hxxp://Google[.]com

max time kernel
184s
max time network
183s
platform
windows11-21h2_x64
resource
win11-20250314-en
resource tags

arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system
submitted
25/03/2025, 03:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://Google.com

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
50	raw.githubusercontent.com
10	raw.githubusercontent.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BadApple(gdip).exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133873474543571808"	chrome.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\DisplayName = "Chrome Sandbox"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Moniker = "cr.sb.odm3E4D1A088C1F6D498C84F3C86DE73CE49F82A104"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Children	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\BadAppleAHK.zip:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
2172	chrome.exe
2172	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5848	BadApple(gdip).exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1972	chrome.exe
Token: SeCreatePagefilePrivilege	1972	chrome.exe
Token: SeShutdownPrivilege	1972	chrome.exe
Token: SeCreatePagefilePrivilege	1972	chrome.exe
Token: SeShutdownPrivilege	1972	chrome.exe
Token: SeCreatePagefilePrivilege	1972	chrome.exe
Token: SeShutdownPrivilege	1972	chrome.exe
Token: SeCreatePagefilePrivilege	1972	chrome.exe
Token: SeShutdownPrivilege	1972	chrome.exe
Token: SeCreatePagefilePrivilege	1972	chrome.exe
Token: SeShutdownPrivilege	1972	chrome.exe
Token: SeCreatePagefilePrivilege	1972	chrome.exe
Token: SeShutdownPrivilege	1972	chrome.exe
Token: SeCreatePagefilePrivilege	1972	chrome.exe
Token: SeShutdownPrivilege	1972	chrome.exe
Token: SeCreatePagefilePrivilege	1972	chrome.exe
Token: SeShutdownPrivilege	1972	chrome.exe
Token: SeCreatePagefilePrivilege	1972	chrome.exe
Token: SeShutdownPrivilege	1972	chrome.exe
Token: SeCreatePagefilePrivilege	1972	chrome.exe
Token: SeShutdownPrivilege	1972	chrome.exe
Token: SeCreatePagefilePrivilege	1972	chrome.exe
Token: SeShutdownPrivilege	1972	chrome.exe
Token: SeCreatePagefilePrivilege	1972	chrome.exe
Token: SeShutdownPrivilege	1972	chrome.exe
Token: SeCreatePagefilePrivilege	1972	chrome.exe
Token: SeShutdownPrivilege	1972	chrome.exe
Token: SeCreatePagefilePrivilege	1972	chrome.exe
Token: SeShutdownPrivilege	1972	chrome.exe
Token: SeCreatePagefilePrivilege	1972	chrome.exe
Token: SeShutdownPrivilege	1972	chrome.exe
Token: SeCreatePagefilePrivilege	1972	chrome.exe
Token: SeShutdownPrivilege	1972	chrome.exe
Token: SeCreatePagefilePrivilege	1972	chrome.exe
Token: SeShutdownPrivilege	1972	chrome.exe
Token: SeCreatePagefilePrivilege	1972	chrome.exe
Token: SeShutdownPrivilege	1972	chrome.exe
Token: SeCreatePagefilePrivilege	1972	chrome.exe
Token: SeShutdownPrivilege	1972	chrome.exe
Token: SeCreatePagefilePrivilege	1972	chrome.exe
Token: SeShutdownPrivilege	1972	chrome.exe
Token: SeCreatePagefilePrivilege	1972	chrome.exe
Token: SeShutdownPrivilege	1972	chrome.exe
Token: SeCreatePagefilePrivilege	1972	chrome.exe
Token: SeShutdownPrivilege	1972	chrome.exe
Token: SeCreatePagefilePrivilege	1972	chrome.exe
Token: SeShutdownPrivilege	1972	chrome.exe
Token: SeCreatePagefilePrivilege	1972	chrome.exe
Token: SeShutdownPrivilege	1972	chrome.exe
Token: SeCreatePagefilePrivilege	1972	chrome.exe
Token: SeShutdownPrivilege	1972	chrome.exe
Token: SeCreatePagefilePrivilege	1972	chrome.exe
Token: SeShutdownPrivilege	1972	chrome.exe
Token: SeCreatePagefilePrivilege	1972	chrome.exe
Token: SeShutdownPrivilege	1972	chrome.exe
Token: SeCreatePagefilePrivilege	1972	chrome.exe
Token: SeShutdownPrivilege	1972	chrome.exe
Token: SeCreatePagefilePrivilege	1972	chrome.exe
Token: SeShutdownPrivilege	1972	chrome.exe
Token: SeCreatePagefilePrivilege	1972	chrome.exe
Token: SeShutdownPrivilege	1972	chrome.exe
Token: SeCreatePagefilePrivilege	1972	chrome.exe
Token: SeShutdownPrivilege	1972	chrome.exe
Token: SeCreatePagefilePrivilege	1972	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
5848	BadApple(gdip).exe

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
1972	chrome.exe
5848	BadApple(gdip).exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 3028	1972	chrome.exe	77
PID 1972 wrote to memory of 3028	1972	chrome.exe	77
PID 1972 wrote to memory of 1424	1972	chrome.exe	78
PID 1972 wrote to memory of 1424	1972	chrome.exe	78
PID 1972 wrote to memory of 1424	1972	chrome.exe	78
PID 1972 wrote to memory of 1424	1972	chrome.exe	78
PID 1972 wrote to memory of 1424	1972	chrome.exe	78
PID 1972 wrote to memory of 1424	1972	chrome.exe	78
PID 1972 wrote to memory of 1424	1972	chrome.exe	78
PID 1972 wrote to memory of 1424	1972	chrome.exe	78
PID 1972 wrote to memory of 1424	1972	chrome.exe	78
PID 1972 wrote to memory of 1424	1972	chrome.exe	78
PID 1972 wrote to memory of 1424	1972	chrome.exe	78
PID 1972 wrote to memory of 1424	1972	chrome.exe	78
PID 1972 wrote to memory of 1424	1972	chrome.exe	78
PID 1972 wrote to memory of 1424	1972	chrome.exe	78
PID 1972 wrote to memory of 1424	1972	chrome.exe	78
PID 1972 wrote to memory of 1424	1972	chrome.exe	78
PID 1972 wrote to memory of 1424	1972	chrome.exe	78
PID 1972 wrote to memory of 1424	1972	chrome.exe	78
PID 1972 wrote to memory of 1424	1972	chrome.exe	78
PID 1972 wrote to memory of 1424	1972	chrome.exe	78
PID 1972 wrote to memory of 1424	1972	chrome.exe	78
PID 1972 wrote to memory of 1424	1972	chrome.exe	78
PID 1972 wrote to memory of 1424	1972	chrome.exe	78
PID 1972 wrote to memory of 1424	1972	chrome.exe	78
PID 1972 wrote to memory of 1424	1972	chrome.exe	78
PID 1972 wrote to memory of 1424	1972	chrome.exe	78
PID 1972 wrote to memory of 1424	1972	chrome.exe	78
PID 1972 wrote to memory of 1424	1972	chrome.exe	78
PID 1972 wrote to memory of 1424	1972	chrome.exe	78
PID 1972 wrote to memory of 1424	1972	chrome.exe	78
PID 1972 wrote to memory of 4660	1972	chrome.exe	79
PID 1972 wrote to memory of 4660	1972	chrome.exe	79
PID 1972 wrote to memory of 5908	1972	chrome.exe	80
PID 1972 wrote to memory of 5908	1972	chrome.exe	80
PID 1972 wrote to memory of 5908	1972	chrome.exe	80
PID 1972 wrote to memory of 5908	1972	chrome.exe	80
PID 1972 wrote to memory of 5908	1972	chrome.exe	80
PID 1972 wrote to memory of 5908	1972	chrome.exe	80
PID 1972 wrote to memory of 5908	1972	chrome.exe	80
PID 1972 wrote to memory of 5908	1972	chrome.exe	80
PID 1972 wrote to memory of 5908	1972	chrome.exe	80
PID 1972 wrote to memory of 5908	1972	chrome.exe	80
PID 1972 wrote to memory of 5908	1972	chrome.exe	80
PID 1972 wrote to memory of 5908	1972	chrome.exe	80
PID 1972 wrote to memory of 5908	1972	chrome.exe	80
PID 1972 wrote to memory of 5908	1972	chrome.exe	80
PID 1972 wrote to memory of 5908	1972	chrome.exe	80
PID 1972 wrote to memory of 5908	1972	chrome.exe	80
PID 1972 wrote to memory of 5908	1972	chrome.exe	80
PID 1972 wrote to memory of 5908	1972	chrome.exe	80
PID 1972 wrote to memory of 5908	1972	chrome.exe	80
PID 1972 wrote to memory of 5908	1972	chrome.exe	80
PID 1972 wrote to memory of 5908	1972	chrome.exe	80
PID 1972 wrote to memory of 5908	1972	chrome.exe	80
PID 1972 wrote to memory of 5908	1972	chrome.exe	80
PID 1972 wrote to memory of 5908	1972	chrome.exe	80
PID 1972 wrote to memory of 5908	1972	chrome.exe	80
PID 1972 wrote to memory of 5908	1972	chrome.exe	80
PID 1972 wrote to memory of 5908	1972	chrome.exe	80
PID 1972 wrote to memory of 5908	1972	chrome.exe	80
PID 1972 wrote to memory of 5908	1972	chrome.exe	80
PID 1972 wrote to memory of 5908	1972	chrome.exe	80

