe
3048	OpenWith.exe
3048	OpenWith.exe
3048	OpenWith.exe
3048	OpenWith.exe
3048	OpenWith.exe
3048	OpenWith.exe
3048	OpenWith.exe
3048	OpenWith.exe
3048	OpenWith.exe
3048	OpenWith.exe
3048	OpenWith.exe
3368	AcroRd32.exe
3368	AcroRd32.exe
3368	AcroRd32.exe
3368	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 3368	3048	OpenWith.exe	80
PID 3048 wrote to memory of 3368	3048	OpenWith.exe	80
PID 3048 wrote to memory of 3368	3048	OpenWith.exe	80
PID 3368 wrote to memory of 540	3368	AcroRd32.exe	83
PID 3368 wrote to memory of 540	3368	AcroRd32.exe	83
PID 3368 wrote to memory of 540	3368	AcroRd32.exe	83
PID 540 wrote to memory of 3340	540	RdrCEF.exe	84
PID 540 wrote to memory of 3340	540	RdrCEF.exe	84
PID 540 wrote to memory of 3340	540	RdrCEF.exe	84
PID 540 wrote to memory of 3340	540	RdrCEF.exe	84
PID 540 wrote to memory of 3340	540	RdrCEF.exe	84
PID 540 wrote to memory of 3340	540	RdrCEF.exe	84
PID 540 wrote to memory of 3340	540	RdrCEF.exe	84
PID 540 wrote to memory of 3340	540	RdrCEF.exe	84
PID 540 wrote to memory of 3340	540	RdrCEF.exe	84
PID 540 wrote to memory of 3340	540	RdrCEF.exe	84
PID 540 wrote to memory of 3340	540	RdrCEF.exe	84
PID 540 wrote to memory of 3340	540	RdrCEF.exe	84
PID 540 wrote to memory of 3340	540	RdrCEF.exe	84
PID 540 wrote to memory of 3340	540	RdrCEF.exe	84
PID 540 wrote to memory of 3340	540	RdrCEF.exe	84
PID 540 wrote to memory of 3340	540	RdrCEF.exe	84
PID 540 wrote to memory of 3340	540	RdrCEF.exe	84
PID 540 wrote to memory of 3340	540	RdrCEF.exe	84
PID 540 wrote to memory of 3340	540	RdrCEF.exe	84
PID 540 wrote to memory of 3340	540	RdrCEF.exe	84
PID 540 wrote to memory of 3340	540	RdrCEF.exe	84
PID 540 wrote to memory of 3340	540	RdrCEF.exe	84
PID 540 wrote to memory of 3340	540	RdrCEF.exe	84
PID 540 wrote to memory of 3340	540	RdrCEF.exe	84
PID 540 wrote to memory of 3340	540	RdrCEF.exe	84
PID 540 wrote to memory of 3340	540	RdrCEF.exe	84
PID 540 wrote to memory of 3340	540	RdrCEF.exe	84
PID 540 wrote to memory of 3340	540	RdrCEF.exe	84
PID 540 wrote to memory of 3340	540	RdrCEF.exe	84
PID 540 wrote to memory of 3340	540	RdrCEF.exe	84
PID 540 wrote to memory of 3340	540	RdrCEF.exe	84
PID 540 wrote to memory of 3340	540	RdrCEF.exe	84
PID 540 wrote to memory of 3340	540	RdrCEF.exe	84
PID 540 wrote to memory of 3340	540	RdrCEF.exe	84
PID 540 wrote to memory of 3340	540	RdrCEF.exe	84
PID 540 wrote to memory of 3340	540	RdrCEF.exe	84
PID 540 wrote to memory of 3340	540	RdrCEF.exe	84
PID 540 wrote to memory of 3340	540	RdrCEF.exe	84
PID 540 wrote to memory of 3340	540	RdrCEF.exe	84
PID 540 wrote to memory of 3340	540	RdrCEF.exe	84
PID 540 wrote to memory of 3340	540	RdrCEF.exe	84
PID 540 wrote to memory of 4272	540	RdrCEF.exe	85
PID 540 wrote to memory of 4272	540	RdrCEF.exe	85
PID 540 wrote to memory of 4272	540	RdrCEF.exe	85
PID 540 wrote to memory of 4272	540	RdrCEF.exe	85
PID 540 wrote to memory of 4272	540	RdrCEF.exe	85
PID 540 wrote to memory of 4272	540	RdrCEF.exe	85
PID 540 wrote to memory of 4272	540	RdrCEF.exe	85
PID 540 wrote to memory of 4272	540	RdrCEF.exe	85
PID 540 wrote to memory of 4272	540	RdrCEF.exe	85
PID 540 wrote to memory of 4272	540	RdrCEF.exe	85
PID 540 wrote to memory of 4272	540	RdrCEF.exe	85
PID 540 wrote to memory of 4272	540	RdrCEF.exe	85
PID 540 wrote to memory of 4272	540	RdrCEF.exe	85
PID 540 wrote to memory of 4272	540	RdrCEF.exe	85
PID 540 wrote to memory of 4272	540	RdrCEF.exe	85
PID 540 wrote to memory of 4272	540	RdrCEF.exe	85
PID 540 wrote to memory of 4272	540	RdrCEF.exe	85

