revengerat | 6362ba2e4d039d0b00f3768c2206e6a1f62880362a7da9738c2c64ca57440850

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-01-2025 05:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_630b6174d80e21dff1d7e2c801b05650.exe
Size

602KB
MD5

630b6174d80e21dff1d7e2c801b05650
SHA1

cd700fa1e81486b82623b2cbb14c53bbdd7fe79b
SHA256

6362ba2e4d039d0b00f3768c2206e6a1f62880362a7da9738c2c64ca57440850
SHA512

3d7e913d2fe8d699cca4c90250b95ed844517f3cbba2846ec49fd7e4f170984fa1d272762c70acc5eacd9b7205a869608047ab98e32690f6e7843ae2667d43c0
SSDEEP

12288:d7lw1Dx2plwfX9F59l3N8aF7ysgfBnnl2n:d7m1DSuFDl3maF7ysgpnncn

Score

10^/10

revengerat discovery stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral2/files/0x0007000000023ca1-7.dat	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	ocs_v7d.exe

Executes dropped EXE 1 IoCs

pid	Process
2836	ocs_v7d.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_630b6174d80e21dff1d7e2c801b05650.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133802707887561050"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4240	chrome.exe
4240	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2836	ocs_v7d.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe
Token: SeCreatePagefilePrivilege	4240	chrome.exe
Token: SeShutdownPrivilege	4240	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe
4240	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2012	JaffaCakes118_630b6174d80e21dff1d7e2c801b05650.exe
2836	ocs_v7d.exe
2836	ocs_v7d.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 2836	2012	JaffaCakes118_630b6174d80e21dff1d7e2c801b05650.exe	83
PID 2012 wrote to memory of 2836	2012	JaffaCakes118_630b6174d80e21dff1d7e2c801b05650.exe	83
PID 2836 wrote to memory of 4240	2836	ocs_v7d.exe	84
PID 2836 wrote to memory of 4240	2836	ocs_v7d.exe	84
PID 4240 wrote to memory of 1968	4240	chrome.exe	85
PID 4240 wrote to memory of 1968	4240	chrome.exe	85
PID 4240 wrote to memory of 552	4240	chrome.exe	86
PID 4240 wrote to memory of 552	4240	chrome.exe	86
PID 4240 wrote to memory of 552	4240	chrome.exe	86
PID 4240 wrote to memory of 552	4240	chrome.exe	86
PID 4240 wrote to memory of 552	4240	chrome.exe	86
PID 4240 wrote to memory of 552	4240	chrome.exe	86
PID 4240 wrote to memory of 552	4240	chrome.exe	86
PID 4240 wrote to memory of 552	4240	chrome.exe	86
PID 4240 wrote to memory of 552	4240	chrome.exe	86
PID 4240 wrote to memory of 552	4240	chrome.exe	86
PID 4240 wrote to memory of 552	4240	chrome.exe	86
PID 4240 wrote to memory of 552	4240	chrome.exe	86
PID 4240 wrote to memory of 552	4240	chrome.exe	86
PID 4240 wrote to memory of 552	4240	chrome.exe	86
PID 4240 wrote to memory of 552	4240	chrome.exe	86
PID 4240 wrote to memory of 552	4240	chrome.exe	86
PID 4240 wrote to memory of 552	4240	chrome.exe	86
PID 4240 wrote to memory of 552	4240	chrome.exe	86
PID 4240 wrote to memory of 552	4240	chrome.exe	86
PID 4240 wrote to memory of 552	4240	chrome.exe	86
PID 4240 wrote to memory of 552	4240	chrome.exe	86
PID 4240 wrote to memory of 552	4240	chrome.exe	86
PID 4240 wrote to memory of 552	4240	chrome.exe	86
PID 4240 wrote to memory of 552	4240	chrome.exe	86
PID 4240 wrote to memory of 552	4240	chrome.exe	86
PID 4240 wrote to memory of 552	4240	chrome.exe	86
PID 4240 wrote to memory of 552	4240	chrome.exe	86
PID 4240 wrote to memory of 552	4240	chrome.exe	86
PID 4240 wrote to memory of 552	4240	chrome.exe	86
PID 4240 wrote to memory of 552	4240	chrome.exe	86
PID 4240 wrote to memory of 860	4240	chrome.exe	87
PID 4240 wrote to memory of 860	4240	chrome.exe	87
PID 4240 wrote to memory of 4276	4240	chrome.exe	88
PID 4240 wrote to memory of 4276	4240	chrome.exe	88
PID 4240 wrote to memory of 4276	4240	chrome.exe	88
PID 4240 wrote to memory of 4276	4240	chrome.exe	88
PID 4240 wrote to memory of 4276	4240	chrome.exe	88
PID 4240 wrote to memory of 4276	4240	chrome.exe	88
PID 4240 wrote to memory of 4276	4240	chrome.exe	88
PID 4240 wrote to memory of 4276	4240	chrome.exe	88
PID 4240 wrote to memory of 4276	4240	chrome.exe	88
PID 4240 wrote to memory of 4276	4240	chrome.exe	88
PID 4240 wrote to memory of 4276	4240	chrome.exe	88
PID 4240 wrote to memory of 4276	4240	chrome.exe	88
PID 4240 wrote to memory of 4276	4240	chrome.exe	88
PID 4240 wrote to memory of 4276	4240	chrome.exe	88
PID 4240 wrote to memory of 4276	4240	chrome.exe	88
PID 4240 wrote to memory of 4276	4240	chrome.exe	88
PID 4240 wrote to memory of 4276	4240	chrome.exe	88
PID 4240 wrote to memory of 4276	4240	chrome.exe	88
PID 4240 wrote to memory of 4276	4240	chrome.exe	88
PID 4240 wrote to memory of 4276	4240	chrome.exe	88
PID 4240 wrote to memory of 4276	4240	chrome.exe	88
PID 4240 wrote to memory of 4276	4240	chrome.exe	88
PID 4240 wrote to memory of 4276	4240	chrome.exe	88
PID 4240 wrote to memory of 4276	4240	chrome.exe	88
PID 4240 wrote to memory of 4276	4240	chrome.exe	88
PID 4240 wrote to memory of 4276	4240	chrome.exe	88

