fa4da01ef3e3d6eca87a36ba135e9b2084461a68e975895bc57050f6ab472def

Analysis

max time kernel
85s
max time network
87s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
04/10/2024, 05:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

noclip_[unknowncheats.me]_.exe
Size

556KB
MD5

e84e4da0f16e40521247870311efd7ac
SHA1

30683171aae1e7dd7288e3b1ad7ef1fbde632365
SHA256

fa4da01ef3e3d6eca87a36ba135e9b2084461a68e975895bc57050f6ab472def
SHA512

0b763636a40bf7bb09521859db1b78ea205bc17a6fe685851a1dce8d3f64a101267c56f706742a7c2dab0e61709924126793853ffa3f84bb706145e6817dbb2b
SSDEEP

12288:VRSNhZBlfA8/C8sSoC+PZE9O2bJIC0fDNNr:VsfA8K8J+O93l0fZF

Score

8^/10

discovery persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NalDrv\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\NalDrv.sys"	aIL9o.exe

Executes dropped EXE 1 IoCs

pid	Process
2804	aIL9o.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SoftwareDistribution\Download\aIL9o.sys	noclip_[unknowncheats.me]_.exe
File created	C:\Windows\SoftwareDistribution\Download\aIL9o.exe	noclip_[unknowncheats.me]_.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133724917503025329"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe
2156	noclip_[unknowncheats.me]_.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
2804	aIL9o.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSystemEnvironmentPrivilege	2804	aIL9o.exe
Token: SeDebugPrivilege	2804	aIL9o.exe
Token: SeLoadDriverPrivilege	2804	aIL9o.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe
Token: SeCreatePagefilePrivilege	2664	chrome.exe
Token: SeShutdownPrivilege	2664	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe
2664	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2804	2156	noclip_[unknowncheats.me]_.exe	80
PID 2156 wrote to memory of 2804	2156	noclip_[unknowncheats.me]_.exe	80
PID 2664 wrote to memory of 1228	2664	chrome.exe	85
PID 2664 wrote to memory of 1228	2664	chrome.exe	85
PID 2664 wrote to memory of 3916	2664	chrome.exe	86
PID 2664 wrote to memory of 3916	2664	chrome.exe	86
PID 2664 wrote to memory of 3916	2664	chrome.exe	86
PID 2664 wrote to memory of 3916	2664	chrome.exe	86
PID 2664 wrote to memory of 3916	2664	chrome.exe	86
PID 2664 wrote to memory of 3916	2664	chrome.exe	86
PID 2664 wrote to memory of 3916	2664	chrome.exe	86
PID 2664 wrote to memory of 3916	2664	chrome.exe	86
PID 2664 wrote to memory of 3916	2664	chrome.exe	86
PID 2664 wrote to memory of 3916	2664	chrome.exe	86
PID 2664 wrote to memory of 3916	2664	chrome.exe	86
PID 2664 wrote to memory of 3916	2664	chrome.exe	86
PID 2664 wrote to memory of 3916	2664	chrome.exe	86
PID 2664 wrote to memory of 3916	2664	chrome.exe	86
PID 2664 wrote to memory of 3916	2664	chrome.exe	86
PID 2664 wrote to memory of 3916	2664	chrome.exe	86
PID 2664 wrote to memory of 3916	2664	chrome.exe	86
PID 2664 wrote to memory of 3916	2664	chrome.exe	86
PID 2664 wrote to memory of 3916	2664	chrome.exe	86
PID 2664 wrote to memory of 3916	2664	chrome.exe	86
PID 2664 wrote to memory of 3916	2664	chrome.exe	86
PID 2664 wrote to memory of 3916	2664	chrome.exe	86
PID 2664 wrote to memory of 3916	2664	chrome.exe	86
PID 2664 wrote to memory of 3916	2664	chrome.exe	86
PID 2664 wrote to memory of 3916	2664	chrome.exe	86
PID 2664 wrote to memory of 3916	2664	chrome.exe	86
PID 2664 wrote to memory of 3916	2664	chrome.exe	86
PID 2664 wrote to memory of 3916	2664	chrome.exe	86
PID 2664 wrote to memory of 3916	2664	chrome.exe	86
PID 2664 wrote to memory of 3916	2664	chrome.exe	86
PID 2664 wrote to memory of 1200	2664	chrome.exe	87
PID 2664 wrote to memory of 1200	2664	chrome.exe	87
PID 2664 wrote to memory of 2028	2664	chrome.exe	88
PID 2664 wrote to memory of 2028	2664	chrome.exe	88
PID 2664 wrote to memory of 2028	2664	chrome.exe	88
PID 2664 wrote to memory of 2028	2664	chrome.exe	88
PID 2664 wrote to memory of 2028	2664	chrome.exe	88
PID 2664 wrote to memory of 2028	2664	chrome.exe	88
PID 2664 wrote to memory of 2028	2664	chrome.exe	88
PID 2664 wrote to memory of 2028	2664	chrome.exe	88
PID 2664 wrote to memory of 2028	2664	chrome.exe	88
PID 2664 wrote to memory of 2028	2664	chrome.exe	88
PID 2664 wrote to memory of 2028	2664	chrome.exe	88
PID 2664 wrote to memory of 2028	2664	chrome.exe	88
PID 2664 wrote to memory of 2028	2664	chrome.exe	88
PID 2664 wrote to memory of 2028	2664	chrome.exe	88
PID 2664 wrote to memory of 2028	2664	chrome.exe	88
PID 2664 wrote to memory of 2028	2664	chrome.exe	88
PID 2664 wrote to memory of 2028	2664	chrome.exe	88
PID 2664 wrote to memory of 2028	2664	chrome.exe	88
PID 2664 wrote to memory of 2028	2664	chrome.exe	88
PID 2664 wrote to memory of 2028	2664	chrome.exe	88
PID 2664 wrote to memory of 2028	2664	chrome.exe	88
PID 2664 wrote to memory of 2028	2664	chrome.exe	88
PID 2664 wrote to memory of 2028	2664	chrome.exe	88
PID 2664 wrote to memory of 2028	2664	chrome.exe	88
PID 2664 wrote to memory of 2028	2664	chrome.exe	88
PID 2664 wrote to memory of 2028	2664	chrome.exe	88
PID 2664 wrote to memory of 2028	2664	chrome.exe	88
PID 2664 wrote to memory of 2028	2664	chrome.exe	88

C:\Users\Admin\AppData\Local\Temp\noclip_[unknowncheats.me]_.exe
"C:\Users\Admin\AppData\Local\Temp\noclip_[unknowncheats.me]_.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\SoftwareDistribution\Download\aIL9o.exe
  "C:\Windows\SoftwareDistribution\Download\aIL9o.exe" -map C:\Windows\SoftwareDistribution\Download\aIL9o.sys
  2⤵
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:2804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeb123cc40,0x7ffeb123cc4c,0x7ffeb123cc58
  2⤵
  PID:1228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1896,i,16689809092256446594,16870054525214374526,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1892 /prefetch:2
  2⤵
  PID:3916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1392,i,16689809092256446594,16870054525214374526,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1928 /prefetch:3
  2⤵
  PID:1200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2188,i,16689809092256446594,16870054525214374526,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2344 /prefetch:8
  2⤵
  PID:2028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3052,i,16689809092256446594,16870054525214374526,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:2132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,16689809092256446594,16870054525214374526,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:2212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4248,i,16689809092256446594,16870054525214374526,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4368 /prefetch:8
  2⤵
  PID:2112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4516,i,16689809092256446594,16870054525214374526,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4544 /prefetch:1
  2⤵
  PID:2920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4684,i,16689809092256446594,16870054525214374526,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4676 /prefetch:8
  2⤵
  PID:4920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4804,i,16689809092256446594,16870054525214374526,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4820 /prefetch:8
  2⤵
  PID:4788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4896,i,16689809092256446594,16870054525214374526,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4868 /prefetch:8
  2⤵
  PID:3964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=212,i,16689809092256446594,16870054525214374526,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4476 /prefetch:8
  2⤵
  PID:4748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4712,i,16689809092256446594,16870054525214374526,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4236 /prefetch:8
  2⤵
  PID:996

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
cb8dd84145ac80dd6e7913a6c4d47aec

SHA1
0d2ea4dcdab6e39f115934cb11bc4a5e5e8c3d15

SHA256
983625c356ee1022f5eec3c615cdbe4f699512007d408716cfac78b4e7fb87e8

SHA512
10fe01675f0e47515bb12c04b1b1523aff8e9ced256e6bde15cad6f28c6d4140f3a640599ace7a772c5314167648eb76b8cb53f1f1256362e91adc46d8b29021

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\2ae3b3cd-4fce-4a4e-a8c9-94d32febcfc3.tmp

Filesize
356B

MD5
3d4a3a3021f28607745930e820161cc3

SHA1
fcef4779239205ea6c1e2a246fe9fd9d289ffe85

SHA256
8709b68c11695f49191e26f6b11e1177865c670e03544e2d87d8aa494d9f0d6c

SHA512
5670da2b482f8d2c7cfc4b009f14c0357c3db880925127c38e86e4979c05c0f63480354c38d9a7da74083d78152e9abf773a5e70b747016b75f1cfab82727284

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
51636236f04d18b18f6e0a1c3524dc8b

SHA1
d27cce04c4d74cf8124fc18f70877b5c17707a13

SHA256
93f4f0c643276708dc435eaabe12b64354d28426c6e18b220a87054294245411

SHA512
aaa9319d30f7f537cb7158990d360ef21c437b1190832f650bfc644d17f21e4e1cfd64a659b8a49d5961b529f1d75de0c678892defaea2209e0d227a03fee7df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e24bd7cfc22e6a28c7249221d786f0ce

SHA1
7d2b2d24336011fbe58b2cdd88a61e14201ae9ce

SHA256
d3d2c4edcd3a5fbc8b99895e9c97569cc6f7d993e4329ee69c6e0e218f300490

SHA512
2c116566b551c0c45c7c3b1a41b6c9b3919676b58b39875bf772c3d236d88fc9838ed7a78cdc7dbdc36b3158feffdab5b1af3a402a68d257c142a468a727f0e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ae6ae3618932fd863824a36f43c0d8d2

SHA1
91edd816b091b22ebb7bf0e83c0f782dbcd45c9c

SHA256
acbdbad7b1b10c858dc04aeb3d6956cac035dc3eb4e2bd02bdbb2f99f5305dbf

SHA512
20aaf83c7487097b9b9236d70b7d1e0d4049b64c6da768a00848ee6d1fcceb8587504ff1d487edf2f190f38a90cc9498329436cdbfc81e479f7d3f417e12f05f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
62613b3a251e886ae165b08f4f51e4c9

SHA1
4ff049eee8991bfdb8b011e4400d0b3dedca0273

SHA256
cc214170d0584188cae7c7a45a70a14b80e6cbca753317cffbaa09aa4888d723

SHA512
5d4e5f4ee9891cb5561f068d265526d3f6c016d524eb8f052e914415b9f5afc5ffad573565d700881ca971aa41ae810b332491c63d57fa085e4457f1f820aa8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a2899af74f83bfbf57ca66669d3d0838

SHA1
130ce292c74f932390ffa469aec0de3c23dd3b05

SHA256
ee30403abe2265bcdfdd6d5df8a0b6b265d44f3b46e526742ee8719032207af7

SHA512
03f2fba4326e122ab18bf16af02c03506dbcd49556ecaa2b8e0e85fc91a49b0b6dbac23bfb639d8186717345ca314d282141599344f19786a9fe50d45409a7fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1529c17627a76061684f2ac156b6e285

SHA1
b72e151050f0a4ba0eb2f8367554a4a9befef39c

SHA256
acd8a09b318dbc0b4f77cae518e195d3f30b6e1f69cb401c9204f9647776d4a4

SHA512
c0eab8c33c48b0f3149c701ceadec446830879b0b56ae6eef712112f10fad62fbbcb62dac86f5cd13cc76a155cdd3b74a5f9b9129b1f6be056962005511bb828

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
13KB

MD5
14c60dbe68f3883ebd104c18d070521d

SHA1
08bfa11ae9cac8509555f854f4461ec375b992e6

SHA256
062e9f37a3baba2276ea137c8ddf7857d4c17c73d8603723d26cc77eb1ba77b4

SHA512
63c11deef51d3ca994dc1e4a0821f56561893fa4817f1799cf45b2091e939e1e004871db2c15f7675370d1185c3ad47743cf72767aefddb358010ef14226bbe7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
b57691b237143ae4754ca83516605466

SHA1
369b578029f5481672895448e5fe1c4562c08695

SHA256
c9e643d3992550e464a86b22109d6e8113007cc560b6ac68e0eaebb95cf4ca6f

SHA512
a0185bf5a4079a08f51912820bf03b3111fce207eccb708d9e7de35cf9cb3a505f2ad0e9125eaf8ed499a28c4650511e4fec839b24fce2e62854263d7800a340

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
213KB

MD5
ddefae888386e98c91f24bfc688ced1e

SHA1
9a7518d1af05be6e1aeea6dec43dd18653fe7f93

SHA256
d29dd55e6da07156b8242be6008bcf934fb77ca1ce6f23e394ceb1437d5fda44

SHA512
771533965a6fabfab97a5c094fdb6fb47c2c3c0e32c3d8aceb26e9a905d04978c80465c8d7c2a9c64d97b8fe64465accfccfa1b253a85ca495117dce3cc516af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
242KB

MD5
31329b7c827fcd89e77eec948b99ca33

SHA1
dc66aa30f057a309b1b261a68efb353d9bc69c0a

SHA256
e6d6e885cbdcfe664a3a653eb1aae3dfa815a4f44ebe30e0e605dd114b8e4cb8

SHA512
e72b81e320c5a57f43a2699e0485cc17449fb7c5b9d9122a642b252e5112b78548fca6cfffef2e050da0d53a9aa50d89ef82c4849c4b33b74dd24d548702146e

Download Submit
C:\Windows\SoftwareDistribution\Download\aIL9o.exe

Filesize
260KB

MD5
083c6c05ac5875d0b6e997e894ca07bc

SHA1
69d0116998e8a70db5852fccb86d45975ce88a9a

SHA256
03aefd40698cafbd48138784f362fb9a36f726fb50f262ca40695729f7b553ca

SHA512
fb0b9994f9ddadd825476ed19a8299ef90536dae58b4f3087145ca4033a63d4ae0da944ac8bf4e71324e1b63af755ab1d82019e55de6377b00c9812ed57f3fdf

Download Submit