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\[vavilon.vip] [Skillbox] Здоровая самооценка.zip.torrent"
1⤵
- Modifies registry class
PID:2604

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\[vavilon.vip] [Skillbox] Здоровая самооценка.zip.torrent"
  2⤵
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3368
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:540
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4562B473D01855033850D5FF5A1F9A48 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:3340
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=677F1C0CC47EFEF85661147C6654471E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=677F1C0CC47EFEF85661147C6654471E --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:4272
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9404496BDE146DE2F469229EF33FF3C4 --mojo-platform-channel-handle=2336 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:1156
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=220FBBDC39E41811F81D1CC0DE4F7047 --mojo-platform-channel-handle=1948 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:2676
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F1CE85A1E297A91C091DC2C6695A12C1 --mojo-platform-channel-handle=2320 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:4132

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc48f8cc40,0x7ffc48f8cc4c,0x7ffc48f8cc58
  2⤵
  PID:1748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1740,i,16156970283763276935,16537064742596674135,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=1736 /prefetch:2
  2⤵
  PID:2348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2108,i,16156970283763276935,16537064742596674135,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2100 /prefetch:3
  2⤵
  PID:412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2196,i,16156970283763276935,16537064742596674135,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2208 /prefetch:8
  2⤵
  PID:3744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3160,i,16156970283763276935,16537064742596674135,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:3556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3348,i,16156970283763276935,16537064742596674135,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:3980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4424,i,16156970283763276935,16537064742596674135,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3528 /prefetch:1
  2⤵
  PID:3908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4776,i,16156970283763276935,16537064742596674135,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4784 /prefetch:8
  2⤵
  PID:4932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4920,i,16156970283763276935,16537064742596674135,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4572 /prefetch:8
  2⤵
  PID:1352

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:4836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
186ab1b81ebc71496e80385b40ee8d98

SHA1
04fd65a2c75192c512bf4b5307c87c1c54c3be33

SHA256
d9f2c75324e15a658cd3cadff126d9c081756fd4decd788e91ba793e126771ed

SHA512
5a2221f7a2a7e6548847c769fb7dd5a59f5e94da1ad421ad30ebe5b193a54ebe550eca489840c97af1e877dc9c4778dca4eba9f9eb45f44a54e2ec7ab5d7e00b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
4cd60f2745a3262ba39f3a151dd65515

SHA1
a24f2ccff182df27869cf0c06d7148f7af7fb5f9

SHA256
6f69b02f3bd9b7fb72fa42c754dea0c0ddd898444a32070f783a601d84396cb4

SHA512
4c5c9d6ff73c6ab1c4468f717ea40479663a899a6e2e3aa277fd83900141508cf4c51ec4fb1c1d7d147ffecfb245bd8521ad85621566a0c50bb9e84878b2a849

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
1b59409436be191298342c714a70e373

SHA1
3ab40feba1ac6089d980bee5c6aa70c9296a77e2

SHA256
c68cb85d4c88bf695d0fcfc67414fef1134e7a64ab65ad53a093a86e82988866

SHA512
77b7ec9d387a00a96a3471bbe502d2964ea66d2766963b5170475476257b4162e660b57fe1350adeaca561d10055a2a7a202d9d0d3d06adb319e163fde94931f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
185KB

MD5
7c6aa41607d98a00ef3125340f41794c

SHA1
be9c78cd3da62a865a4d51e80cd73ae8ea1c00cf

SHA256
5a46c05c78b6ae48ba8ad8af7833bd38bb3a93b232adf6f98665a3f1d0707e31

SHA512
beedb5a33c62d3067711b597492f2366f10989bea8ebbfeb52a78387d8433b8bd51eee45b239ea0171558b6a2632a651efe9370aee15505845a3d9e0a25da5f2

Download Submit