nanocore | hxxps://file[.]kiwi/bfb4f853#vMAGRg5cF5TUCP7j-tdeZw

Analysis

max time kernel
346s
max time network
349s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
01-01-2025 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://file.kiwi/bfb4f853#vMAGRg5cF5TUCP7j-tdeZw

Score

10^/10

nanocore discovery evasion keylogger persistence phishing spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore
A potential corporate email address has been identified in the URL: [email protected]
phishing

Executes dropped EXE 1 IoCs

pid	Process
5364	Microsoft Crash Handler.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Manager = "C:\\Program Files (x86)\\TCP Manager\\tcpmgr.exe"	Microsoft Crash Handler.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Microsoft Crash Handler.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\TCP Manager\tcpmgr.exe	Microsoft Crash Handler.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Microsoft Crash Handler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133802378055760245"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000_Classes\Local Settings	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5520	schtasks.exe
5600	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
4516	chrome.exe
4516	chrome.exe
5364	Microsoft Crash Handler.exe
5364	Microsoft Crash Handler.exe
5364	Microsoft Crash Handler.exe
5364	Microsoft Crash Handler.exe
5364	Microsoft Crash Handler.exe
5364	Microsoft Crash Handler.exe
5364	Microsoft Crash Handler.exe
5364	Microsoft Crash Handler.exe
5364	Microsoft Crash Handler.exe
5364	Microsoft Crash Handler.exe
5364	Microsoft Crash Handler.exe
5364	Microsoft Crash Handler.exe
5364	Microsoft Crash Handler.exe
5364	Microsoft Crash Handler.exe
5364	Microsoft Crash Handler.exe
5364	Microsoft Crash Handler.exe
5536	chrome.exe
5536	chrome.exe
5536	chrome.exe
5536	chrome.exe
5364	Microsoft Crash Handler.exe
5364	Microsoft Crash Handler.exe
5364	Microsoft Crash Handler.exe
5364	Microsoft Crash Handler.exe
5364	Microsoft Crash Handler.exe
5364	Microsoft Crash Handler.exe
5364	Microsoft Crash Handler.exe
5364	Microsoft Crash Handler.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5364	Microsoft Crash Handler.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4516	chrome.exe
4516	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4516	chrome.exe
Token: SeCreatePagefilePrivilege	4516	chrome.exe
Token: SeShutdownPrivilege	4516	chrome.exe
Token: SeCreatePagefilePrivilege	4516	chrome.exe
Token: SeShutdownPrivilege	4516	chrome.exe
Token: SeCreatePagefilePrivilege	4516	chrome.exe
Token: SeShutdownPrivilege	4516	chrome.exe
Token: SeCreatePagefilePrivilege	4516	chrome.exe
Token: SeShutdownPrivilege	4516	chrome.exe
Token: SeCreatePagefilePrivilege	4516	chrome.exe
Token: SeShutdownPrivilege	4516	chrome.exe
Token: SeCreatePagefilePrivilege	4516	chrome.exe
Token: SeShutdownPrivilege	4516	chrome.exe
Token: SeCreatePagefilePrivilege	4516	chrome.exe
Token: SeShutdownPrivilege	4516	chrome.exe
Token: SeCreatePagefilePrivilege	4516	chrome.exe
Token: SeShutdownPrivilege	4516	chrome.exe
Token: SeCreatePagefilePrivilege	4516	chrome.exe
Token: SeShutdownPrivilege	4516	chrome.exe
Token: SeCreatePagefilePrivilege	4516	chrome.exe
Token: SeShutdownPrivilege	4516	chrome.exe
Token: SeCreatePagefilePrivilege	4516	chrome.exe
Token: SeShutdownPrivilege	4516	chrome.exe
Token: SeCreatePagefilePrivilege	4516	chrome.exe
Token: SeShutdownPrivilege	4516	chrome.exe
Token: SeCreatePagefilePrivilege	4516	chrome.exe
Token: SeShutdownPrivilege	4516	chrome.exe
Token: SeCreatePagefilePrivilege	4516	chrome.exe
Token: SeShutdownPrivilege	4516	chrome.exe
Token: SeCreatePagefilePrivilege	4516	chrome.exe
Token: SeShutdownPrivilege	4516	chrome.exe
