c4d74e49c44c880ec1b4cdede24423872f931e617b33d6bdba31e0534a12b809

Resubmissions

09/11/2024, 22:49

241109-2r2veatfrl 10

09/11/2024, 22:47

09/11/2024, 22:46

09/11/2024, 22:44

07/11/2024, 16:00

10/02/2024, 17:17

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/11/2024, 22:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ggpermV3/woof.bat
Size

1KB
MD5

9dfe4e730dcc5e0d3951038ad2a095a1
SHA1

e033d9a40234b9544606ec4d603add264cb38841
SHA256

bfffd2faf6710e02912de0eec63b593f35a8bebef114932b4a4bc9c67fad59b8
SHA512

297e9950fd207687af957a94c5fb7d073bb89dcebdd6ee047fa0465f55bb95b42563c7310980bf1e41ca671a1f8c824e86dfe515b844f99f307965d199d8dbfd

Score

8^/10

discovery evasion execution

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\repository\OBJECTS.DATA	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\INDEX.BTR	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\OBJECTS.DATA	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\INDEX.BTR	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\WRITABLE.TST	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING2.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\WRITABLE.TST	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING3.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING3.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING1.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING1.MAP	svchost.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING2.MAP	svchost.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
692	sc.exe
4084	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
216	ipconfig.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133756662585331155"	chrome.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4780	chrome.exe
4780	chrome.exe

Suspicious behavior: LoadsDriver 26 IoCs

pid	Process
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	4420	svchost.exe
Token: SeIncreaseQuotaPrivilege	4420	svchost.exe
Token: SeSecurityPrivilege	4420	svchost.exe
Token: SeTakeOwnershipPrivilege	4420	svchost.exe
Token: SeLoadDriverPrivilege	4420	svchost.exe
Token: SeBackupPrivilege	4420	svchost.exe
Token: SeRestorePrivilege	4420	svchost.exe
Token: SeShutdownPrivilege	4420	svchost.exe
Token: SeSystemEnvironmentPrivilege	4420	svchost.exe
Token: SeManageVolumePrivilege	4420	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	4420	svchost.exe
Token: SeIncreaseQuotaPrivilege	4420	svchost.exe
Token: SeSecurityPrivilege	4420	svchost.exe
Token: SeTakeOwnershipPrivilege	4420	svchost.exe
Token: SeLoadDriverPrivilege	4420	svchost.exe
Token: SeSystemtimePrivilege	4420	svchost.exe
Token: SeBackupPrivilege	4420	svchost.exe
Token: SeRestorePrivilege	4420	svchost.exe
Token: SeShutdownPrivilege	4420	svchost.exe
Token: SeSystemEnvironmentPrivilege	4420	svchost.exe
Token: SeUndockPrivilege	4420	svchost.exe
Token: SeManageVolumePrivilege	4420	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	4420	svchost.exe
Token: SeIncreaseQuotaPrivilege	4420	svchost.exe
Token: SeSecurityPrivilege	4420	svchost.exe
Token: SeTakeOwnershipPrivilege	4420	svchost.exe
Token: SeLoadDriverPrivilege	4420	svchost.exe
Token: SeSystemtimePrivilege	4420	svchost.exe
Token: SeBackupPrivilege	4420	svchost.exe
Token: SeRestorePrivilege	4420	svchost.exe
Token: SeShutdownPrivilege	4420	svchost.exe
Token: SeSystemEnvironmentPrivilege	4420	svchost.exe
Token: SeUndockPrivilege	4420	svchost.exe
Token: SeManageVolumePrivilege	4420	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	4420	svchost.exe
Token: SeIncreaseQuotaPrivilege	4420	svchost.exe
Token: SeSecurityPrivilege	4420	svchost.exe
Token: SeTakeOwnershipPrivilege	4420	svchost.exe
Token: SeLoadDriverPrivilege	4420	svchost.exe
Token: SeSystemtimePrivilege	4420	svchost.exe
Token: SeBackupPrivilege	4420	svchost.exe
Token: SeRestorePrivilege	4420	svchost.exe
Token: SeShutdownPrivilege	4420	svchost.exe
Token: SeSystemEnvironmentPrivilege	4420	svchost.exe
Token: SeUndockPrivilege	4420	svchost.exe
Token: SeManageVolumePrivilege	4420	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	4420	svchost.exe
Token: SeIncreaseQuotaPrivilege	4420	svchost.exe
Token: SeSecurityPrivilege	4420	svchost.exe
Token: SeTakeOwnershipPrivilege	4420	svchost.exe
Token: SeLoadDriverPrivilege	4420	svchost.exe
Token: SeSystemtimePrivilege	4420	svchost.exe
Token: SeBackupPrivilege	4420	svchost.exe
Token: SeRestorePrivilege	4420	svchost.exe
Token: SeShutdownPrivilege	4420	svchost.exe
Token: SeSystemEnvironmentPrivilege	4420	svchost.exe
Token: SeUndockPrivilege	4420	svchost.exe
Token: SeManageVolumePrivilege	4420	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	4420	svchost.exe
Token: SeIncreaseQuotaPrivilege	4420	svchost.exe
Token: SeSecurityPrivilege	4420	svchost.exe
Token: SeTakeOwnershipPrivilege	4420	svchost.exe
Token: SeLoadDriverPrivilege	4420	svchost.exe
Token: SeSystemtimePrivilege	4420	svchost.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1000 wrote to memory of 3956	1000	cmd.exe	84
PID 1000 wrote to memory of 3956	1000	cmd.exe	84
PID 1000 wrote to memory of 3996	1000	cmd.exe	85
PID 1000 wrote to memory of 3996	1000	cmd.exe	85
PID 1000 wrote to memory of 5000	1000	cmd.exe	86
PID 1000 wrote to memory of 5000	1000	cmd.exe	86
PID 1000 wrote to memory of 3612	1000	cmd.exe	87
PID 1000 wrote to memory of 3612	1000	cmd.exe	87
PID 1000 wrote to memory of 4480	1000	cmd.exe	88
PID 1000 wrote to memory of 4480	1000	cmd.exe	88
PID 1000 wrote to memory of 468	1000	cmd.exe	89
PID 1000 wrote to memory of 468	1000	cmd.exe	89
PID 1000 wrote to memory of 2500	1000	cmd.exe	90
PID 1000 wrote to memory of 2500	1000	cmd.exe	90
PID 1000 wrote to memory of 4792	1000	cmd.exe	91
PID 1000 wrote to memory of 4792	1000	cmd.exe	91
PID 1000 wrote to memory of 224	1000	cmd.exe	92
PID 1000 wrote to memory of 224	1000	cmd.exe	92
PID 1000 wrote to memory of 1336	1000	cmd.exe	93
PID 1000 wrote to memory of 1336	1000	cmd.exe	93
PID 1000 wrote to memory of 1156	1000	cmd.exe	95
PID 1000 wrote to memory of 1156	1000	cmd.exe	95
PID 1000 wrote to memory of 3672	1000	cmd.exe	96
PID 1000 wrote to memory of 3672	1000	cmd.exe	96
PID 1000 wrote to memory of 5108	1000	cmd.exe	97
PID 1000 wrote to memory of 5108	1000	cmd.exe	97
PID 1000 wrote to memory of 3480	1000	cmd.exe	98
PID 1000 wrote to memory of 3480	1000	cmd.exe	98
PID 1000 wrote to memory of 2596	1000	cmd.exe	99
PID 1000 wrote to memory of 2596	1000	cmd.exe	99
PID 1000 wrote to memory of 4980	1000	cmd.exe	101
PID 1000 wrote to memory of 4980	1000	cmd.exe	101
PID 1000 wrote to memory of 2716	1000	cmd.exe	102
PID 1000 wrote to memory of 2716	1000	cmd.exe	102
PID 1000 wrote to memory of 3380	1000	cmd.exe	103
PID 1000 wrote to memory of 3380	1000	cmd.exe	103
PID 1000 wrote to memory of 3384	1000	cmd.exe	104
PID 1000 wrote to memory of 3384	1000	cmd.exe	104
PID 1000 wrote to memory of 4192	1000	cmd.exe	105
PID 1000 wrote to memory of 4192	1000	cmd.exe	105
PID 1000 wrote to memory of 3100	1000	cmd.exe	106
PID 1000 wrote to memory of 3100	1000	cmd.exe	106
PID 1000 wrote to memory of 4960	1000	cmd.exe	107
PID 1000 wrote to memory of 4960	1000	cmd.exe	107
PID 1000 wrote to memory of 3376	1000	cmd.exe	109
PID 1000 wrote to memory of 3376	1000	cmd.exe	109
PID 1000 wrote to memory of 4328	1000	cmd.exe	110
PID 1000 wrote to memory of 4328	1000	cmd.exe	110
PID 1000 wrote to memory of 1528	1000	cmd.exe	111
PID 1000 wrote to memory of 1528	1000	cmd.exe	111
PID 1000 wrote to memory of 3000	1000	cmd.exe	112
PID 1000 wrote to memory of 3000	1000	cmd.exe	112
PID 1000 wrote to memory of 4572	1000	cmd.exe	113
PID 1000 wrote to memory of 4572	1000	cmd.exe	113
PID 4572 wrote to memory of 4948	4572	net.exe	114
PID 4572 wrote to memory of 4948	4572	net.exe	114
PID 1000 wrote to memory of 3048	1000	cmd.exe	123
PID 1000 wrote to memory of 3048	1000	cmd.exe	123
PID 3048 wrote to memory of 1964	3048	net.exe	124
PID 3048 wrote to memory of 1964	3048	net.exe	124
PID 1000 wrote to memory of 692	1000	cmd.exe	125
PID 1000 wrote to memory of 692	1000	cmd.exe	125
PID 1000 wrote to memory of 4084	1000	cmd.exe	126
PID 1000 wrote to memory of 4084	1000	cmd.exe	126

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ggpermV3\woof.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1000
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SS 1472220496896426815
  2⤵
  PID:3956
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SS 5244123983207531244
  2⤵
  PID:3996
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BS 18798315552944923644
  2⤵
  PID:5000
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SV 131262801673714615
  2⤵
  PID:3612
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BV 2685229712670512820
  2⤵
  PID:4480
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CS 270829626909518198
  2⤵
  PID:468
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /PSN 12306140952597413463
  2⤵
  PID:2500
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SU AUTO
  2⤵
  PID:4792
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /PAT 27911235221812228
  2⤵
  PID:224
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /PPN 195301068110969160
  2⤵
  PID:1336
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /IV 852487612693821581
  2⤵
  PID:1156
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SM 149766800265212368
  2⤵
  PID:3672
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SP 2270484852654010197
  2⤵
  PID:5108
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BS 4559254542128023756
  2⤵
  PID:3480
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SF 2513594123045615346
  2⤵
  PID:2596
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BM 24052312452472730954
  2⤵
  PID:4980
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BP 58332677643797469
  2⤵
  PID:2716
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BT 2513277203146924400
  2⤵
  PID:3380
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /BLC 10720104853215032646
  2⤵
  PID:3384
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CM 23020192152146119813
  2⤵
  PID:4192
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CT 27582234281022215085
  2⤵
  PID:3100
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CV 304452788169648390
  2⤵
  PID:4960
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CA 71811427615786089
  2⤵
  PID:3376
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CO 208413408125353010
  2⤵
  PID:4328
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /CSK 195493972392827508
  2⤵
  PID:1528
- C:\Users\Admin\AppData\Local\Temp\ggpermV3\AMIDEWINx64.EXE
  AMIDEWINx64.EXE /SK 240652577274036622
  2⤵
  PID:3000
- C:\Windows\system32\net.exe
  net stop winmgmt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop winmgmt /y
    3⤵
    PID:4948
- C:\Windows\system32\net.exe
  net start winmgmt /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start winmgmt /y
    3⤵
    PID:1964
- C:\Windows\system32\sc.exe
  sc stop winmgmt
  2⤵
  - Launches sc.exe
  PID:692
- C:\Windows\system32\sc.exe
  sc start winmgmt
  2⤵
  - Launches sc.exe
  PID:4084
- C:\Windows\system32\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - Gathers network information
  PID:216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Drops file in System32 directory
PID:228

