5764fed31b533e202f88d735a531f70a4ee3f66bb856afa4277872a758e6b578

Analysis

max time kernel
100s
max time network
102s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
04-10-2024 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.html
Size

299B
MD5

66b56e5161f020eb41a31adcb0ed2c0e
SHA1

8d4297d99520825f3012334e6d30613b6d2df462
SHA256

5764fed31b533e202f88d735a531f70a4ee3f66bb856afa4277872a758e6b578
SHA512

1241b0fcd9ec6d581be40f956187ddfa04ec646cd3bdef0e82753c6fc7a8910b64cc71deeed1185f1e2401dc7e2f622337caf7b3a2639c0622cc777289282597

Score

8^/10

defense_evasion discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1436	ReShade_Setup_6.3.1.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\ReShade_Setup_6.3.1.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133725535550837734"	chrome.exe

Modifies registry class 26 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings	ReShade_Setup_6.3.1.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	ReShade_Setup_6.3.1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	ReShade_Setup_6.3.1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	ReShade_Setup_6.3.1.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	ReShade_Setup_6.3.1.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	ReShade_Setup_6.3.1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	ReShade_Setup_6.3.1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	ReShade_Setup_6.3.1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	ReShade_Setup_6.3.1.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	ReShade_Setup_6.3.1.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	ReShade_Setup_6.3.1.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	ReShade_Setup_6.3.1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	ReShade_Setup_6.3.1.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	ReShade_Setup_6.3.1.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	ReShade_Setup_6.3.1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	ReShade_Setup_6.3.1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	ReShade_Setup_6.3.1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	ReShade_Setup_6.3.1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	ReShade_Setup_6.3.1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	ReShade_Setup_6.3.1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	ReShade_Setup_6.3.1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	ReShade_Setup_6.3.1.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	ReShade_Setup_6.3.1.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	ReShade_Setup_6.3.1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	ReShade_Setup_6.3.1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	ReShade_Setup_6.3.1.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\ReShade_Setup_6.3.1.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5300	chrome.exe
5300	chrome.exe
5300	chrome.exe
5300	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
5300	chrome.exe
5300	chrome.exe
5300	chrome.exe
5300	chrome.exe
5300	chrome.exe
5300	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5300	chrome.exe
Token: SeCreatePagefilePrivilege	5300	chrome.exe
Token: SeShutdownPrivilege	5300	chrome.exe
Token: SeCreatePagefilePrivilege	5300	chrome.exe
Token: SeShutdownPrivilege	5300	chrome.exe
Token: SeCreatePagefilePrivilege	5300	chrome.exe
Token: SeShutdownPrivilege	5300	chrome.exe
Token: SeCreatePagefilePrivilege	5300	chrome.exe
Token: SeShutdownPrivilege	5300	chrome.exe
Token: SeCreatePagefilePrivilege	5300	chrome.exe
Token: SeShutdownPrivilege	5300	chrome.exe
Token: SeCreatePagefilePrivilege	5300	chrome.exe
Token: SeShutdownPrivilege	5300	chrome.exe
Token: SeCreatePagefilePrivilege	5300	chrome.exe
Token: SeShutdownPrivilege	5300	chrome.exe
Token: SeCreatePagefilePrivilege	5300	chrome.exe
Token: SeShutdownPrivilege	5300	chrome.exe
Token: SeCreatePagefilePrivilege	5300	chrome.exe
Token: SeShutdownPrivilege	5300	chrome.exe
Token: SeCreatePagefilePrivilege	5300	chrome.exe
Token: SeShutdownPrivilege	5300	chrome.exe
Token: SeCreatePagefilePrivilege	5300	chrome.exe
Token: SeShutdownPrivilege	5300	chrome.exe
Token: SeCreatePagefilePrivilege	5300	chrome.exe
Token: SeShutdownPrivilege	5300	chrome.exe
Token: SeCreatePagefilePrivilege	5300	chrome.exe
Token: SeShutdownPrivilege	5300	chrome.exe
Token: SeCreatePagefilePrivilege	5300	chrome.exe
Token: SeShutdownPrivilege	5300	chrome.exe
Token: SeCreatePagefilePrivilege	5300	chrome.exe
Token: SeShutdownPrivilege	5300	chrome.exe
Token: SeCreatePagefilePrivilege	5300	chrome.exe
Token: SeShutdownPrivilege	5300	chrome.exe
Token: SeCreatePagefilePrivilege	5300	chrome.exe
Token: SeShutdownPrivilege	5300	chrome.exe
Token: SeCreatePagefilePrivilege	5300	chrome.exe
Token: SeShutdownPrivilege	5300	chrome.exe
Token: SeCreatePagefilePrivilege	5300	chrome.exe
Token: SeShutdownPrivilege	5300	chrome.exe
Token: SeCreatePagefilePrivilege	5300	chrome.exe
Token: SeShutdownPrivilege	5300	chrome.exe
Token: SeCreatePagefilePrivilege	5300	chrome.exe
Token: SeShutdownPrivilege	5300	chrome.exe
Token: SeCreatePagefilePrivilege	5300	chrome.exe
Token: SeShutdownPrivilege	5300	chrome.exe
Token: SeCreatePagefilePrivilege	5300	chrome.exe
Token: SeShutdownPrivilege	5300	chrome.exe
Token: SeCreatePagefilePrivilege	5300	chrome.exe
Token: SeShutdownPrivilege	5300	chrome.exe
Token: SeCreatePagefilePrivilege	5300	chrome.exe
Token: SeShutdownPrivilege	5300	chrome.exe
Token: SeCreatePagefilePrivilege	5300	chrome.exe
Token: SeShutdownPrivilege	5300	chrome.exe
Token: SeCreatePagefilePrivilege	5300	chrome.exe
Token: SeShutdownPrivilege	5300	chrome.exe
Token: SeCreatePagefilePrivilege	5300	chrome.exe
Token: SeShutdownPrivilege	5300	chrome.exe
Token: SeCreatePagefilePrivilege	5300	chrome.exe
Token: SeShutdownPrivilege	5300	chrome.exe
Token: SeCreatePagefilePrivilege	5300	chrome.exe
Token: SeShutdownPrivilege	5300	chrome.exe
Token: SeCreatePagefilePrivilege	5300	chrome.exe
Token: SeShutdownPrivilege	5300	chrome.exe
Token: SeCreatePagefilePrivilege	5300	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
5300	chrome.exe
5300	chrome.exe
5300	chrome.exe
5300	chrome.exe
5300	chrome.exe
5300	chrome.exe
5300	chrome.exe
5300	chrome.exe
5300	chrome.exe
5300	chrome.exe
5300	chrome.exe
5300	chrome.exe
5300	chrome.exe
5300	chrome.exe
5300	chrome.exe
5300	chrome.exe
5300	chrome.exe
5300	chrome.exe
5300	chrome.exe
5300	chrome.exe
5300	chrome.exe
5300	chrome.exe
5300	chrome.exe
5300	chrome.exe
5300	chrome.exe
5300	chrome.exe
5300	chrome.exe
5300	chrome.exe
5300	chrome.exe
5300	chrome.exe
5300	chrome.exe
5300	chrome.exe
5300	chrome.exe
5300	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
5300	chrome.exe
5300	chrome.exe
5300	chrome.exe
5300	chrome.exe
5300	chrome.exe
5300	chrome.exe
5300	chrome.exe
5300	chrome.exe
5300	chrome.exe
5300	chrome.exe
5300	chrome.exe
5300	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1436	ReShade_Setup_6.3.1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5300 wrote to memory of 2808	5300	chrome.exe	78
PID 5300 wrote to memory of 2808	5300	chrome.exe	78
PID 5300 wrote to memory of 4940	5300	chrome.exe	79
PID 5300 wrote to memory of 4940	5300	chrome.exe	79
PID 5300 wrote to memory of 4940	5300	chrome.exe	79
PID 5300 wrote to memory of 4940	5300	chrome.exe	79
PID 5300 wrote to memory of 4940	5300	chrome.exe	79
PID 5300 wrote to memory of 4940	5300	chrome.exe	79
PID 5300 wrote to memory of 4940	5300	chrome.exe	79
PID 5300 wrote to memory of 4940	5300	chrome.exe	79
PID 5300 wrote to memory of 4940	5300	chrome.exe	79
PID 5300 wrote to memory of 4940	5300	chrome.exe	79
PID 5300 wrote to memory of 4940	5300	chrome.exe	79
PID 5300 wrote to memory of 4940	5300	chrome.exe	79
PID 5300 wrote to memory of 4940	5300	chrome.exe	79
PID 5300 wrote to memory of 4940	5300	chrome.exe	79
PID 5300 wrote to memory of 4940	5300	chrome.exe	79
PID 5300 wrote to memory of 4940	5300	chrome.exe	79
PID 5300 wrote to memory of 4940	5300	chrome.exe	79
PID 5300 wrote to memory of 4940	5300	chrome.exe	79
PID 5300 wrote to memory of 4940	5300	chrome.exe	79
PID 5300 wrote to memory of 4940	5300	chrome.exe	79
PID 5300 wrote to memory of 4940	5300	chrome.exe	79
PID 5300 wrote to memory of 4940	5300	chrome.exe	79
PID 5300 wrote to memory of 4940	5300	chrome.exe	79
PID 5300 wrote to memory of 4940	5300	chrome.exe	79
PID 5300 wrote to memory of 4940	5300	chrome.exe	79
PID 5300 wrote to memory of 4940	5300	chrome.exe	79
PID 5300 wrote to memory of 4940	5300	chrome.exe	79
PID 5300 wrote to memory of 4940	5300	chrome.exe	79
PID 5300 wrote to memory of 4940	5300	chrome.exe	79
PID 5300 wrote to memory of 4940	5300	chrome.exe	79
PID 5300 wrote to memory of 2996	5300	chrome.exe	80
PID 5300 wrote to memory of 2996	5300	chrome.exe	80
PID 5300 wrote to memory of 5148	5300	chrome.exe	81
PID 5300 wrote to memory of 5148	5300	chrome.exe	81
PID 5300 wrote to memory of 5148	5300	chrome.exe	81
PID 5300 wrote to memory of 5148	5300	chrome.exe	81
PID 5300 wrote to memory of 5148	5300	chrome.exe	81
PID 5300 wrote to memory of 5148	5300	chrome.exe	81
PID 5300 wrote to memory of 5148	5300	chrome.exe	81
PID 5300 wrote to memory of 5148	5300	chrome.exe	81
PID 5300 wrote to memory of 5148	5300	chrome.exe	81
PID 5300 wrote to memory of 5148	5300	chrome.exe	81
PID 5300 wrote to memory of 5148	5300	chrome.exe	81
PID 5300 wrote to memory of 5148	5300	chrome.exe	81
PID 5300 wrote to memory of 5148	5300	chrome.exe	81
PID 5300 wrote to memory of 5148	5300	chrome.exe	81
PID 5300 wrote to memory of 5148	5300	chrome.exe	81
PID 5300 wrote to memory of 5148	5300	chrome.exe	81
PID 5300 wrote to memory of 5148	5300	chrome.exe	81
PID 5300 wrote to memory of 5148	5300	chrome.exe	81
PID 5300 wrote to memory of 5148	5300	chrome.exe	81
PID 5300 wrote to memory of 5148	5300	chrome.exe	81
PID 5300 wrote to memory of 5148	5300	chrome.exe	81
PID 5300 wrote to memory of 5148	5300	chrome.exe	81
PID 5300 wrote to memory of 5148	5300	chrome.exe	81
PID 5300 wrote to memory of 5148	5300	chrome.exe	81
PID 5300 wrote to memory of 5148	5300	chrome.exe	81
PID 5300 wrote to memory of 5148	5300	chrome.exe	81
PID 5300 wrote to memory of 5148	5300	chrome.exe	81
PID 5300 wrote to memory of 5148	5300	chrome.exe	81
PID 5300 wrote to memory of 5148	5300	chrome.exe	81
PID 5300 wrote to memory of 5148	5300	chrome.exe	81

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff3be0cc40,0x7fff3be0cc4c,0x7fff3be0cc58
  2⤵
  PID:2808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1876,i,238033507605570188,3490207797367610048,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1872 /prefetch:2
  2⤵
  PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1384,i,238033507605570188,3490207797367610048,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2144 /prefetch:3
  2⤵
  PID:2996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2164,i,238033507605570188,3490207797367610048,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2376 /prefetch:8
  2⤵
  PID:5148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,238033507605570188,3490207797367610048,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3088 /prefetch:1
  2⤵
  PID:2312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3092,i,238033507605570188,3490207797367610048,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3128 /prefetch:1
  2⤵
  PID:4192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4528,i,238033507605570188,3490207797367610048,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4540 /prefetch:8
  2⤵
  PID:3368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4536,i,238033507605570188,3490207797367610048,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4552 /prefetch:1
  2⤵
  PID:2844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4948,i,238033507605570188,3490207797367610048,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4960 /prefetch:1
  2⤵
  PID:2208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4912,i,238033507605570188,3490207797367610048,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4964 /prefetch:8
  2⤵
  PID:5392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5216,i,238033507605570188,3490207797367610048,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3284 /prefetch:8
  2⤵
  PID:3040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4880,i,238033507605570188,3490207797367610048,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5196 /prefetch:1
  2⤵
  PID:1368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3680,i,238033507605570188,3490207797367610048,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:5808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5500,i,238033507605570188,3490207797367610048,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4832 /prefetch:8
  2⤵
  PID:3988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3176,i,238033507605570188,3490207797367610048,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5516 /prefetch:8
  2⤵
  PID:5732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=212,i,238033507605570188,3490207797367610048,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5532 /prefetch:8
  2⤵
  PID:5548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4980,i,238033507605570188,3490207797367610048,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5580 /prefetch:8
  2⤵
  PID:3992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5424,i,238033507605570188,3490207797367610048,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5388 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:6052

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2152

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:6004

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1460

C:\Users\Admin\Downloads\ReShade_Setup_6.3.1.exe
"C:\Users\Admin\Downloads\ReShade_Setup_6.3.1.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
4b35e0a9786fc0f858d6576f5aae0a3f

SHA1
36e3cc2074b6ebcb56a8e1af983aa1d6475cc411

SHA256
1185de6ab526d6bcc37f9c1d288b168cb4b2a0cb20abea931ff2fb6ae8159fd4

SHA512
805ce4015e021125cb6d05f78b82ba1174f14b6306dcbfea88c9e14e80e8e7062296176ac8458f629c119a3e6085f6497eacaeeb2b0e38b54c2de78bcea54d8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000017

Filesize
16KB

MD5
87962d4980fb1872501f664d35490f20

SHA1
a2792fa3fd1ca5c26565687f0b2fbde51427d09e

SHA256
d1abb9a58094123d136c77d654642cb557e0286a7bd83bb789009fd0186d8d9f

SHA512
9e513c870458c65fedac2afe52197ca2052aca35741a517d60eb5ceadca89d046c3b47fb5d3ecc4aff8d14b19630a7ff5be0d3a13f06af75abd85e2ec2f6c72e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
960B

MD5
5ea85c1835b1ee5bfa937e4efe0b9913

SHA1
befe495a898a095cd90f73b4bdc5f8a03788f6f4

SHA256
8870bb048d6cdd026c9dccd717f16980e03f6a0248b653aaa5895df243e02c94

SHA512
e049021d8b1ed179cb38a84acef1288957be035f19ac424d66bc5b2ec02ae61d4ca1cd42d408227184745ef7dc299925a01d2bafe3ee1d5f688013c0a3331658

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
8183510f6e3a520fa49369b020f84b19

SHA1
632e877cf3b405b6c80eb18781dbe9cdfb8f0455

SHA256
cfe95b188d33bc3fe55c74d3966d395fb04227f5970b46d738678c3a089f1825

SHA512
f09cd1c5c6283e6fcb0d4b9e4ea1ac85677ea44459dc5575e612325cd63ec24c29fa6344f0d2f17ee3746ae316a216b9ad52ec19606f65c169eafb50a645479c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
691B

MD5
9e23201b298b5f6a387ed32e3cc1bfc2

SHA1
51002eddc5d3d742d580dd2a00b4acd101e91d6a

SHA256
939b0c969a7c1f46a16590d39b02a2bbc0de7753670a461698733d957633d097

SHA512
313e4219de65e01399645ed7944344b5a27da36a3e01191813f8e1ccae472459d934a952484b568b5626f39bc8b14301f77ca2d2db23e1490e047fe5f07472a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
691B

MD5
0c9e6cb99dcd2a65aa065d7a2177f21b

SHA1
23435faf7bcf03037539afd2e3874663e5036158

SHA256
e89fc560ae9a2f3802d009a719422d798d90c514c861db823673c7c89f36d044

SHA512
638b25c84970a3feadbe7447947a18558ddeb28efd31ca61f0d39a15fc2bc8a76d974f026b86c4d610c100a92e0211377df6ca8737f5db63d613d52cb2cb1ec2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
39ca33125bd445199b2ce255d8c997cc

SHA1
b61039545c08b9b49b2c8123f7a387164b6e59c3

SHA256
3b625f471330f81a19e9fb38111cbbce05f9cc915e49a829b67be14776782e9b

SHA512
e342fd3b3bd770c8aede3e175c208b8474f873000882c7b81eae67bf283dc9cb92dacdf6ced1ebaf3c916b1cf0d68b6cb9e2d79313f04d06279fce14b6fc41d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e8ac845ede06d11b7f42967a975793cb

SHA1
ea5c00279626179af3163bd9706142bd078ea885

SHA256
8ae2d148381e5be9eba2fcf551dbe336a5d3d5fde4a038081991e9dcfda6bc58

SHA512
2a94dab680e0567e93093bcdca03fb0f38481323f3572722c0e00007a40e0286c01e89a8857aca7f25fbb3fa5e03b2b5dd1971f86882a6742a14957459d36590

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bb9e4adcb74e2d1a5b667c45b0a53ef4

SHA1
18d0d1c19f25ff23d6b8207bea576fee96d5c70b

SHA256
b319514ba0f06474333f979c3d7d3815a46d2e0a28a29a02dd7526d5a5e89a6d

SHA512
3480f8b6b3a3d0346b7c035c3f5621efcdeb50912c3b2255d5d69d359d4bc5d776ef2598c9a5c581abdff9873471badcaa80bb50e6dd7d41ce430cf332cc6c11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
aaee209997d19751f5c96a0aa5c24043

SHA1
5357258669ef4ad6057dabb36d745f0d018956b1

SHA256
5d5c74860e25317752533e5827c590fbae5b7b6176243d320e12bf2b480cdbd1

SHA512
473d850e699ded11dae178de2dc6977ac02e7d2328a468ca6302c988bf633acc4cf6346b9f60754d6bd190636b5b2d4bb92ec85c653fde8dde3b33c5c9883a0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c3effa81299ffd37077a3a599f653609

SHA1
a9f9bb8720f552f53d23cbd74e67854fb2d22f41

SHA256
5fa1a0516d28bc2d3e2638d44291a4c1497bddccb492a49ec3ea7a76dfb6e3a8

SHA512
8203843bb447ee6efed6a983617b6c6eb9c380a0483053c40f9d95759e58f2ceee5d880185c406ef2c5f877e2836a9e3527c3806ac0cbcc79c157e993798e349

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\f77284a1-12fe-4042-b077-6434a59ca461.tmp

Filesize
9KB

MD5
37552e0232b9bf96ce0398a9007084f3

SHA1
d0dc97afac659c68633c2450ba66652cd0ccbffd

SHA256
8721837db7626f7145fba527be1d2a24214b31391d78e10537c6ab87222e47fa

SHA512
769549ba441ef75319b64e68a3d78cbafe4c7cfaf6ea4218f786ddfc64c15bc12419121044c8c087e1f6a9bef502665d132b893d8a16b0d8f86f2b5adfc85da0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
100KB

MD5
a970b3bb5f26b4ec71601001a0d75652

SHA1
91c3c2766e35b0fef08adf97324805eb424237db

SHA256
e69628050e8666fff235cd5071a6ad28afe3d3ce3d7228b5d9c9074e0e5a77b7

SHA512
465d64baf19148965a505d60c43cdce18014c47070b36248160b92240c4c8f4bfb7d1b3fc5ea044c7d2e1f967d0d98ee342cda10115f893501ebe43c04074490

