ddfa9799f4c84be7e70ff0b3050c18ac0cf03cfba624b092b18d98cc1c227577

Resubmissions

24/08/2024, 19:39

240824-yc3avaxelp 7

24/08/2024, 19:32

24/08/2024, 19:24

24/08/2024, 19:18

24/08/2024, 19:13

Analysis

max time kernel
292s
max time network
266s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 19:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup RealStrat 6 v6.1.0.7549.exe
Size

614KB
MD5

5e8c8e327b3ff8c676097588a3fcffb9
SHA1

369e62a460d49bccdb78b8c2927112a078cef249
SHA256

ddfa9799f4c84be7e70ff0b3050c18ac0cf03cfba624b092b18d98cc1c227577
SHA512

d5927d022b5ef6dd73805994ae0b158062bd8dbb8d19bada4f8b62ac3317babba732dd0df32b97b9f100cc140a8b23a30ee4413898eb951633fd31bc8e62a0e5
SSDEEP

12288:uaHc64b888888888888W88888888888+7GAnqDjxiZl8zAeONQ9uZsnDmi3b+zZO:F86v7U91BoQ9uZUR+zZdQ

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3044	Setup RealStrat 6 v6.1.0.7549.tmp

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Program Files\Crashpad\metadata	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup RealStrat 6 v6.1.0.7549.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup RealStrat 6 v6.1.0.7549.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133690006165504507"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	mspaint.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3540	msedge.exe
3540	msedge.exe
740	mspaint.exe
740	mspaint.exe
4780	chrome.exe
4780	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
740	mspaint.exe
1460	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4044 wrote to memory of 3044	4044	Setup RealStrat 6 v6.1.0.7549.exe	84
PID 4044 wrote to memory of 3044	4044	Setup RealStrat 6 v6.1.0.7549.exe	84
PID 4044 wrote to memory of 3044	4044	Setup RealStrat 6 v6.1.0.7549.exe	84
PID 1612 wrote to memory of 1464	1612	msedge.exe	114
PID 1612 wrote to memory of 1464	1612	msedge.exe	114
PID 1612 wrote to memory of 4532	1612	msedge.exe	115
PID 1612 wrote to memory of 4532	1612	msedge.exe	115
PID 1612 wrote to memory of 4532	1612	msedge.exe	115
PID 1612 wrote to memory of 4532	1612	msedge.exe	115
PID 1612 wrote to memory of 4532	1612	msedge.exe	115
PID 1612 wrote to memory of 4532	1612	msedge.exe	115
PID 1612 wrote to memory of 4532	1612	msedge.exe	115
PID 1612 wrote to memory of 4532	1612	msedge.exe	115
PID 1612 wrote to memory of 4532	1612	msedge.exe	115
PID 1612 wrote to memory of 4532	1612	msedge.exe	115
PID 1612 wrote to memory of 4532	1612	msedge.exe	115
PID 1612 wrote to memory of 4532	1612	msedge.exe	115
PID 1612 wrote to memory of 4532	1612	msedge.exe	115
PID 1612 wrote to memory of 4532	1612	msedge.exe	115
PID 1612 wrote to memory of 4532	1612	msedge.exe	115
PID 1612 wrote to memory of 4532	1612	msedge.exe	115
PID 1612 wrote to memory of 4532	1612	msedge.exe	115
PID 1612 wrote to memory of 4532	1612	msedge.exe	115
PID 1612 wrote to memory of 4532	1612	msedge.exe	115
PID 1612 wrote to memory of 4532	1612	msedge.exe	115
PID 1612 wrote to memory of 4532	1612	msedge.exe	115
PID 1612 wrote to memory of 4532	1612	msedge.exe	115
PID 1612 wrote to memory of 4532	1612	msedge.exe	115
PID 1612 wrote to memory of 4532	1612	msedge.exe	115
PID 1612 wrote to memory of 4532	1612	msedge.exe	115
PID 1612 wrote to memory of 4532	1612	msedge.exe	115
PID 1612 wrote to memory of 4532	1612	msedge.exe	115
PID 1612 wrote to memory of 4532	1612	msedge.exe	115
PID 1612 wrote to memory of 4532	1612	msedge.exe	115
PID 1612 wrote to memory of 4532	1612	msedge.exe	115
PID 1612 wrote to memory of 4532	1612	msedge.exe	115
PID 1612 wrote to memory of 4532	1612	msedge.exe	115
PID 1612 wrote to memory of 4532	1612	msedge.exe	115
PID 1612 wrote to memory of 4532	1612	msedge.exe	115
PID 1612 wrote to memory of 4532	1612	msedge.exe	115
PID 1612 wrote to memory of 4532	1612	msedge.exe	115
PID 1612 wrote to memory of 4532	1612	msedge.exe	115
PID 1612 wrote to memory of 4532	1612	msedge.exe	115
PID 1612 wrote to memory of 4532	1612	msedge.exe	115
PID 1612 wrote to memory of 4532	1612	msedge.exe	115
PID 1612 wrote to memory of 3540	1612	msedge.exe	116
PID 1612 wrote to memory of 3540	1612	msedge.exe	116
PID 1612 wrote to memory of 3708	1612	msedge.exe	117
PID 1612 wrote to memory of 3708	1612	msedge.exe	117
PID 1612 wrote to memory of 3708	1612	msedge.exe	117
PID 1612 wrote to memory of 3708	1612	msedge.exe	117
PID 1612 wrote to memory of 3708	1612	msedge.exe	117
PID 1612 wrote to memory of 3708	1612	msedge.exe	117
PID 1612 wrote to memory of 3708	1612	msedge.exe	117
PID 1612 wrote to memory of 3708	1612	msedge.exe	117
PID 1612 wrote to memory of 3708	1612	msedge.exe	117
PID 1612 wrote to memory of 3708	1612	msedge.exe	117
PID 1612 wrote to memory of 3708	1612	msedge.exe	117
PID 1612 wrote to memory of 3708	1612	msedge.exe	117
PID 1612 wrote to memory of 3708	1612	msedge.exe	117
PID 1612 wrote to memory of 3708	1612	msedge.exe	117
PID 1612 wrote to memory of 3708	1612	msedge.exe	117
PID 1612 wrote to memory of 3708	1612	msedge.exe	117
PID 1612 wrote to memory of 3708	1612	msedge.exe	117

C:\Users\Admin\AppData\Local\Temp\Setup RealStrat 6 v6.1.0.7549.exe
"C:\Users\Admin\AppData\Local\Temp\Setup RealStrat 6 v6.1.0.7549.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Users\Admin\AppData\Local\Temp\is-3IKA8.tmp\Setup RealStrat 6 v6.1.0.7549.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-3IKA8.tmp\Setup RealStrat 6 v6.1.0.7549.tmp" /SL5="$70062,121344,0,C:\Users\Admin\AppData\Local\Temp\Setup RealStrat 6 v6.1.0.7549.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault9fdcd8edh47b6h4386h8c17h6c799927af64
1⤵
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffdeab146f8,0x7ffdeab14708,0x7ffdeab14718
  2⤵
  PID:1464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,8534303695151843759,16736937295473328481,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,8534303695151843759,16736937295473328481,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,8534303695151843759,16736937295473328481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
  2⤵
  PID:3708

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3016

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4444

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3716

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Pictures\My Wallpaper.jpg" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:4860

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffdebf0cc40,0x7ffdebf0cc4c,0x7ffdebf0cc58
  2⤵
  PID:1488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1976,i,3361550909473949558,18326640324883815645,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1968 /prefetch:2
  2⤵
  PID:2148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2108,i,3361550909473949558,18326640324883815645,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2096 /prefetch:3
  2⤵
  PID:1772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2304,i,3361550909473949558,18326640324883815645,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2492 /prefetch:8
  2⤵
  PID:4280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3196,i,3361550909473949558,18326640324883815645,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:2556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3312,i,3361550909473949558,18326640324883815645,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:3708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3756,i,3361550909473949558,18326640324883815645,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3704 /prefetch:1
  2⤵
  PID:5112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4864,i,3361550909473949558,18326640324883815645,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4860 /prefetch:8
  2⤵
  PID:4568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5116,i,3361550909473949558,18326640324883815645,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2996 /prefetch:8
  2⤵
  PID:5068
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Program Files directory
  PID:4092
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x7ff626e74698,0x7ff626e746a4,0x7ff626e746b0
    3⤵
    - Drops file in Program Files directory
    PID:64
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4988,i,3361550909473949558,18326640324883815645,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4544 /prefetch:1
  2⤵
  PID:2700

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
8960b3e6c43accafd1a3d021e110ef60

SHA1
bc0fda1e21dff188e1bb6249adea30317ea4e441

SHA256
ed36ca3b842a83997260ec10f6f90ffe3d4bba09c5841504448d47c8e48871cf

SHA512
c14bb0a3d5e56a3c8df0a3471e0e444ea917852bba512209f6d9fa5821a179d5c80dbc5ae5d52825e4ffb893d736f14ad88a34d5dfcdd7ed6524ec1383d03e52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
212KB

MD5
2257803a7e34c3abd90ec6d41fd76a5a

SHA1
f7a32e6635d8513f74bd225f55d867ea56ae4803

SHA256
af23860fb3a448f2cc6107680078402555a345eb45bc5efb750f541fe5d7c174

SHA512
e9f4dc90d0829885f08879e868aa62041150b500f62682fc108da258eee26ad9509dcbf6e8a55f2d0bdba7aa9118dd149a70a7d851820d4ea683db7808c48540

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
67916571fb787903f9b365729737159f

SHA1
59ecf62f77205d136271859dd5efdfb9f6b59625

SHA256
f48b17236d764f4f55ffcf09ccfe162df7eac3df8959c169a8a7da63a673502d

SHA512
2866a57cf74c808e8f0354515bcfa329181926d25f366eb5fb2262ae1e59e168a8b2dc29d424b3891250a7b0e4d3d2e13634b55c0e5da1623f39d6bd3a62a7cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
6109ea2e58cf1e07d0ec3d8369f9d72a

SHA1
44341653e26aa15221a3a9f08a15a38621236a2e

SHA256
3cc82c03bb72963a4c28ed9ad8cab707ac65420059bf90544eb584faf31f3168

SHA512
183800fa71de6c0bad47ddc565cec08d1c13ed188a3a4fb5effaf506ef9d7216caa345a547443a88c28783fdcde9ac27fd4a1a1e56a2a23f5554af3448260941

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
7c722b30cc3a42cd6067039764a50bcb

SHA1
8d97b64e6ac9adf39d305e3d9e2800658cc5a6eb

SHA256
f41ad45fbd6b5fd38cecd5ff10d59937c7cfa27f0e75dd5c6f148677f65a7246

SHA512
55d7c3f8d1a0c0a08b22209d2c1a89d80c75cc1c95e4f7fc77766c833ef38d459b8fb533bbfab0cb65c769affe26d4dc83684d9dff2a3e07cb7a9f35ad06b47f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
fda31fc4c0497025ca0329c2c65b0003

SHA1
51d84133936ef3f98b3909480530149e658f0deb

SHA256
00b9e90e7872de8c4a056fdcff56ddab30ca85948f37d9f507a1a65eae6be5f7

SHA512
4a920b5dcbbd657edef75bcfc6ca139105a3bc5a0fdd88adba3a8f405911871d344b58bed4a21092e390b8c891fe98d003632c456c956edd27bd98f6042559c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
071e68d5a6ee3dd3fafdf0cd583ed36b

SHA1
64eeddefec51d5110f21112bd0617d210757ebd5

SHA256
3802c5bd7bcb6f238721db2420ea64443de9361bb5512e808b09dd6e25ac8c76

SHA512
f7db77728060f1ec982695f04b02100026246d4cdd99aff904752f83ab7c6d02683aed837caa8e208468496febffdfb7fca91e642f10c651cf474c836efe7b64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4344122de7c59bebcee2ae21473cdf43

SHA1
eea9e315c5476826fad1d5b7af26a8d9d43f9c9f

SHA256
49677021dfc049d0486d4f1f61fb43a61240b4cb8e12c4729e20b61a7bf47b4c

SHA512
5de2b37da4b12708717cff322695f117508343ffa3a8ad9619323ab0618b0137a84338b86430eb18e86e3d0c506090304986ab428009056fddcbf43c790c65c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a9c83288caad05d69b9cf5d67e8457c6

SHA1
46b15ff926ad69eb2aa7a97797b05c5b9d7bf25f

SHA256
d78cf34c7ebacce90a66dda310a99b457136637a72a09e5a81cb07d97d390dc7

SHA512
4c5168cf46b8f0ddae67df31193e3cbe84db602fb3865be19c20cf5b51f9b4898779d5678c878fa5e6c8d88e8f82db29417e33f3e791029c8aac1fd3025e5ffc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
68764412036662369ff9987860146180

SHA1
f839586592c78f39974045cdd419bbea5e1bf17e

SHA256
f187730939d327696732b7cd0ad8fe0239d043b23845889d45222ccc84f630ac

SHA512
9d16d8c176376cffc8e80a6e0cf3b29ddab059a2eeb7dba48a81c794a101c1c27f9c5f6208a2cd7f015b94f51c05fe0435aaf4eb7873c4e498cadf6a7577b2a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fee8cb83209cc18027d73ca2c375ce6a

SHA1
5d0f97b49dc179c959dcefaae5d1eaea38d46705

SHA256
5692262c34a8536796b51ca01f52788289d076747310ef9dd4450df4982057f7

SHA512
d1c3cb6fb4d442223acfbb4353fb2a0acbd73740d846458be00b52db5d81bdd0237e93d71c2f396131b08d914ef69f567dacaba25ad004be0d4db64264fce8b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cd5c159462f65b04f30c94168ccba742

SHA1
b53320d4afe64d16012b58f20e4e74a91a4dab38

SHA256
e8f9b1f3031a4548d4342802714a1504fab725ef4744fbce344f4821b8e37009

SHA512
775f270a62e40b4311a21515fe19e4a5f14c8410349c9e04843c1672c76c9ed5e69d95bf9e0912b25618c91391ee4d16160579f36b24cee0e7e70ae91ff61c06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
ddee53989557cc26231f7722b03d6415

SHA1
3c9f99f0cbc4c094968c097452127e66f9a63221

SHA256
843bb8d6632369af0b2e32b852d81755696c8bf538897e1854deb7e904a352c7

SHA512
ecf12ae36ae0c0326d6363b8609c594756ecc95d0e9101f438b0604bbf250e821dfaf4e1745fccf63fade2f056aa9c335ec2799a2e0f8e53109c1d83bef58287

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
198KB

MD5
d808e99da7e258c4469b41e96e3b37fc

SHA1
70aa2eea97d705ad6b298861d9c817a66cf9117d

SHA256
afc5c24f51001c25cf83e5e9bfa478ece34a5dc29057811ef8831ac322364677

SHA512
8d63ba4e77013ed6c62da05ec8455483977c30d74c3ac0318c189fdf3d9011db2b714650e3791669c140b404ba72e32f5cf861b052a8aa744064394ce30000f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
198KB

MD5
49883f1adab8c48d4b2f2215ee516cb8

SHA1
d0ecd1b9d4a9f6dd0439e28dadf3ee6baa33c3e5

SHA256
c4cd301667c02f0c7a61a44b7669306c3e34d0e0a3a84f65e0ba9442a5e68801

SHA512
611c3191649acb8b5a8ce83eec589c48ca3f91fb5be3affd5a66e9183b98b3781258be0476aaf2df86474b23982666f0173a17aed341c42eed4ebeb95fa6a859

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bff5e17619e744a8d4e35fb505d6814c

SHA1
c2e6594add8dc672815346f47ff837525ddca91e

SHA256
42d12016668a2863b048b69a50ac9dda50b51e48682beedf26d5cd945109df3e

SHA512
c289e0945e1ee8c722f321b097ea0aace0b2ee1a72f66105eabe5b208261c659006c53fe7cc3888b90308ab17a3daf85ec16ec7f4f59ecea420b22a49e42dcb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
902521b40e6fc2fa00225c380ec773f6

SHA1
d9b05cae5edd79efa9da62e1b0298ea026fe910d

SHA256
0bef8a2bcdce6fee7a4f882077cc802f0a7bf31a3ed2408c7914d99220b36a46

SHA512
ae6372fa22b16295a0f3cf16adf3c6ed8cfe938894d753b4e9bfd05fe1b307034385f5cd85666d99f8709738dbf5e04479ad564926585f70e5c218495e75666a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3IKA8.tmp\Setup RealStrat 6 v6.1.0.7549.tmp

Filesize
1.1MB

MD5
34acc2bdb45a9c436181426828c4cb49

SHA1
5adaa1ac822e6128b8d4b59a54d19901880452ae

SHA256
9c81817acd4982632d8c7f1df3898fca1477577738184265d735f49fc5480f07

SHA512
134ff4022571efd46f7a62e99b857ebe834e9916c786345908010f9e1fb90be226b740ddee16ae9290fe45c86be7238c4555e422abe66a461d11545e19734beb

Download Submit
memory/3044-10-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/3044-12-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/3044-6-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/3044-9-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/4044-8-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4044-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4044-14-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4044-2-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/4860-83-0x0000018A9B9D0000-0x0000018A9B9D1000-memory.dmp

Filesize
4KB

Download
memory/4860-82-0x0000018A9B9D0000-0x0000018A9B9D1000-memory.dmp

Filesize
4KB

Download
memory/4860-81-0x0000018A9B9C0000-0x0000018A9B9C1000-memory.dmp

Filesize
4KB

Download
memory/4860-68-0x0000018A92D60000-0x0000018A92D70000-memory.dmp

Filesize
64KB

Download
memory/4860-79-0x0000018A9B930000-0x0000018A9B931000-memory.dmp

Filesize
4KB

Download
memory/4860-64-0x0000018A925C0000-0x0000018A925D0000-memory.dmp

Filesize
64KB

Download
memory/4860-77-0x0000018A9B930000-0x0000018A9B931000-memory.dmp

Filesize
4KB

Download
memory/4860-75-0x0000018A9B8B0000-0x0000018A9B8B1000-memory.dmp

Filesize
4KB

Download
memory/4860-80-0x0000018A9B9C0000-0x0000018A9B9C1000-memory.dmp

Filesize
4KB

Download