Token: SeCreatePagefilePrivilege	4516	chrome.exe
Token: SeShutdownPrivilege	4516	chrome.exe
Token: SeCreatePagefilePrivilege	4516	chrome.exe
Token: SeShutdownPrivilege	4516	chrome.exe
Token: SeCreatePagefilePrivilege	4516	chrome.exe
Token: SeShutdownPrivilege	4516	chrome.exe
Token: SeCreatePagefilePrivilege	4516	chrome.exe
Token: SeShutdownPrivilege	4516	chrome.exe
Token: SeCreatePagefilePrivilege	4516	chrome.exe
Token: SeDebugPrivilege	5364	Microsoft Crash Handler.exe
Token: SeShutdownPrivilege	4516	chrome.exe
Token: SeCreatePagefilePrivilege	4516	chrome.exe
Token: SeShutdownPrivilege	4516	chrome.exe
Token: SeCreatePagefilePrivilege	4516	chrome.exe
Token: SeShutdownPrivilege	4516	chrome.exe
Token: SeCreatePagefilePrivilege	4516	chrome.exe
Token: SeShutdownPrivilege	4516	chrome.exe
Token: SeCreatePagefilePrivilege	4516	chrome.exe
Token: SeShutdownPrivilege	4516	chrome.exe
Token: SeCreatePagefilePrivilege	4516	chrome.exe
Token: SeShutdownPrivilege	4516	chrome.exe
Token: SeCreatePagefilePrivilege	4516	chrome.exe
Token: SeShutdownPrivilege	4516	chrome.exe
Token: SeCreatePagefilePrivilege	4516	chrome.exe
Token: SeShutdownPrivilege	4516	chrome.exe
Token: SeCreatePagefilePrivilege	4516	chrome.exe
Token: SeShutdownPrivilege	4516	chrome.exe
Token: SeCreatePagefilePrivilege	4516	chrome.exe
Token: SeShutdownPrivilege	4516	chrome.exe
Token: SeCreatePagefilePrivilege	4516	chrome.exe
Token: SeShutdownPrivilege	4516	chrome.exe
Token: SeCreatePagefilePrivilege	4516	chrome.exe
Token: SeShutdownPrivilege	4516	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe
4516	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4516 wrote to memory of 2516	4516	chrome.exe	91
PID 4516 wrote to memory of 2516	4516	chrome.exe	91
PID 4516 wrote to memory of 1528	4516	chrome.exe	92
PID 4516 wrote to memory of 1528	4516	chrome.exe	92
PID 4516 wrote to memory of 1528	4516	chrome.exe	92
PID 4516 wrote to memory of 1528	4516	chrome.exe	92
PID 4516 wrote to memory of 1528	4516	chrome.exe	92
PID 4516 wrote to memory of 1528	4516	chrome.exe	92
PID 4516 wrote to memory of 1528	4516	chrome.exe	92
PID 4516 wrote to memory of 1528	4516	chrome.exe	92
PID 4516 wrote to memory of 1528	4516	chrome.exe	92
PID 4516 wrote to memory of 1528	4516	chrome.exe	92
PID 4516 wrote to memory of 1528	4516	chrome.exe	92
PID 4516 wrote to memory of 1528	4516	chrome.exe	92
PID 4516 wrote to memory of 1528	4516	chrome.exe	92
PID 4516 wrote to memory of 1528	4516	chrome.exe	92
PID 4516 wrote to memory of 1528	4516	chrome.exe	92
PID 4516 wrote to memory of 1528	4516	chrome.exe	92
PID 4516 wrote to memory of 1528	4516	chrome.exe	92
PID 4516 wrote to memory of 1528	4516	chrome.exe	92
PID 4516 wrote to memory of 1528	4516	chrome.exe	92
PID 4516 wrote to memory of 1528	4516	chrome.exe	92
PID 4516 wrote to memory of 1528	4516	chrome.exe	92
PID 4516 wrote to memory of 1528	4516	chrome.exe	92
PID 4516 wrote to memory of 1528	4516	chrome.exe	92
PID 4516 wrote to memory of 1528	4516	chrome.exe	92
PID 4516 wrote to memory of 1528	4516	chrome.exe	92
PID 4516 wrote to memory of 1528	4516	chrome.exe	92
PID 4516 wrote to memory of 1528	4516	chrome.exe	92
PID 4516 wrote to memory of 1528	4516	chrome.exe	92
PID 4516 wrote to memory of 1528	4516	chrome.exe	92
PID 4516 wrote to memory of 1528	4516	chrome.exe	92
PID 4516 wrote to memory of 2416	4516	chrome.exe	93
PID 4516 wrote to memory of 2416	4516	chrome.exe	93
PID 4516 wrote to memory of 1284	4516	chrome.exe	94
PID 4516 wrote to memory of 1284	4516	chrome.exe	94
PID 4516 wrote to memory of 1284	4516	chrome.exe	94
PID 4516 wrote to memory of 1284	4516	chrome.exe	94
PID 4516 wrote to memory of 1284	4516	chrome.exe	94
PID 4516 wrote to memory of 1284	4516	chrome.exe	94
PID 4516 wrote to memory of 1284	4516	chrome.exe	94
PID 4516 wrote to memory of 1284	4516	chrome.exe	94
PID 4516 wrote to memory of 1284	4516	chrome.exe	94
PID 4516 wrote to memory of 1284	4516	chrome.exe	94
PID 4516 wrote to memory of 1284	4516	chrome.exe	94
PID 4516 wrote to memory of 1284	4516	chrome.exe	94
PID 4516 wrote to memory of 1284	4516	chrome.exe	94
PID 4516 wrote to memory of 1284	4516	chrome.exe	94
PID 4516 wrote to memory of 1284	4516	chrome.exe	94
PID 4516 wrote to memory of 1284	4516	chrome.exe	94
PID 4516 wrote to memory of 1284	4516	chrome.exe	94
PID 4516 wrote to memory of 1284	4516	chrome.exe	94
PID 4516 wrote to memory of 1284	4516	chrome.exe	94
PID 4516 wrote to memory of 1284	4516	chrome.exe	94
PID 4516 wrote to memory of 1284	4516	chrome.exe	94
PID 4516 wrote to memory of 1284	4516	chrome.exe	94
PID 4516 wrote to memory of 1284	4516	chrome.exe	94
PID 4516 wrote to memory of 1284	4516	chrome.exe	94
PID 4516 wrote to memory of 1284	4516	chrome.exe	94
PID 4516 wrote to memory of 1284	4516	chrome.exe	94
PID 4516 wrote to memory of 1284	4516	chrome.exe	94
PID 4516 wrote to memory of 1284	4516	chrome.exe	94
PID 4516 wrote to memory of 1284	4516	chrome.exe	94
PID 4516 wrote to memory of 1284	4516	chrome.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://file.kiwi/bfb4f853#vMAGRg5cF5TUCP7j-tdeZw
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffd0055cc40,0x7ffd0055cc4c,0x7ffd0055cc58
  2⤵
  PID:2516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1936,i,3040182449971832634,8397921602437896824,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=1932 /prefetch:2
  2⤵
  PID:1528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2132,i,3040182449971832634,8397921602437896824,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  PID:2416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2228,i,3040182449971832634,8397921602437896824,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2248 /prefetch:8
  2⤵
  PID:1284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,3040182449971832634,8397921602437896824,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:1104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3120,i,3040182449971832634,8397921602437896824,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:3532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4660,i,3040182449971832634,8397921602437896824,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4652 /prefetch:8
  2⤵
  PID:3444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4428,i,3040182449971832634,8397921602437896824,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4840 /prefetch:8
  2⤵
  PID:3320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4608,i,3040182449971832634,8397921602437896824,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5336 /prefetch:8
  2⤵
  PID:1068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5652,i,3040182449971832634,8397921602437896824,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5672 /prefetch:8
  2⤵
  PID:5156
- C:\Users\Admin\Downloads\Microsoft Crash Handler.exe
  "C:\Users\Admin\Downloads\Microsoft Crash Handler.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:5364
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "TCP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpAF36.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:5520
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "TCP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpAFD4.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:5600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=836,i,3040182449971832634,8397921602437896824,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5740 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5536

