e36962c7613c7cec9e09e4e20d044d59f48fd5b7f969bdc0251703f2dd0998bd

Analysis

max time kernel
150s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
16/03/2025, 11:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

R.E.P.O/REPO.exe
Size

651KB
MD5

37e2e7e012343ccef500133286fcbf27
SHA1

4b7e66039d04b14ddcfb580a6e6a395ea52222be
SHA256

1643ff9ed131adde7a22363f26d36308b4b4fb8f9ba61e5afce3b6803c5cb302
SHA512

418dcb69e506f42248c00459eb3fa5a576006fead83cb5372e5710a8e95265654c316bbb314e4b8afa69e393a7cdf01219b7e17095d1990ab418f0aed68c687e
SSDEEP

12288:c/744aOD8GVma8Vk2WbYq5qL7Lp4SKpRUzfBI4xa7iKXS:m9aO/Vma72z9KY7BID7iKi

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
111	api.gofile.io
113	api.gofile.io

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133866002965256962"	chrome.exe

Modifies registry class 29 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = ffffffff	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe10000000f68a1cf2a994db014049ec5cb194db01d1713dae6b96db0114000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\NodeSlot = "3"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616193"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1432	chrome.exe
Token: SeCreatePagefilePrivilege	1432	chrome.exe
Token: SeShutdownPrivilege	1432	chrome.exe
Token: SeCreatePagefilePrivilege	1432	chrome.exe
Token: SeShutdownPrivilege	1432	chrome.exe
Token: SeCreatePagefilePrivilege	1432	chrome.exe
Token: SeShutdownPrivilege	1432	chrome.exe
Token: SeCreatePagefilePrivilege	1432	chrome.exe
Token: SeShutdownPrivilege	1432	chrome.exe
Token: SeCreatePagefilePrivilege	1432	chrome.exe
Token: SeShutdownPrivilege	1432	chrome.exe
Token: SeCreatePagefilePrivilege	1432	chrome.exe
Token: SeShutdownPrivilege	1432	chrome.exe
Token: SeCreatePagefilePrivilege	1432	chrome.exe
Token: SeShutdownPrivilege	1432	chrome.exe
Token: SeCreatePagefilePrivilege	1432	chrome.exe
Token: SeShutdownPrivilege	1432	chrome.exe
Token: SeCreatePagefilePrivilege	1432	chrome.exe
Token: SeShutdownPrivilege	1432	chrome.exe
Token: SeCreatePagefilePrivilege	1432	chrome.exe
Token: SeShutdownPrivilege	1432	chrome.exe
Token: SeCreatePagefilePrivilege	1432	chrome.exe
Token: SeShutdownPrivilege	1432	chrome.exe
Token: SeCreatePagefilePrivilege	1432	chrome.exe
Token: SeShutdownPrivilege	1432	chrome.exe
Token: SeCreatePagefilePrivilege	1432	chrome.exe
Token: SeShutdownPrivilege	1432	chrome.exe
Token: SeCreatePagefilePrivilege	1432	chrome.exe
Token: SeShutdownPrivilege	1432	chrome.exe
Token: SeCreatePagefilePrivilege	1432	chrome.exe
Token: SeShutdownPrivilege	1432	chrome.exe
Token: SeCreatePagefilePrivilege	1432	chrome.exe
Token: SeShutdownPrivilege	1432	chrome.exe
Token: SeCreatePagefilePrivilege	1432	chrome.exe
Token: SeShutdownPrivilege	1432	chrome.exe
Token: SeCreatePagefilePrivilege	1432	chrome.exe
Token: SeShutdownPrivilege	1432	chrome.exe
Token: SeCreatePagefilePrivilege	1432	chrome.exe
Token: SeShutdownPrivilege	1432	chrome.exe
Token: SeCreatePagefilePrivilege	1432	chrome.exe
Token: SeShutdownPrivilege	1432	chrome.exe
Token: SeCreatePagefilePrivilege	1432	chrome.exe
Token: SeShutdownPrivilege	1432	chrome.exe
Token: SeCreatePagefilePrivilege	1432	chrome.exe
Token: SeShutdownPrivilege	1432	chrome.exe
Token: SeCreatePagefilePrivilege	1432	chrome.exe
Token: SeShutdownPrivilege	1432	chrome.exe
Token: SeCreatePagefilePrivilege	1432	chrome.exe
Token: SeShutdownPrivilege	1432	chrome.exe
Token: SeCreatePagefilePrivilege	1432	chrome.exe
Token: SeShutdownPrivilege	1432	chrome.exe
Token: SeCreatePagefilePrivilege	1432	chrome.exe
Token: SeShutdownPrivilege	1432	chrome.exe
Token: SeCreatePagefilePrivilege	1432	chrome.exe
Token: SeShutdownPrivilege	1432	chrome.exe
Token: SeCreatePagefilePrivilege	1432	chrome.exe
Token: SeShutdownPrivilege	1432	chrome.exe
Token: SeCreatePagefilePrivilege	1432	chrome.exe
Token: SeShutdownPrivilege	1432	chrome.exe
Token: SeCreatePagefilePrivilege	1432	chrome.exe
Token: SeShutdownPrivilege	1432	chrome.exe
Token: SeCreatePagefilePrivilege	1432	chrome.exe
Token: SeShutdownPrivilege	1432	chrome.exe
Token: SeCreatePagefilePrivilege	1432	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe
1432	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5880	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1432 wrote to memory of 2736	1432	chrome.exe	96
PID 1432 wrote to memory of 2736	1432	chrome.exe	96
PID 1432 wrote to memory of 3680	1432	chrome.exe	97
PID 1432 wrote to memory of 3680	1432	chrome.exe	97
PID 1432 wrote to memory of 3680	1432	chrome.exe	97
PID 1432 wrote to memory of 3680	1432	chrome.exe	97
PID 1432 wrote to memory of 3680	1432	chrome.exe	97
PID 1432 wrote to memory of 3680	1432	chrome.exe	97
PID 1432 wrote to memory of 3680	1432	chrome.exe	97
PID 1432 wrote to memory of 3680	1432	chrome.exe	97
PID 1432 wrote to memory of 3680	1432	chrome.exe	97
PID 1432 wrote to memory of 3680	1432	chrome.exe	97
PID 1432 wrote to memory of 3680	1432	chrome.exe	97
PID 1432 wrote to memory of 3680	1432	chrome.exe	97
PID 1432 wrote to memory of 3680	1432	chrome.exe	97
PID 1432 wrote to memory of 3680	1432	chrome.exe	97
PID 1432 wrote to memory of 3680	1432	chrome.exe	97
PID 1432 wrote to memory of 3680	1432	chrome.exe	97
PID 1432 wrote to memory of 3680	1432	chrome.exe	97
PID 1432 wrote to memory of 3680	1432	chrome.exe	97
PID 1432 wrote to memory of 3680	1432	chrome.exe	97
PID 1432 wrote to memory of 3680	1432	chrome.exe	97
PID 1432 wrote to memory of 3680	1432	chrome.exe	97
PID 1432 wrote to memory of 3680	1432	chrome.exe	97
PID 1432 wrote to memory of 3680	1432	chrome.exe	97
PID 1432 wrote to memory of 3680	1432	chrome.exe	97
PID 1432 wrote to memory of 3680	1432	chrome.exe	97
PID 1432 wrote to memory of 3680	1432	chrome.exe	97
PID 1432 wrote to memory of 3680	1432	chrome.exe	97
PID 1432 wrote to memory of 3680	1432	chrome.exe	97
PID 1432 wrote to memory of 3680	1432	chrome.exe	97
PID 1432 wrote to memory of 3680	1432	chrome.exe	97
PID 1432 wrote to memory of 1388	1432	chrome.exe	98
PID 1432 wrote to memory of 1388	1432	chrome.exe	98
PID 1432 wrote to memory of 4388	1432	chrome.exe	99
PID 1432 wrote to memory of 4388	1432	chrome.exe	99
PID 1432 wrote to memory of 4388	1432	chrome.exe	99
PID 1432 wrote to memory of 4388	1432	chrome.exe	99
PID 1432 wrote to memory of 4388	1432	chrome.exe	99
PID 1432 wrote to memory of 4388	1432	chrome.exe	99
PID 1432 wrote to memory of 4388	1432	chrome.exe	99
PID 1432 wrote to memory of 4388	1432	chrome.exe	99
PID 1432 wrote to memory of 4388	1432	chrome.exe	99
PID 1432 wrote to memory of 4388	1432	chrome.exe	99
PID 1432 wrote to memory of 4388	1432	chrome.exe	99
PID 1432 wrote to memory of 4388	1432	chrome.exe	99
PID 1432 wrote to memory of 4388	1432	chrome.exe	99
PID 1432 wrote to memory of 4388	1432	chrome.exe	99
PID 1432 wrote to memory of 4388	1432	chrome.exe	99
PID 1432 wrote to memory of 4388	1432	chrome.exe	99
PID 1432 wrote to memory of 4388	1432	chrome.exe	99
PID 1432 wrote to memory of 4388	1432	chrome.exe	99
PID 1432 wrote to memory of 4388	1432	chrome.exe	99
PID 1432 wrote to memory of 4388	1432	chrome.exe	99
PID 1432 wrote to memory of 4388	1432	chrome.exe	99
PID 1432 wrote to memory of 4388	1432	chrome.exe	99
PID 1432 wrote to memory of 4388	1432	chrome.exe	99
PID 1432 wrote to memory of 4388	1432	chrome.exe	99
PID 1432 wrote to memory of 4388	1432	chrome.exe	99
PID 1432 wrote to memory of 4388	1432	chrome.exe	99
PID 1432 wrote to memory of 4388	1432	chrome.exe	99
PID 1432 wrote to memory of 4388	1432	chrome.exe	99
PID 1432 wrote to memory of 4388	1432	chrome.exe	99
PID 1432 wrote to memory of 4388	1432	chrome.exe	99

