dd54bfabacc30fa1b9c2d46ea178452004ec7680ed72e665b7c82137485f9b49

Analysis

max time kernel
95s
max time network
97s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
04-08-2024 15:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BEST NEW RAID TOOL/RTB.py
Size

213KB
MD5

35c3c1689a4159ad4f906dc2b449d30b
SHA1

b8725352bc9b2636951af7e1187b3185eda522dd
SHA256

95182b52838de0d5edf2a2c4ead9737f0074c16f14c397576ef7c6e9332fee0c
SHA512

ad55aa64867c07b6588c4f58c0fa7ca7b7535a031726be6d050bec52b284deeee785346567f86506e6a0373f60c8bceabf1c085fe3d60b04d9d40ca68e347a9a
SSDEEP

3072:xkDfGKqf1OD1z57ty/z7xcJbDIKwGvbg9M06LFmOUibpxhlMrTWP6nu035NbCF3p:xkXzIxWhIod2zkhh

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133672578961199406"	chrome.exe

Modifies registry class 38 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 8c0031000000000002598380110050524f4752417e310000740009000400efbec5525961025984802e0000003f0000000000010000000000000000004a0000000000aabb0f00500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	OpenWith.exe
Key created	\Registry\User\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\NotificationData	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2292	chrome.exe
2292	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3508	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3508	OpenWith.exe
3508	OpenWith.exe
3508	OpenWith.exe
3508	OpenWith.exe
3508	OpenWith.exe
3508	OpenWith.exe
3508	OpenWith.exe
3508	OpenWith.exe
3508	OpenWith.exe
3508	OpenWith.exe
3508	OpenWith.exe
3508	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 3140	2292	chrome.exe	89
PID 2292 wrote to memory of 3140	2292	chrome.exe	89
PID 2292 wrote to memory of 2396	2292	chrome.exe	90
PID 2292 wrote to memory of 2396	2292	chrome.exe	90
PID 2292 wrote to memory of 2396	2292	chrome.exe	90
PID 2292 wrote to memory of 2396	2292	chrome.exe	90
PID 2292 wrote to memory of 2396	2292	chrome.exe	90
PID 2292 wrote to memory of 2396	2292	chrome.exe	90
PID 2292 wrote to memory of 2396	2292	chrome.exe	90
PID 2292 wrote to memory of 2396	2292	chrome.exe	90
PID 2292 wrote to memory of 2396	2292	chrome.exe	90
PID 2292 wrote to memory of 2396	2292	chrome.exe	90
PID 2292 wrote to memory of 2396	2292	chrome.exe	90
PID 2292 wrote to memory of 2396	2292	chrome.exe	90
PID 2292 wrote to memory of 2396	2292	chrome.exe	90
PID 2292 wrote to memory of 2396	2292	chrome.exe	90
PID 2292 wrote to memory of 2396	2292	chrome.exe	90
PID 2292 wrote to memory of 2396	2292	chrome.exe	90
PID 2292 wrote to memory of 2396	2292	chrome.exe	90
PID 2292 wrote to memory of 2396	2292	chrome.exe	90
PID 2292 wrote to memory of 2396	2292	chrome.exe	90
PID 2292 wrote to memory of 2396	2292	chrome.exe	90
PID 2292 wrote to memory of 2396	2292	chrome.exe	90
PID 2292 wrote to memory of 2396	2292	chrome.exe	90
PID 2292 wrote to memory of 2396	2292	chrome.exe	90
PID 2292 wrote to memory of 2396	2292	chrome.exe	90
PID 2292 wrote to memory of 2396	2292	chrome.exe	90
PID 2292 wrote to memory of 2396	2292	chrome.exe	90
PID 2292 wrote to memory of 2396	2292	chrome.exe	90
PID 2292 wrote to memory of 2396	2292	chrome.exe	90
PID 2292 wrote to memory of 2396	2292	chrome.exe	90
PID 2292 wrote to memory of 2396	2292	chrome.exe	90
PID 2292 wrote to memory of 2376	2292	chrome.exe	91
PID 2292 wrote to memory of 2376	2292	chrome.exe	91
PID 2292 wrote to memory of 1992	2292	chrome.exe	92
PID 2292 wrote to memory of 1992	2292	chrome.exe	92
PID 2292 wrote to memory of 1992	2292	chrome.exe	92
PID 2292 wrote to memory of 1992	2292	chrome.exe	92
PID 2292 wrote to memory of 1992	2292	chrome.exe	92
PID 2292 wrote to memory of 1992	2292	chrome.exe	92
PID 2292 wrote to memory of 1992	2292	chrome.exe	92
PID 2292 wrote to memory of 1992	2292	chrome.exe	92
PID 2292 wrote to memory of 1992	2292	chrome.exe	92
PID 2292 wrote to memory of 1992	2292	chrome.exe	92
PID 2292 wrote to memory of 1992	2292	chrome.exe	92
PID 2292 wrote to memory of 1992	2292	chrome.exe	92
PID 2292 wrote to memory of 1992	2292	chrome.exe	92
PID 2292 wrote to memory of 1992	2292	chrome.exe	92
PID 2292 wrote to memory of 1992	2292	chrome.exe	92
PID 2292 wrote to memory of 1992	2292	chrome.exe	92
PID 2292 wrote to memory of 1992	2292	chrome.exe	92
PID 2292 wrote to memory of 1992	2292	chrome.exe	92
PID 2292 wrote to memory of 1992	2292	chrome.exe	92
PID 2292 wrote to memory of 1992	2292	chrome.exe	92
PID 2292 wrote to memory of 1992	2292	chrome.exe	92
PID 2292 wrote to memory of 1992	2292	chrome.exe	92
PID 2292 wrote to memory of 1992	2292	chrome.exe	92
PID 2292 wrote to memory of 1992	2292	chrome.exe	92
PID 2292 wrote to memory of 1992	2292	chrome.exe	92
PID 2292 wrote to memory of 1992	2292	chrome.exe	92
PID 2292 wrote to memory of 1992	2292	chrome.exe	92
PID 2292 wrote to memory of 1992	2292	chrome.exe	92
PID 2292 wrote to memory of 1992	2292	chrome.exe	92
PID 2292 wrote to memory of 1992	2292	chrome.exe	92

