vanillarat | 83d4b0869a1cd74c64c112556e1191e63b298876baf6ed51a358b72aced304f9

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-08-2024 14:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

konflickt.exe
Size

114KB
MD5

9ebe99b1ad006ec36e201a4ce8215d12
SHA1

966ae9009aef43ab0ffbc124ff66ce8c5e130697
SHA256

83d4b0869a1cd74c64c112556e1191e63b298876baf6ed51a358b72aced304f9
SHA512

d8f6ec298cd81cd7959db5b6256fadba7a5e8a7091ea6f19be6c5a0bcb7ab744ada5119acf4755bd9fc493c44ee2973df88c1791b85d5ac0405762afee15f799
SSDEEP

3072:ZgZApdYrD28fbJB2yLtyT4bjjxK3QdjrxivW+DXnH4vymb11g:Z/pe1J04bXtrxivW+D34vB

Score

10^/10

vanillarat discovery rat

Malware Config

Signatures

VanillaRat
VanillaRat is an advanced remote administration tool coded in C#.
rat vanillarat

Vanilla Rat payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/5012-1-0x00000000004B0000-0x00000000004D2000-memory.dmp	vanillarat

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Program Files\Crashpad\metadata	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	konflickt.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133675158136006866"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4640	chrome.exe
4640	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe
4828	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: 33	2368	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2368	AUDIODG.EXE
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe
Token: SeShutdownPrivilege	4640	chrome.exe
Token: SeCreatePagefilePrivilege	4640	chrome.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4640 wrote to memory of 2336	4640	chrome.exe	89
PID 4640 wrote to memory of 2336	4640	chrome.exe	89
PID 4640 wrote to memory of 2608	4640	chrome.exe	90
PID 4640 wrote to memory of 2608	4640	chrome.exe	90
PID 4640 wrote to memory of 2608	4640	chrome.exe	90
PID 4640 wrote to memory of 2608	4640	chrome.exe	90
PID 4640 wrote to memory of 2608	4640	chrome.exe	90
PID 4640 wrote to memory of 2608	4640	chrome.exe	90
PID 4640 wrote to memory of 2608	4640	chrome.exe	90
PID 4640 wrote to memory of 2608	4640	chrome.exe	90
PID 4640 wrote to memory of 2608	4640	chrome.exe	90
PID 4640 wrote to memory of 2608	4640	chrome.exe	90
PID 4640 wrote to memory of 2608	4640	chrome.exe	90
PID 4640 wrote to memory of 2608	4640	chrome.exe	90
PID 4640 wrote to memory of 2608	4640	chrome.exe	90
PID 4640 wrote to memory of 2608	4640	chrome.exe	90
PID 4640 wrote to memory of 2608	4640	chrome.exe	90
PID 4640 wrote to memory of 2608	4640	chrome.exe	90
PID 4640 wrote to memory of 2608	4640	chrome.exe	90
PID 4640 wrote to memory of 2608	4640	chrome.exe	90
PID 4640 wrote to memory of 2608	4640	chrome.exe	90
PID 4640 wrote to memory of 2608	4640	chrome.exe	90
PID 4640 wrote to memory of 2608	4640	chrome.exe	90
PID 4640 wrote to memory of 2608	4640	chrome.exe	90
PID 4640 wrote to memory of 2608	4640	chrome.exe	90
PID 4640 wrote to memory of 2608	4640	chrome.exe	90
PID 4640 wrote to memory of 2608	4640	chrome.exe	90
PID 4640 wrote to memory of 2608	4640	chrome.exe	90
PID 4640 wrote to memory of 2608	4640	chrome.exe	90
PID 4640 wrote to memory of 2608	4640	chrome.exe	90
PID 4640 wrote to memory of 2608	4640	chrome.exe	90
PID 4640 wrote to memory of 2608	4640	chrome.exe	90
PID 4640 wrote to memory of 4576	4640	chrome.exe	91
PID 4640 wrote to memory of 4576	4640	chrome.exe	91
PID 4640 wrote to memory of 2056	4640	chrome.exe	92
PID 4640 wrote to memory of 2056	4640	chrome.exe	92
PID 4640 wrote to memory of 2056	4640	chrome.exe	92
PID 4640 wrote to memory of 2056	4640	chrome.exe	92
PID 4640 wrote to memory of 2056	4640	chrome.exe	92
PID 4640 wrote to memory of 2056	4640	chrome.exe	92
PID 4640 wrote to memory of 2056	4640	chrome.exe	92
PID 4640 wrote to memory of 2056	4640	chrome.exe	92
PID 4640 wrote to memory of 2056	4640	chrome.exe	92
PID 4640 wrote to memory of 2056	4640	chrome.exe	92
PID 4640 wrote to memory of 2056	4640	chrome.exe	92
PID 4640 wrote to memory of 2056	4640	chrome.exe	92
PID 4640 wrote to memory of 2056	4640	chrome.exe	92
PID 4640 wrote to memory of 2056	4640	chrome.exe	92
PID 4640 wrote to memory of 2056	4640	chrome.exe	92
PID 4640 wrote to memory of 2056	4640	chrome.exe	92
PID 4640 wrote to memory of 2056	4640	chrome.exe	92
PID 4640 wrote to memory of 2056	4640	chrome.exe	92
PID 4640 wrote to memory of 2056	4640	chrome.exe	92
PID 4640 wrote to memory of 2056	4640	chrome.exe	92
PID 4640 wrote to memory of 2056	4640	chrome.exe	92
PID 4640 wrote to memory of 2056	4640	chrome.exe	92
PID 4640 wrote to memory of 2056	4640	chrome.exe	92
PID 4640 wrote to memory of 2056	4640	chrome.exe	92
PID 4640 wrote to memory of 2056	4640	chrome.exe	92
PID 4640 wrote to memory of 2056	4640	chrome.exe	92
PID 4640 wrote to memory of 2056	4640	chrome.exe	92
PID 4640 wrote to memory of 2056	4640	chrome.exe	92
PID 4640 wrote to memory of 2056	4640	chrome.exe	92
PID 4640 wrote to memory of 2056	4640	chrome.exe	92

C:\Users\Admin\AppData\Local\Temp\konflickt.exe
"C:\Users\Admin\AppData\Local\Temp\konflickt.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:5012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffd8bbecc40,0x7ffd8bbecc4c,0x7ffd8bbecc58
  2⤵
  PID:2336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1952,i,2814341148978192488,4368146213511835997,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1948 /prefetch:2
  2⤵
  PID:2608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2060,i,2814341148978192488,4368146213511835997,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1808 /prefetch:3
  2⤵
  PID:4576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2316,i,2814341148978192488,4368146213511835997,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2276 /prefetch:8
  2⤵
  PID:2056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,2814341148978192488,4368146213511835997,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:2232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3252,i,2814341148978192488,4368146213511835997,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:1668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4540,i,2814341148978192488,4368146213511835997,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4624 /prefetch:1
  2⤵
  PID:2204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4936,i,2814341148978192488,4368146213511835997,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4944 /prefetch:8
  2⤵
  PID:4756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5056,i,2814341148978192488,4368146213511835997,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5096 /prefetch:8
  2⤵
  PID:3956
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Program Files directory
  PID:2408
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x7ff6ccd34698,0x7ff6ccd346a4,0x7ff6ccd346b0
    3⤵
    - Drops file in Program Files directory
    PID:1432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4504,i,2814341148978192488,4368146213511835997,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5200 /prefetch:1
  2⤵
  PID:1012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5292,i,2814341148978192488,4368146213511835997,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5296 /prefetch:1
  2⤵
  PID:3032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4792,i,2814341148978192488,4368146213511835997,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4860 /prefetch:8
  2⤵
  PID:3052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5556,i,2814341148978192488,4368146213511835997,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5612 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:4752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd8bbecc40,0x7ffd8bbecc4c,0x7ffd8bbecc58
  2⤵
  PID:4572

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3336

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x50c 0x508
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
ebd1e0c475994371b3998462615f0d05

SHA1
14e355cb59a4e518018b776164c6d0217aca50e8

SHA256
6982055c717bbdaed4aeec95fd9209e1f933093cf5419bc09194366ee80b0541

SHA512
7aa0bc09e0f291418fe3b6683c2e6e83781a2d96af1d36fd47162a132cfb1fe0051135fe401c6f953c85948974aa79343fb88a0d40ed31be7c60249ae21a3a32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
c7ed0bc65a9bb6d5c021d3dea02a1962

SHA1
dd60424c30af14057df4a43823e721ab4621e6e0

SHA256
65c81681098c1f256cdc5ed304c23cf00200ebc8e0c53e2de88f1b5f0d2a8e71

SHA512
4e368d92f30703576e97038745b2c582444f9edf8c72ecac1f35e9d7183420b25b75e2418b60657f7530f7a024030fed77a31cea5f5ba873512b171975744b80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
813976e10f9f9c5e752cd8706d97984b

SHA1
e7136961bcc9a99f7819caf9b4dbc1d21605c22c

SHA256
f220b53b6120c8e326a13acad43373d2a6976db241423dda2c51db7cb8f24c9b

SHA512
b1dfbd32e76365a57c00781cc83c79945b50ed63835813885bb351670a7e511227d1be739f55022fae0535625ce07c82cf16b6a962c25705121e295df6c05b76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
857B

MD5
f81cf4872e6f055f68416f26e4e1bbb0

SHA1
108264668dd8f5e7223a278a6cabf5523f318452

SHA256
3828f7edc410509561d056d26d97eeb9fe3317e1897a41ce8926f68b008e637e

SHA512
65aef632358ab5433472c86d8565cc64aa689063aac51212ecdc31d695d91b670657febb7841e3399508a2ed8d8cdb258a426b2a2b952c1ac573e4cc64335793

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1024B

MD5
a5a93ed17c7ac6ab1c97d37f2a0f975c

SHA1
a373c4019a05398ec8da1302537aabb55a28620e

SHA256
bc97915bf2fbf4c322b6cf6219340c842e916ce6cf82a86ee7ed29cca7287801

SHA512
18c9bdffae462cbfb517f8015535444724f7a8c3f53bbebbd9d05c3243147f58c2b3ce3fa68efd2cfdedb96cd4958cace250c92f72ba6d98aab85a0dac2fc08f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1024B

MD5
f66d07ace37c39a5d0eea92a21363982

SHA1
4296b6504cb3f01dfc1ce5f760f53d57fa45b4c4

SHA256
162b3332b040cb52390b1f272510f3135f05414bacd839c8cf4e31b385b27225

SHA512
af46d37641c6d98da963bc371bdb778132286569ff96882747217e21a51d74b4957bf6e1c8e59b8f0ed167219243d056510293b78830ad7cf25e60db52e40e5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7f259c4543bd90e62abf8679172a9838

SHA1
4ab412071e84241dc7f6b8be1e2902922fdf5e76

SHA256
00344b25cd78fdd553561d5306960af490e4f5d96b32743a21914fce8be66fd5

SHA512
2e8dda20c36d61a5619a2e5cb5a2d4910e3149eb61566039be3cb75d21f77dee9aa43d3fc8bc18a12c73730e45a0364044eb03ff3018fefc9ca024e32a9bdcc9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0eeae903407a2556ff7bea688b42242b

SHA1
0e97f781922448b7b59bf75e14cfb346ce185e8f

SHA256
119a13b4fd325f1a4c82947b5bf45ec4bea80c4eed2e121106de941543b8b645

SHA512
02bb8d31413c5298a10e4a62ecb5509bd1905d868ffe66027af065a183d2754a83a80ad31dbcd617b53db3970077877a2ced7917451d0232b0da75d0b030a0b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cf8c17f690d6cd5a1f2d8181c2faa05e

SHA1
9c9bd96f57799fca6da0fc01ed39d3b7350a38cd

SHA256
8a1936954297a52cb37c1f161f1b99e134cb4d26c92ddd7b4820e7d89c89111b

SHA512
41479a3736aab5063a4b63a6d81e3b2964a2727779663bde4fcb4b9ba6d3ccc84fc855067eac3554ea360de5b94238e8d80d9f743f9bcd700a6322ab456bd8a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7b41eb88d1e02eca81a625675646952a

SHA1
f681552d895b51403c303bbc30a8ca4a39aa7334

SHA256
50ffbb133ecf665059999540161c2c1fc397baaa46864da2840f23fe71be3e76

SHA512
ef1176281fe672fbf9e039d248dbaabe7cc7939cd0ad73566062b7325ae123e547fde78da4c63bf9a16300a8474427227240c59125b7a9feeb570fc4f09da41e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5800dda7303814db2fd566c0fa0b0b82

SHA1
bfd73329c80e5f49debf20d2dbaab1f97530d5cd

SHA256
6f103f22afe9628f4986fa97841753836a28c6a7d326a8c32c70e45c4c653ebb

SHA512
25319ef095498387e149331c85780d88988575918f5e139e19edaa5974c0138c1998955b59c8f68cf1e3943b24562d71b136d9abbbd746a89bf2e23839bb93e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0786bf67d971a543a34e0da26c75ed65

SHA1
5f65e28a6d4721ad332c8b8d548b1a3b9fb4bcc7

SHA256
ee0f6cc2fed42c02ac0a62aee6548b9cd6c7e2b8dae7ea4dde20821084599595

SHA512
cac3688ba12105a6cd90b404b52260045329d38d99fc961b17231b7a065584555d89672a0632c317b24128f4b5de5f81afdb6e40ba7599fe59fd704a80e7048f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
713cb61fe6abd95479f3ac58952b88b5

SHA1
a4512b96c3a2300066889de88349e2a0fa27bb25

SHA256
abfd5abc1b6d7f8fde5281040931e911ccc49117e6a713fac8ba04757f3bf9b9

SHA512
d5588f122c065dfff4a5ce5f1293839619f0241a99bd7bafe60debb83a5fef7a54b1e59891d0f0b1d7f0c4243f65f21adf18d7b868ae9fb4a2073f719ace8c5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
120B

MD5
379176ac49b1f0748219490a46acef5f

SHA1
57d42bec1297f5d089248eaa506a03b4a697fc07

SHA256
bd24567de146c68d672fd82b62852b9cae5b0dbb45167c1b64cfcb33df4614ba

SHA512
dd21de194f43be43a2685ba043a2b885f99c9b741878a5beb823cc43dcce4756cde65710c1468b903c5b874dba0176a89e6407362622cc0b457c3b386005f81d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
40cc2332ca25b262a3c12bdde528dfa1

SHA1
5de12e6aeabbf3ca8d24e5182d14369fece9aeaf

SHA256
85e2f3cda26a16a7069212232d857f79f76caa6cafff21bd89c01a7d0e96ed38

SHA512
3506446da7a91f37dfa8b970b02351543268c3a91def1d3fcd4470e621742fb0f5bc0124bd9fd59f80b6a5746e7608f9609f06d43e8466f7adf6225a3913f0b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
4b3e6bd159debcbfa2d88ad703a06a6b

SHA1
79f2764d51be77debc231400275aec5c079da5ef

SHA256
b3045b4114a5b20920fe62716e091b3963192a05adf2b5f1bd2f5f7bcce12a5f

SHA512
715c5aa49444531aa4381e35f9c317ad05c6927b3f352e6b7e4deaef8f01b302a9b82b234c400ccf775e6f71c5b732223e642332b14daddc1df19b970be78ea7

Download Submit
memory/5012-145-0x0000000074EEE000-0x0000000074EEF000-memory.dmp

Filesize
4KB

Download
memory/5012-2-0x00000000054D0000-0x0000000005A74000-memory.dmp

Filesize
5.6MB

Download
memory/5012-0-0x0000000074EEE000-0x0000000074EEF000-memory.dmp

Filesize
4KB

Download
memory/5012-3-0x0000000004F20000-0x0000000004FB2000-memory.dmp

Filesize
584KB

Download
memory/5012-154-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/5012-1-0x00000000004B0000-0x00000000004D2000-memory.dmp

Filesize
136KB

Download
memory/5012-4-0x0000000004EE0000-0x0000000004EEA000-memory.dmp

Filesize
40KB

Download
memory/5012-5-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download