C:\Users\Admin\AppData\Local\Temp\R.E.P.O\REPO.exe
"C:\Users\Admin\AppData\Local\Temp\R.E.P.O\REPO.exe"
1⤵
PID:4724

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffb5fcddcf8,0x7ffb5fcddd04,0x7ffb5fcddd10
  2⤵
  PID:2736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2012,i,2524264077478441906,14899425169542633650,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2004 /prefetch:2
  2⤵
  PID:3680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1628,i,2524264077478441906,14899425169542633650,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  PID:1388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2444,i,2524264077478441906,14899425169542633650,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2604 /prefetch:8
  2⤵
  PID:4388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3204,i,2524264077478441906,14899425169542633650,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:5712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2796,i,2524264077478441906,14899425169542633650,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4472,i,2524264077478441906,14899425169542633650,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4496 /prefetch:2
  2⤵
  PID:4384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4748,i,2524264077478441906,14899425169542633650,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4712 /prefetch:1
  2⤵
  PID:4376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5408,i,2524264077478441906,14899425169542633650,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5336 /prefetch:8
  2⤵
  PID:5492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5496,i,2524264077478441906,14899425169542633650,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5508 /prefetch:8
  2⤵
  PID:4264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5432,i,2524264077478441906,14899425169542633650,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5704 /prefetch:1
  2⤵
  PID:2364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5560,i,2524264077478441906,14899425169542633650,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5548 /prefetch:1
  2⤵
  PID:3136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4780,i,2524264077478441906,14899425169542633650,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  PID:768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4808,i,2524264077478441906,14899425169542633650,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4824 /prefetch:8
  2⤵
  PID:3312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4784,i,2524264077478441906,14899425169542633650,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5436 /prefetch:8
  2⤵
  PID:2948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4500,i,2524264077478441906,14899425169542633650,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4492 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:5880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4920,i,2524264077478441906,14899425169542633650,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4852 /prefetch:1
  2⤵
  PID:1808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=6060,i,2524264077478441906,14899425169542633650,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4448 /prefetch:1
  2⤵
  PID:3984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=4576,i,2524264077478441906,14899425169542633650,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3668 /prefetch:1
  2⤵
  PID:4060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5984,i,2524264077478441906,14899425169542633650,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4772 /prefetch:1
  2⤵
  PID:5616

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:1648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
414B

MD5
b4c1d7b331d799643b1d5758752a459d

SHA1
c253d231fe6012c72af4abf80fa59d66aaa19631

SHA256
4c67bb12bb4725015f79ad46347c2360de1c409c3b50762e7688a643d50ad594

SHA512
56bc6ff9e9e43c25fc7ff7a5b6737772e575138a3c05245506702ea136c9193e1e5d9b3c9b57d1e3755a2980237a0d1a95ee77ebdcb3c0e1582f93fa1b6993c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
a53886b9d455133dbf10bc003d9335b4

SHA1
745784677d291815239e05d456d313068ac406ea

SHA256
329d2a7201c8012e93e8dd066a21a68f9edd1e9b0e05b89e6d9bc7ee5c72aeb3

SHA512
01cd9b5b0812ce05a4ec6fd133e127265af8c74304a84ba182bb5a4214523a2e51aece2f54e4c04184cbad0a2bd02c2181df35dccb944cd820ff6d16eab0cc0b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
164b82053dcd96c07ffb70d7156d3ae4

SHA1
7ddcdb119bbcdb19a0d5aefc6b6b29abe4bb0258

SHA256
77fd155862d8363b78562b417bfa43af3b1c9456e7320dd2f754b0624769ae3d

SHA512
6f66a58240937fe3da4bb25697f6a512adddbc640382a56fef7202cd59660f383f5f00f97aeda3908f086031cd756133a1651fb52864d428b8baf3a5c54928e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d190944d32ea2dcd7ce290cf0065ce26