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_630b6174d80e21dff1d7e2c801b05650.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_630b6174d80e21dff1d7e2c801b05650.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v7d.exe
  C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v7d.exe -install -570223 -dcu -39304838c07942dd8c1c1120ad6137f2 - -hu -gxijgkncnqeigeqz -393320
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" http://www.download-sponsor.de/exitdownload/thankyou.php?pid=dcu&cid=570223&appname=[APPNAME]&cbstate=&uid=001cd303-365a-48df-835e-d0251225ee51&sid=39304838c07942dd8c1c1120ad6137f2&scid=&source=hu&language=en-cl&cdata=utyp-31.userid-386563636566353136656666313765376331393236613863.ua-6368726f6d652e657865
    3⤵
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4240
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe7726cc40,0x7ffe7726cc4c,0x7ffe7726cc58
      4⤵
      PID:1968
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1984,i,3629386267163510574,11896811789291233121,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1976 /prefetch:2
      4⤵
      PID:552
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1592,i,3629386267163510574,11896811789291233121,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2088 /prefetch:3
      4⤵
      PID:860
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,3629386267163510574,11896811789291233121,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2200 /prefetch:8
      4⤵
      PID:4276
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2996,i,3629386267163510574,11896811789291233121,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3096 /prefetch:1
      4⤵
      PID:4960
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2988,i,3629386267163510574,11896811789291233121,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3116 /prefetch:1
      4⤵
      PID:4856
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3824,i,3629386267163510574,11896811789291233121,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3684 /prefetch:1
      4⤵
      PID:3384
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5148,i,3629386267163510574,11896811789291233121,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5200 /prefetch:8
      4⤵
      PID:3192
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5204,i,3629386267163510574,11896811789291233121,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5160 /prefetch:8
      4⤵
      PID:4288
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4632,i,3629386267163510574,11896811789291233121,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5108 /prefetch:8
      4⤵
      PID:1744
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5160,i,3629386267163510574,11896811789291233121,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4932 /prefetch:8
      4⤵
      PID:8
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5100,i,3629386267163510574,11896811789291233121,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4928 /prefetch:8
      4⤵
      PID:1820
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4756,i,3629386267163510574,11896811789291233121,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5008 /prefetch:8
      4⤵
      PID:3220
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5460,i,3629386267163510574,11896811789291233121,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5436 /prefetch:2
      4⤵
      PID:3660
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5132,i,3629386267163510574,11896811789291233121,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5444 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1616

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\981e5e6d-6466-473a-97c4-8d9696cc716c.tmp

Filesize
9KB

MD5
5a596ab4498d619d0e37e4abe2f55095

SHA1
cb61fc30f725a7c5a7ff54e169f321103c5f47e0

SHA256
a33544a155d691da4916a8fa8b316411d7395f61049454af8dc28efcd3ca0b62

SHA512
31bd4d614819a6575df4f28dac56181584f1275c31186f459334a70e6eccb00bec2021f4dc6ae984ee4c10db94205bd68f0aebb4f43e15976bfefb3a6de82b91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
1489a05d10684cf6f7a3637ef7d89d41

SHA1
5434f7cdda47efb3964d05da82624eb85723de2a

SHA256
822c2ab135caa3b52056a3a26bffd25590701af0f3d7085389afe150a7819723

SHA512
37b3f863dcea79feff0db01f2b8d2d4890495d5ed810715c6e0208052b0e308cc00c00e2c1993c745b96c9a8bf697943a1e5797647fdca77f4da3ed60279ca13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
0a02ba4c3db79a05a8ba010e06ff5719

SHA1
6fcdecfaea73277a7467b20248a44c51aaa71369

SHA256
e7c1e88b062c69fa59f5957d65f92dbfef1696c26862972d24e75de04dc64a38

SHA512
312f1b40e184c23a5615d3ee29d887285f3eec39edc8af9e4b00931bddc58cad4e830b80efdcaff0416f77c94bea118716a27bf8b793311882c8ec41ebd790a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
14515def22b2af6dab59d30aec5d0d6f

SHA1
7bee9784f32fefdcf3a19a5366e52f44717a1a9b

SHA256
6e763bc67529f9ae0285fe0c7e1d1c7f906e37fe529b13bf4de4546aa7539d5b

SHA512
ec592c5fca6d45355fdfc74e3418b02bf2229526788217381f998a4ab7a43f5dacd557baf1a71e970ef9e4dc7bbe273a5e5df24f0695c07ccead580111a0e46e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c4bb0f59ca23cd7f39855dcb15f17403

SHA1
9180c9a2e5a3c2ad0cc4cac9992565365ef2c87f

SHA256
1bf7f67de48f6fcc8d7239596c48cd72419c0ac8c22703a0c96ed7d301c2faa5

SHA512
7e06e4257d40a1de42aa50bcc05c4feffd7a9b6b9e22e0c9353daa24dd798e3fd521047427a3e7ea7b1fbc7e2c9b2973d1d499207da3958c2854231d72db66c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
eeb053e7e151504c76c986e7558b5400

SHA1
d80c339d913509845ca45dad19700cc749d520a9

SHA256
121ca22c9ec46d1301c162d6c2c38bdd03c137d0aef56d2ce5e494584b4f3c67

SHA512
2e493e8f89425c857e25b7a5aff1a1e911b0a1bbff71ecb238a26db01feaac8a4c94d3ed38d3e7984033a1050f099d91abf242499155d5f3d7dce4b53d0da6f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
07f55171e5f1bf56788ab887ae2e799c

SHA1
29cd56507aaf0fb3eabe4ed7426649f427e51821

SHA256
e57129c96f01caf5ddbb8fb0a79c278d951726c7ca7b3c79c0bdb174af89830e

SHA512
839c3b7d91d719b5c53bbcae0114145bfe01e7d9fedf751bc956f54460859c79c43852846ed1604fe9ded5f02bb0576d29b98d0372a2179da29eba0463dd7546

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0a17ff45742685e8d1f0da4570f72a10

SHA1
6ecf7cf9b0b7dfaca2236149c8396c7296bce724

SHA256
fafbebbf90e070d90c5796fe607962c165f1be2b547fef36ad755bc0bcaca82e

SHA512
e341b7e0067395fbf92a3ad9de16bba1b293c3d1cf69a45ae6984ead51a3f29a722c2d6ae3375f58707776d66636a03fd28ec712ef8640871c6811997a8e409d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
7d9b7aff9de4d87bc7ab51cbd6a8bf8e

SHA1
3ba77610fa40cc474742509aa2d5cf4a88f2e5ac

SHA256
e207e0e5d6da6e9186429db0ef70440274476a9902be199da10c29a88cdbe5d2

SHA512
a586245449bca6c51574238b227d3b8de477e34465e9c438fcbb94b76507d7ba81003979bbbca2a05c17ff7f30f3eab473c20f2cb4c2ad7e1a43714b474410a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
205dd6ea8725711746b4a0880aa3fcfe

SHA1
692fdb7bdd3a6de2cf683814969e2a5715c2103e

SHA256
7ad99ff0d46d2a09768d7f3a7d147eb53316dbd853a20b08631f46bddbecdb18

SHA512
538c235bdcfe1070e39868b992eded2ce5729dfb7e7a985657b0600bb61023b3a4417a4282ee4a8a8afbbba8b82c1ee636bdbc722d97a74456445a07c9a0ffa5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
f0ddffc0bb2eae9f1dfa0c233e62605b

SHA1
959af988297017d5e4b4d6d3d0f5bbea84559d30

SHA256
435e19c7b40aeaf0f9772a502bd2391203a958f5ae573bf46879bde97a66e4d0

SHA512
2e0ed705fbf7203a95d884f133d4259fee0da7999f395f7ec55e65e8dad62645f6bb3a3386fe4f54c888a170322385ed19f9fbfdc176c47f7bd836f5c06e124d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
b35e41956329826229ded564a8b89e84

SHA1
517ede3e64dfef8e1f43ccd5f3067259515dafe8

SHA256
a906b1e9d3d3616e2535d02863c78032c29187f5919fe5ed4004ca97a20a5071

SHA512
ca1a5ca3eb135c2381abc0546449b2769dc53ce9f743ec857ace72bcd164eba73bdbbc922d2c12e8edf29c237165a5f9335df578e287d0c10351e33092e447f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\OCS\gxijgkncnqeigeqz.dat

Filesize
89B

MD5
9edc972f271cc86370b52aed43224581

SHA1
15ba6cf28d42af9e3785a7ea6e0f2694969dee94

SHA256
d277d53dcb3d2b766778f50b1e00a58a2829ca18404c922229fa059ebb467b94

SHA512
859a9a7ce8bb586c400f35ac68ad0c4bd277f4f397bee27b666c0d2f759fb7734ba249575accfbd1d09b060d72116fe6e543cd655a41bfb83ba7ed0ce21db2c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v7d.exe

Filesize
292KB

MD5
0f152d15cd6845999b6fe329e87ca52b

SHA1
34bcde11a22683ec42f88cf11a55df978a1ca53b

SHA256
6b0c155bd3f1129d78dc8e076841211963d05f0ec41db5fbbe28199531f611b2

SHA512
966f9388dfc106b1e2aed752ec3b2003ed9dc3371098a349232e9aaa47e7e1a58cbba3a85d95334511ebfebe3a14a4429bb354106de72a592c1b8462ca005a5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4240_397815586\75d2488d-2597-4ce2-9c57-43b20bc143de.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4240_397815586\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
memory/2836-27-0x00007FFE76560000-0x00007FFE76F01000-memory.dmp

Filesize
9.6MB

Download
memory/2836-23-0x00007FFE76560000-0x00007FFE76F01000-memory.dmp

Filesize
9.6MB

Download
memory/2836-22-0x00007FFE76815000-0x00007FFE76816000-memory.dmp

Filesize
4KB

Download
memory/2836-21-0x00007FFE76560000-0x00007FFE76F01000-memory.dmp

Filesize
9.6MB

Download
memory/2836-20-0x00007FFE76560000-0x00007FFE76F01000-memory.dmp

Filesize
9.6MB

Download
memory/2836-19-0x00007FFE76560000-0x00007FFE76F01000-memory.dmp

Filesize
9.6MB

Download
memory/2836-18-0x00007FFE76560000-0x00007FFE76F01000-memory.dmp

Filesize
9.6MB

Download
memory/2836-17-0x00007FFE76560000-0x00007FFE76F01000-memory.dmp

Filesize
9.6MB

Download
memory/2836-16-0x00007FFE76560000-0x00007FFE76F01000-memory.dmp

Filesize
9.6MB

Download
memory/2836-14-0x0000000001250000-0x0000000001258000-memory.dmp

Filesize
32KB

Download
memory/2836-13-0x000000001C390000-0x000000001C42C000-memory.dmp

Filesize
624KB

Download
memory/2836-12-0x000000001B850000-0x000000001B8F6000-memory.dmp

Filesize
664KB

Download
memory/2836-11-0x00007FFE76560000-0x00007FFE76F01000-memory.dmp

Filesize
9.6MB

Download
memory/2836-10-0x000000001BE20000-0x000000001C2EE000-memory.dmp

Filesize
4.8MB

Download
memory/2836-9-0x00007FFE76560000-0x00007FFE76F01000-memory.dmp

Filesize
9.6MB

Download
memory/2836-8-0x00007FFE76815000-0x00007FFE76816000-memory.dmp

Filesize
4KB

Download