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations=is-enterprise-managed=no --field-trial-handle=3980,i,6673326894638893842,871609780509303087,262144 --variations-seed-version --mojo-platform-channel-handle=5260 /prefetch:8
1⤵
PID:3200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4668

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations=is-enterprise-managed=no --field-trial-handle=3212,i,6673326894638893842,871609780509303087,262144 --variations-seed-version --mojo-platform-channel-handle=5244 /prefetch:8
1⤵
PID:5812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\96b37685-02ad-4aff-859c-713e06209574.tmp

Filesize
10KB

MD5
783a824f77c822ebb1c8c0349d8608c5

SHA1
954967a62de385c9977f210f046ac7b783d76126

SHA256
8a7446da53c4fd51037c8f80973e61343d8a5e1a6e8bb42823a26a89ae5029f4

SHA512
6f381d66cd3a65a9f22a91b55d4a2a7a22a531ec67c02092f76189a7c2ca7d21f0747edd7b31004f8958a96f59b3b4a0c1a35bdae2c3396e298fbc0e3be34795

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
35507f1de7fd5b370c71bdbe3c702cd5

SHA1
4caa487cf6af4f5e988c8f4408dd21655e93ddc0

SHA256
8d614ad720722de3092832b8026fa0dfe40fdba72e7d87129a39f020e2d39106

SHA512
014125062f35a0b409fff73190e9e5a2170ec3a825b2caecacb587fc8cb68e5da6164339718da55bc9196e60bfa79fee0cee7863cfa1f72f99f94ad9ef9d2d1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
840B

MD5
2ad765eb0d985d65b066edfe336a9a68

SHA1
6784b46029ad384d04b6c76b28709ef9993eab14

SHA256
822b910ab9c00377dc3282580a4a1a06b481e03d936eacb575c0fdf9a2baa3df

SHA512
226e76a4f67e0adcc9bc8584e37ce948d72071254e176fee98540226e5e4f57f4045cfa442e492f58f9446d72ec5af0469e372151b6b0dad34482b9eb28ac472

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\00\00000001

Filesize
203KB

MD5
b7d7019d5c10823d0979097f85e15030

SHA1
af2f00a2a2c3f440dda747adb52e84f16d95c8cf

SHA256
a9331157126f4c64f76bc24822806b8b36ef217aa8390e459e0685ea63dcdfbd

SHA512
c5118f254333711ebeb95bdb60cf0cecf3f5443c87ee8009024d794286b556a9b1f3fb74e3f19fa06bf28a19b65ae7439b64d52fd04ef211abac277700b89c3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_file.kiwi_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\8a30816c-4340-416b-990c-a2d05f88759f.tmp

Filesize
858B

MD5
35aa4fa2f54ce0020500823796d5e2f6

SHA1
f9f1e9c3c6579b8795ee665f84c3f6e81d3eb692

SHA256
816ad729e9d66496ba73b69131dc80d1646f3821679ec28d6f56bad3da5dffbf

SHA512
be6f7443516957aed3f301049fbe0f5b7c733219f1f5c8e95b19601bfb597dcf54ba89c3ca812a70757215faf468f1b2839dd0de2d842236c48b1b546bbd478d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
85ca8754c3a19743fcc38e9030dbad24

SHA1
668f19640267e0e029e442c6857eb559ae2b3ac3

SHA256
3584f1980d338c0eea916812722ab53393df807c3aa22a40190d8536bc4d363d

SHA512
7307e78b4cd3aa25b0d5552f1adf8951c53a7c1ea3e19a1f571bc09fe65f05b4044e58ad9e537a648a549d6d4bdd144f419dfd758f56f66a50e584267d94b723

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c83e9368ebbd555e9e01ff9c02df8b16

SHA1
240357889f4be2c7adc132ac4f99f622d7aa6896

SHA256
a658ee90370de3c9939b647d557716dc83e8b0833465eca9a4d55073b2d04210

SHA512
0c6a7ab097422d690469e59b81e38a5f10f650a6e32239945fe491484ebd1dc69449a2205f95eaa6b9a897e34e00f23ae4ff630888c235533cbbcb2f97c10b18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ce4de7de51909d6f05f50f14cef15e93

SHA1
605ef17eafe0986c093c429ab396c843bba2842a

SHA256
645ea11f3289a9154a11379cda69a44e11fa49a1948a1a1edab8589d03552a7e

SHA512
b72da819769f492f833803f375568b73c106214ee21e586b8269f8eb0e3c6e53f27fb06b4482b1302220d4dbfe502510819e9c0e610809f853367f1cddaecda7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
146140cf286bc85ed9d219076bbf5063

SHA1
96208c50d390231214643f0cb0202156c5757561

SHA256
2d2ec03ce554d33190348047160e58bec9480a8f1e4703de86b5dcce4cf2174f

SHA512
8da692a9cc6bd3a1239fa34deba8cb83e954588967fbb30c0e14b14632d4b014040b14f0f116f558ed493267b4ab51d3c371971abde24ff24213569b7a5db797

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7f56864851b390bc203393e2d6a01e3e

SHA1
672d65d2a3bab463042b604d38cc92fd9e27af71

SHA256
88f4c8b40e4afae46edfa39796601f4e47dd04adbb2d6e31306737bad1702820

SHA512
6cc15a89a097c98804574ba16c857e5a2ffdf15687b826f3a6f96b8ea859ff93f72b27f160d1c9d717db1cde8c1265c1cf7e8332d7777e90403dee32d48642ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f2e7b85105acd5542743651aa79d7f1d

SHA1
a7ab495cda60d2717e03508c4ded7fffb787c281

SHA256
f8d5c24fa1a7323456c97b19141ed9de874382bb6466528510e8354cfc6f5d3b

SHA512
b105bd342b6b1e8526d23bd184b00b0190253fa8a6426bfba688dc6282752e9daf0cc80b07ec636bf453ef1416c286e8758c38f5abb9f791e5f875fdb9533017

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c18a8d4b7a113be7a441f115141d7a44

SHA1
fa7c044d54fd1c38222aa14f240a619df36bccbe

SHA256
4a5360b89748042d241677b6c52cfacf5f542275ca95009c2047f5627117e991

SHA512
81fcd0a566643fbfe0763675475fa38c2878f5a4ed8c5c7515971c8f887847bd12112749c4492353e16e517dab23b20dd63b493c497d08b77d42a73fb95ebe44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
81f0ebf52febf12bab29772f9dd36799

SHA1
fefc9944d8f00f5145c6454147300e85224e527d

SHA256
65c859a59882510aa8488ce07a37d6d27e30e4c9afe6199b83e01eb557ee05b7

SHA512
36f1c772c0232116f3502c8fb4c57a03c73b9d0f48d60275ea335ee0c5e2df7d7399df845d2fc97e76d26aaac96aed597794c6fc775016c1b98e85d925b175fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7cde10381fdda2a5bb03e363d8badb7f

SHA1
3a291f82c33c7d88c7bca8f28f9fbec2cf0e1afe

SHA256
ddb60f5469bcfef161b304726e6a9554efa3358319430a9334099d87d00d8660

SHA512
088358328edc5405140f83ad268b073fcf5c5f72b14ad5cc44366082bd3aaed58da8a124b761195cfac5fd790ad9018e5fa489bf87cec1e63bb8c66ab8c02a54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
31c81179f4d81a6c4a5f74ffc058f93c