SHA1
380a457c63f4709d1292d4a8ac090d1368cc7181

SHA256
bbd3ec8e175d9c03be238103ae732910006d34043e5e28b3edf8834875a33d2d

SHA512
7221aa94a9f82c515c3454e52ffbb6380e86e985648cd1626a5a129d2fffa6792ebdb0160d3ac0d3678886a4d27ef48f26e8d9ff4adb6313039351023bd61b26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
9e8bf29b68afdc40cfa46fe527770062

SHA1
aa18f9eebbc1b16bd5d5762dac9711266962ec2b

SHA256
00dbdb4fad33b053dda7143e54f8fe74a0d4649257e0746d1bc7690ea0be8c2d

SHA512
e29fea227f6a505033fda9a54a0eab22d361434ea7e0308ca745f5d3683e6cc6dc5c5a41695433b9a0790736101bb83a78e9585136b7bae22c2a3488ffba1a59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ab19c9c8b9bec0fd8ed96c90d2937077

SHA1
839684ce6922f356f49ecbc69c65efefab005041

SHA256
cb051870f423e3b074f27919bc4188f24e1f8c6c597afb2f8d146c5f72db4ce0

SHA512
cb41c5b60f35c3b46c264b1d374cf031b50e5289a7fc90f9c44992826cc379e5e21062037d13e6958c135cd9bbb45f4c6bc683581c665d7138cb771fcd129b2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
fd3b97001602cb7497de726cb718dea9

SHA1
0fd79b78c1672953ffa1fac8e638924bf812ca0c

SHA256
1c038b5ec993e92be94236b89fc5725d6e7a0fb1800a63a4a7a7d401d71a937f

SHA512
f180ec2382bf7beeb604cb500adc02f8cee0ccceeb685d5f94da0b41efb0605557eaae65d8e073dbd80c410cb2236d2b884f60e48924ccd3a91fa4c0e312e435

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
c5b7756fba2abb210dec0eee02989791

SHA1
e84235b2467d18070cd2dd008b478a65c9eeecbc

SHA256
3087617f9c864cd79fe11ea5cff08fd60ced19d8695672e1429759ce41ace213

SHA512
cee8ad45d89bf73e1d7c455675defb7bed127eea0150f44e8927f225aec5562b9011ba4e405811b83181b4e5cd268124550919d6b5ba608103bcc66d96fd0236

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
c165f702a3f0da9fa698a9ae830e87e4

SHA1
d80686db424841a9b08238f50ad149cb329fefcd

SHA256
b8984d2cad0a97817289a698ce95d1e559738bcc924d655cd0496663723f5a19

SHA512
7ad4d73ef1319082e32789e9112cd2a65d31503a9536480b8ce9e173ef5f0b6d11fbcd5ed12d864e93b93f2cf8539f0b7143559b99d7d6f28fa475a0c1dfef74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe593927.TMP

Filesize
48B

MD5
8f44e0b7f93d958551c143e9d7c30918

SHA1
b33cab5a59a63f420b9e626dee3684bd4259ef7f

SHA256
580f952d75a393cdb5d61a41ef87ecd659bdbf200a6a812478bc980c0f5ce445

SHA512
e04385372966b0d759027435333a244385d222d691e87d6a7c42bb0c62fa5d2acd80b82791a17211667b41606f1352b445176116922f6c96ac8fba9dd0414fed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
156KB

MD5
1fe6a9fcac9d5412c2594e368bdeb9c5

SHA1
f34a131d212b170b9f85902fbb7753eb79f6f86a

SHA256
2f864b09f5ac661333e0e94b43c296ac43c7c771d0c14ca487329b20a27bd746

SHA512
dbd08388e6796e7683818510c004deefff91eeacf4ace2910bab38f99a176e864d6b29d5f152ed0fc42c6db683ce51d618b22ef28586f50491b8d93bd945a495

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ebe70550-db12-4062-ad74-defb4ff38612.tmp

Filesize
80KB

MD5
cec8258e6ca7cbe5e849db9663e21e2a

SHA1
f8533d206230b55b4dde8217b4d57738aaa59164

SHA256
65dcfb26827f54f41263a52ec9b5bea449b9c7284a3f5b0eb899d9f205c9e9e4

SHA512
9d9e744941484762bee44bc33b10350a59c10d82559024f16e0495ca84b2859116177d7a29a2ccf813a00310390d0aaaeef24479e08cb68868f555990fa38146

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

Filesize
28KB

MD5
232f51fd2676b4c89f8c2a22f3bb1ecb

SHA1
90f0f91fe7dd95c5fbeb98fa35fbe456620027be

SHA256
dbb5e08e9049a73445978b425ea8d29bb083a26e41e31383befc33eba38eb2ed

SHA512
9f7137762e6acc83ba42ffb15ab2802a44b60063b28517be00d8c00505364a3ea19992c0f799f64ca30027ac0ed5feab53ff2141c74aaac23018b017e0ec81df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit