nanocore | 3a7b3e8f648eef95b7eb3a702d6d5e3dc02c3071837fbcd9f10e06881e4b8022

Analysis

max time kernel
149s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/09/2024, 11:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

aa.exe
Size

202KB
MD5

ff2a52bb3dc9b6b725e725ab64ee2a4f
SHA1

78176de490ef034c8d3e9fd47682c8d1388be486
SHA256

3a7b3e8f648eef95b7eb3a702d6d5e3dc02c3071837fbcd9f10e06881e4b8022
SHA512

8f6d7ae22d8b59876b845d2013f4b6a9ffa5f6a5785d964faf9fb5d06955483787fe669177d1f9787b68596e58395fa4c81a1fcbdfe902f9aab26d76ba09f98e
SSDEEP

3072:gzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIRtPl1W4F0MpeCWBxwEJce:gLV6Bta6dtJmakIM5KlY4yMpeCoxwET

Score

10^/10

nanocore discovery evasion keylogger spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	aa.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 18 IoCs

Web Service

T1102

flow	ioc
148	2.tcp.eu.ngrok.io
39	2.tcp.eu.ngrok.io
66	2.tcp.eu.ngrok.io
139	2.tcp.eu.ngrok.io
115	2.tcp.eu.ngrok.io
142	2.tcp.eu.ngrok.io
56	2.tcp.eu.ngrok.io
68	2.tcp.eu.ngrok.io
100	2.tcp.eu.ngrok.io
63	2.tcp.eu.ngrok.io
146	2.tcp.eu.ngrok.io
3	2.tcp.eu.ngrok.io
25	2.tcp.eu.ngrok.io
50	2.tcp.eu.ngrok.io
150	2.tcp.eu.ngrok.io
18	2.tcp.eu.ngrok.io
113	2.tcp.eu.ngrok.io
144	2.tcp.eu.ngrok.io

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Crashpad\metadata	setup.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aa.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133720828119531926"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2356	aa.exe
2356	aa.exe
2356	aa.exe
2356	aa.exe
2356	aa.exe
2356	aa.exe
2356	aa.exe
2356	aa.exe
2356	aa.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
2356	aa.exe
2356	aa.exe
2356	aa.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
2356	aa.exe
2356	aa.exe
2356	aa.exe
3480	taskmgr.exe
3480	taskmgr.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
2356	aa.exe
2356	aa.exe
2356	aa.exe
2356	aa.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2356	aa.exe
3480	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2356	aa.exe
Token: SeDebugPrivilege	3480	taskmgr.exe
Token: SeSystemProfilePrivilege	3480	taskmgr.exe
Token: SeCreateGlobalPrivilege	3480	taskmgr.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe
Token: SeShutdownPrivilege	1676	chrome.exe
Token: SeCreatePagefilePrivilege	1676	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
3480	taskmgr.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 820	1676	chrome.exe	100
PID 1676 wrote to memory of 820	1676	chrome.exe	100
PID 1676 wrote to memory of 1376	1676	chrome.exe	101
PID 1676 wrote to memory of 1376	1676	chrome.exe	101
PID 1676 wrote to memory of 1376	1676	chrome.exe	101
PID 1676 wrote to memory of 1376	1676	chrome.exe	101
PID 1676 wrote to memory of 1376	1676	chrome.exe	101
PID 1676 wrote to memory of 1376	1676	chrome.exe	101
PID 1676 wrote to memory of 1376	1676	chrome.exe	101
PID 1676 wrote to memory of 1376	1676	chrome.exe	101
PID 1676 wrote to memory of 1376	1676	chrome.exe	101
PID 1676 wrote to memory of 1376	1676	chrome.exe	101
PID 1676 wrote to memory of 1376	1676	chrome.exe	101
PID 1676 wrote to memory of 1376	1676	chrome.exe	101
PID 1676 wrote to memory of 1376	1676	chrome.exe	101
PID 1676 wrote to memory of 1376	1676	chrome.exe	101
PID 1676 wrote to memory of 1376	1676	chrome.exe	101
PID 1676 wrote to memory of 1376	1676	chrome.exe	101
PID 1676 wrote to memory of 1376	1676	chrome.exe	101
PID 1676 wrote to memory of 1376	1676	chrome.exe	101
PID 1676 wrote to memory of 1376	1676	chrome.exe	101
PID 1676 wrote to memory of 1376	1676	chrome.exe	101
PID 1676 wrote to memory of 1376	1676	chrome.exe	101
PID 1676 wrote to memory of 1376	1676	chrome.exe	101
PID 1676 wrote to memory of 1376	1676	chrome.exe	101
PID 1676 wrote to memory of 1376	1676	chrome.exe	101
PID 1676 wrote to memory of 1376	1676	chrome.exe	101
PID 1676 wrote to memory of 1376	1676	chrome.exe	101
PID 1676 wrote to memory of 1376	1676	chrome.exe	101
PID 1676 wrote to memory of 1376	1676	chrome.exe	101
PID 1676 wrote to memory of 1376	1676	chrome.exe	101
PID 1676 wrote to memory of 1376	1676	chrome.exe	101
PID 1676 wrote to memory of 2236	1676	chrome.exe	102
PID 1676 wrote to memory of 2236	1676	chrome.exe	102
PID 1676 wrote to memory of 4244	1676	chrome.exe	103
PID 1676 wrote to memory of 4244	1676	chrome.exe	103
PID 1676 wrote to memory of 4244	1676	chrome.exe	103
PID 1676 wrote to memory of 4244	1676	chrome.exe	103
PID 1676 wrote to memory of 4244	1676	chrome.exe	103
PID 1676 wrote to memory of 4244	1676	chrome.exe	103
PID 1676 wrote to memory of 4244	1676	chrome.exe	103
PID 1676 wrote to memory of 4244	1676	chrome.exe	103
PID 1676 wrote to memory of 4244	1676	chrome.exe	103
PID 1676 wrote to memory of 4244	1676	chrome.exe	103
PID 1676 wrote to memory of 4244	1676	chrome.exe	103
PID 1676 wrote to memory of 4244	1676	chrome.exe	103
PID 1676 wrote to memory of 4244	1676	chrome.exe	103
PID 1676 wrote to memory of 4244	1676	chrome.exe	103
PID 1676 wrote to memory of 4244	1676	chrome.exe	103
PID 1676 wrote to memory of 4244	1676	chrome.exe	103
PID 1676 wrote to memory of 4244	1676	chrome.exe	103
PID 1676 wrote to memory of 4244	1676	chrome.exe	103
PID 1676 wrote to memory of 4244	1676	chrome.exe	103
PID 1676 wrote to memory of 4244	1676	chrome.exe	103
PID 1676 wrote to memory of 4244	1676	chrome.exe	103
PID 1676 wrote to memory of 4244	1676	chrome.exe	103
PID 1676 wrote to memory of 4244	1676	chrome.exe	103
PID 1676 wrote to memory of 4244	1676	chrome.exe	103
PID 1676 wrote to memory of 4244	1676	chrome.exe	103
PID 1676 wrote to memory of 4244	1676	chrome.exe	103
PID 1676 wrote to memory of 4244	1676	chrome.exe	103
PID 1676 wrote to memory of 4244	1676	chrome.exe	103
PID 1676 wrote to memory of 4244	1676	chrome.exe	103
PID 1676 wrote to memory of 4244	1676	chrome.exe	103

C:\Users\Admin\AppData\Local\Temp\aa.exe
"C:\Users\Admin\AppData\Local\Temp\aa.exe"
1⤵
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3480

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1184

C:\Users\Admin\AppData\Local\Temp\aa.exe
"C:\Users\Admin\AppData\Local\Temp\aa.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffa774ecc40,0x7ffa774ecc4c,0x7ffa774ecc58
  2⤵
  PID:820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1952,i,13066517365089923642,12595425282682575775,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1948 /prefetch:2
  2⤵
  PID:1376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2104,i,13066517365089923642,12595425282682575775,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2124 /prefetch:3
  2⤵
  PID:2236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2300,i,13066517365089923642,12595425282682575775,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2440 /prefetch:8
  2⤵
  PID:4244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,13066517365089923642,12595425282682575775,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:3016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3328,i,13066517365089923642,12595425282682575775,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3704,i,13066517365089923642,12595425282682575775,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4620 /prefetch:1
  2⤵
  PID:736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4768,i,13066517365089923642,12595425282682575775,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4808 /prefetch:8
  2⤵
  PID:3324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4824,i,13066517365089923642,12595425282682575775,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4560 /prefetch:8
  2⤵
  PID:2080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4924,i,13066517365089923642,12595425282682575775,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5056 /prefetch:8
  2⤵
  PID:4728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4728,i,13066517365089923642,12595425282682575775,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5056 /prefetch:8
  2⤵
  PID:2396
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Program Files directory
  PID:1664
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x7ff7f8024698,0x7ff7f80246a4,0x7ff7f80246b0
    3⤵
    - Drops file in Program Files directory
    PID:3524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5144,i,13066517365089923642,12595425282682575775,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4900 /prefetch:1
  2⤵
  PID:4576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4612,i,13066517365089923642,12595425282682575775,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5148 /prefetch:1
  2⤵
  PID:3236

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
468a848a30db1d7f5f6fd17ec8071c38

SHA1
a273f91853e98959987b7466912d430e7c508d44

SHA256
594de0a89a8abc11e1ae5e525954703f4f48698a6ede6ab449972b57a3f5eaba

SHA512
aa62c7371f8e2d96ef57fd465b387647b7a08660932b68e0be05c2e728e66340f87b7d16eb85d6eca7e9aabd21de3ebf4fb2ddb770b981452bb72b5ff0507363

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
56fa9f3ab914d38264e324a09ed8a051

SHA1
b0e3c1d12d2603b53d774c6b8657d5dc974afd08

SHA256
72610bb6f64c4412baa9a04752c9e1772d52d14e9f5bf33fb66c8a5d6f51fcf4

SHA512
e85bc6d512c5c704a7d461fd65bf0a04acded9917092fe9ef8e7f3c876b19a732cff4fc396e5f10b0fb540b981e8b23a0feded43732be6e42955203052cf52fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\593c1280-8d6f-434c-b64c-2696cac51f72.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
e9abeee2bf5762820b4717f04eeabecd

SHA1
20b6a29c8864bbb0cc6cc8dbd8090e7185306717

SHA256
8df9c608531b2793a8e83adb39b30ba7ebd67a8714e03efed21df8b09edcdd77

SHA512
802954e135590de3c55a172b64eadb576cb9fb7692c8607923675f0e87b25a2db51b17e37e78662ea5dd7b27f4e779c5cbfb7f64a41035101daf48dbfa0cebd7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
684B

MD5
447424e482bee977f6e34826f0c4abe7

SHA1
26b52798ee6dfe7a249686373161cb59411b1fc8

SHA256
5c3c903f49ab6dc0e2a00cd65a199c034ea1581f408988a177d5691687af65d3

SHA512
8a06bc60261944990b8e238194848677ff5cad0c736119f53db9d0cc15f4b28bff316d4d1f9558363982f2dcfb3d50120a95e34fdac579092334c4f88c478eb8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
684B

MD5
a656a4b94d36d2c839c01a3e8f60cdb6

SHA1
048705331feaaa50d96175700112b2bc74e8a656

SHA256
ae4daeb968bf9e3dc1599781ba1ed1f8ad0a0ce326484255a0bf2663b3b9a985

SHA512
134344fed876d2359b456b8fb1f2c2a0994ee0b8548d4440c4cb25b112981ce416bcbb40782dd6b01aa4cd95712721702fead57160cc9a2ba1b6e44582c28646

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ceb4dcebbabc4ff1162627a14402ff11

SHA1
ddff419bd8f4ec504886dc6a349f4a7e32b063b4

SHA256
5faa58231db5ae10769332a3d52d771ba863917f8db3dea706ebb7efdfee4a30

SHA512
6749c50c38aeb87396a7d821ae7c1b1a10f9e604f97b3e460264085a095b1493586d37be4f5103d159400493a0c99c80b5fa5e0e507c0c5f61580d3fafcf6815

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a086c7b353c61e02844568139268ba13

SHA1
57235051c32eaeb0e913faf989c7e6643fe097c3

SHA256
19f7c57ca9b50ebb07857bce217f027126109087f9376b0744bd6591f232bf37

SHA512
f3adf9507b39ed8622330cd997784703c9629957e0577c5f90812605e70760465b1cae4a6c436270c3fec0e3982969bde893825a9ecbf291c979aeecf884b32a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2737e052b9bcdb2df013eed43380f140

SHA1
831b33e0f8f0b9d975bc0e9634a24e2362a22768

SHA256
5fd2597d09d83d0fa2147121043dee6526c420c458bf06f59f992e7d8ec63691

SHA512
55aee0d2bf3976d270651954f2d45c419105cad63d2a719b024ba0eafe6b6baee6cd88e324c593b5b3d5fbde5c32733c93fb6d06249e16a923b4f9ea75229138

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ed44e10e12ecb1df1e577e7bfcbe3283

SHA1
342d6f48fd5af12457e40ccda93ecff6fb4bc673

SHA256
c8ffffca85038f519534358547fb765fdccb2ba6161698433961568c30740368

SHA512
09fd0b54ec84386eee3df7f9b579d3271747b194e7dda20e014fa2c2203348cdddb630d945255a3c1dd443da6ebb5c33d78c8f2b10b0d91e13e3bfab97b465c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
86cfe45c05f60b6ba59309a29010c7cc

SHA1
4ec80aae145461fed589a303c598bf0e6d956379

SHA256
0ae3dfb3dca27aa71f0220c4a9fdd298e2f74d10362a6d4227a75c971cdc0c39

SHA512
65b1ecd6b94a1d632231994f3f6c2ce58cc5a0b5e7afa9da0df5f68ebb5dc77dca5488942ab29ee7993e8ca36272d76014c8960f93d883764b086e3500c7bc76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
0a72d86f804274b3fd954ee8e251b870

SHA1
eef5f29b1d7675b8daf9235b56e0012d60252c5a

SHA256
641c0e978801003dcee692cd97a56247544559963cacd6cc9e5c7536be6ed4cc

SHA512
180d0be2896eb1feddc08b0b46e4dd406f506b9d184a980de5499299b77976c3988b7948765c529001cf715d5a613490b51b81fea02d04263a5061fd14382b81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
212KB

MD5
d4d94d2aeba1510f0e55b48dc9f6bd63

SHA1
636cceb7ebafef9e17f972830e363518b7959842

SHA256
1787a0c9175e55a9f4cd8405b163b9280dd422430ca100aa26365c889741c752

SHA512
8f451d24ad4b16ae3fc2a233b246ba8b53dd249d2a5444c4b5e77ae1cfd2b0095b5cd07400948744e4a638ee92bcee6713d1627c72a93f41e5cacceaf057cd9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
212KB

MD5
4ddb620351fe8d5b0634f8b258b1484d

SHA1
3253e20ce9928784b39b422f12bf6238b29ac409

SHA256
d39b58ec9a0551aeb2106c6f25e2847d8254041a2e7f40e88713928d76e7cd0d

SHA512
cb24336d65ee759e12a05a747540b2d642b535cc5db08d5a52f54ec14c08d6e8beb818e21d7942b4c25211a1d52bbd6457deb646e63aad4398885dc88a3a9489

Download Submit
memory/2356-0-0x0000000074FA2000-0x0000000074FA3000-memory.dmp

Filesize
4KB

Download
memory/2356-8-0x0000000074FA0000-0x0000000075551000-memory.dmp

Filesize
5.7MB

Download
memory/2356-7-0x0000000074FA0000-0x0000000075551000-memory.dmp

Filesize
5.7MB

Download
memory/2356-6-0x0000000074FA0000-0x0000000075551000-memory.dmp

Filesize
5.7MB

Download
memory/2356-5-0x0000000074FA2000-0x0000000074FA3000-memory.dmp

Filesize
4KB

Download
memory/2356-4-0x0000000074FA0000-0x0000000075551000-memory.dmp

Filesize
5.7MB

Download
memory/2356-2-0x0000000074FA0000-0x0000000075551000-memory.dmp

Filesize
5.7MB

Download
memory/2356-1-0x0000000074FA0000-0x0000000075551000-memory.dmp

Filesize
5.7MB

Download
memory/3480-9-0x000001FAB9750000-0x000001FAB9751000-memory.dmp

Filesize
4KB

Download
memory/3480-15-0x000001FAB9750000-0x000001FAB9751000-memory.dmp

Filesize
4KB

Download
memory/3480-17-0x000001FAB9750000-0x000001FAB9751000-memory.dmp

Filesize
4KB

Download
memory/3480-16-0x000001FAB9750000-0x000001FAB9751000-memory.dmp

Filesize
4KB

Download
memory/3480-19-0x000001FAB9750000-0x000001FAB9751000-memory.dmp

Filesize
4KB

Download
memory/3480-20-0x000001FAB9750000-0x000001FAB9751000-memory.dmp

Filesize
4KB

Download
memory/3480-21-0x000001FAB9750000-0x000001FAB9751000-memory.dmp

Filesize
4KB

Download
memory/3480-18-0x000001FAB9750000-0x000001FAB9751000-memory.dmp

Filesize
4KB

Download
memory/3480-10-0x000001FAB9750000-0x000001FAB9751000-memory.dmp

Filesize
4KB

Download
memory/3480-11-0x000001FAB9750000-0x000001FAB9751000-memory.dmp

Filesize
4KB

Download