SHA1
1380da7c4c37cd7ffd9c428c76230fa860fdd22d

SHA256
55a6fe580ffc6244798938e8c7aee529686b6c5a070d39abe96be5d5fbf93fb6

SHA512
b852a37835dfec509967efd1b4819711624f11765528ca0204308b455f9040388180084ff547ada9fc625640fb01dade82034766afe561d0be7b8fc9a17b6449

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6dac46dc821115de230a0dcc617cf5ed

SHA1
bfbd68c2852815df25ca6ea0f796aa0bd7ff7d97

SHA256
41a83131f6b1a200862085f458a746ea8ff3986f252df0a20204f5d4c1f924bc

SHA512
19436ddc245b047255887b359aea7546993744680fed72fea6bacb31144851711f685eff539d85e066280d5cd70ee25c580afa94df0c360c887586795547862f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
9b161bd191f455d02713824a3216adee

SHA1
c7d79767728d9a0f46f5ea91127a9ade0599f44e

SHA256
fe2e9a7e873eb6dc79635ee90ffeea732836a9fe4eaba70081682847c01b1777

SHA512
288f49adec66f2caef05b1d57f845bdcac9e9e34b46221850c12d522875a771de7d35d597d7dcda36b280f15d949566652f91f5c34c26ec0c1b0b11d493da162

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
be7b9bd0c5f5bf5131a8106fa828ce50

SHA1
2bee5e9c60942a0e362d215173f510eec2b0d26e

SHA256
11653ee96cbc98b78c000b96760e8aca0fc2c249e23c12a5824c3b7d4215f34b

SHA512
c4e3c3ab5a174404b9da66ddb4db8c9886934f9270f70820a5233738a7b3c637c2c83099545c4926dee7abb8ebadbef8628484736bdabd2975387a47270f90f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2287cdb2ff6a66fc25ad2db3d9ba8bd7

SHA1
e3d784aa3a515243591500630509f6480f124a81

SHA256
fe92515771a7d078c938c67af2f59844f8de5c6c26345460fc67737850cf95d8

SHA512
4ea1b55f0c80b3d209ff04ab63c3002c7c617316af000cd6831614d0b67ac63a739660df5b6f92ec9d1b7c7782f66947db5fbe0e7e62ee91eb745f20050d1949

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
704982700e7eb7c4f990abb5883a1f51

SHA1
20d3525279ecbabf49ee1fced1576a1de9f5a016

SHA256
385a535fdd856d03860852d9775071acdf81f6e970febe08219e1d457577cda4

SHA512
dea610137b08282adaecd0cf21d408feb8c3bd38781dfd08f8b276cb7b307e5ad7e754eec4a0393743fc841489e60fd79514a65b6683bd4c688036a80771dac6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
107afac97e4cd7d385f3174747ecfa85

SHA1
9b3a378bbd4bdef228e50e165c983da8ada24a41

SHA256
8dcdc99aa35c93d8009a5b4293ec9858a762ce96696588c4c44395ad0546698c

SHA512
8fc7aa0f486dc9671b47801e15be19d44f99444267446b03ce31c023d0c71afef1416f38a5587eee57bd6ca223cdcd4078e80841dc7e15f1f54fa6508ae7c109

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c60bcf07d0c81c1d4bd8fb941c7c1aaa

SHA1
3495a44825db0199279b46c5a50c5492471206a9

SHA256
0524a5a4c3683599682c16e0e5180a3ac27335a290e854df1c83bba25f214fd4

SHA512
e81352fc37abb2f7036a81bc5dbfa8710ccb227a024779863e8296ec57373944fcb1e210d56717e93acc7badf5f247a4cad9639823ccc5089ad2158e881d6e4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d86059d6307784b3fe8a86411aa86be5

