redtiger | 781a9255db93078bb36ea38c2b9a073eacf03f142693b51b7f257d7f8f1fb76e

Analysis

max time kernel
78s
max time network
79s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2024, 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NiceRAT.pyc
Size

16B
MD5

3a0d4309583f2f5b242e352130abcc01
SHA1

f69758b7687c4337f7235fdd9e8723c49d254287
SHA256

bf8b7ac42546a146f1ebf72707d283fef6ec43b82522f07d39ca1251a9cf0ef0
SHA512

e966a8aa2752a3054cbc5fdb0a05e4edcd5e379f3536d074151e5f9034408cf7b70260f2d1bcf7d4e8bcf633264850d76696164d49b4d2de64d06ed699745d55

Score

10^/10

redtiger discovery stealer

Malware Config

Signatures

Detects RedTiger Stealer 56 IoCs

stealer

resource	yara_rule
behavioral2/files/0x000b000000023b8b-34.dat	redtigerv122
behavioral2/files/0x000b000000023b8b-34.dat	redtigerv22
behavioral2/files/0x000b000000023b8b-34.dat	redtiger_stealer_detection
behavioral2/files/0x000b000000023b8b-34.dat	redtiger_stealer_detection_v2
behavioral2/files/0x000b000000023b8b-34.dat	staticSred
behavioral2/files/0x000b000000023b8b-34.dat	staticred
behavioral2/files/0x000b000000023b8b-34.dat	redtiger_stealer_detection_v1
behavioral2/files/0x0007000000023d82-468.dat	redtigerv122
behavioral2/files/0x0007000000023d82-468.dat	redtigerv22
behavioral2/files/0x0007000000023d82-468.dat	redtiger_stealer_detection
behavioral2/files/0x0007000000023d82-468.dat	redtiger_stealer_detection_v2
behavioral2/files/0x0007000000023d82-468.dat	staticSred
behavioral2/files/0x0007000000023d82-468.dat	staticred
behavioral2/files/0x0007000000023d82-468.dat	redtiger_stealer_detection_v1
behavioral2/files/0x0004000000023278-471.dat	redtigerv122
behavioral2/files/0x0004000000023278-471.dat	redtigerv22
behavioral2/files/0x0004000000023278-471.dat	redtiger_stealer_detection
behavioral2/files/0x0004000000023278-471.dat	redtiger_stealer_detection_v2
behavioral2/files/0x0004000000023278-471.dat	staticSred
behavioral2/files/0x0004000000023278-471.dat	staticred
behavioral2/files/0x0004000000023278-471.dat	redtiger_stealer_detection_v1
behavioral2/files/0x0004000000023265-478.dat	redtigerv122
behavioral2/files/0x0004000000023265-478.dat	redtigerv22
behavioral2/files/0x0004000000023265-478.dat	redtiger_stealer_detection
behavioral2/files/0x0004000000023265-478.dat	redtiger_stealer_detection_v2
behavioral2/files/0x0004000000023265-478.dat	staticSred
behavioral2/files/0x0004000000023265-478.dat	staticred
behavioral2/files/0x0004000000023265-478.dat	redtiger_stealer_detection_v1
behavioral2/files/0x000a000000023d83-484.dat	redtigerv122
behavioral2/files/0x000a000000023d83-484.dat	redtigerv22
behavioral2/files/0x000a000000023d83-484.dat	redtiger_stealer_detection
behavioral2/files/0x000a000000023d83-484.dat	redtiger_stealer_detection_v2
behavioral2/files/0x000a000000023d83-484.dat	staticSred
behavioral2/files/0x000a000000023d83-484.dat	staticred
behavioral2/files/0x000a000000023d83-484.dat	redtiger_stealer_detection_v1
behavioral2/files/0x0007000000023d8c-513.dat	redtigerv122
behavioral2/files/0x0007000000023d8c-513.dat	redtigerv22
behavioral2/files/0x0007000000023d8c-513.dat	redtiger_stealer_detection
behavioral2/files/0x0007000000023d8c-513.dat	redtiger_stealer_detection_v2
behavioral2/files/0x0007000000023d8c-513.dat	staticSred
behavioral2/files/0x0007000000023d8c-513.dat	staticred
behavioral2/files/0x0007000000023d8c-513.dat	redtiger_stealer_detection_v1
behavioral2/files/0x0002000000022187-529.dat	redtigerv122
behavioral2/files/0x0002000000022187-529.dat	redtigerv22
behavioral2/files/0x0002000000022187-529.dat	redtiger_stealer_detection
behavioral2/files/0x0002000000022187-529.dat	redtiger_stealer_detection_v2
behavioral2/files/0x0002000000022187-529.dat	staticSred
behavioral2/files/0x0002000000022187-529.dat	staticred
behavioral2/files/0x0002000000022187-529.dat	redtiger_stealer_detection_v1
behavioral2/files/0x0002000000022188-538.dat	redtigerv122
behavioral2/files/0x0002000000022188-538.dat	redtigerv22
behavioral2/files/0x0002000000022188-538.dat	redtiger_stealer_detection
behavioral2/files/0x0002000000022188-538.dat	redtiger_stealer_detection_v2
behavioral2/files/0x0002000000022188-538.dat	staticSred
behavioral2/files/0x0002000000022188-538.dat	staticred
behavioral2/files/0x0002000000022188-538.dat	redtiger_stealer_detection_v1

Redtiger family
redtiger
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133795197733246264"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
940	chrome.exe
940	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
940	chrome.exe
940	chrome.exe
940	chrome.exe
940	chrome.exe
940	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	940	chrome.exe
Token: SeCreatePagefilePrivilege	940	chrome.exe
Token: SeShutdownPrivilege	940	chrome.exe
Token: SeCreatePagefilePrivilege	940	chrome.exe
Token: SeShutdownPrivilege	940	chrome.exe
Token: SeCreatePagefilePrivilege	940	chrome.exe
Token: SeShutdownPrivilege	940	chrome.exe
Token: SeCreatePagefilePrivilege	940	chrome.exe
Token: SeShutdownPrivilege	940	chrome.exe
Token: SeCreatePagefilePrivilege	940	chrome.exe
Token: SeShutdownPrivilege	940	chrome.exe
Token: SeCreatePagefilePrivilege	940	chrome.exe
Token: SeShutdownPrivilege	940	chrome.exe
Token: SeCreatePagefilePrivilege	940	chrome.exe
Token: SeShutdownPrivilege	940	chrome.exe
Token: SeCreatePagefilePrivilege	940	chrome.exe
Token: SeShutdownPrivilege	940	chrome.exe
Token: SeCreatePagefilePrivilege	940	chrome.exe
Token: SeShutdownPrivilege	940	chrome.exe
Token: SeCreatePagefilePrivilege	940	chrome.exe
Token: SeShutdownPrivilege	940	chrome.exe
Token: SeCreatePagefilePrivilege	940	chrome.exe
Token: SeShutdownPrivilege	940	chrome.exe
Token: SeCreatePagefilePrivilege	940	chrome.exe
Token: SeShutdownPrivilege	940	chrome.exe
Token: SeCreatePagefilePrivilege	940	chrome.exe
Token: SeShutdownPrivilege	940	chrome.exe
Token: SeCreatePagefilePrivilege	940	chrome.exe
Token: SeShutdownPrivilege	940	chrome.exe
Token: SeCreatePagefilePrivilege	940	chrome.exe
Token: SeShutdownPrivilege	940	chrome.exe
Token: SeCreatePagefilePrivilege	940	chrome.exe
Token: SeShutdownPrivilege	940	chrome.exe
Token: SeCreatePagefilePrivilege	940	chrome.exe
Token: SeShutdownPrivilege	940	chrome.exe
Token: SeCreatePagefilePrivilege	940	chrome.exe
Token: SeShutdownPrivilege	940	chrome.exe
Token: SeCreatePagefilePrivilege	940	chrome.exe
Token: SeShutdownPrivilege	940	chrome.exe
Token: SeCreatePagefilePrivilege	940	chrome.exe
Token: SeShutdownPrivilege	940	chrome.exe
Token: SeCreatePagefilePrivilege	940	chrome.exe
Token: SeShutdownPrivilege	940	chrome.exe
Token: SeCreatePagefilePrivilege	940	chrome.exe
Token: SeShutdownPrivilege	940	chrome.exe
Token: SeCreatePagefilePrivilege	940	chrome.exe
Token: SeShutdownPrivilege	940	chrome.exe
Token: SeCreatePagefilePrivilege	940	chrome.exe
Token: SeShutdownPrivilege	940	chrome.exe
Token: SeCreatePagefilePrivilege	940	chrome.exe
Token: SeShutdownPrivilege	940	chrome.exe
Token: SeCreatePagefilePrivilege	940	chrome.exe
Token: SeShutdownPrivilege	940	chrome.exe
Token: SeCreatePagefilePrivilege	940	chrome.exe
Token: SeShutdownPrivilege	940	chrome.exe
Token: SeCreatePagefilePrivilege	940	chrome.exe
Token: SeShutdownPrivilege	940	chrome.exe
Token: SeCreatePagefilePrivilege	940	chrome.exe
Token: SeShutdownPrivilege	940	chrome.exe
Token: SeCreatePagefilePrivilege	940	chrome.exe
Token: SeShutdownPrivilege	940	chrome.exe
Token: SeCreatePagefilePrivilege	940	chrome.exe
Token: SeShutdownPrivilege	940	chrome.exe
Token: SeCreatePagefilePrivilege	940	chrome.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
940	chrome.exe
940	chrome.exe
940	chrome.exe
940	chrome.exe
940	chrome.exe
940	chrome.exe
940	chrome.exe
940	chrome.exe
940	chrome.exe
940	chrome.exe
940	chrome.exe
940	chrome.exe
940	chrome.exe
940	chrome.exe
940	chrome.exe
940	chrome.exe
940	chrome.exe
940	chrome.exe
940	chrome.exe
940	chrome.exe
940	chrome.exe
940	chrome.exe
940	chrome.exe
940	chrome.exe
940	chrome.exe
940	chrome.exe
940	chrome.exe
940	chrome.exe
940	chrome.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
940	chrome.exe
940	chrome.exe
940	chrome.exe
940	chrome.exe
940	chrome.exe
940	chrome.exe
940	chrome.exe
940	chrome.exe
940	chrome.exe
940	chrome.exe
940	chrome.exe
940	chrome.exe
940	chrome.exe
940	chrome.exe
940	chrome.exe
940	chrome.exe
940	chrome.exe
940	chrome.exe
940	chrome.exe
940	chrome.exe
940	chrome.exe
940	chrome.exe
940	chrome.exe
940	chrome.exe
940	chrome.exe
940	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4688	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 940 wrote to memory of 1436	940	chrome.exe	108
PID 940 wrote to memory of 1436	940	chrome.exe	108
PID 940 wrote to memory of 4860	940	chrome.exe	109
PID 940 wrote to memory of 4860	940	chrome.exe	109
PID 940 wrote to memory of 4860	940	chrome.exe	109
PID 940 wrote to memory of 4860	940	chrome.exe	109
PID 940 wrote to memory of 4860	940	chrome.exe	109
PID 940 wrote to memory of 4860	940	chrome.exe	109
PID 940 wrote to memory of 4860	940	chrome.exe	109
PID 940 wrote to memory of 4860	940	chrome.exe	109
PID 940 wrote to memory of 4860	940	chrome.exe	109
PID 940 wrote to memory of 4860	940	chrome.exe	109
PID 940 wrote to memory of 4860	940	chrome.exe	109
PID 940 wrote to memory of 4860	940	chrome.exe	109
PID 940 wrote to memory of 4860	940	chrome.exe	109
PID 940 wrote to memory of 4860	940	chrome.exe	109
PID 940 wrote to memory of 4860	940	chrome.exe	109
PID 940 wrote to memory of 4860	940	chrome.exe	109
PID 940 wrote to memory of 4860	940	chrome.exe	109
PID 940 wrote to memory of 4860	940	chrome.exe	109
PID 940 wrote to memory of 4860	940	chrome.exe	109
PID 940 wrote to memory of 4860	940	chrome.exe	109
PID 940 wrote to memory of 4860	940	chrome.exe	109
PID 940 wrote to memory of 4860	940	chrome.exe	109
PID 940 wrote to memory of 4860	940	chrome.exe	109
PID 940 wrote to memory of 4860	940	chrome.exe	109
PID 940 wrote to memory of 4860	940	chrome.exe	109
PID 940 wrote to memory of 4860	940	chrome.exe	109
PID 940 wrote to memory of 4860	940	chrome.exe	109
PID 940 wrote to memory of 4860	940	chrome.exe	109
PID 940 wrote to memory of 4860	940	chrome.exe	109
PID 940 wrote to memory of 4860	940	chrome.exe	109
PID 940 wrote to memory of 2720	940	chrome.exe	110
PID 940 wrote to memory of 2720	940	chrome.exe	110
PID 940 wrote to memory of 3972	940	chrome.exe	111
PID 940 wrote to memory of 3972	940	chrome.exe	111
PID 940 wrote to memory of 3972	940	chrome.exe	111
PID 940 wrote to memory of 3972	940	chrome.exe	111
PID 940 wrote to memory of 3972	940	chrome.exe	111
PID 940 wrote to memory of 3972	940	chrome.exe	111
PID 940 wrote to memory of 3972	940	chrome.exe	111
PID 940 wrote to memory of 3972	940	chrome.exe	111
PID 940 wrote to memory of 3972	940	chrome.exe	111
PID 940 wrote to memory of 3972	940	chrome.exe	111
PID 940 wrote to memory of 3972	940	chrome.exe	111
PID 940 wrote to memory of 3972	940	chrome.exe	111
PID 940 wrote to memory of 3972	940	chrome.exe	111
PID 940 wrote to memory of 3972	940	chrome.exe	111
PID 940 wrote to memory of 3972	940	chrome.exe	111
PID 940 wrote to memory of 3972	940	chrome.exe	111
PID 940 wrote to memory of 3972	940	chrome.exe	111
PID 940 wrote to memory of 3972	940	chrome.exe	111
PID 940 wrote to memory of 3972	940	chrome.exe	111
PID 940 wrote to memory of 3972	940	chrome.exe	111
PID 940 wrote to memory of 3972	940	chrome.exe	111
PID 940 wrote to memory of 3972	940	chrome.exe	111
PID 940 wrote to memory of 3972	940	chrome.exe	111
PID 940 wrote to memory of 3972	940	chrome.exe	111
PID 940 wrote to memory of 3972	940	chrome.exe	111
PID 940 wrote to memory of 3972	940	chrome.exe	111
PID 940 wrote to memory of 3972	940	chrome.exe	111
PID 940 wrote to memory of 3972	940	chrome.exe	111
PID 940 wrote to memory of 3972	940	chrome.exe	111
PID 940 wrote to memory of 3972	940	chrome.exe	111

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\NiceRAT.pyc
1⤵
- Modifies registry class
PID:3084

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4688

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffd0b89cc40,0x7ffd0b89cc4c,0x7ffd0b89cc58
  2⤵
  PID:1436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2092,i,14757997611204951718,1553199502452481931,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2088 /prefetch:2
  2⤵
  PID:4860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1736,i,14757997611204951718,1553199502452481931,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  PID:2720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2288,i,14757997611204951718,1553199502452481931,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2436 /prefetch:8
  2⤵
  PID:3972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,14757997611204951718,1553199502452481931,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:1968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3192,i,14757997611204951718,1553199502452481931,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:2392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4540,i,14757997611204951718,1553199502452481931,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4564 /prefetch:1
  2⤵
  PID:4728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4876,i,14757997611204951718,1553199502452481931,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4884 /prefetch:8
  2⤵
  PID:996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4916,i,14757997611204951718,1553199502452481931,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4900 /prefetch:8
  2⤵
  PID:4796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5180,i,14757997611204951718,1553199502452481931,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5176 /prefetch:8
  2⤵
  PID:3364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5312,i,14757997611204951718,1553199502452481931,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5320 /prefetch:8
  2⤵
  PID:2920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4412,i,14757997611204951718,1553199502452481931,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5172 /prefetch:8
  2⤵
  PID:3092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4500,i,14757997611204951718,1553199502452481931,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5192 /prefetch:8
  2⤵
  PID:4868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5536,i,14757997611204951718,1553199502452481931,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4512 /prefetch:2
  2⤵
  PID:3896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5152,i,14757997611204951718,1553199502452481931,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5300 /prefetch:1
  2⤵
  PID:5084

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\57b3e566-2774-4b59-b22a-ab6066517002.tmp

Filesize
9KB

MD5
addee6593566070708b5dcbffaabde02

SHA1
031a5bf185ff60610bf73ca5f4b1f1cbc7f4b5ae

SHA256
cc63aa05a3bbd139ca70a8c6baf544a97bda0fa0ce76dfd188bd319baea12bd0

SHA512
89158a215e68baa7849f8b1cfc2af557c669f7739acb13222f1086e9dfd9249a82f110c68b59d17538ec5ff5c0278fc58b03bb515933f00e0c7dcce1567e0231

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
b32baa14ec62efc4f6133ed22c697db2

