013dcd3f617a3554900884d4474aa47eeb81bf8ac1f8baea466569fdee508729

Resubmissions

16/04/2025, 23:13

250416-27slns1ly3 5

16/04/2025, 23:07

250416-24eweawzc1 6

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
16/04/2025, 23:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HalfSwordModInstaller.exe
Size

411KB
MD5

aacfeb77f2412d04dd8fe61851025f8d
SHA1

100d5a9c82cc39026487492b368689b81cb1386e
SHA256

013dcd3f617a3554900884d4474aa47eeb81bf8ac1f8baea466569fdee508729
SHA512

659bbcd8255a58e6353956ca113bf998af5fe9a08a1f6566ffe769d1381999b65d7bd95c417d7f93a68f7248201edbad6ae36841c8c0c7263dce92c69a0d6d32
SSDEEP

3072:VQlEhwqK1e6lS0P3aUHkjhXaUHkjhlQdo0WRzJ3rUHkjhR:Ktd9XoXuQdczhC

Score

5^/10

steam discovery phishing

Malware Config

Signatures

Detected potential entity reuse from brand STEAM. 1 IoCs

phishing steam

flow	pid	Process
101	5652	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HalfSwordModInstaller.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133893188498300980"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4848	chrome.exe
4848	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4480	chrome.exe
Token: SeCreatePagefilePrivilege	4480	chrome.exe
Token: SeShutdownPrivilege	4480	chrome.exe
Token: SeCreatePagefilePrivilege	4480	chrome.exe
Token: SeShutdownPrivilege	4480	chrome.exe
Token: SeCreatePagefilePrivilege	4480	chrome.exe
Token: SeShutdownPrivilege	4480	chrome.exe
Token: SeCreatePagefilePrivilege	4480	chrome.exe
Token: SeShutdownPrivilege	4480	chrome.exe
Token: SeCreatePagefilePrivilege	4480	chrome.exe
Token: SeShutdownPrivilege	4480	chrome.exe
Token: SeCreatePagefilePrivilege	4480	chrome.exe
Token: SeShutdownPrivilege	4480	chrome.exe
Token: SeCreatePagefilePrivilege	4480	chrome.exe
Token: SeShutdownPrivilege	4480	chrome.exe
Token: SeCreatePagefilePrivilege	4480	chrome.exe
Token: SeShutdownPrivilege	4480	chrome.exe
Token: SeCreatePagefilePrivilege	4480	chrome.exe
Token: SeShutdownPrivilege	4480	chrome.exe
Token: SeCreatePagefilePrivilege	4480	chrome.exe
Token: SeShutdownPrivilege	4480	chrome.exe
Token: SeCreatePagefilePrivilege	4480	chrome.exe
Token: SeShutdownPrivilege	4480	chrome.exe
Token: SeCreatePagefilePrivilege	4480	chrome.exe
Token: SeShutdownPrivilege	4480	chrome.exe
Token: SeCreatePagefilePrivilege	4480	chrome.exe
Token: SeShutdownPrivilege	4480	chrome.exe
Token: SeCreatePagefilePrivilege	4480	chrome.exe
Token: SeShutdownPrivilege	4480	chrome.exe
Token: SeCreatePagefilePrivilege	4480	chrome.exe
Token: SeShutdownPrivilege	4480	chrome.exe
Token: SeCreatePagefilePrivilege	4480	chrome.exe
Token: SeShutdownPrivilege	4480	chrome.exe
Token: SeCreatePagefilePrivilege	4480	chrome.exe
Token: SeShutdownPrivilege	4480	chrome.exe
Token: SeCreatePagefilePrivilege	4480	chrome.exe
Token: SeShutdownPrivilege	4480	chrome.exe
Token: SeCreatePagefilePrivilege	4480	chrome.exe
Token: SeShutdownPrivilege	4480	chrome.exe
Token: SeCreatePagefilePrivilege	4480	chrome.exe
Token: SeShutdownPrivilege	4480	chrome.exe
Token: SeCreatePagefilePrivilege	4480	chrome.exe
Token: SeShutdownPrivilege	4480	chrome.exe
Token: SeCreatePagefilePrivilege	4480	chrome.exe
Token: SeShutdownPrivilege	4480	chrome.exe
Token: SeCreatePagefilePrivilege	4480	chrome.exe
Token: SeShutdownPrivilege	4480	chrome.exe
Token: SeCreatePagefilePrivilege	4480	chrome.exe
Token: SeShutdownPrivilege	4480	chrome.exe
Token: SeCreatePagefilePrivilege	4480	chrome.exe
Token: SeShutdownPrivilege	4480	chrome.exe
Token: SeCreatePagefilePrivilege	4480	chrome.exe
Token: SeShutdownPrivilege	4480	chrome.exe
Token: SeCreatePagefilePrivilege	4480	chrome.exe
Token: SeShutdownPrivilege	4480	chrome.exe
Token: SeCreatePagefilePrivilege	4480	chrome.exe
Token: SeShutdownPrivilege	4480	chrome.exe
Token: SeCreatePagefilePrivilege	4480	chrome.exe
Token: SeShutdownPrivilege	4480	chrome.exe
Token: SeCreatePagefilePrivilege	4480	chrome.exe
Token: SeShutdownPrivilege	4480	chrome.exe
Token: SeCreatePagefilePrivilege	4480	chrome.exe
Token: SeShutdownPrivilege	4480	chrome.exe
Token: SeCreatePagefilePrivilege	4480	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4480 wrote to memory of 4516	4480	chrome.exe	98
PID 4480 wrote to memory of 4516	4480	chrome.exe	98
PID 4480 wrote to memory of 5652	4480	chrome.exe	99
PID 4480 wrote to memory of 5652	4480	chrome.exe	99
PID 4480 wrote to memory of 4564	4480	chrome.exe	100
PID 4480 wrote to memory of 4564	4480	chrome.exe	100
PID 4480 wrote to memory of 4564	4480	chrome.exe	100
PID 4480 wrote to memory of 4564	4480	chrome.exe	100
PID 4480 wrote to memory of 4564	4480	chrome.exe	100
PID 4480 wrote to memory of 4564	4480	chrome.exe	100
PID 4480 wrote to memory of 4564	4480	chrome.exe	100
PID 4480 wrote to memory of 4564	4480	chrome.exe	100
PID 4480 wrote to memory of 4564	4480	chrome.exe	100
PID 4480 wrote to memory of 4564	4480	chrome.exe	100
PID 4480 wrote to memory of 4564	4480	chrome.exe	100
PID 4480 wrote to memory of 4564	4480	chrome.exe	100
PID 4480 wrote to memory of 4564	4480	chrome.exe	100
PID 4480 wrote to memory of 4564	4480	chrome.exe	100
PID 4480 wrote to memory of 4564	4480	chrome.exe	100
PID 4480 wrote to memory of 4564	4480	chrome.exe	100
PID 4480 wrote to memory of 4564	4480	chrome.exe	100
PID 4480 wrote to memory of 4564	4480	chrome.exe	100
PID 4480 wrote to memory of 4564	4480	chrome.exe	100
PID 4480 wrote to memory of 4564	4480	chrome.exe	100
PID 4480 wrote to memory of 4564	4480	chrome.exe	100
PID 4480 wrote to memory of 4564	4480	chrome.exe	100
PID 4480 wrote to memory of 4564	4480	chrome.exe	100
PID 4480 wrote to memory of 4564	4480	chrome.exe	100
PID 4480 wrote to memory of 4564	4480	chrome.exe	100
PID 4480 wrote to memory of 4564	4480	chrome.exe	100
PID 4480 wrote to memory of 4564	4480	chrome.exe	100
PID 4480 wrote to memory of 4564	4480	chrome.exe	100
PID 4480 wrote to memory of 4564	4480	chrome.exe	100
PID 4480 wrote to memory of 4564	4480	chrome.exe	100
PID 4480 wrote to memory of 4456	4480	chrome.exe	101
PID 4480 wrote to memory of 4456	4480	chrome.exe	101
PID 4480 wrote to memory of 4456	4480	chrome.exe	101
PID 4480 wrote to memory of 4456	4480	chrome.exe	101
PID 4480 wrote to memory of 4456	4480	chrome.exe	101
PID 4480 wrote to memory of 4456	4480	chrome.exe	101
PID 4480 wrote to memory of 4456	4480	chrome.exe	101
PID 4480 wrote to memory of 4456	4480	chrome.exe	101
PID 4480 wrote to memory of 4456	4480	chrome.exe	101
PID 4480 wrote to memory of 4456	4480	chrome.exe	101
PID 4480 wrote to memory of 4456	4480	chrome.exe	101
PID 4480 wrote to memory of 4456	4480	chrome.exe	101
PID 4480 wrote to memory of 4456	4480	chrome.exe	101
PID 4480 wrote to memory of 4456	4480	chrome.exe	101
PID 4480 wrote to memory of 4456	4480	chrome.exe	101
PID 4480 wrote to memory of 4456	4480	chrome.exe	101
PID 4480 wrote to memory of 4456	4480	chrome.exe	101
PID 4480 wrote to memory of 4456	4480	chrome.exe	101
PID 4480 wrote to memory of 4456	4480	chrome.exe	101
PID 4480 wrote to memory of 4456	4480	chrome.exe	101
PID 4480 wrote to memory of 4456	4480	chrome.exe	101
PID 4480 wrote to memory of 4456	4480	chrome.exe	101
PID 4480 wrote to memory of 4456	4480	chrome.exe	101
PID 4480 wrote to memory of 4456	4480	chrome.exe	101
PID 4480 wrote to memory of 4456	4480	chrome.exe	101
PID 4480 wrote to memory of 4456	4480	chrome.exe	101
PID 4480 wrote to memory of 4456	4480	chrome.exe	101
PID 4480 wrote to memory of 4456	4480	chrome.exe	101
PID 4480 wrote to memory of 4456	4480	chrome.exe	101
PID 4480 wrote to memory of 4456	4480	chrome.exe	101

C:\Users\Admin\AppData\Local\Temp\HalfSwordModInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\HalfSwordModInstaller.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:5684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb0104dcf8,0x7ffb0104dd04,0x7ffb0104dd10
  2⤵
  PID:4516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1928,i,5529349243860326719,9202792758982237697,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2032 /prefetch:3
  2⤵
  - Detected potential entity reuse from brand STEAM.
  PID:5652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2000,i,5529349243860326719,9202792758982237697,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=1996 /prefetch:2
  2⤵
  PID:4564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2392,i,5529349243860326719,9202792758982237697,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2544 /prefetch:8
  2⤵
  PID:4456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3176,i,5529349243860326719,9202792758982237697,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3200,i,5529349243860326719,9202792758982237697,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:2448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4508,i,5529349243860326719,9202792758982237697,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4536 /prefetch:2
  2⤵
  PID:2584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4756,i,5529349243860326719,9202792758982237697,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4688 /prefetch:1
  2⤵
  PID:3336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5348,i,5529349243860326719,9202792758982237697,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5356 /prefetch:8
  2⤵
  PID:3444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5572,i,5529349243860326719,9202792758982237697,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5544 /prefetch:8
  2⤵
  PID:1792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5648,i,5529349243860326719,9202792758982237697,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5760 /prefetch:1
  2⤵
  PID:5108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3156,i,5529349243860326719,9202792758982237697,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3316 /prefetch:8
  2⤵
  PID:5232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3980,i,5529349243860326719,9202792758982237697,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5692 /prefetch:8
  2⤵
  PID:3084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3972,i,5529349243860326719,9202792758982237697,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5628 /prefetch:8
  2⤵
  PID:5268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4516,i,5529349243860326719,9202792758982237697,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4644 /prefetch:1
  2⤵
  PID:4768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3300,i,5529349243860326719,9202792758982237697,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4624 /prefetch:8
  2⤵
  PID:1908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=3420,i,5529349243860326719,9202792758982237697,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3408 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4848

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:2040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2736

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x504 0x50c
1⤵
PID:1108

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
414B

MD5
b7adbb30b5e13c28b79f80f25ce535c4

SHA1
1962fb194fd999b26e0f6c1763d900a7afe81c80

SHA256
6a2f6e0d6f1d3b3fba7828f8122bcfd151b94ac1854ad7f8751d9f3930d1b3eb

SHA512
6256e679f2d5c4db7c9c3cebfcd34fa14e67d32c840408dbfaaa640f9792761351982eddb9f741c2ebc43bb932a27b302d4216415e9db39c86f6a33a61bf89e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
216KB

MD5
50a7159ff34dea151d624f07e6cb1664

SHA1
e13fe30db96dcee328efda5cc78757b6e5b9339c

SHA256
e990d9d31c4c7d57dd4795e43baea05501fb6ea8b7760f89001be660425dd01b

SHA512
a7768dd7e315b07754a305080e0fc023765e5a224b2c3824e8e10f29286df63bbdefef379e069941fd8cd9c7c3befce976779ae2efdfb6e7da697b09d7f07250

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
798f71a21f10202f309e6a89a8c91225

SHA1
33e7ffffa48f3eec6729f1d4953c5675b042da33

SHA256
4cefd001827aa235c83de2dda9446d3845f488de34d58c909656a3f439a8d5c5

SHA512
e26e74814fd0904c78f2c62c721259a0706b295ac0d5bdced9155074de52674e0f5f8e71b952e99797b7d5ad00a1970be2ab47ab557ca86f993fc271dd73842d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
6be07691490741f8a70bb3fd213d9f35

SHA1
dbfed998b359ff88d71da1bfcb891d1ec1f5b87c

SHA256
913c289ae41f187bec1768523f8462c118f1a672f3e55e627de405adfcfa956b

SHA512
999c33fc1ddd96077715b916580b055c8a40fd93a91df65bd6d4127c6cc01956348e59bcf05a4184eb5cedb867fe62d0797904b78a080091377c24ecfbebfad9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
92f049739e98bb65fc5420b43698d07a

SHA1
d5ed7016964d9a6865dbba92af749cbd7e779bb7

SHA256
2ce2877c627bef2d7ef69b62033e4a2168f667735e06d0c3680819783adeada9

SHA512
1a9e1b5d33a3e882bc391b422c23917d7ae91ac419cc5cc497597c86be7beb13788439e5fac23c76f14d7b2529b9380a6e1e715e5dbf69ea33f55ec4a338bd5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
4a289713a7b9048f97e904a39909bb15

SHA1
ea8e30a7ba33de2288d7326994bef7c1ff8898bd

SHA256
d417dfb5dc75b41074f1155a0f13787d41fa1ae2fdf5b087ac4650b90ce587e9

SHA512
9f4a7a75fcce6a71d7f52f4a967db190b2cc86009173b3cd0ff7924e06747366cdd10a6d63a2c7f07b2bcaac49bf338a9bb425a23373c79ef0dfedf7e530f868

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
9c3f01948c73d1bce1f1d2aa8b8a5b3f

SHA1
5c69bd33b424e6adcedd4f823006e184369f4188

SHA256
36ffa349e8dad98311d24d43fad9fa783875ee1d64a54212c2738c0b297d186e

SHA512
e618ac4e4e975c8c85689da6c1f2a8ca1074dc5387b223cfcc50096e776218325a149b17f09533246add2d4101ea2df415f5352018aa33a6015ee699f8d2f0e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
50b856cc20b2a44273c027c5d13f42be

SHA1
dddb05a605dbe69f65aeb612f95d62794d75e933

SHA256
ef11110036d1e4d475eba89c81d2a701452f5225c94c3eee34afcaf3e0333926

SHA512
577b329ca408d31f00baa39deb2578d496624f7852e1a58b37366b3ff4af8a6c399300a5dc5958e61246dc9871dc911d556a9ad0c6025ae0f8a12f11a59617f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0508719106a3becf97d44ebb03f08da4

SHA1
89154b5119b2543f36cda44f7fa991c70c508571

SHA256
979e659ed976b01e4dbb56c64fef49e30631b15cbe07132ff60b906cd09014ef

SHA512
3fbe510ead40be0a23d66be0128bd935df852c939f59f66d3a216bec442561162e5ffb93c429f7084851a0427d9813ec9b19579e03fd9fe007a014f7500ff340

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
15e1ad685b61363f69ff95223daa3b25

SHA1
a644fd6fe8a98194409a5ce1646d8e78174a9612

SHA256
5296668d319f5e52b4fdc9a5a86aecfb3fe595de8f7a5ead7c1948bd27f26af6

SHA512
3a554f3829fbed8d16f127d5a068a714c942cd86ae666b5113ce4cbbd758e2ec72f0f62e9c058ea1c850c30e37dcc5bc381956dd58ea8543baa7f4a0ebf7a5e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
2acf893865e735acaa604d60ea49ed58

