cobaltstrike | fe3848b53bf6701306cb0fa9618527dbad319a882d2d1307f8693f005c61c772

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-12-2024 00:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lee.exe
Size

281KB
MD5

a7fcb5ec6dfef33922b57a9fb7251743
SHA1

95caf01828c0e39528e02309081ac752bb6624b6
SHA256

fe3848b53bf6701306cb0fa9618527dbad319a882d2d1307f8693f005c61c772
SHA512

f155c88c428ca22180982f7108bf7bba0629c55fbde142962b05763dce715101d93451312a49f9552af249c0ee0840e3d2240775f4c6d5152d392ec50bb11a32
SSDEEP

6144:GCvy+QJCWgFnl0ql59dHjNvSLjAdkKzTbXx4utYhFK:RyVJCrl0qLPHjsPzmTbBu

Score

10^/10

cobaltstrike 0 305419896 backdoor discovery trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

305419896

http://101.133.156.69:7001/fwlink

Attributes

access_type
512
host
101.133.156.69,/fwlink
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
7001
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2xMNNgKam92LQZPTpk+O5ByDU9W21a1O7RHFYVFF1t694BN3Y8KC3LowBUlZD1+kdSa3jIXSnWgqkpDjXtmAOrt93R8/3Scp2MK/8GOX3FJCITOuL/7DTquD1ctl3Coex5zELDxKST3KVN1c7GsLIx3df4L8BD9VMD1KKrgdrHwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; FunWebProducts; IE0006_ver1;EN_GB)
watermark
305419896

Extracted

Family

cobaltstrike

Botnet

Attributes

watermark
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133781790165443590"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2164	chrome.exe
2164	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2164	chrome.exe
Token: SeCreatePagefilePrivilege	2164	chrome.exe
Token: SeShutdownPrivilege	2164	chrome.exe
Token: SeCreatePagefilePrivilege	2164	chrome.exe
Token: SeShutdownPrivilege	2164	chrome.exe
Token: SeCreatePagefilePrivilege	2164	chrome.exe
Token: SeShutdownPrivilege	2164	chrome.exe
Token: SeCreatePagefilePrivilege	2164	chrome.exe
Token: SeShutdownPrivilege	2164	chrome.exe
Token: SeCreatePagefilePrivilege	2164	chrome.exe
Token: SeShutdownPrivilege	2164	chrome.exe
Token: SeCreatePagefilePrivilege	2164	chrome.exe
Token: SeShutdownPrivilege	2164	chrome.exe
Token: SeCreatePagefilePrivilege	2164	chrome.exe
Token: SeShutdownPrivilege	2164	chrome.exe
Token: SeCreatePagefilePrivilege	2164	chrome.exe
Token: SeShutdownPrivilege	2164	chrome.exe
Token: SeCreatePagefilePrivilege	2164	chrome.exe
Token: SeShutdownPrivilege	2164	chrome.exe
Token: SeCreatePagefilePrivilege	2164	chrome.exe
Token: SeShutdownPrivilege	2164	chrome.exe
Token: SeCreatePagefilePrivilege	2164	chrome.exe
Token: SeShutdownPrivilege	2164	chrome.exe
Token: SeCreatePagefilePrivilege	2164	chrome.exe
Token: SeShutdownPrivilege	2164	chrome.exe
Token: SeCreatePagefilePrivilege	2164	chrome.exe
Token: SeShutdownPrivilege	2164	chrome.exe
Token: SeCreatePagefilePrivilege	2164	chrome.exe
Token: SeShutdownPrivilege	2164	chrome.exe
Token: SeCreatePagefilePrivilege	2164	chrome.exe
Token: SeShutdownPrivilege	2164	chrome.exe
Token: SeCreatePagefilePrivilege	2164	chrome.exe
Token: SeShutdownPrivilege	2164	chrome.exe
Token: SeCreatePagefilePrivilege	2164	chrome.exe
Token: SeShutdownPrivilege	2164	chrome.exe
Token: SeCreatePagefilePrivilege	2164	chrome.exe
Token: SeShutdownPrivilege	2164	chrome.exe
Token: SeCreatePagefilePrivilege	2164	chrome.exe
Token: SeShutdownPrivilege	2164	chrome.exe
Token: SeCreatePagefilePrivilege	2164	chrome.exe
Token: SeShutdownPrivilege	2164	chrome.exe
Token: SeCreatePagefilePrivilege	2164	chrome.exe
Token: SeShutdownPrivilege	2164	chrome.exe
Token: SeCreatePagefilePrivilege	2164	chrome.exe
Token: SeShutdownPrivilege	2164	chrome.exe
Token: SeCreatePagefilePrivilege	2164	chrome.exe
Token: SeShutdownPrivilege	2164	chrome.exe
Token: SeCreatePagefilePrivilege	2164	chrome.exe
Token: SeShutdownPrivilege	2164	chrome.exe
Token: SeCreatePagefilePrivilege	2164	chrome.exe
Token: SeShutdownPrivilege	2164	chrome.exe
Token: SeCreatePagefilePrivilege	2164	chrome.exe
Token: SeShutdownPrivilege	2164	chrome.exe
Token: SeCreatePagefilePrivilege	2164	chrome.exe
Token: SeShutdownPrivilege	2164	chrome.exe
Token: SeCreatePagefilePrivilege	2164	chrome.exe
Token: SeShutdownPrivilege	2164	chrome.exe
Token: SeCreatePagefilePrivilege	2164	chrome.exe
Token: SeShutdownPrivilege	2164	chrome.exe
Token: SeCreatePagefilePrivilege	2164	chrome.exe
Token: SeShutdownPrivilege	2164	chrome.exe
Token: SeCreatePagefilePrivilege	2164	chrome.exe
Token: SeShutdownPrivilege	2164	chrome.exe
Token: SeCreatePagefilePrivilege	2164	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe
2164	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 4900	2164	chrome.exe	94
PID 2164 wrote to memory of 4900	2164	chrome.exe	94
PID 2164 wrote to memory of 916	2164	chrome.exe	95
PID 2164 wrote to memory of 916	2164	chrome.exe	95
PID 2164 wrote to memory of 916	2164	chrome.exe	95
PID 2164 wrote to memory of 916	2164	chrome.exe	95
PID 2164 wrote to memory of 916	2164	chrome.exe	95
PID 2164 wrote to memory of 916	2164	chrome.exe	95
PID 2164 wrote to memory of 916	2164	chrome.exe	95
PID 2164 wrote to memory of 916	2164	chrome.exe	95
PID 2164 wrote to memory of 916	2164	chrome.exe	95
PID 2164 wrote to memory of 916	2164	chrome.exe	95
PID 2164 wrote to memory of 916	2164	chrome.exe	95
PID 2164 wrote to memory of 916	2164	chrome.exe	95
PID 2164 wrote to memory of 916	2164	chrome.exe	95
PID 2164 wrote to memory of 916	2164	chrome.exe	95
PID 2164 wrote to memory of 916	2164	chrome.exe	95
PID 2164 wrote to memory of 916	2164	chrome.exe	95
PID 2164 wrote to memory of 916	2164	chrome.exe	95
PID 2164 wrote to memory of 916	2164	chrome.exe	95
PID 2164 wrote to memory of 916	2164	chrome.exe	95
PID 2164 wrote to memory of 916	2164	chrome.exe	95
PID 2164 wrote to memory of 916	2164	chrome.exe	95
PID 2164 wrote to memory of 916	2164	chrome.exe	95
PID 2164 wrote to memory of 916	2164	chrome.exe	95
PID 2164 wrote to memory of 916	2164	chrome.exe	95
PID 2164 wrote to memory of 916	2164	chrome.exe	95
PID 2164 wrote to memory of 916	2164	chrome.exe	95
PID 2164 wrote to memory of 916	2164	chrome.exe	95
PID 2164 wrote to memory of 916	2164	chrome.exe	95
PID 2164 wrote to memory of 916	2164	chrome.exe	95
PID 2164 wrote to memory of 916	2164	chrome.exe	95
PID 2164 wrote to memory of 1736	2164	chrome.exe	96
PID 2164 wrote to memory of 1736	2164	chrome.exe	96
PID 2164 wrote to memory of 3704	2164	chrome.exe	97
PID 2164 wrote to memory of 3704	2164	chrome.exe	97
PID 2164 wrote to memory of 3704	2164	chrome.exe	97
PID 2164 wrote to memory of 3704	2164	chrome.exe	97
PID 2164 wrote to memory of 3704	2164	chrome.exe	97
PID 2164 wrote to memory of 3704	2164	chrome.exe	97
PID 2164 wrote to memory of 3704	2164	chrome.exe	97
PID 2164 wrote to memory of 3704	2164	chrome.exe	97
PID 2164 wrote to memory of 3704	2164	chrome.exe	97
PID 2164 wrote to memory of 3704	2164	chrome.exe	97
PID 2164 wrote to memory of 3704	2164	chrome.exe	97
PID 2164 wrote to memory of 3704	2164	chrome.exe	97
PID 2164 wrote to memory of 3704	2164	chrome.exe	97
PID 2164 wrote to memory of 3704	2164	chrome.exe	97
PID 2164 wrote to memory of 3704	2164	chrome.exe	97
PID 2164 wrote to memory of 3704	2164	chrome.exe	97
PID 2164 wrote to memory of 3704	2164	chrome.exe	97
PID 2164 wrote to memory of 3704	2164	chrome.exe	97
PID 2164 wrote to memory of 3704	2164	chrome.exe	97
PID 2164 wrote to memory of 3704	2164	chrome.exe	97
PID 2164 wrote to memory of 3704	2164	chrome.exe	97
PID 2164 wrote to memory of 3704	2164	chrome.exe	97
PID 2164 wrote to memory of 3704	2164	chrome.exe	97
PID 2164 wrote to memory of 3704	2164	chrome.exe	97
PID 2164 wrote to memory of 3704	2164	chrome.exe	97
PID 2164 wrote to memory of 3704	2164	chrome.exe	97
PID 2164 wrote to memory of 3704	2164	chrome.exe	97
PID 2164 wrote to memory of 3704	2164	chrome.exe	97
PID 2164 wrote to memory of 3704	2164	chrome.exe	97
PID 2164 wrote to memory of 3704	2164	chrome.exe	97

C:\Users\Admin\AppData\Local\Temp\Lee.exe
"C:\Users\Admin\AppData\Local\Temp\Lee.exe"
1⤵
PID:4596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fffccb6cc40,0x7fffccb6cc4c,0x7fffccb6cc58
  2⤵
  PID:4900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2040,i,11640954569677447824,9361058595454360122,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2036 /prefetch:2
  2⤵
  PID:916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1904,i,11640954569677447824,9361058595454360122,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1752 /prefetch:3
  2⤵
  PID:1736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2280,i,11640954569677447824,9361058595454360122,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2404 /prefetch:8
  2⤵
  PID:3704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3176,i,11640954569677447824,9361058595454360122,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:4076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3204,i,11640954569677447824,9361058595454360122,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4596,i,11640954569677447824,9361058595454360122,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4616 /prefetch:1
  2⤵
  PID:2228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4868,i,11640954569677447824,9361058595454360122,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4912 /prefetch:8
  2⤵
  PID:4956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4916,i,11640954569677447824,9361058595454360122,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4876 /prefetch:8
  2⤵
  PID:2448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4468,i,11640954569677447824,9361058595454360122,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4472 /prefetch:8
  2⤵
  PID:2400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1724,i,11640954569677447824,9361058595454360122,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4448 /prefetch:8
  2⤵
  PID:4120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5108,i,11640954569677447824,9361058595454360122,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4388 /prefetch:8
  2⤵
  PID:640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5412,i,11640954569677447824,9361058595454360122,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4400 /prefetch:8
  2⤵
  PID:2940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5612,i,11640954569677447824,9361058595454360122,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5428 /prefetch:2
  2⤵
  PID:2640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5668,i,11640954569677447824,9361058595454360122,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5712,i,11640954569677447824,9361058595454360122,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:3928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4608,i,11640954569677447824,9361058595454360122,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:1480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5488,i,11640954569677447824,9361058595454360122,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:1544

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
a7e2dc33ff8b2a38d74d583dba5c95f2

SHA1
5568ea3cc9495e832faade70405191f174a0f3ad

SHA256
cf0f50bad875fdd4b43d7c30ffc170f5ade1341417fcd837e1a60701420bb325

SHA512
32d7b77aa015d650eea65323ab174a9c9c31711cce59d3553bd7a462483d335c8b7051b13715404231416b1ded97cfd091181c82dffa7ca13a11b5cadf7026a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\8fedcabb-8ab8-475b-a703-c2fc185f4b61.tmp

Filesize
1KB

MD5
1ae5bc67c28a3b69b7656f6e16ece17e

SHA1
d2ba4510b897b5ab062afc034af6680dfec73c72

SHA256
f411a42f0ab0ea773682d27e2702acf5559c1d3c0bd7cfa1bd00337fd1b85491

SHA512
33095195d9ffa87dcc79b4a0197d3837873017e5a5b502e5a585792ee0497efdbf8df29ec6e6796e92e29bfd797425f0cb1359f142b1807db207626ddeafdd35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
370f75e5dcb962cdaf3e222a595c9be0

SHA1
b0cef72a532136d744e591f755d91d42490c14d9

SHA256
1e90da75542f5a1cfea475e6c85aa19adad9007597f34a4fe6e3e946b54581dc

SHA512
8eefeaaae6accaf46a5b8b264d0daf8e9cc9016faaddddd46d28e4ae8d94480abe3c1dcd76a46831c61cfaf10d7ae548063d150a7e33511667055909fb62317e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
83f15877adfbfc519f2d5fad4cffbb3e

SHA1
bd0ca13618c4d4da1a3b10fbbe60625cc78abb93

SHA256
4a1343617123d7c30b95dcfb7c06947bd202b4816f3efcc10559f705b4fb3dd0

SHA512
1fcfc7223d4b5aa0dd7a285754460cd674e9a4f8c4219ad2ee7cb9ebb7e61e50a6cad631f169bfe36c7e85a2eaec3fa2a255bbeed79b69311e8b488742c6fd88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0feccaea13cb227ce53618c90fc8c9a4

SHA1
019bbc741a65d989b162cd949f75f1d313bc2f6b

SHA256
2d04dac6f851af472652affe8d5df30b5da77ade93265ba7607944be957b3d6b

SHA512
17da1efe73542f861234af10d14b93d6ee88d6eaf7df3330ca4174ea3885ff93c37c548f56ca5e26ac7662fe77affd71b46cfa257bff9195ab0d217fe511c79b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3407aa29cc4af9d1735608a9c1a89d94

SHA1
2954258222bfb26b17500547109c3ba716a655ce

SHA256
6820730ded02bd53cd9acf2bd8ff4f0e0049f387b0a6ad6e459dda7679491c83

SHA512
22463c0f8848802665e1cc76557cee82d1726bf0d98344ce7f914aa6c872ffe1391863b3e4c85648bdb534504cf3e0e1a700ad5a6549dd7c89f9a4a76b077aa2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ce572e68bfbd13cbd7c7498f7590ddc2

SHA1
c27cf37147625ef3164f0c95cac74b73426bb747

SHA256
1445bf586094a8bf479e0b5ab0515435bcf19bccf92f0ccf7c6c705b444eb336

SHA512
f643a00ada5e4594d0af20429bad1c3b4767c6b6b584826240f55e5b79f1dccd89c260ab0fff0be6c11425b4a5662f31d2a7cc6b77c517bed54442c45f5995b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c774a6a1d167724cd1e54eb51c9acc44

SHA1
679bef9a24c9b0e1781dbf8656a815d4b6d1123f

SHA256
b2f78f999a66fb9f49e83e31e23d5e171d94cc27be24701e92b35fba58a92b51

SHA512
19a50768ef770f8adfe8e3f55024b68b2d0502e4cc9755ba8fa0180431b8b726301a4e73bab2722fbbcf9b984ce776ffbc64a5644fa53c7bb4df651b5567044f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
85a92fc4f58d82c412052427a93d1aec

SHA1
f177efb992b07b61b8c9e08aaea0c05091c8d5f4

SHA256
eb722c2c954fe51ccb0bd78a9abf902dea6a4a792993034ded20e2b9a9ca1f3f

SHA512
930048d84a7d4127aa3782bc88dd5869ff6b11bd5ef79aac302fa3202ff7945811e772536f78dd7189d09d2e5f0d51ec1ec2eec5619676a8d50efd6cd9aeb09f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
888308b4d5ebf7373834bca8b17c056d

SHA1
dbea89aa2a24ec1ddbc6ce23319dced3b2e97a72

SHA256
73d5a09e0e8dd6232005cb719de6f938de8ce94d324f496a5790dc18d4d02516

SHA512
711e0d88c7fd628a0bb02749cb4a1614b8796650a2ee5cf352c613003131ccf89a043820580943b418e0df352934c1822648e0f1fbb6c5ec3b003ec401c97409

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
a58234ff731b7f0a4f6a8fcbe144f021

SHA1
6dee064dd1704c11324711d121358efcc18ba02d

SHA256
4431c770ca0f9d63234750e0891fc074e231babb9221a94a0262928abc3c7128

SHA512
02813782bc311937bcab268878f89d8e11ba2b8c3ce8fb339ca30690c6178bffc7ec78c0242c89db56231b54c622689e40927dc418532af9ea36df8d7223f372

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
e2371a82c64babceafc8f7dd529c4c58

SHA1
694c79ed48bb3565c5b9d3ad59f6e98409aeb43f

SHA256
37e2ba4bb2c666a4352cde915927e4192e10310f565be641b2da74d1edcd8f65

SHA512
53fea69038ca244d2af10d44955831015e1d3c735ba2b30f1a47e121f5fe5cc354d9a40b2026eeb5d497bde227f3931e71abf81657d225e443ecb199ed8e9121

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
d84a05e63809194948ce0c670cda4540

SHA1
58429a83738023fe0ed4e96b1730c5eebb822868

SHA256
99d6210387d4d7ef051662811dc49edcbea23f9ee9f786f8f0c6c012c303a5ba

SHA512
71f7fc26bafb86415bfbeefadbfd23c6dc7eef875975f2c5f6baeb4772ccb2b5e70f7759c1d2a9adee5f1be6f29250fd111266cd6dbe605da11e1934bca16c37

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2164_1843067221\6f1a048e-318f-4cb3-9dc4-feba98828dc2.tmp

Filesize
135KB

MD5
3f6f93c3dccd4a91c4eb25c7f6feb1c1

SHA1
9b73f46adfa1f4464929b408407e73d4535c6827

SHA256
19f05352cb4c6e231c1c000b6c8b7e9edcc1e8082caf46fff16b239d32aa7c9e

SHA512
d488fa67e3a29d0147e9eaf2eabc74d9a255f8470cf79a4aea60e3b3b5e48a3fcbc4fc3e9ce58dff8d7d0caa8ae749295f221e1fe1ba5d20deb2d97544a12ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2164_1843067221\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
memory/4596-0-0x0000000000750000-0x0000000000791000-memory.dmp

Filesize
260KB

Download
memory/4596-2-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4596-3-0x00000000007B0000-0x00000000007FE000-memory.dmp

Filesize
312KB

Download
memory/4596-1-0x00000000007B0000-0x00000000007FE000-memory.dmp

Filesize
312KB

Download