SHA1
0ac0427107f3d977e37e332427a1f587d4d40d69

SHA256
a6604ae0786d0252104991b568f2b4e15f724c66c7d10fc0796b29b28e6a3a0c

SHA512
156bc2b5b76f09a169034df0e83b7f1722dfecf9bb29e4495b466b7cc182caa644c601b0f063d54301fb7b3b4889e34c7298dcd340aab4777106c9f71af91d6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
cc05ba4b98354d9b2809e6e9f6c225c8

SHA1
5e117964f07db68fbaf0a6c08414ea5a1b718142

SHA256
af76f096a7b6dc64f60c66068089a65a905eea5c8dc21de0e0bf85936c9e92b3

SHA512
9020c0f15825c86c9dbe4fa239ebda83573ee28bc36b0d03807e7c56e8c0445c5f9bc8716edf358741020b0ed9b657fc869ef051e548216208d268d4c31556d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
a6bb5a07cbc8e1f655f9fc838e415d55

SHA1
b0f2f35e92750af73c05e386160605df28e3fb80

SHA256
5737e02bf982a7b7bf00ea213aeb3f623a99fca9e370c8142f50ff410e58396f

SHA512
98e9e7884e3e9855a92f205412781e6df325c685867843b00954860792736cdcd9e61ccf18ba9b9a54b12d40a91e649be33c249570eee9707c7dfb630d9d5afa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
aed051b6bc167fb66d95bc3004c88edf

SHA1
24b3eac2b316e421172b9893b47bd9ab236176a8

SHA256
fc25babd15ff0b997020e09885a19bec59c76b72e9e4a48c11875467c30528d5

SHA512
be68bebaf658d520cfd5c875ad96dde912c5a162df091c49085602f275232cde60858e6db1fefaf43c50e0bfbb50d8af688c4f5a53c5fc0890a8ccdc49cfb1d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
05f0291984609bfaff5187516f48856c

SHA1
f312cd368bb0fe728aa006e2c6a881e9532ceb4d

SHA256
94b2e4c9165f65312a43cb1ac72a50e4fa42f8bccebe586426da1a5776cd6338

SHA512
200f80abddc263d34dc4f4ec9b7ea0c519e58a2d6b05c956fb64d7e196d4fff02e9bf76216a5d63183eeb8f01186a100feed3425faf1085ee7c8741ebf8e97a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
69da2a414a7dc9d0ed324353ce51a01c

SHA1
22c7f3de800ee6dd096c3bf4a628d078a5d4d4c8

SHA256
3bd17d07ab2a6dcbf6c0245a0a504f86fb08fe84c022e473854c342fb0828fc3

SHA512
f0e471def7eb050348b15860bbeb16f8dbcb6ae6464cc551ce316c4c1390e0746b7bd13fe1d70e20b4b4e848eb886e9f0b785fe252c0ca6f3eee271f339e5149

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
869bac689f2d230def3bc4a4375bb9df

SHA1
781441e824faf72edf4cded60f67cd206016b7db

SHA256
f6a933f96f6c9492d7a46115d4308fd4e7dfd7a4ff3e268873b8e402d264a51a

SHA512
8fe2d6268d5ffe3530a17f0ef02f34ba15df7d39b4d055bef71e20af29f3fb6071f86587e60d258aad95ca93a8e83870b4f1a943f5a1d506e8b8a80166774747

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
4a15fc80d78cb2f18325512c443b1abc

SHA1
1b637f646e1ab8d91e6dbe8b3a65069738d6dcac

SHA256
4a143ffe6d6d5cc9b3817d19497168d095ab5263899bb01a495fff0541f649fe

SHA512
1063490b2cbd62bebf5541e316ff035989110fc86604f906a00310e65d8a0abad3111207df994b3e87825cb322cc5bb1563c853aabaaf2a4fa248d74e99781d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
f6dde20ff8f1c58a7b02bfe46083d94c

SHA1
96a26b1f028fba2d997a6538186dc33f6df01fc0

SHA256
7d67477a0a68b9fbb5a8da1220563b91717fc5686dd99096e6d5c6df463fd815

SHA512
f16e9e6a6e02e5dea9663896abe45d8ba18549e1c5e547dcbac64350d863f300282f15cc8c9555e2d9dcd1361b821a75cd15f1dd75bc6428ed33707ba2806577

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir940_599763411\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir940_599763411\a2e0b4ee-81cd-4fb5-8c8c-f13d0757a6bc.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit