9ddcf3eed4a29ef0050c9b77bd628e28cfc3588ec945ded0bf8b88459397521a

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-11-2024 10:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Server.exe
Size

37KB
MD5

33a6d4422ab7fca37fda9fba8dbb17ed
SHA1

a1d5dc523efc2f4628e108d74b1dc20e94538b4b
SHA256

9ddcf3eed4a29ef0050c9b77bd628e28cfc3588ec945ded0bf8b88459397521a
SHA512

925066affa561283f4be08b5be479d4b7bc847000a0c31945bc00e961bec252532ae61fea2e2536c90aa9a45e2fd0967a6a5b4e5a75e0b67de461fd9f6f706ba
SSDEEP

384:O+OIiu/jtD+P3V+y0bFwRktv7ms2cPPrAF+rMRTyN/0L+EcoinblneHQM3epzXos:nXmV10bFwRktalc3rM+rMRa8NuaEt

Score

8^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4456	netsh.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133756221522187937"	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe
2292	Server.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2292	Server.exe
Token: 33	2292	Server.exe
Token: SeIncBasePriorityPrivilege	2292	Server.exe
Token: 33	2292	Server.exe
Token: SeIncBasePriorityPrivilege	2292	Server.exe
Token: 33	2292	Server.exe
Token: SeIncBasePriorityPrivilege	2292	Server.exe
Token: 33	2292	Server.exe
Token: SeIncBasePriorityPrivilege	2292	Server.exe
Token: SeShutdownPrivilege	3324	chrome.exe
Token: SeCreatePagefilePrivilege	3324	chrome.exe
Token: SeShutdownPrivilege	3324	chrome.exe
Token: SeCreatePagefilePrivilege	3324	chrome.exe
Token: SeShutdownPrivilege	3324	chrome.exe
Token: SeCreatePagefilePrivilege	3324	chrome.exe
Token: SeShutdownPrivilege	3324	chrome.exe
Token: SeCreatePagefilePrivilege	3324	chrome.exe
Token: 33	2292	Server.exe
Token: SeIncBasePriorityPrivilege	2292	Server.exe
Token: SeShutdownPrivilege	3324	chrome.exe
Token: SeCreatePagefilePrivilege	3324	chrome.exe
Token: SeShutdownPrivilege	3324	chrome.exe
Token: SeCreatePagefilePrivilege	3324	chrome.exe
Token: SeShutdownPrivilege	3324	chrome.exe
Token: SeCreatePagefilePrivilege	3324	chrome.exe
Token: SeShutdownPrivilege	3324	chrome.exe
Token: SeCreatePagefilePrivilege	3324	chrome.exe
Token: SeShutdownPrivilege	3324	chrome.exe
Token: SeCreatePagefilePrivilege	3324	chrome.exe
Token: SeShutdownPrivilege	3324	chrome.exe
Token: SeCreatePagefilePrivilege	3324	chrome.exe
Token: SeShutdownPrivilege	3324	chrome.exe
Token: SeCreatePagefilePrivilege	3324	chrome.exe
Token: SeShutdownPrivilege	3324	chrome.exe
Token: SeCreatePagefilePrivilege	3324	chrome.exe
Token: 33	2292	Server.exe
Token: SeIncBasePriorityPrivilege	2292	Server.exe
Token: SeShutdownPrivilege	3324	chrome.exe
Token: SeCreatePagefilePrivilege	3324	chrome.exe
Token: SeShutdownPrivilege	3324	chrome.exe
Token: SeCreatePagefilePrivilege	3324	chrome.exe
Token: SeShutdownPrivilege	3324	chrome.exe
Token: SeCreatePagefilePrivilege	3324	chrome.exe
Token: SeShutdownPrivilege	3324	chrome.exe
Token: SeCreatePagefilePrivilege	3324	chrome.exe
Token: SeShutdownPrivilege	3324	chrome.exe
Token: SeCreatePagefilePrivilege	3324	chrome.exe
Token: SeShutdownPrivilege	3324	chrome.exe
Token: SeCreatePagefilePrivilege	3324	chrome.exe
Token: 33	2696	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2696	AUDIODG.EXE
Token: SeShutdownPrivilege	3324	chrome.exe
Token: SeCreatePagefilePrivilege	3324	chrome.exe
Token: SeShutdownPrivilege	3324	chrome.exe
Token: SeCreatePagefilePrivilege	3324	chrome.exe
Token: 33	2292	Server.exe
Token: SeIncBasePriorityPrivilege	2292	Server.exe
Token: SeShutdownPrivilege	3324	chrome.exe
Token: SeCreatePagefilePrivilege	3324	chrome.exe
Token: SeShutdownPrivilege	3324	chrome.exe
Token: SeCreatePagefilePrivilege	3324	chrome.exe
Token: SeShutdownPrivilege	3324	chrome.exe
Token: SeCreatePagefilePrivilege	3324	chrome.exe
Token: SeShutdownPrivilege	3324	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe
3324	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 4456	2292	Server.exe	94
PID 2292 wrote to memory of 4456	2292	Server.exe	94
PID 2292 wrote to memory of 4456	2292	Server.exe	94
PID 3324 wrote to memory of 4520	3324	chrome.exe	111
PID 3324 wrote to memory of 4520	3324	chrome.exe	111
PID 3324 wrote to memory of 2244	3324	chrome.exe	112
PID 3324 wrote to memory of 2244	3324	chrome.exe	112
PID 3324 wrote to memory of 2244	3324	chrome.exe	112
PID 3324 wrote to memory of 2244	3324	chrome.exe	112
PID 3324 wrote to memory of 2244	3324	chrome.exe	112
PID 3324 wrote to memory of 2244	3324	chrome.exe	112
PID 3324 wrote to memory of 2244	3324	chrome.exe	112
PID 3324 wrote to memory of 2244	3324	chrome.exe	112
PID 3324 wrote to memory of 2244	3324	chrome.exe	112
PID 3324 wrote to memory of 2244	3324	chrome.exe	112
PID 3324 wrote to memory of 2244	3324	chrome.exe	112
PID 3324 wrote to memory of 2244	3324	chrome.exe	112
PID 3324 wrote to memory of 2244	3324	chrome.exe	112
PID 3324 wrote to memory of 2244	3324	chrome.exe	112
PID 3324 wrote to memory of 2244	3324	chrome.exe	112
PID 3324 wrote to memory of 2244	3324	chrome.exe	112
PID 3324 wrote to memory of 2244	3324	chrome.exe	112
PID 3324 wrote to memory of 2244	3324	chrome.exe	112
PID 3324 wrote to memory of 2244	3324	chrome.exe	112
PID 3324 wrote to memory of 2244	3324	chrome.exe	112
PID 3324 wrote to memory of 2244	3324	chrome.exe	112
PID 3324 wrote to memory of 2244	3324	chrome.exe	112
PID 3324 wrote to memory of 2244	3324	chrome.exe	112
PID 3324 wrote to memory of 2244	3324	chrome.exe	112
PID 3324 wrote to memory of 2244	3324	chrome.exe	112
PID 3324 wrote to memory of 2244	3324	chrome.exe	112
PID 3324 wrote to memory of 2244	3324	chrome.exe	112
PID 3324 wrote to memory of 2244	3324	chrome.exe	112
PID 3324 wrote to memory of 2244	3324	chrome.exe	112
PID 3324 wrote to memory of 2244	3324	chrome.exe	112
PID 3324 wrote to memory of 2596	3324	chrome.exe	113
PID 3324 wrote to memory of 2596	3324	chrome.exe	113
PID 3324 wrote to memory of 3964	3324	chrome.exe	114
PID 3324 wrote to memory of 3964	3324	chrome.exe	114
PID 3324 wrote to memory of 3964	3324	chrome.exe	114
PID 3324 wrote to memory of 3964	3324	chrome.exe	114
PID 3324 wrote to memory of 3964	3324	chrome.exe	114
PID 3324 wrote to memory of 3964	3324	chrome.exe	114
PID 3324 wrote to memory of 3964	3324	chrome.exe	114
PID 3324 wrote to memory of 3964	3324	chrome.exe	114
PID 3324 wrote to memory of 3964	3324	chrome.exe	114
PID 3324 wrote to memory of 3964	3324	chrome.exe	114
PID 3324 wrote to memory of 3964	3324	chrome.exe	114
PID 3324 wrote to memory of 3964	3324	chrome.exe	114
PID 3324 wrote to memory of 3964	3324	chrome.exe	114
PID 3324 wrote to memory of 3964	3324	chrome.exe	114
PID 3324 wrote to memory of 3964	3324	chrome.exe	114
PID 3324 wrote to memory of 3964	3324	chrome.exe	114
PID 3324 wrote to memory of 3964	3324	chrome.exe	114
PID 3324 wrote to memory of 3964	3324	chrome.exe	114
PID 3324 wrote to memory of 3964	3324	chrome.exe	114
PID 3324 wrote to memory of 3964	3324	chrome.exe	114
PID 3324 wrote to memory of 3964	3324	chrome.exe	114
PID 3324 wrote to memory of 3964	3324	chrome.exe	114
PID 3324 wrote to memory of 3964	3324	chrome.exe	114
PID 3324 wrote to memory of 3964	3324	chrome.exe	114
PID 3324 wrote to memory of 3964	3324	chrome.exe	114
PID 3324 wrote to memory of 3964	3324	chrome.exe	114
PID 3324 wrote to memory of 3964	3324	chrome.exe	114

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffa80f8cc40,0x7ffa80f8cc4c,0x7ffa80f8cc58
  2⤵
  PID:4520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1952,i,18304829062011503263,7388793141568189741,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1948 /prefetch:2
  2⤵
  PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2108,i,18304829062011503263,7388793141568189741,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2092 /prefetch:3
  2⤵
  PID:2596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2280,i,18304829062011503263,7388793141568189741,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2304 /prefetch:8
  2⤵
  PID:3964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,18304829062011503263,7388793141568189741,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:1596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3432,i,18304829062011503263,7388793141568189741,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:2296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4488,i,18304829062011503263,7388793141568189741,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4592 /prefetch:1
  2⤵
  PID:2256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4752,i,18304829062011503263,7388793141568189741,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4760 /prefetch:8
  2⤵
  PID:3500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3764,i,18304829062011503263,7388793141568189741,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4724 /prefetch:8
  2⤵
  PID:3104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5016,i,18304829062011503263,7388793141568189741,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5024 /prefetch:8
  2⤵
  PID:3876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4824,i,18304829062011503263,7388793141568189741,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4960 /prefetch:8
  2⤵
  PID:1484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5044,i,18304829062011503263,7388793141568189741,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5048 /prefetch:8
  2⤵
  PID:3016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5024,i,18304829062011503263,7388793141568189741,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5052 /prefetch:8
  2⤵
  PID:2224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5308,i,18304829062011503263,7388793141568189741,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5040 /prefetch:8
  2⤵
  PID:4460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5320,i,18304829062011503263,7388793141568189741,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2960 /prefetch:8
  2⤵
  PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5444,i,18304829062011503263,7388793141568189741,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5416 /prefetch:2
  2⤵
  PID:1852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5692,i,18304829062011503263,7388793141568189741,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4524 /prefetch:1
  2⤵
  PID:4120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5536,i,18304829062011503263,7388793141568189741,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3552 /prefetch:1
  2⤵
  PID:1156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3192,i,18304829062011503263,7388793141568189741,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4108 /prefetch:8
  2⤵
  PID:4576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5656,i,18304829062011503263,7388793141568189741,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5648 /prefetch:1
  2⤵
  PID:1032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=3516,i,18304829062011503263,7388793141568189741,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3556 /prefetch:1
  2⤵
  PID:4008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=4916,i,18304829062011503263,7388793141568189741,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5228 /prefetch:1
  2⤵
  PID:4028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4052,i,18304829062011503263,7388793141568189741,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5872 /prefetch:8
  2⤵
  PID:4024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4076,i,18304829062011503263,7388793141568189741,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5456 /prefetch:8
  2⤵
  PID:4748

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1380

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x350 0x318
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
35878baec3fe58943584cf68224d0643