SHA1
268bd55b99686d2efcb47f51a51dba5d306cc55f

SHA256
583ece567a62eac005985153d96232faca3c9ddb22f2f82d0b5ec9cc0da1f98c

SHA512
e94f43371498dd23c84ee3d5a7d54638dcab2747db9e15b6bf9d8f81edad57d937059430ea071ac5ddedcb305f3d40c41d1f4fd59f01c73c183ad85e13cf8338

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
bfada9f80701f1252cce3d661bb0e88b

SHA1
9f7d536d64c3c63fc9738fb059bbcd825e0d61c3

SHA256
b26a8606e931a11738ddea3a3c0cf515f8dd8249664af264ccd306d0f5d176ae

SHA512
ce3156a8cc8fdc04ab9ed2a151a1d5e86fdebb33f222fd86357f52d0aa1e3f3b810ecb3bdc079ec1c58d0e941e3dffb9b8bf4fa9722250f59aca783f77801681

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
aad7367f2a62dc6bb86d5747cc0a0166

SHA1
9f81879ea828432f82134567de1466f71674a300

SHA256
29a630a3d371e69b186c22b65419d0f5c1aca74afb2f40a38200a1b6fbdf3bd6

SHA512
351c9e246facf0b7a02f6077c8ce85cc0ee294a4891659602be52d802aeec4db23aca76d926c764e38ef9ce3656914372770f68c6f5b834ef7fc38582713a449

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
611c8943e334e96f6b665dbe5eeb87db

SHA1
392c0502034e7d731937402f6321fb55a1abfd2f

SHA256
2e0b3ab43f015f4bfad61697b4171028fc73b487d04fc1a7fe4f08002618f211

SHA512
0557f91dc87616478218114e7273be8acd641f6797714ba15104363ab0fb9b82c5f569cc15e467a70d639f660174acc9bcc8bb9ac4c7c105da59cd006cc633d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAF36.tmp

Filesize
1KB

MD5
89d9ee4cf29e9203d6b534859956ce0b

SHA1
a8baf78d0939b0f82f3f1831aa952885e1fc863f

SHA256
6a51a600c1d3386951331d2be6f7f66fff8c74b56509051d92192e26eab69f4f

SHA512
1662d3e88e1c8cc39edeec108fdc53b746d951711a40c295baa1641d5ce503c8f434b005f606b46d220840e19814809970357333a1a7c93c9d224338a70bb01d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAFD4.tmp

Filesize
1KB

MD5
9ef09eeae52de0c7c7f111b945ba440c

SHA1
e5243c92416fd37f7b50c5ea741a97cd2ad9e85e

SHA256
8099de047cf1922f883b400d6a032d93e6f88ede5e4f7c12d81cbe66ed5627dc

SHA512
89f421d149cab49aa828f2bef79769152001dc8ca3fc65d79a824a9d9d1cfe1a38c3f9ee2f228b079f44cae6ff421a7672e059df13f855061e970b664513d6a2

Download Submit
memory/5364-142-0x00000000746A0000-0x0000000074C51000-memory.dmp

Filesize
5.7MB

Download
memory/5364-170-0x00000000746A0000-0x0000000074C51000-memory.dmp

Filesize
5.7MB

Download
memory/5364-141-0x00000000746A0000-0x0000000074C51000-memory.dmp

Filesize
5.7MB

Download
memory/5364-140-0x00000000746A2000-0x00000000746A3000-memory.dmp

Filesize
4KB

Download
memory/5364-153-0x00000000746A0000-0x0000000074C51000-memory.dmp

Filesize
5.7MB

Download
memory/5364-167-0x00000000746A2000-0x00000000746A3000-memory.dmp

Filesize
4KB

Download
memory/5364-168-0x00000000746A0000-0x0000000074C51000-memory.dmp

Filesize
5.7MB

Download
memory/5364-169-0x00000000746A0000-0x0000000074C51000-memory.dmp

Filesize
5.7MB

Download
memory/5364-195-0x00000000746A0000-0x0000000074C51000-memory.dmp

Filesize
5.7MB

Download
memory/5364-189-0x00000000746A0000-0x0000000074C51000-memory.dmp

Filesize
5.7MB

Download