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\BEST NEW RAID TOOL\RTB.py"
1⤵
- Modifies registry class
PID:1488

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3508

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffa8a87cc40,0x7ffa8a87cc4c,0x7ffa8a87cc58
  2⤵
  PID:3140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1840,i,7329008097109503451,10304545955178827067,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1836 /prefetch:2
  2⤵
  PID:2396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2136,i,7329008097109503451,10304545955178827067,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2144 /prefetch:3
  2⤵
  PID:2376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2196,i,7329008097109503451,10304545955178827067,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2232 /prefetch:8
  2⤵
  PID:1992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,7329008097109503451,10304545955178827067,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:2520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3180,i,7329008097109503451,10304545955178827067,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4492,i,7329008097109503451,10304545955178827067,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4500 /prefetch:1
  2⤵
  PID:5092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4848,i,7329008097109503451,10304545955178827067,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4884 /prefetch:8
  2⤵
  PID:3416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4916,i,7329008097109503451,10304545955178827067,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4868 /prefetch:8
  2⤵
  PID:3876

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
95ae413c95c9760dd2ba431585df9619

SHA1
3730d914a66ddb1f7941a520029116da196531cf

SHA256
385f63ef0af4198f88dc5139eef7a90987f18258d0d5034571c60063fab2eaf7

SHA512
2d77004ff64c820a0a253498e9fe704f7cd3a48b689885cce9e0b66573f49372a53d8da56a318fdc2441e050dd67d01da0067be65b068053981c7c5341bbdc00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
8cbb4d4b8d20657e7a984f46daf64f84

SHA1
2e364d328680c2f76a8ef1d49d1397ffde2a6102

SHA256
f2849a9776ff91928898d816fc8b97aa0fb0c6588878c079c01e96773147907b

SHA512
f0794a90d3dff4ca16d001473882ed357972a7114c57fe36645fff006f792d63e9e2857a74996cf7f1c51e179dbe1991ac2756b3a53d3aa1e4ddeea627e3396c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
1d0c80e4e25a0dba32d1237c109ca636

SHA1
a8599d8bee9492cc27d82711db0f6d0693ea7a45

SHA256
f94ae0df3a3c8bba0b6d15aebb47610fd50903e1675672e76faebcaee2e56202

SHA512
7763f0695270821c88ac124395f3d7c0120f51d0fac970977b3dc45f604909e58c0eb78a7eea7a384fe5ddfb30652664e5aee2b6bbbff2faebf66905ea987565

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
645d32f94ccb193d7cd3380f68408e10

SHA1
b7337f8d1467019eab57e150c12e5012c8695232

SHA256
8d03a585e598e50c7e4491910d91d7344912aeaf95295aaa070ea31bad166e9e

SHA512
b93428a0f43e2f41d2f49b5cf0bcc0c00b48919c3dd5585850ed90ddad2f93c81d635b81ff19b92b64c38a0b86072f9163b10d374698636ca35fff6f99cfc205

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
4119d7c6794426a282a89d76bc2e6313

SHA1
1c1941f3ab31b227a4195801fbf904653dbadeba

SHA256
6d9e4b22ed44af1a9d6bccf9c6708e222c9d917e48cbdf87e6d8a0726daa1cf5

SHA512
a4085ccbb7edbf00ccc6d5544651bb71ac011c2976754dac657853d02b618379ae1adb800029ed08d5aa89be11561d8c550ed070db78d02d0946ec8e9f041102

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
c769a17d246b83af3b1bbecc22d75b9c

SHA1
7165026af91b8e104a393dcc4c3558bff21fb419

SHA256
00721ec5e6035a2283aa5423ec42ae2c6810043be0e4cce0da45bd0e60e2b08f

SHA512
a92b1418a2bce57ac691ac4bd3d116faba0b1ff889076983cbbed3faa3010236e062f59704ed854fccebd556ffc856a3490713483e74b3b8da052cbd1f190da3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
f0bb35c6773c2c9a185e9a1c5ce532fc

SHA1
4c635ae5d3236d37c0e47f1a3a2a9e5a186a4811

SHA256
f57961c9c1d731a42728fbc813ceec2654c40701afe7f385d958db20d4842d3f

SHA512
24d235cfda11da953f2e378dff9823a7a48042430c190815abf5f32edf76826ab03d44908f5682200990c9036ea05e9500bbf9047884f0eeedb9b3e4edd16546

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit