e434889a91f948654d30f9333b334c7cbd9169ab8f5c8b72e445a105a3261d0d

Analysis

max time kernel
600s
max time network
595s
platform
windows11-21h2_x64
resource
win11-20241007-uk
resource tags

arch:x64arch:x86image:win11-20241007-uklocale:uk-uaos:windows11-21h2-x64systemwindows
submitted
03/12/2024, 15:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Server.exe
Size

93KB
MD5

997c314aa305bf6cf42f3d9a17fa18af
SHA1

b1252e606043a1a37a84472f9ed715cab85ac3fb
SHA256

e434889a91f948654d30f9333b334c7cbd9169ab8f5c8b72e445a105a3261d0d
SHA512

55b7f1ae7bc640871c95ca516fcb84150fcbf9bc65260efdf5bda7167b04a2137e33a5710a94bb1c9fc0ca6cb741220e29295db1e89c46c6a9f1d98ef0966272
SSDEEP

1536:2hkJGOdXj/u1ByN/49jEwzGi1dDaDhgS:2hkjj/u1B6gKi1dMe

Score

8^/10

discovery evasion persistence phishing privilege_escalation

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
976	netsh.exe

A potential corporate email address has been identified in the URL: [email protected]
phishing

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	Server.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Explower.exe	Server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	Server.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Explower.exe	Server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	Server.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133777136441900041"	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe
2332	Server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2332	Server.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2332	Server.exe
Token: 33	2332	Server.exe
Token: SeIncBasePriorityPrivilege	2332	Server.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: 33	2332	Server.exe
Token: SeIncBasePriorityPrivilege	2332	Server.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: 33	2332	Server.exe
Token: SeIncBasePriorityPrivilege	2332	Server.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: 33	2332	Server.exe
Token: SeIncBasePriorityPrivilege	2332	Server.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: SeShutdownPrivilege	3424	chrome.exe
Token: SeCreatePagefilePrivilege	3424	chrome.exe
Token: 33	2332	Server.exe
Token: SeIncBasePriorityPrivilege	2332	Server.exe
Token: SeShutdownPrivilege	3424	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe
3424	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 976	2332	Server.exe	77
PID 2332 wrote to memory of 976	2332	Server.exe	77
PID 2332 wrote to memory of 976	2332	Server.exe	77
PID 3424 wrote to memory of 1536	3424	chrome.exe	82
PID 3424 wrote to memory of 1536	3424	chrome.exe	82
PID 3424 wrote to memory of 1408	3424	chrome.exe	83
PID 3424 wrote to memory of 1408	3424	chrome.exe	83
PID 3424 wrote to memory of 1408	3424	chrome.exe	83
PID 3424 wrote to memory of 1408	3424	chrome.exe	83
PID 3424 wrote to memory of 1408	3424	chrome.exe	83
PID 3424 wrote to memory of 1408	3424	chrome.exe	83
PID 3424 wrote to memory of 1408	3424	chrome.exe	83
PID 3424 wrote to memory of 1408	3424	chrome.exe	83
PID 3424 wrote to memory of 1408	3424	chrome.exe	83
PID 3424 wrote to memory of 1408	3424	chrome.exe	83
PID 3424 wrote to memory of 1408	3424	chrome.exe	83
PID 3424 wrote to memory of 1408	3424	chrome.exe	83
PID 3424 wrote to memory of 1408	3424	chrome.exe	83
PID 3424 wrote to memory of 1408	3424	chrome.exe	83
PID 3424 wrote to memory of 1408	3424	chrome.exe	83
PID 3424 wrote to memory of 1408	3424	chrome.exe	83
PID 3424 wrote to memory of 1408	3424	chrome.exe	83
PID 3424 wrote to memory of 1408	3424	chrome.exe	83
PID 3424 wrote to memory of 1408	3424	chrome.exe	83
PID 3424 wrote to memory of 1408	3424	chrome.exe	83
PID 3424 wrote to memory of 1408	3424	chrome.exe	83
PID 3424 wrote to memory of 1408	3424	chrome.exe	83
PID 3424 wrote to memory of 1408	3424	chrome.exe	83
PID 3424 wrote to memory of 1408	3424	chrome.exe	83
PID 3424 wrote to memory of 1408	3424	chrome.exe	83
PID 3424 wrote to memory of 1408	3424	chrome.exe	83
PID 3424 wrote to memory of 1408	3424	chrome.exe	83
PID 3424 wrote to memory of 1408	3424	chrome.exe	83
PID 3424 wrote to memory of 1408	3424	chrome.exe	83
PID 3424 wrote to memory of 1408	3424	chrome.exe	83
PID 3424 wrote to memory of 928	3424	chrome.exe	84
PID 3424 wrote to memory of 928	3424	chrome.exe	84
PID 3424 wrote to memory of 4680	3424	chrome.exe	85
PID 3424 wrote to memory of 4680	3424	chrome.exe	85
PID 3424 wrote to memory of 4680	3424	chrome.exe	85
PID 3424 wrote to memory of 4680	3424	chrome.exe	85
PID 3424 wrote to memory of 4680	3424	chrome.exe	85
PID 3424 wrote to memory of 4680	3424	chrome.exe	85
PID 3424 wrote to memory of 4680	3424	chrome.exe	85
PID 3424 wrote to memory of 4680	3424	chrome.exe	85
PID 3424 wrote to memory of 4680	3424	chrome.exe	85
PID 3424 wrote to memory of 4680	3424	chrome.exe	85
PID 3424 wrote to memory of 4680	3424	chrome.exe	85
PID 3424 wrote to memory of 4680	3424	chrome.exe	85
PID 3424 wrote to memory of 4680	3424	chrome.exe	85
PID 3424 wrote to memory of 4680	3424	chrome.exe	85
PID 3424 wrote to memory of 4680	3424	chrome.exe	85
PID 3424 wrote to memory of 4680	3424	chrome.exe	85
PID 3424 wrote to memory of 4680	3424	chrome.exe	85
PID 3424 wrote to memory of 4680	3424	chrome.exe	85
PID 3424 wrote to memory of 4680	3424	chrome.exe	85
PID 3424 wrote to memory of 4680	3424	chrome.exe	85
PID 3424 wrote to memory of 4680	3424	chrome.exe	85
PID 3424 wrote to memory of 4680	3424	chrome.exe	85
PID 3424 wrote to memory of 4680	3424	chrome.exe	85
PID 3424 wrote to memory of 4680	3424	chrome.exe	85
PID 3424 wrote to memory of 4680	3424	chrome.exe	85
PID 3424 wrote to memory of 4680	3424	chrome.exe	85
PID 3424 wrote to memory of 4680	3424	chrome.exe	85

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
1⤵
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffc2e32cc40,0x7ffc2e32cc4c,0x7ffc2e32cc58
  2⤵
  PID:1536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1976,i,9979503221156285633,17708058423453099867,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1940 /prefetch:2
  2⤵
  PID:1408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1748,i,9979503221156285633,17708058423453099867,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2016 /prefetch:3
  2⤵
  PID:928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2232,i,9979503221156285633,17708058423453099867,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2136 /prefetch:8
  2⤵
  PID:4680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3076,i,9979503221156285633,17708058423453099867,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:4260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3160,i,9979503221156285633,17708058423453099867,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:4952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4420,i,9979503221156285633,17708058423453099867,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4292 /prefetch:1
  2⤵
  PID:3892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4128,i,9979503221156285633,17708058423453099867,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4672 /prefetch:1
  2⤵
  PID:3652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3368,i,9979503221156285633,17708058423453099867,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3356 /prefetch:8
  2⤵
  PID:4012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3208,i,9979503221156285633,17708058423453099867,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  PID:4740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=224,i,9979503221156285633,17708058423453099867,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:4300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=3300,i,9979503221156285633,17708058423453099867,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4984 /prefetch:1
  2⤵
  PID:1492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4360,i,9979503221156285633,17708058423453099867,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5028 /prefetch:1
  2⤵
  PID:4036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4660,i,9979503221156285633,17708058423453099867,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4352 /prefetch:1
  2⤵
  PID:3500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5256,i,9979503221156285633,17708058423453099867,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5264 /prefetch:1
  2⤵
  PID:3840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5216,i,9979503221156285633,17708058423453099867,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5432 /prefetch:8
  2⤵
  PID:2320

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4180

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C8 0x00000000000004D8
1⤵
PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
dda71529b958ba8e1d7374e6606affbd

SHA1
27edf74856453bc044a22c719f0f954b1ef1172c

SHA256
e399a2a727e34479824246b24ef49ecc9021fa7fefffe9a610d00f0e6a4a3d09

SHA512
45b100c16722508caedb1d8440d43ae8a860fdd4b3f87b35835e0726c9d7dbd4ca79cd1312c20ab4b8cbe7df0fd2b767c1b758bfc8b6e307a661c331618f0c90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000017