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffa80fecc40,0x7ffa80fecc4c,0x7ffa80fecc58
  2⤵
  PID:3968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1840,i,13835455619779213663,14275303448485508886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1764 /prefetch:2
  2⤵
  PID:3036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2096,i,13835455619779213663,14275303448485508886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2152 /prefetch:3
  2⤵
  PID:2940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2228,i,13835455619779213663,14275303448485508886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2504 /prefetch:8
  2⤵
  PID:4432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,13835455619779213663,14275303448485508886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:2764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3408,i,13835455619779213663,14275303448485508886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:1764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4576,i,13835455619779213663,14275303448485508886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4620 /prefetch:1
  2⤵
  PID:3856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4740,i,13835455619779213663,14275303448485508886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4564 /prefetch:8
  2⤵
  PID:3804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4752,i,13835455619779213663,14275303448485508886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4896 /prefetch:8
  2⤵
  PID:4228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5016,i,13835455619779213663,14275303448485508886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4920 /prefetch:1
  2⤵
  PID:5064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3536,i,13835455619779213663,14275303448485508886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3480 /prefetch:8
  2⤵
  PID:2300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3412,i,13835455619779213663,14275303448485508886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3404 /prefetch:8
  2⤵
  PID:1264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5052,i,13835455619779213663,14275303448485508886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3420 /prefetch:8
  2⤵
  PID:4960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4828,i,13835455619779213663,14275303448485508886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4644 /prefetch:8
  2⤵
  PID:3488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3472,i,13835455619779213663,14275303448485508886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3856 /prefetch:8
  2⤵
  PID:4440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3364,i,13835455619779213663,14275303448485508886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4536 /prefetch:8
  2⤵
  PID:4960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5136,i,13835455619779213663,14275303448485508886,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3188 /prefetch:2
  2⤵
  PID:5404

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
37954a874759640564a80805adbbdb2b

SHA1
571025a3d5238b0c8a3f59217af1f4b3496c3f29

SHA256
32ea21d86fb1b5d9911dadee0b2b3f0b496c779d76fcd9520291e8a8f9a9723b

SHA512
0061df8ec50cc6bbbb59db940121872a8b603ccba12e1c1836393660b1b50cde7eedc34e34340f336246e62e1dc2d2a1d2cebc1f67dc2521d320ef5be15ce60a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
f0be9996e0c639acd25119c393a8860d

SHA1
0d0e1de674979a41557432e4c6f3ef18a4be09fd

SHA256
b7305f03959c5e647fadbd30224cda95e82815a6ddc475370e1272eb13c6c3d1

SHA512
271162096bfad6e28ca0b80beab1e50d829166a56e37948c933332d6f2cd5d913227cbcb6a02659240e025c65671f0656e4408517df3113a3f1838fe6611b83b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
11c383f51935f0da8bbf53c8e78efa14

SHA1
c558f9bc173bbf67663f842bbe8450bc84a86d14

SHA256
dfdbd2c61c96a1de73a3a394f10601101e15fe725b138894748449f3a83ec76a

SHA512
64ee3ed47d9229e8349b8d098c0fc4245300036aeb6678ec4b59254c11b2b9036e50604fa3a2a3a6e09edb575c98bf1127824b61e51e55a37b52ccc6eaf79fd9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
a6a584f72c2cb91853872490b3cab14b

SHA1
e6b983bea153cd2cca29562ae395b24b2e814d77

SHA256
1946d8747ebfc9486f36d08505af469bf4b3b6d35c48ad5dfad7f0e3e422c31f

SHA512
383c18f4e29ab98e25ffd6c28ee00ae4292a4f344df5069ee7f3e583313eabc8adec591ddfc3f810960eb519fdc2b865c4b5af481dafb06c40dd4a0e28c26bf0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0060f7f02f7cc607cb014430a2123f97

SHA1
6a7e83f27db1952a6d54d155680cae6884a56b49

SHA256
9b1f67a47cef8161ecb8ab7d45a43205c9f10ac4b5e95d9f73962bc48d3a865c

SHA512
200282b1d09b6cface478fc07a9b11e29d09892c84b81834597f2e60ac38164197e34c2001d570706fe987c93ad20bfd92c74732815546e1b30f6eb0175fd363

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
723380098025ce88086ce3b53679fc83

SHA1
309168b0012a09415272729b2a8003c7c87d233f

SHA256
ba76bce64cc22f8b9a4f2c276aa5214af7be910b21715746f927570abb18f18b

SHA512
8ce44dd2a5b1e7125d4e35d55b1888292f3d92ecc41e692b07b08620567fa60dfd3a38ad4b78b151e5ae68b241fb512228152a954f5d2da7b57f65ae43b04295

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9b24238512c849437580281e1abc6a0e

SHA1
b5cc31beb55cda7b1052815b3f3f71f5b0f0a168

SHA256
0d5b149ce48aa8ac4c0cfe34e324e18b3f65f9ccce634147c2af2f45317462ec

SHA512
5a44b061b9377a82de36300f2305d3ce26e96c2b59edb4979e03b92a71382a4012a5480ad811d4e6478ae9d11825cf507e045e2e6c2c9d3ec0083fa9e1834cfb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
da745f4acad5bcb9043230ac566cb5ba