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://Google.com
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff99a72dcf8,0x7ff99a72dd04,0x7ff99a72dd10
  2⤵
  PID:3028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1964,i,17760733905892903545,7174130837909927463,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1960 /prefetch:2
  2⤵
  PID:1424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2220,i,17760733905892903545,7174130837909927463,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2252 /prefetch:11
  2⤵
  PID:4660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2360,i,17760733905892903545,7174130837909927463,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2504 /prefetch:13
  2⤵
  PID:5908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,17760733905892903545,7174130837909927463,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,17760733905892903545,7174130837909927463,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:5104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4196,i,17760733905892903545,7174130837909927463,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4240 /prefetch:9
  2⤵
  PID:3728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4632,i,17760733905892903545,7174130837909927463,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4644 /prefetch:1
  2⤵
  PID:2392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5160,i,17760733905892903545,7174130837909927463,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5172 /prefetch:14
  2⤵
  PID:1692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5236,i,17760733905892903545,7174130837909927463,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5424 /prefetch:14
  2⤵
  PID:980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5468,i,17760733905892903545,7174130837909927463,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5488 /prefetch:14
  2⤵
  PID:5344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5476,i,17760733905892903545,7174130837909927463,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5416 /prefetch:14
  2⤵
  PID:5848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5424,i,17760733905892903545,7174130837909927463,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4352 /prefetch:1
  2⤵
  PID:4904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5656,i,17760733905892903545,7174130837909927463,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5668 /prefetch:14
  2⤵
  - NTFS ADS
  PID:1380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=5564,i,17760733905892903545,7174130837909927463,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5624 /prefetch:10
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5592,i,17760733905892903545,7174130837909927463,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5324 /prefetch:14
  2⤵
  PID:656

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:6132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3520

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1296

C:\Users\Admin\Downloads\BadAppleAHK\BadAppleAHK\BadApple(gdip).exe
"C:\Users\Admin\Downloads\BadAppleAHK\BadAppleAHK\BadApple(gdip).exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5848

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004D4
1⤵
PID:1864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
2edc2f597e1e2629fb1fd046111023c6

SHA1
8353810a5a79ebc028c207d5539ae576aac680e3

SHA256
8d33ad0efa2108a74da0bd8f481f60d50d4e2b6b6e0ef6414036341c345e6d45

SHA512
f186280a7e10b56d2d58ea561b7b5f990ccf90ba8075d53c01c82a98c35116eb7b29a6806aec94b3273285d9c7b65bdc04b55bc78fd7ff717b1554443cebf117

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
883b7c7cbf0452eaa56b6c41352ac643

SHA1
cb1390793bf1c0694fcffbc95580f986bbb46435

SHA256
1af8639be5e779dbb9e117f78a59c8ad2a115716da33d7859b207bc936a977fb

SHA512
a2c3d3d5bcbe0dc1f5dc0980da73f0b747e02a85e8c16bd03f027a822636e793bfab2ba86fd583aa96325b1a4e6b561181d31167c8fb09cec40ed4288d660463

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
19ee9dc6fc09cde5d257b48d5e61b27f

SHA1
38f4fefc5642d12efee2e34027b0a605f3e90bf1

SHA256
99f082533d8dacedf0faf452d3951adac2f0a5a6c99251fe6b52546467fcb780

SHA512
8936b96b00b0f5629944124e1e2bd21d58d22709fe87789fe4f56b3cb8353423a1d85982560a7ed77962ace875ab42a1452e39f989330ef1eec770f7893bceaa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
974aacc95ab95daf2446227b3ecd63c1

SHA1
108d701bd5984495b5101953003d475e6c46b835

SHA256
c304100d224fe71863d86dd4cb3bc142e76ef8e96c6f463d414474495fbd62fb

SHA512
0479d3bcebc8292c9d1f982c5be93eb82972fd1136a8d9d8e0a836866cd754f6ae0868fc12874aa6d8e009d82cd899a948b9de155ad11a276040a19f1fa2e3b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\a648cc88-efb6-4493-a5b5-022b6fdb60f7.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
22155d1f649adf9e3dc1fb87d973eb70

SHA1
8f5c167c3b1476b43d705f21b8e7f56e68c1cf21

SHA256
25f71ea40efa8bd4f938f3cdfb0ad7aa07e9d4c1d9deb65e8c418a70ef11100e

SHA512
840ecbdbc26d2398bf821ed9b536a38c811318521ca565771ed5ff02bdc75b5985849dd5ae790c6997d433ec09845827bf9c386f746d88dcd0a4cb87e01aac19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
bd69cc3fbcca4b0b67694d1b027bfd71

SHA1
df3cfd35a251055b1734bdcad86c54597eb37d7e

SHA256
37e0992e54cb2d00d8aff5e3982149e45df05cbc9b98902c4b7615efb5cf9288

SHA512
20f578c2b0ca6860cf7a05dbaa8a667b00eeffd08146b49712b211be3b5412cfb2171fdb2357335f3563761519cc92cac011f62a0c75a1321d2da3dca561d274

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
868e47c20255fbffb85361f74ae112c2

SHA1
4e9c4dcc52156b4b892ffe1afb450ec94db329ae

SHA256
f4b0fba8f921b069dbf76e689f67ca81966e175885221156ac10290f22b0a9fe

SHA512
0eb679cafe3e668266536ef26551c09b8cfbbe042de5dd45bcad8a4d203a7e87c076430c44dfba8e304e5c3ec547ee3e0b287076ab8b6095bb8bff157a335e84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8b7c7adb879a658eba9727b4b50d7dcf

SHA1
b1d42f73b50586a7c13fb524e724fcbfc89a52fb

SHA256
68dd86c549eccafe0a3728172b616f949954cb82452b18f39f931b6c92f26d09

SHA512
b7dc9343201e89918a689010ea9ab38f457938b39b314604e1d8166f77432729f5aa5b0fe7e4296e252dffe600b6504beb9a89d4bfa1c72e91707f2483f613d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
049123b782022622224f318056842354

SHA1
a412982afd05cb84eab8db678cfdafe912d6099b

SHA256
6983dd15e495c101dc6b77019a96ea40d9f47a24d606de2d893f9708c41202ef

SHA512
2c45eac0e382ef0a6fdfd423e6efb67400ec945fcd8a8d3c972bde8100bfccfd3fe594f69ba49ae1d84ee97a1fc29bad21bd52088bfef418551485d1548fca6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
6ea30f119a8c4be02726aa6b9b67f3e1

SHA1
e1bd9c96a478626f1438ea623d731433ebef4c74

SHA256
1d919f6377028b424cc54256d532f5783c079998e0b0bbaf7c99f6a8809f6e0b

SHA512
2609d75ba24a237d8d6e908a36186d871793ea07c22cad889f6cdd5441f53fcc59a839aa918ecf94ff625fffa1330cd0aa90563a91ab3869dc4c6b6e27b971dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5826ec.TMP

Filesize
48B

MD5
10324a7693bae0fa8d87cefeb682b03c

SHA1
df53172608be66357561ace489dc07b69162389c

SHA256
ac4ca918c73670c7500df25967b8955e688eac519aaa561d4b1ebcee3d1a5011

SHA512
9bc94427d73ab6f94ec825f67ad198d2d0e414872110bdf37cacdb46c2067539ebd102274eb42fde33fc44ee43aedb12fcd5df502c7a8846e4f8ef8d2ff6d9c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
37cd736917473fc1be70d01793a8986f

SHA1
1ba8daef4045a5b3d152fbef23c2e009261f3da5

SHA256
ade0094e3765658302441e36cff3c7cc0a859d515b9a0a0b87875414550b83c0

SHA512
9d0287a1f419b30c7431c0d8c09d62acedadd686e51f3623cdf0f2d3da7a4bf38c6407b6d73aea0d569319ca75c5b6f85521a4f80aec44ac8c0e99bfd159a91f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
ab38b01229d3da9183c778840284657f

SHA1
61d68c9bd0a720fb359064bb347d5c65327ba7d6

SHA256
0d37eb72e72488a106d122909f691a1fe117bdf76c06b32eefb4621812f3d564

SHA512
cf89cb8253df72d8454d7bd5f3d43b6a55cf9bba007189e0c3eb85f109bf98c80cd25fe5c031c1abd16d48ae2bf9320169392f274a30fe07647f67e320075be3

Download Submit
C:\Users\Admin\Downloads\BadAppleAHK.zip.crdownload

Filesize
11.3MB

MD5
6ce071d5500861ff7060c3a56c194a41

SHA1
099404607e440b8c212c5da7d15150944278c53b

SHA256
6b17266aaa860d405fa38d67adec66d5cab628d5e294847b468a76c513ac0d48

SHA512
47919f4bd86175d7d909421ac0c0aa7b4a54c53af68a64e0ded37bd434cad9b0dc75f3ca166d3f0808f63be834e0fbcc3b3f22f1e26ef83cd7c70f5d34219f09

Download Submit
C:\Users\Admin\Downloads\BadAppleAHK.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/5848-559-0x0000000005ED0000-0x0000000005EE0000-memory.dmp

Filesize
64KB

Download
memory/5848-574-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/5848-560-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/5848-561-0x0000000005ED0000-0x0000000005EE0000-memory.dmp

Filesize
64KB

Download
memory/5848-563-0x0000000005ED0000-0x0000000005EE0000-memory.dmp

Filesize
64KB

Download
memory/5848-562-0x0000000005ED0000-0x0000000005EE0000-memory.dmp

Filesize
64KB

Download
memory/5848-564-0x0000000005ED0000-0x0000000005EE0000-memory.dmp

Filesize
64KB

Download
memory/5848-565-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/5848-570-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/5848-572-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/5848-571-0x00000000004DB000-0x00000000004DC000-memory.dmp

Filesize
4KB

Download
memory/5848-558-0x00000000004DB000-0x00000000004DC000-memory.dmp

Filesize
4KB

Download
memory/5848-573-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/5848-575-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/5848-577-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/5848-576-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/5848-557-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/5848-587-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/5848-588-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/5848-589-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/5848-590-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/5848-591-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download