SHA1
2facae7954c36a2bba5dda1c551043ac498f757c

SHA256
fa64b3ddaa830e9c04b93c6b898b5da5ca826914df974632c7a99ba5d79a0ca9

SHA512
c95f176597003ddefd99e4c88c52035955699b5ba52e4ab76c8cf76399d6a7e9346f43d216cc7d211e448c6f3ee87c98e5dd92e70f1a7ebb0d7d12582eb3c996

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
e35e980b1f0f940c262fd3e5f127339d

SHA1
2dae2db80e717773d1f03fa4f84592bdf77e3368

SHA256
e0c2598f8ecf37265021ef4df87479c3ab86ca658d8bcbf5bb5c21fbf34abe0e

SHA512
2cd07671d01a8fdaa396872e67ce64d43a9fa86008651c19b5f1165149a65b7e5a039d63babb8231209443251db9c4389e96696c0148d1a509291f1154d74ecc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
55f1d3e2b1ab777c6f830fd4ffc37a1b

SHA1
1ea225d9857b92fb0d86bf4f6c99a13c69536030

SHA256
16434d6c737628b1ea664b3f92ebad4c1c269326e37c9297086a745a7cad9f04

SHA512
bb42d4d89a3016f58fc095a522ab5469ac6548acdd1cdccd9bf3a44cee518ca8091e7c6630fd422701e00ea1fbf7773255f348939e1fb826d68a5660c130c126

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57d9b6.TMP

Filesize
48B

MD5
1281f4f5335f0d414df3f3b7ae816ad5

SHA1
c4de698b01a3b53d50b236f9d930c2ef575fdb0f

SHA256
0b99b59661d2760ffe966d2746faa9daa825ad4b485d42c64ce02c3dccd2ee35

SHA512
f46d3bfdd164765d69d68c410ec6e5bca23c3ef44d2e434588cd2c31dc863d25e0a72b2d04f7f9ea4a91f8c555dc5ff3317f944c25b54153f611adde6f0a07fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
79KB

MD5
e5e2f2c699a3f18396de8257697fe81f

SHA1
12ceff44b98ddbe057ad0574edd3a92ef065f594

SHA256
b29f9344bbc9d429f508d253140df839127a128d847732bb9dec564431b10109

SHA512
91ea9cb4640d0429c84089bd51249f7915a6cfd7a1003162341614e947a14aeaf98b4f1cbd03ea4a9e7805548a7c63d10d2c4fed6086509559d22270ff4c95ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
153KB

MD5
e0ec7ede01e2633919e771e46723eea6

SHA1
609973f45f92229b748afd60faec9b1b6afe33a1

SHA256
3ad53ed4fe02e1910f6d6e96d401157e3ec9989c6c594621f2cbaefe10eeff51

SHA512
a697528c92fd0ec9881db21c052ed3aa10955b3bcd6c4a2be6b419be4ef2f0fdc47333e14886b0e2799bb316ec4ac99d3114ff8ad0b9e77852640cd209f2b267

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
153KB

MD5
e875ce6b34b4ecab43d9692fd6ad8a2b

SHA1
ac56cace307b3d2f1fec0945a6f558d1d8f7d494

SHA256
e328c8e8915cd9d890fb24c2334f6c405b8fe56d82219d2c97464226c55e94a7

SHA512
b120f49a047b0fe92e715248baa0e8dbaabb5bf624d4ba5428a11f21fcd23cf1ec8862c0a27054ff2cddab80017e6910036d43d1fad621358be48046276f2fe6

Download Submit
memory/5684-0-0x0000000074E2E000-0x0000000074E2F000-memory.dmp

Filesize
4KB

Download
memory/5684-15-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/5684-14-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/5684-4-0x0000000004F50000-0x0000000004F5A000-memory.dmp

Filesize
40KB

Download
memory/5684-5-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/5684-2-0x0000000005360000-0x0000000005904000-memory.dmp

Filesize
5.6MB

Download
memory/5684-3-0x0000000004E90000-0x0000000004F22000-memory.dmp

Filesize
584KB

Download
memory/5684-1-0x00000000004A0000-0x000000000050C000-memory.dmp

Filesize
432KB

Download