766b6899cf34e1b56e01a6c9e00842f3855febb8fb2148a3f542c57c40038367

Analysis

max time kernel
271s
max time network
294s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 20:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ChromSetup.exe
Size

1.6MB
MD5

5fa5cb39bf102d13ff7d2f3e62b8405f
SHA1

a1574604b05fcec794a0a718108daad1c852b2e0
SHA256

766b6899cf34e1b56e01a6c9e00842f3855febb8fb2148a3f542c57c40038367
SHA512

f02864a53368052225c334c30ea2c17a78218484fae88c1122053c99d2fa0147ebe42be20d662ba344a8b40851744f4c0527c6174f33eafd9d0a93665655f7ac
SSDEEP

24576:s7FUDowAyrTVE3U5FRQBx6/pBh2FQ7iiqW4OzV5wf:sBuZrEUaoB0FQOxWXe

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

ChromSetup.tmp

pid process

1916 ChromSetup.tmp
Loads dropped DLL 5 IoCs

Processes:

ChromSetup.exeChromSetup.tmp

pid process

276 ChromSetup.exe
1916 ChromSetup.tmp
1916 ChromSetup.tmp
1916 ChromSetup.tmp
1916 ChromSetup.tmp
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
276	ChromSetup.exe
1916	ChromSetup.tmp
1916	ChromSetup.tmp
1916	ChromSetup.tmp
1916	ChromSetup.tmp

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleChromeAutoLaunch_A5B343D047FD8BD2F268B0EA0F8DBD7C = "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --no-startup-window /prefetch:5"	chrome.exe

Delays execution with timeout.exe 8 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

1596 timeout.exe
1348 timeout.exe
1556 timeout.exe
872 timeout.exe
1752 timeout.exe
1468 timeout.exe
1684 timeout.exe
1300 timeout.exe

pid	process
1596	timeout.exe
1348	timeout.exe
1556	timeout.exe
872	timeout.exe
1752	timeout.exe
1468	timeout.exe
1684	timeout.exe
1300	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

ChromSetup.tmppowershell.exechrome.exechrome.exepowershell.exechrome.exechrome.exe

pid	process
1916	ChromSetup.tmp
1916	ChromSetup.tmp
524	powershell.exe
524	powershell.exe
1784	chrome.exe
1508	chrome.exe
1508	chrome.exe
1912	powershell.exe
1912	powershell.exe
624	chrome.exe
1508	chrome.exe
1508	chrome.exe
1636	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

ChromSetup.tmp

pid process

1916 ChromSetup.tmp
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 524 powershell.exe
Token: SeDebugPrivilege 1912 powershell.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

ChromSetup.tmpchrome.exe

pid process

1916 ChromSetup.tmp
1508 chrome.exe
1508 chrome.exe
1508 chrome.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

chrome.exe

pid process

1508 chrome.exe
1508 chrome.exe
1508 chrome.exe

description	pid	process
Token: SeDebugPrivilege	524	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe

pid	process
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ChromSetup.exeChromSetup.tmpcmd.exechrome.exe