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
300b9069ad9f46348471c85d00566780

SHA1
23fa2752330f0cc448355811c5fa945ce80a8dbe

SHA256
e48a664cb612404f6b1f3babaa4d3b5d70c41fd4a0fc3f4d4b1f4b3719ab57b1

SHA512
ef2d3223c88e3c9a680a7800b18e53569bc4907f7ec61328740be927d737145ca7946cd35a7283f6c2565489c6d5fb7547aa7ec8c5d21ac9b1815d3b2c9a5bda

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
f14c97a7a1471f8742478cef709d1adc

SHA1
ad28fd8c05c34877e2aa20cd6b6758c37722f411

SHA256
51b462a154005acdfc17b0e222b53384164f627e048e15014195b8b7de7dd046

SHA512
b82ded227aa10364ead52242e49f45e70b387141dd44e1e86b4c9b3d2d55ea78e8f337a5a03c8d688af80923e7e9b7bdf52c9796e0deb68e198d4b901bc9aae6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
798f34129741b3a81d6ba6da90565a46

SHA1
efb907d5811dbfbfb54fb3266c556e60e5a39433

SHA256
3e0afb250c48a8dfe2c99bef951488d0f1195584fbadff6685db6ba0c366eae6

SHA512
5361ddeabdc6a04aa6cc102c701d5c8fb124f9a15ebd805440cfa7a7506e35aca5b09832353f0f64768607595e0029713099aa66c9e4ad5284d6e7aa3abf90df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
129KB

MD5
30e947fd55c26d16503ac0bd7e977eeb

SHA1
f8ae28115b18a9bae6b0234cb927eb82d6e1349a

SHA256
8059f48bbda8791c870a6b95e18c66237390c94f3cab1d529f15055f3e27505a

SHA512
a13e3c3f6892af0d21b3e94e2d26f763541d47f15ec3b8fc9533e83d80a372c9fb61862a8675767fa7b254b049ced19b13743b0c266655dcf121445727cb6a8d

Download Submit
C:\Users\Admin\Downloads\ReShade_Setup_6.3.1.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 433115.crdownload

Filesize
3.4MB

MD5
5cc5d58f29766c7db8789d2a7d1cebce

SHA1
18dc7a5aaed5ecd7592061a8965ac94edf8cfa0a

SHA256
7365deb5da99f948e94230bcf7dd763fe449e8fdc04004845c29aee1c73a4d10

SHA512
09644074ea90be26c427e2f57660b6a3e2758c66e76a1e2c80bcb604e8abc0c0c3b088fb5acf1d24c660c22edf96e607d18b947b25b81a7cc92cd31624fa51ce

Download Submit
memory/1436-292-0x00007FFF26F03000-0x00007FFF26F05000-memory.dmp

Filesize
8KB

Download
memory/1436-298-0x00007FFF26F00000-0x00007FFF279C2000-memory.dmp

Filesize
10.8MB

Download
memory/1436-293-0x000001FB9F540000-0x000001FB9F56A000-memory.dmp

Filesize
168KB

Download
memory/1436-294-0x00007FFF26F00000-0x00007FFF279C2000-memory.dmp

Filesize
10.8MB

Download
memory/1436-296-0x000001FBA12F0000-0x000001FBA1328000-memory.dmp

Filesize
224KB

Download
memory/1436-322-0x00007FFF26F03000-0x00007FFF26F05000-memory.dmp

Filesize
8KB

Download
memory/1436-323-0x00007FFF26F00000-0x00007FFF279C2000-memory.dmp

Filesize
10.8MB

Download
memory/1436-324-0x00007FFF26F00000-0x00007FFF279C2000-memory.dmp

Filesize
10.8MB

Download
memory/1436-326-0x00007FFF26F00000-0x00007FFF279C2000-memory.dmp

Filesize
10.8MB

Download
memory/1436-297-0x000001FB9FAD0000-0x000001FB9FADE000-memory.dmp

Filesize
56KB

Download
memory/1436-295-0x000001FB9FA30000-0x000001FB9FA38000-memory.dmp

Filesize
32KB

Download