Filesize
27KB

MD5
cacfb74b6db8ec937cadbd7a4e239694

SHA1
059f1501f9536c549448169c293d0fa1e3d00031

SHA256
3c21c8fd28579bd102c6d48522db328a689c5c8c6048453bb736a1f0d27567cc

SHA512
4765d09795339da2afcd22f305b9c595921b6071f8766bfc0285ab6e8e1589a0c262bd86f20caed7258bc2fedfe6e81a1f649dfe25bbaa75569340c8c7ba0c1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000018

Filesize
65KB

MD5
b4e11be8051b7f5c65376e20de7eebd0

SHA1
6c507313d4fa1c2d182c93168cf94c99d229c069

SHA256
694659728781ee694c06d697ec3907b36a72d1cf17d98eb74ce8acd64006d14f

SHA512
0e756e415653674a071333ccbd21ef2562418594645a61d2eb597075360652366de96a7dc03294ce7db19d5c7619de1e785d8dd5fdfe2970723dcc56140d4c5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001c

Filesize
86KB

MD5
15e9f76bbf8ffe774c97d1bb45500dab

SHA1
d4320a5709ee2d10afbe48ad68a7ce2037a96977

SHA256
fe5dca1839fe5f210fcd727b599f57b616c87d14d6c401efbd8dba3388ed959a

SHA512
4e2158a147aa9e14b8f932ead3b9cc54bcae71d3501da70899e34eca1ec06955538f71ee7eab469165cd736750d9df90ff1aeae2df92e8a3ec98f2ec9e22cd7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002b

Filesize
105KB

MD5
19c6076c9cc4ffd213973bd1cece0c87

SHA1
d82dcb7104dc61dbbeaf4212511bc0535b5ee644

SHA256
0bbfc3c33a3ba7111434344d45c1a629ff4bb647cab2b7659df3be1fdb61524f

SHA512
8dc11abe54bcdb49d3492b755b46a1ae847de563b9f99c22db4ae382762616dc1365dbdff1d92321ff5fcdde24e331c77fe4d55e1dff1258b74b89a8da5bca52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002f

Filesize
29KB

MD5
f85e85276ba5f87111add53684ec3fcb

SHA1
ecaf9aa3c5dd50eca0b83f1fb9effad801336441

SHA256
4b0beec41cb9785652a4a3172a4badbdaa200b5e0b17a7bcc81af25afd9b2432

SHA512
1915a2d4218ee2dbb73c490b1acac722a35f7864b7d488a791c96a16889cd86eee965174b59498295b3491a9783facce5660d719133e9c5fb3b96df47dde7a53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00005a

Filesize
16KB

MD5
48c80c7c28b5b00a8b4ff94a22b72fe3

SHA1
d57303c2ad2fd5cedc5cb20f264a6965a7819cee

SHA256
6e9be773031b3234fb9c2d6cf3d9740db1208f4351beca325ec34f76fd38f356

SHA512
c7381e462c72900fdbb82b5c365080efa009287273eb5109ef25c8d0a5df33dd07664fd1aed6eb0d132fa6a3cb6a3ff6b784bffeeca9a2313b1e6eb6e32ab658

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
a13c6bc2b2a27c7c640e06be6e381d2c

SHA1
d2f260365274a6ead3fa2c1543e5db18a0aafd29

SHA256
106585f8eb04834582396df2238d9d3a292486c77d4702853950207dd358f1c3

SHA512
cae656d8cd0551b4b885b3f59c117f75498e10c4a081bbfb9cd91ad91acf15061d165ad16fed4806d853618c6b9005cdde2663e288c6c2465f98325d324487d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
beea6f29f08e0536c2de3d4011a27e62

SHA1
06bf7135e0c18cb8e9371c0eef957619dda07e86

SHA256
670292ee6b50ad913d1db85cbc21f584fd32363077179cb419e6b5236f142f47

SHA512
c6f3192f1621ca0803b418c8ae3403940ca96f210972dbc9575f6321effd13a53afa110accc1e3d321b700f4cee59ea26e85ae37be447a3a4017043b917009ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
1d43cd818bd27e1aff7628eaa27c77ea

SHA1
a3cf120c9569175883e3baec60d6fc6fa8a71eae

SHA256
0370826d066cd31c0a8cadb4d2bb881c3fcb1d6324956c591480f5411f0bdc9f

SHA512
a5702d56afd2b9ed77411663bc43264d960a2a6d8f68f185c1d03dcedb6de9cb315a0b190ffb30d01d6786f170cee9c3fc7e6781dfafe47bf99524f9e93acf66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
9KB

MD5
4dff30fb5c2144e0c30cb744e1a47365

SHA1
fab9d69250054c04aaf74775c589bdb131df2141

SHA256
140424de3d46d6e5184854936a85aad0c1e138bcc0d4b6e7412147c3090abcb6

SHA512
04c1a6d9fbbc2212bb93c561ee1c85ea2c6a6a9c99942aaf9f4d4f552818127fd3ded7a2dca717784b7facb0d933052df62ce4198869e63801c7067e741c8bd6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
8KB

MD5
996b88dcf942d2c66f2754ac481758cb

SHA1
1c2d3fdd2b27cff09a1e53c42a5a2228cab1e2ce

SHA256
974825b9031aaeda9b177196dd45a777284b48c94efc8929b5516b148c748d69

SHA512
71cbf6b79b495913342dbd348f8a65d99ac332db46c0a7c1216f0f481fe61870e2dc26519302e8aa9353027da5d2992a3443d257a849c2640d51dce879a9fe2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
b70a634a9bd2d687e57cd1b0596fd7cb

SHA1
bf7854135bbe5c63968e01987c2179dd54fd6d48

SHA256
4fa0952b135a1297183540ec0890a156affcbc8640e61240c48f5f7aae91750e

SHA512
205b76a933cb8e797c39c759503bb8b01f39979003ce61371ab46b96855774b72e4633fee01c5bb67407183e706efad8194423cc33d699b9a0c58aa0f899c45a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
684B

MD5
8ae5eac58de78cbe14cad554791adc25

SHA1
d09f82c5679ba892d3c38b501dbba66e668dd94a

SHA256
025ddccaa8bf10c1bdd5ccf3aa4e0df7b1357a17ade16e11f20b614736cf8ce9

SHA512
28b44fb54ed26a1055ff3a694e1598ec6afe5de78f7902277274fd0005b49ac95976502805ae7439c9d9ac514b10944c92a14affbe6a0a6de702a883ac5c7fa2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
684B

MD5
9880435582dde2388ae9bcc1460d0129

SHA1
be6155f85686dc00c2ea7f8961cddf49a15b60a5

SHA256
11f08b1ceb5132daa5e5c9c8147a0b97b8e2ae51da04b24ab8b30df9b6a7ce54

SHA512
dbc6dabf006b6d62fc4e5e20d1aa586b694f878df44fc4b148f4c939b8ac9bcdb253dd4e730ca9fc63259a93df1eb855cccea95868a33b8e0d9793c17ef599de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
686B

MD5
506740b0d409403d65cb58ef8ab69ee6

SHA1
759e71ff5f107acbe137a24cae5b8a7f773dd9ae

SHA256
1d28bcd037490d5c0063411e73de09f183d18499e915e4770f88018e38bed496

SHA512
537056152398ae235299f7de1c5f2a455259e8420229873bf2a2ba92e05de977bbc64b54d1eea8031501e0e874ae210f7e1d7689dcdfd3d58ab41c3eaf09133a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
853B

MD5
352cc70542178cdac4e8863000d5d864

SHA1
bcdfc3ed920b55995517b0314148f63d501fb923

SHA256
bd69977b29ae2b63568f8ff23182ef4f722c2e0e5b37622b8f0ec67fcafb86d6

SHA512
9ff55993973e14abf20b37bdc58b4b22ee2fa48169c24472ad8afddc39bfdc1014036f97817af4bc81dfe95a436df0cbb02f82b9a5a361705c7bb16b67a1877a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
df0eaf2bf8943f0b58edf94273c55641

SHA1
4e5c0eb91f43cba22b15a61fe6ac07f898f75517

SHA256
2d720a407f74b0cd3a4319f99aeb240bb64dde52e9b33dae7da0a6dd13c415b4

SHA512
fdc1751822d095debb9d25764c495853ce13a623aaf55d0b4fe2a925945e6e541cdf0d29f685040c0188bb8633b436bf26f6708806e4c82105811ebda512d431

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
855b838ae37929929a6fdbe0b430c434

SHA1
c7625b929ec0f4abc39a3485da0d0fd7461822d0

SHA256
7f64ed19d5f80ab5f4a2ef53297c47c0082ee33ff73964445ff0d35a036ae6ab

SHA512
15f50ad9d354255d28e9b290b819769c68b88170001aa0000bed41be589ccb8456dcfcc1ba438ca417e2179fbf62efb3499bb891c014aff6d12093a80b65fc41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
fdd61098c78c7435aebe0f54ce90338f

SHA1
b266c3fdb0a9e4f29239a276ed99e2615ea8f843

SHA256
9edd20e2c5c03c62c1790d1d80b850fd0c5f870fea78a4dd373f4ee6d1dffca4

SHA512
cb5813d8de907c8097ac5e79057cd74ced3c0ced18ffb891d771680384dac9642674b96925bf692d14d63d6fa3a72104ed58439743a7bd2c0bebb03fd0db016c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3b5ed6fcf4be592bc731658f4446c1fb

SHA1
cb238cf33506441f10f5fb5836d60541e010bbe8

SHA256
e64dd92f973fa4df7dd13272b899f975069ecbacf4d98b8a5943fcc7e4c39d23

SHA512
d8adf39c677fd79f6f020378ab8c66cb2a4e9dae2331284581728be23e53edd0910511c08ec6205915ccc54ad45ccdddd59a96cbf010b89c1141874bfb1c78e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
fb0f7c11024849cea993bc640849cab9

SHA1
8416d7056491a66a01cc84a624e4309426a79dc6

SHA256
82acdd33dbfdaadf6d72e969eabd818e42d5201253fbbf7349ee891a4555e105

SHA512
360dc582c152c862b629e78d589ed58b12e367d62143624364177311af43c81803ca082af1c095f0da3b3b6fcd7fe8841d2bf085c1ac270d9e62236f1328d430

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7d8e97c7747f3a869d3c7531794c07c7

SHA1
981e59587f28acb0ddfde158052923fa97462a3e

SHA256
f53e1a14c4c768510511ada916009e018bf98d471172da7c971c104d69ef84b3

SHA512
f7869d2f7a7daf241181c12e5871c34f8905403a43fc3c8ef63f1505c961ff4bf54bc4cc00a9625de8f41a41e5aa3d0929d329c6e56a62258137c11e2630e816

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
d39b8333be45f3c6188eb76043eb9d13

SHA1
13f6a9a3f530b75b1787733f6b3fc865880b20ca

SHA256
38f221423de1a4b5617725ed97beb33c681d2f7edf59cad9e95d4190e3a8c5e4

SHA512
bbd8e7fbaa6d60741533520c5f6c717ba24fd1e391452235c89e76f75e8eb71d28e149f0a5dda8f2c4107d8e52c608fa75893769ae3f9eb2457309bf1e3008c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
120B

MD5
348174bca1fd537e66fa075fc7d0ea9e

SHA1
b6f7527c1995f465a1cfec0a2725437a0fd9352c

SHA256
b11ab930c7175ac8e8da3a216445429c99768152f95d07002f2adc7bd18144b4

SHA512
4a472af9f5d5f5955c32d84f32678665a5d4d6d4de91808d6e072ffd16960d93ffa634c6ecbebee3959c6e2f9fa12b30862721c789da900d0b6cdfec86da79da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
11b8e6087d0e81ea60234ac318b82427

SHA1
cde528cc612cbec39e3bf7050155055d1448acb1

SHA256
a5689384ce599ecae01d15f6c616a637b86d9319a2d06d16769e6278a3c57bb3

SHA512
3ef149d71f44d415728e020efd7232223437682dd24d6359e54dfb742a40f554429e3fe106ca6ed4385867ca8dfe3e79765e4bdf50e73c88ede0795bbfaf0b72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
c360d942d2872124ec8f998230ecf229

SHA1
8a810fdbbeaa345bc27a292c6525fb35336a3ec1

SHA256
4eac5ce6a70d0add7ce0a4cd8d4eb1da7faed74e29cea4b9f81b5917d5dd4085

SHA512
95aef6bea55578594446f93712902f0079bc89434b93631eefe3a575aa4c62d8ee99ddfbf22eba7de173970f03be60419f684a4e081b66ef010709aa0be522d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
d957b6ab05889b93d4857c19da1a662b

SHA1
9c5375983956a6e98c1f910e8d16dcf008c08a8c

SHA256
341568528fece6fc111c997ca9cb4964e40a63be90b276795fb98ed16f5c53f7

SHA512
3133c6d178cfc6e714e303e0e19d180098342869e30195d3129dfd4d91d10370e52b71ee3f767d8dbd54546db60196f4190555f42aa3afcc609dd54b3213539d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe

Filesize
93KB

MD5
997c314aa305bf6cf42f3d9a17fa18af

SHA1
b1252e606043a1a37a84472f9ed715cab85ac3fb

SHA256
e434889a91f948654d30f9333b334c7cbd9169ab8f5c8b72e445a105a3261d0d

SHA512
55b7f1ae7bc640871c95ca516fcb84150fcbf9bc65260efdf5bda7167b04a2137e33a5710a94bb1c9fc0ca6cb741220e29295db1e89c46c6a9f1d98ef0966272

Download Submit
memory/2332-9-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download
memory/2332-10-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download
memory/2332-2-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download
memory/2332-0-0x0000000074C51000-0x0000000074C52000-memory.dmp

Filesize
4KB

Download
memory/2332-1-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download