description	pid	process	target process
PID 276 wrote to memory of 1916	276	ChromSetup.exe	ChromSetup.tmp
PID 276 wrote to memory of 1916	276	ChromSetup.exe	ChromSetup.tmp
PID 276 wrote to memory of 1916	276	ChromSetup.exe	ChromSetup.tmp
PID 276 wrote to memory of 1916	276	ChromSetup.exe	ChromSetup.tmp
PID 276 wrote to memory of 1916	276	ChromSetup.exe	ChromSetup.tmp
PID 276 wrote to memory of 1916	276	ChromSetup.exe	ChromSetup.tmp
PID 276 wrote to memory of 1916	276	ChromSetup.exe	ChromSetup.tmp
PID 1916 wrote to memory of 900	1916	ChromSetup.tmp	cmd.exe
PID 1916 wrote to memory of 900	1916	ChromSetup.tmp	cmd.exe
PID 1916 wrote to memory of 900	1916	ChromSetup.tmp	cmd.exe
PID 1916 wrote to memory of 900	1916	ChromSetup.tmp	cmd.exe
PID 900 wrote to memory of 524	900	cmd.exe	powershell.exe
PID 900 wrote to memory of 524	900	cmd.exe	powershell.exe
PID 900 wrote to memory of 524	900	cmd.exe	powershell.exe
PID 900 wrote to memory of 932	900	cmd.exe	reg.exe
PID 900 wrote to memory of 932	900	cmd.exe	reg.exe
PID 900 wrote to memory of 932	900	cmd.exe	reg.exe
PID 900 wrote to memory of 288	900	cmd.exe	reg.exe
PID 900 wrote to memory of 288	900	cmd.exe	reg.exe
PID 900 wrote to memory of 288	900	cmd.exe	reg.exe
PID 900 wrote to memory of 1896	900	cmd.exe	reg.exe
PID 900 wrote to memory of 1896	900	cmd.exe	reg.exe
PID 900 wrote to memory of 1896	900	cmd.exe	reg.exe
PID 900 wrote to memory of 1824	900	cmd.exe	reg.exe
PID 900 wrote to memory of 1824	900	cmd.exe	reg.exe
PID 900 wrote to memory of 1824	900	cmd.exe	reg.exe
PID 900 wrote to memory of 304	900	cmd.exe	reg.exe
PID 900 wrote to memory of 304	900	cmd.exe	reg.exe
PID 900 wrote to memory of 304	900	cmd.exe	reg.exe
PID 900 wrote to memory of 284	900	cmd.exe	reg.exe
PID 900 wrote to memory of 284	900	cmd.exe	reg.exe
PID 900 wrote to memory of 284	900	cmd.exe	reg.exe
PID 900 wrote to memory of 1508	900	cmd.exe	chrome.exe
PID 900 wrote to memory of 1508	900	cmd.exe	chrome.exe
PID 900 wrote to memory of 1508	900	cmd.exe	chrome.exe
PID 900 wrote to memory of 872	900	cmd.exe	timeout.exe
PID 900 wrote to memory of 872	900	cmd.exe	timeout.exe
PID 900 wrote to memory of 872	900	cmd.exe	timeout.exe
PID 1508 wrote to memory of 1828	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1828	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1828	1508	chrome.exe	chrome.exe
PID 900 wrote to memory of 1752	900	cmd.exe	timeout.exe
PID 900 wrote to memory of 1752	900	cmd.exe	timeout.exe
PID 900 wrote to memory of 1752	900	cmd.exe	timeout.exe
PID 900 wrote to memory of 1468	900	cmd.exe	timeout.exe
PID 900 wrote to memory of 1468	900	cmd.exe	timeout.exe
PID 900 wrote to memory of 1468	900	cmd.exe	timeout.exe
PID 900 wrote to memory of 1684	900	cmd.exe	timeout.exe
PID 900 wrote to memory of 1684	900	cmd.exe	timeout.exe
PID 900 wrote to memory of 1684	900	cmd.exe	timeout.exe
PID 900 wrote to memory of 1300	900	cmd.exe	timeout.exe
PID 900 wrote to memory of 1300	900	cmd.exe	timeout.exe
PID 900 wrote to memory of 1300	900	cmd.exe	timeout.exe
PID 1508 wrote to memory of 1656	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1656	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1656	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1656	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1656	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1656	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1656	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1656	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1656	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1656	1508	chrome.exe	chrome.exe
PID 1508 wrote to memory of 1656	1508	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\ChromSetup.exe
"C:\Users\Admin\AppData\Local\Temp\ChromSetup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:276

C:\Users\Admin\AppData\Local\Temp\is-7MJPB.tmp\ChromSetup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-7MJPB.tmp\ChromSetup.tmp" /SL5="$60158,799144,786944,C:\Users\Admin\AppData\Local\Temp\ChromSetup.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-60CAT.tmp\chrome.bat" install"
3⤵
- Suspicious use of WriteProcessMemory
PID:900

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell.exe -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\is-60CAT.tmp\\chrome.ps1
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:524

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallAllowlist" /v "1" /t REG_SZ /d pejhfhcoekcajgokallhmklcjkkeemgj /f
4⤵
PID:932

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Google\Chrome\Extensions\pejhfhcoekcajgokallhmklcjkkeemgj" /v "path" /t REG_SZ /d C:\\apps.crx /f
4⤵
PID:288

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Google\Chrome\Extensions\pejhfhcoekcajgokallhmklcjkkeemgj" /v "version" /t REG_SZ /d 2.0 /f
4⤵
PID:1896

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\WOW6432Node\Policies\Google\Chrome\ExtensionInstallAllowlist" /v "1" /t REG_SZ /d pejhfhcoekcajgokallhmklcjkkeemgj /f
4⤵
PID:1824

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\WOW6432Node\Google\Chrome\Extensions\pejhfhcoekcajgokallhmklcjkkeemgj" /v "path" /t REG_SZ /d C:\\apps.crx /f
4⤵
PID:304

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\WOW6432Node\Google\Chrome\Extensions\pejhfhcoekcajgokallhmklcjkkeemgj" /v "version" /t REG_SZ /d 2.0 /f
4⤵
PID:284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --load-extension="C:\apps-helper" --no-startup-window
4⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fefae04f50,0x7fefae04f60,0x7fefae04f70
5⤵
PID:1828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1104,15653875466550693964,12447021768740762787,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1348 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1104,15653875466550693964,12447021768740762787,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1120 /prefetch:2
5⤵
PID:1656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1104,15653875466550693964,12447021768740762787,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1860 /prefetch:8
5⤵
PID:1704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1104,15653875466550693964,12447021768740762787,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2052 /prefetch:8
5⤵
PID:1960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1104,15653875466550693964,12447021768740762787,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2160 /prefetch:1
5⤵
PID:1912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1104,15653875466550693964,12447021768740762787,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1856 /prefetch:8
5⤵
PID:1556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1104,15653875466550693964,12447021768740762787,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
5⤵
PID:1036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1104,15653875466550693964,12447021768740762787,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2416 /prefetch:8
5⤵
PID:1372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1104,15653875466550693964,12447021768740762787,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
5⤵
PID:1940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1104,15653875466550693964,12447021768740762787,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2032 /prefetch:1
5⤵
PID:1924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1104,15653875466550693964,12447021768740762787,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 /prefetch:8
5⤵
PID:872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1104,15653875466550693964,12447021768740762787,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1292 /prefetch:2
5⤵
PID:2020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1104,15653875466550693964,12447021768740762787,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1484 /prefetch:8
5⤵
PID:1656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1104,15653875466550693964,12447021768740762787,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1740 /prefetch:8
5⤵
PID:1548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1104,15653875466550693964,12447021768740762787,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=908 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1104,15653875466550693964,12447021768740762787,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
5⤵
PID:900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1104,15653875466550693964,12447021768740762787,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2952 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1104,15653875466550693964,12447021768740762787,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2992 /prefetch:8
5⤵
PID:2028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1104,15653875466550693964,12447021768740762787,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=508 /prefetch:8
5⤵
PID:1716

C:\Windows\system32\timeout.exe
timeout 1
4⤵
- Delays execution with timeout.exe
PID:872

C:\Windows\system32\timeout.exe
timeout 1
4⤵
- Delays execution with timeout.exe
PID:1752

C:\Windows\system32\timeout.exe
timeout 1
4⤵
- Delays execution with timeout.exe
PID:1468

C:\Windows\system32\timeout.exe
timeout 1
4⤵
- Delays execution with timeout.exe
PID:1684

C:\Windows\system32\timeout.exe
timeout 1
4⤵
- Delays execution with timeout.exe
PID:1300

C:\Windows\system32\timeout.exe
timeout 1
4⤵
- Delays execution with timeout.exe
PID:1596

C:\Windows\system32\timeout.exe
timeout 1
4⤵
- Delays execution with timeout.exe
PID:1348

C:\Windows\system32\timeout.exe
timeout 8
4⤵
- Delays execution with timeout.exe
PID:1556

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-60CAT.tmp\edge.bat" install"
3⤵
PID:988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell.exe -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\is-60CAT.tmp\\edge.ps1
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallAllowlist" /v "1" /t REG_SZ /d pejhfhcoekcajgokallhmklcjkkeemgj /f
4⤵
PID:1768

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Edge\Extensions\pejhfhcoekcajgokallhmklcjkkeemgj" /v "path" /t REG_SZ /d C:\\apps.crx /f
4⤵
PID:1968

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Edge\Extensions\pejhfhcoekcajgokallhmklcjkkeemgj" /v "version" /t REG_SZ /d 2.0 /f
4⤵
PID:1572

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Edge\ExtensionInstallAllowlist" /v "1" /t REG_SZ /d pejhfhcoekcajgokallhmklcjkkeemgj /f
4⤵
PID:956

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\WOW6432Node\Microsoft\Edge\Extensions\pejhfhcoekcajgokallhmklcjkkeemgj" /v "path" /t REG_SZ /d C:\\apps.crx /f
4⤵
PID:936

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\WOW6432Node\Microsoft\Edge\Extensions\pejhfhcoekcajgokallhmklcjkkeemgj" /v "version" /t REG_SZ /d 2.0 /f
4⤵
PID:1656

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-60CAT.tmp\chrome.bat
Filesize
2KB

MD5
b76dfde6bb451b8655962bcb63215b67

SHA1
dbb3facda3b8452b35e4a27e7340fe55f9b0edca

SHA256
8afdc4e4099aaac78ee811fe431450adc3a4408bf15f16e11a2c50981a041d51

SHA512
95dc213104ba69ceac3acac56813d890221707ae511cec1ef16acc8b15714f8559e4ce4c4a45933950770fc1ae50f7edc9ffe44c1a816dde3918867dd1633e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-60CAT.tmp\chrome.ps1
Filesize
27B

MD5
c774ee6f456444fcadd09dc5e27a501b

SHA1
3b49a20623ff5968b24dac1bcd1a57125e111341

SHA256
d3477d17f918bc82462191dee88fe57f25d19173a8361d94580e2dfae3b503df

SHA512
a2b8f0ce3dd8b3c9d7e1bd468953eb4a03f0f11511cf65531497056d7ad9a8134d628cf1e1a5e2baafbe05a1a47ffa4673d1fcdc915e7aa9e7da12de4644674d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-60CAT.tmp\edge.bat
Filesize
2KB

MD5
3418ff01a8b23938233683deecd6775b

SHA1
ed1e0e9646b92ffc43a1912bc0230824f1849627

SHA256
387c4db484e9f089d92c8042482015b81eda67da9dc0a87fb49fef8f05b38171

SHA512
4ce6a531f0d9087e53ed3cf2c899f4ba48d0bd2bbee7439a03146218293e78cfab9d3c1fdee4122fe960a003717e81045d91e3d985c6c0b25d86f7e117ae8666

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-60CAT.tmp\edge.ps1
Filesize
27B

MD5
c2325eb340fbf3ac139dad081449f643

SHA1
51f767c9d7c8b823983932e0c6821fa94b6791d4

SHA256
1fbcca088a4e94dd4bcf72c74051c621185b9c12397d927cc63452399f4ed8b3

SHA512
e68bcdcba878e35804c164437ea07d42228adc60f7d3e5e046d56009965282119e691a2398f09749e11c457055f2aeb9e87c4157553358e957ea26f5baf9ef6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7MJPB.tmp\ChromSetup.tmp
Filesize
3.0MB

MD5
104684b539640daef74e717e02abcf98

SHA1
3dbe093bbe92ab27c23610795358a763eab1b11b

SHA256
c46d28f68af133e26dcb5f60564e4e31896c7917b68baf5d0c11fc2dd5bad7f3

SHA512
3eaa956d34ec3d98fcb9cb28a08d8832314140f0ac9f7e3266a75831ea7e99041090fd98ff69a221ce8a0a5615767b34cd3555c182d069e3a1bbd02e1a5e54c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
783a4fbd78c7681544fc33a2aeea4977

SHA1
97eb8cdd6a6a28e8379b6c33610226748f9e730e

SHA256
db669a820bc9885aea471d08b3ce1aa23c807ec62be8b980d43d24b75d445dcf

SHA512
aaf3bdd986db29276a6c4c3ba7103f22b04ebd1245fb93a65a19b316b0b67731963ea3b013a94a8cbb35fb1a49a80de90db0e8e4cc8e8bc93562e7ee244996c5

Download Submit
C:\apps-helper\manifest.json
Filesize
219B

MD5
8cb0aca2b1457ccdffe28f9843bed9f5

SHA1
dcff694b3f2eac4bca4a6b96f32026d1cad9fb83

SHA256
15db2b5b55e74489dd4ad623328fbc10022bde652c6099dd07d93f6263663c62

SHA512
07e99c3684c9952d1cd9ad42ba147b934023392b1abd2fd688c585505c197fef9eaa5804f6413d9be8217f6c66cfd3f09e05d1ace57230380c0f9b4ad333e670

Download Submit
C:\apps-helper\service.js
Filesize
164B

MD5
637b35d87a311e04cd5cd8784f86e0b4

SHA1
1002135b3306d7f5c7dcf37afe7e0d536cc3e642

SHA256
f5cec8e00eda7960d48299c44d4196f9de3a7907c68913585b656759eba82bfc

SHA512
990fbf0b42e561af98c481646df327b5a693d327c08c3cb6bf5484e6a446b7844167988bf4aa74c92efb277b05536583bdea0703f7158a8b35405098e53b224b

Download Submit
C:\apps.crx
Filesize
11KB

MD5
a39854068da130881de76784fac06c01

SHA1
5b773675fbc657d45e30f13374f1de3035387bcc

SHA256
d5321219eec9e67e011da28fed0675ddb2727eb2e2a22215b6cb1d6ec19c9e07

SHA512
968e84c7dedc997da3e09ca340f88950663f69f6e69b832ce12e1eff388f2b4ede406b33b805dbccb5ef2376116a118565b06ca2a472cfa5e0046d66eae5c539

Download Submit
\??\pipe\crashpad_1508_NMSITQANJPJNEHNE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\is-60CAT.tmp\64.exe
Filesize
75.6MB

MD5
50ef0aa32cae622ac1956f7816db39c7

SHA1
daf36ccde7487d40e71a4d7c779341ad971a240a

SHA256
2238baf7ede60dbf557c4d7757c2f0dc968f079ad021e1413046e9fc810c3542

SHA512
7b492c47545cfb94346177e660b4f6f08fd289bdaf6a0da4c9accb45b6172490d8b3bf965726d9f1ddfcb44229c3a9b317bcdae275bab7bfda9e621f48071307

Download Submit
\Users\Admin\AppData\Local\Temp\is-60CAT.tmp\64.exe
Filesize
75.6MB

MD5
50ef0aa32cae622ac1956f7816db39c7

SHA1
daf36ccde7487d40e71a4d7c779341ad971a240a

SHA256
2238baf7ede60dbf557c4d7757c2f0dc968f079ad021e1413046e9fc810c3542

SHA512
7b492c47545cfb94346177e660b4f6f08fd289bdaf6a0da4c9accb45b6172490d8b3bf965726d9f1ddfcb44229c3a9b317bcdae275bab7bfda9e621f48071307

Download Submit
\Users\Admin\AppData\Local\Temp\is-60CAT.tmp\64.exe
Filesize
75.6MB

MD5
50ef0aa32cae622ac1956f7816db39c7

SHA1
daf36ccde7487d40e71a4d7c779341ad971a240a

SHA256
2238baf7ede60dbf557c4d7757c2f0dc968f079ad021e1413046e9fc810c3542

SHA512
7b492c47545cfb94346177e660b4f6f08fd289bdaf6a0da4c9accb45b6172490d8b3bf965726d9f1ddfcb44229c3a9b317bcdae275bab7bfda9e621f48071307

Download Submit
\Users\Admin\AppData\Local\Temp\is-60CAT.tmp\64.exe
Filesize
75.6MB

MD5
50ef0aa32cae622ac1956f7816db39c7

SHA1
daf36ccde7487d40e71a4d7c779341ad971a240a

SHA256
2238baf7ede60dbf557c4d7757c2f0dc968f079ad021e1413046e9fc810c3542

SHA512
7b492c47545cfb94346177e660b4f6f08fd289bdaf6a0da4c9accb45b6172490d8b3bf965726d9f1ddfcb44229c3a9b317bcdae275bab7bfda9e621f48071307

Download Submit
\Users\Admin\AppData\Local\Temp\is-7MJPB.tmp\ChromSetup.tmp
Filesize
3.0MB

MD5
104684b539640daef74e717e02abcf98

SHA1
3dbe093bbe92ab27c23610795358a763eab1b11b

SHA256
c46d28f68af133e26dcb5f60564e4e31896c7917b68baf5d0c11fc2dd5bad7f3

SHA512
3eaa956d34ec3d98fcb9cb28a08d8832314140f0ac9f7e3266a75831ea7e99041090fd98ff69a221ce8a0a5615767b34cd3555c182d069e3a1bbd02e1a5e54c1

Download Submit
memory/276-63-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/276-54-0x00000000753C1000-0x00000000753C3000-memory.dmp

Filesize
8KB

Download
memory/276-58-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/276-55-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/284-83-0x0000000000000000-mapping.dmp

Download
memory/288-79-0x0000000000000000-mapping.dmp

Download
memory/304-82-0x0000000000000000-mapping.dmp

Download
memory/524-70-0x0000000000000000-mapping.dmp

Download
memory/524-74-0x0000000002270000-0x00000000022F0000-memory.dmp

Filesize
512KB

Download
memory/524-71-0x000007FEFBA01000-0x000007FEFBA03000-memory.dmp

Filesize
8KB

Download
memory/524-72-0x000007FEF3FB0000-0x000007FEF49D3000-memory.dmp

Filesize
10.1MB

Download
memory/524-76-0x0000000002270000-0x00000000022F0000-memory.dmp

Filesize
512KB

Download
memory/524-75-0x000000001B750000-0x000000001BA4F000-memory.dmp

Filesize
3.0MB

Download
memory/524-73-0x000007FEF3450000-0x000007FEF3FAD000-memory.dmp

Filesize
11.4MB

Download
memory/872-84-0x0000000000000000-mapping.dmp

Download
memory/900-68-0x0000000000000000-mapping.dmp

Download
memory/932-78-0x0000000000000000-mapping.dmp

Download
memory/936-112-0x0000000000000000-mapping.dmp

Download
memory/956-111-0x0000000000000000-mapping.dmp

Download
memory/988-96-0x0000000000000000-mapping.dmp

Download
memory/1300-88-0x0000000000000000-mapping.dmp

Download
memory/1348-93-0x0000000000000000-mapping.dmp

Download
memory/1468-86-0x0000000000000000-mapping.dmp

Download
memory/1556-95-0x0000000000000000-mapping.dmp

Download
memory/1572-110-0x0000000000000000-mapping.dmp

Download
memory/1596-89-0x0000000000000000-mapping.dmp

Download
memory/1656-113-0x0000000000000000-mapping.dmp

Download
memory/1684-87-0x0000000000000000-mapping.dmp

Download
memory/1752-85-0x0000000000000000-mapping.dmp

Download
memory/1768-108-0x0000000000000000-mapping.dmp

Download
memory/1824-81-0x0000000000000000-mapping.dmp

Download
memory/1896-80-0x0000000000000000-mapping.dmp

Download
memory/1912-106-0x00000000025D4000-0x00000000025D7000-memory.dmp

Filesize
12KB

Download
memory/1912-107-0x00000000025DB000-0x00000000025FA000-memory.dmp

Filesize
124KB

Download
memory/1912-104-0x000000001B6F0000-0x000000001B9EF000-memory.dmp

Filesize
3.0MB

Download
memory/1912-98-0x0000000000000000-mapping.dmp

Download
memory/1912-103-0x00000000025D4000-0x00000000025D7000-memory.dmp

Filesize
12KB

Download
memory/1912-102-0x000007FEF2130000-0x000007FEF2C8D000-memory.dmp

Filesize
11.4MB

Download
memory/1912-101-0x000007FEF2D50000-0x000007FEF3773000-memory.dmp

Filesize
10.1MB

Download
memory/1916-59-0x0000000000000000-mapping.dmp

Download
memory/1916-62-0x0000000074281000-0x0000000074283000-memory.dmp

Filesize
8KB

Download
memory/1968-109-0x0000000000000000-mapping.dmp

Download