SHA1
8de065262024f7cbeb7d8278c4aadd2014ba75fa

SHA256
f5d24f3e7dd813084a86f1e2423a3de3612b347a5832cbdbdf10fce2a29a18ec

SHA512
b1b5f15abb963e584759c5528bafff62168d807abb745962b0dfee7250be9e524fee30ab3ceeab8ebb1052e248ce8d813b7cb68e042261ed2c09da61f9996a57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
908a14f35b0ede3ba01d70f68d258b4a

SHA1
13fcb446601f5f4fc09d81a28a879ef1e46e7b58

SHA256
e538164040d95797482f6e77b447abe9d691d90fbb534be1f0d0d68ffb11b7e0

SHA512
7d79bf93e2d553102e2c54127e67a1d5c6e732763044c8c0acc432b3ee9719d1093b3e4975bc151cdb3f7cd71a3618555d641b871b0989d6fc0c399019bd84ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
51dc2c46dd80a49431f46c28a9c0fd7e

SHA1
1c2a56d7b4d877167cce5c3294f47f0e1a2e7cb3

SHA256
488e51dde8048b4ba153764dab946cbdd6ac981bb1c3ddbfceb5ecd84ef52029

SHA512
56a8ec1ea29c306cbca38e4bdaa41087489c89ef4014e7c6053923a07c16a36d1d17ede5f35e81b653c415bd13ad98380f86004f705f885e1f44bdacc189d7fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
d20005455906d55e26c8dc5cf7329cef

SHA1
52e277ea28cda1a56491942b37ed2add7b0f9ce6

SHA256
7c2723d311ce46e34f093267c6b05eeaed1a8bb63af27c88117b320c02b8db59

SHA512
28b2ec9e43ebf4ae1688c66ab0fdfcb61825a70b7cd98b777d35bb7fd53f8b3eaafadfb046c7c85970f6194f8b6cf3201830193b688e795f2f3b0202c67b3627

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
b009bf62281e4e5d1425fb45dc1ee852

SHA1
271967ff95e5d3c2f0c6b594face58cb03fbe46e

SHA256
9b9d475742fef9fc1de77521b316893df927ac27d77af1271883724d3ca173b4

SHA512
ff3c270671da15bec82d27a7e90f20a53fdc7209966df9d4c9c47cb5e8769c3e5bc3c9873154043c7807c16955f386974157fa7ef779c474727300590d930ba5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
9eb4c14fce741e343c4b11a60b89ffb4

SHA1
01a5376bdc0f6082256a3b65a4bd06ab755ebdf8

SHA256
3e8c120972e270ca9c923e1162d204b6cd5a28c4362ba1e5653eda010188b00f

SHA512
7b175ab503b9b2f0541163c4a64d9bb130a8a5ad148196dc13a641991f5cd29bf5aa189f0e87cbf060627fd64ada05fc15cfb007e0cb653e2faac3a2765d4bb6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
9167d559fa77158992e539724ad6d4ff

SHA1
1cdc1c922318479955c32120a8f20f31dc291c01

SHA256
c4e9183c9cf985020cbcc130843cd9eaf71542b54d95be3a115b3cd58b7e0c7f

SHA512
0b40a431cb3e6078d9dee8c62f0a02660f386be7a15a0ceaf83d96c7719457d3a22a20b55accd3cc2450a2ab3106b718cfea4a7e4b6dab00ba9bd661cf9928f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4780_123729234\5c3c7068-fbef-4453-949e-aab248180248.tmp

Filesize
132KB

MD5
da75bb05d10acc967eecaac040d3d733

SHA1
95c08e067df713af8992db113f7e9aec84f17181

SHA256
33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2

SHA512
56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4780_123729234\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Windows\system32\wbem\repository\MAPPING3.MAP

Filesize
207KB

MD5
2c531a328aec92a2ad7cc3df962e6cb7

SHA1
bf520a935b348814c9bf03c8c19d031d809e6bf6

SHA256
107a982b263a72d867c2199a3a2940bc30334bc9e4cd319033456fc55a4bd425

SHA512
497c38385d6a1c0a4046b5b03eba4f3289570b5c0b75e4d8b0d84db3f7142976bf42a0fa9474fae798a8ca604326b1e1817620ac429c158d41288867f5cfed22

Download Submit