SHA1
f190226f7e7fc002330e5ee7754a3cb9a36a0a58

SHA256
90bfe26a6d182b24e30e281acbe5e5cdb06449a85eac7af29a1abaa4c794a1c7

SHA512
8fdb3f9129a26cc18c9c0a338530f0a2079c7fae5ce2d65f4e3fc42df54d95f010e644d53d15e47ae4ea958f2b78cf03dbe21aa65ce9ce34cfe7979e694d4694

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
9c168c24e2927b0b2e6cc7ab6a372c94

SHA1
70344078d22983bcfd09355cc5a94566c382838c

SHA256
754f276e0e122cc99bdbe34630ff70cf0f2688ac78c2d4a8038794e941a49172

SHA512
75ba6abcc9fe374643310f8338976d7fe7b672e63a2c4de0fd8e26cb88b49d46ce96fff7b39a1e7ebb8e831c0688c67616d414de244a3a75266254e0c5e92ec9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
11bcfa25aca4bbe8b143fe1d3c4a0d8b

SHA1
7c8c525e2c21d3ba5ad62c9a28a1b2c50dfd68c9

SHA256
1e6f2f36863aa659d6b4e7f322a33a0fe286edba4a90b4af10161beaefba438f

SHA512
163a71d75b3fde23642334f58e15e57c75f4d55fb1fad0d51fc685d8b9d41d1aece787d787ac9d8db86d87d30aadc5f2998d4c3a29b4a6d573fe7e97375c88a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
372227c61340a14bd9a65701d5cbb3d9

SHA1
a42ed408880b774c33c7106aeb0b4877297a243a

SHA256
46889d1292181c581c6b459ccb195a1631e940ae6276f4e16d961f469dff8c03

SHA512
0dfe1360a69b9ee1fb9c694749004d7b8eb78c0957ed580892e59c21bb2bd5644e155d860a3eb45cb4b33872a89bef66cbcc480ae637b472b5115995515a8a53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
857B

MD5
78e0119defae874f2df672784a1953e8

SHA1
3d7560a4486c00e3a60b606b26c6550355900220

SHA256
f2837db4b3dbc2f26cfdf7189d1aafb99c730c5801b444d8d29394e174587f54

SHA512
a654626139f94ebe9740d4df3fa2e1babaf60e98d6fc07a00d01ed98cf3d14cda759389bfc7e3c314bc4818ab765a7347fa704be973910d53afba587a42495fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
75b78c7d0677ffcda868293ca8d42e0a

SHA1
4617bcd07f8516f3f79e7f6fab2a6d6f3f62b19a

SHA256
73edf94f3cc73c19fe7f8c1205550a1ace8cc70dd8709375bfa186e33469c026

SHA512
07b174db62f23f6b6ba666df3f3f534dd1d8d04101b01d39dabcf21659eb70c8d399d79eec72913d24c76996942989db8084ba827d9ed642f93b1e9d64c4bbe7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5a2d987dafef914673a976203fa0594e

SHA1
557c8173243f28b6cc52447b8b19ddb271efefdd

SHA256
52ad06114d55511e80f70954224d91b6f81403629f3eb446f69cb578cad397d2

SHA512
8efa9bf169c332f9fb758c262afe7dbf185164d59ac20f41d93f48d73e15088781855b5543d943a3483efb1ed7f27ec3fed3174ddbd60b5fcc5829a7b0ae0c7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
857B

MD5
d206614f8d315d70951ca3811206817d

SHA1
cece467faaeaee8513592392db2621c4194a97c9

SHA256
d48b832f28bcd2cc97f4298e30cb0401f1f45ab241a40faea9d7509682dcc872

SHA512
714f4231722c18ddda3e431bdc9e95cf524cdfff0f0f0c006543098eb0d47a65742d74aac7159d7848789423807c8639f3e3f6ad60d1e5aa22bae09e6f448dfc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
857B

MD5
c39d2d7cf63360675ccf05a08f892204

SHA1
1627ecd356ae9f8bc8ea7a8333d261aa7d853ff2

SHA256
83b1c55851ffcf4f51f24cfd1a80213fd325f76d63fc297aa5bde215045b79e5

SHA512
0f66df508afffdda303ef61dae2bf21ac1c7796ce023c7679680b8ddb412ff33849869a52d4b8bdb5ef795c61175b4307d3d9c4586eb8b8b05b47d6276bb39dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ad7348a1aee4f207225f255ac01e6255

SHA1
f5e54231a7f6ae5943b438d8a9102d9c8c3d57ff

SHA256
a54550c758b9e23b1c77c7f240df4fafec33e2db5b562011e1954a27a7ad02fd

SHA512
a2cbd008cd3387477fcb2b2c80fdf4aa6fdf5307d7e9484551824507b244d9d7c8fe7421bf4b9a8fc8d138d77e8c273ae3546baf762f84f6195e60b08b7e4e62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3dd6d8a8398df68f2e3bc9640208b073

SHA1
a4d5976a5e6370b2f37a43b1ebf5136f4f140bca

SHA256
547b3e4fccf224f74ccb9590d65794eed3079f7dcf818401e89fd29d22383394

SHA512
7d8fbf711b15a6f5f8d2030b015aad9e361277f7257babf3764ff15a8eb59549d6fd0a270662564e5e22ef15e2c1f3e5b2fab66f5ced62de34fc9d11488f6fe8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
db99a431fcc8dad0498a69bdde4d590a

SHA1
fb9da827b66985eb375cacfbb9510cfa45023bea

SHA256
d9deb516f8d7c96192b3168b387341e28274b1a08542d627c5132165e8d9e13e

SHA512
84aace3148054d927059cc60ce62953824306eb6a8274881e6ac2b897fdb97b337d901855837bf3f7ea4bf2753124db350ae213375afc9b388a2bfb93461293e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b3f6ca36032512cbbfd9a0d830690f95

SHA1
4ccf1d6b65d188bc1bed56058b9b7045275e2528

SHA256
93b07c43f69b5be3107922dab2b194d773a0b3d6f4f06fac48ed0db0c567c5c7

SHA512
853e464096b3613bd0eb5fd42f65a02dfce32b82cecaf9f1a3c4c6ca00565133850801b2c03a2c56d918d4344e1e2ef758028fc3b9e1ae38fbd1118626796222

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
86171f928416a603f1f81766b323c421

SHA1
0989e8eb8c84e7040378468163f8e8162e4961ab

SHA256
c7fea4ee55e7c1335ea45178bd3e29db1913c09fc54c479f0343e5a38a20b10d

SHA512
f33db40262e79d8b9e6b8a2002b7d09597d21c9d57202d947366e7e5dab7f164b720877f54d4997876ddc41e97f6fbfe6aa74954fe5dc2a4d4f79e0e2f5bb3ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e55ed7d16e99d26e28e5ea7648a0ff30

SHA1
ecf1bd3984953b9379c58ba0da7076399fe59f25

SHA256
bfb46c75cee0d57d0a2502a3aa64ebcc0974327e14725c728d6d3acf25828694

SHA512
d513d9e60b777687e931f4b45d2abe5d6cc67584e7db9674943b353c667248c619d5911468ace4a96772b40d2ed9718f1c58531246c3244001fecb1ba9efa522

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7691a8289e969ffc54d6e2fa3c81aad4

SHA1
757b4d2abf83d457d5d4902bce20ee81639086b7

SHA256
45bd8298aa2eba32d0698b9bede042790a46876d4f47ec0fff202e534ceb6262

SHA512
dfc36c78551811a6ab09ec5505fa56cdcae1736011d993c5416fb0ad53172a5b627e957c7919e4dd16a38c85e1af065a50ed569bbc2f4ad3935a1588641aaf60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
67739b10981f6ec2f3662d585df41e24

SHA1
86d90a0ddae42f9c9a9d4c3747c0c784005631c6

SHA256
638c2aa0a97e2cc0974f73af429a26bd781f76a1c008e7a0e1a4ea2b6344a556

SHA512
c35d773fccbe0e01da5fd0fe2f254a0c94b33e449d53674e16876792b333893a1c1d7d3f0da70a57735cb6e7fd9cd8cee50cf0edd830db992280e998c0536927

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
120B

MD5
862ab9ddb36e3034258a0f3d824f08c3

SHA1
9837c30632981be5424f006ca72662f542b9adb9

SHA256
87524f17be4ee1eecb16b828f03eb3537477aaf8de4322cd8ea850abc55a20d2

SHA512
bb6779c826d8aa73a9020b7fd2155157f4465a061bb0e296aac68aafc84d8a1bcd6d0dff756e74f39c23fc00d1ebd4a1aa9960d8076d4f69e5d826dcdbb62c19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
033b025259c82fdbbcb67068f505cd1f

SHA1
d319fbec17163303a17c446f0fddb9739c8b36fa

SHA256
2fe912902df7ca650b9459d7ec30ff9a0e9e4930bfb9e9bf743bd8b895df9d19

SHA512
e445d76ed248b6bf1417e4da19c74627b47a42a2171fd58be9aceaa79ec063ecb89adbee83e2e29aa58b642fe9e4d4c30b196ff3c93ab0f3aa9ea4d826312c77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
66ebe07f76e1b53b32e0f4c95e2ef7bf

SHA1
59b3281f90349da421fc1a2cd0d57e9413f42ca4

SHA256
cef25149f2e9b29bb2e807e055c676659a88a3de41374bbbee9813bda040dea6

SHA512
e82eaed23adabc0dd834a3aca32e7311b49eeec7fdd47205649de71cc2e1f91d8acc60ac86eedeea3e3f59f4c7db0b1d50a1306155defae16345f997dca7e88b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
657d63d675bc16de44aed43eefdacc37

SHA1
942422375275415f2149ae9beef2c01abf5da26d

SHA256
26b66032fe07f7ad2db5b96838e7d6c9e890c84b4b3e8436b90b1856a8e383be

SHA512
36397e83a62bf71566ca60242dfce1a2c2495e4c316f607c162c8dceaac018c87709f2cd3227fa983d85e8f59a8341221118be76ebf10eaf86487ad999265703

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3324_912816903\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3324_912816903\e3f83422-a9c5-4521-b62c-eb99d7789f9e.tmp

Filesize
132KB

MD5
da75bb05d10acc967eecaac040d3d733

SHA1
95c08e067df713af8992db113f7e9aec84f17181

SHA256
33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2

SHA512
56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
12KB

MD5
393c0ababff580b22e32dc8316568dc7

SHA1
570060543f99650c4376060a1a094ac4e70bbf99

SHA256
15bafe8ee819df2f0634c71dc15493ff473eef66e1bf8b01fde52fd7f5e3cf8f

SHA512
c107388af1d57942cf01e11d28cbb61ee42eb0b16d95588451bece5b5aabfeda73127c051fffb7db90eebbc1093b6c3b00d5fc03c3125f41263335cd427445ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
15KB

MD5
8f14ffb404cd958d69f31212c9f07817

SHA1
ca3095ec4f989be58428c5f9d7517855129f9cd8

SHA256
b6ce7addad37001e8f4eaf3c49faf9c05191ee6415023342758ff9d44bcf45d2

SHA512
993ce1bbe78fe3e82ce3b28687a586833b6e088341118f5039d5e959965059e66e82158b53de31141b4f620257c6c5979e7f7db6ba59fca7da8ae3359b063b66

Download Submit
memory/2292-549-0x00000000748B0000-0x0000000074E61000-memory.dmp

Filesize
5.7MB

Download
memory/2292-0-0x00000000748B2000-0x00000000748B3000-memory.dmp

Filesize
4KB

Download
memory/2292-38-0x00000000748B0000-0x0000000074E61000-memory.dmp

Filesize
5.7MB

Download
memory/2292-5-0x00000000748B0000-0x0000000074E61000-memory.dmp

Filesize
5.7MB

Download
memory/2292-4-0x00000000748B0000-0x0000000074E61000-memory.dmp

Filesize
5.7MB

Download
memory/2292-3-0x00000000748B2000-0x00000000748B3000-memory.dmp

Filesize
4KB

Download
memory/2292-2-0x00000000748B0000-0x0000000074E61000-memory.dmp

Filesize
5.7MB

Download
memory/2292-1-0x00000000748B0000-0x0000000074E61000-memory.dmp

Filesize
5.7MB

Download