Analysis
-
max time kernel
158s -
max time network
174s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
25-11-2022 20:22
General
-
Target
ChromSetup.exe
-
Size
1.6MB
-
MD5
5fa5cb39bf102d13ff7d2f3e62b8405f
-
SHA1
a1574604b05fcec794a0a718108daad1c852b2e0
-
SHA256
766b6899cf34e1b56e01a6c9e00842f3855febb8fb2148a3f542c57c40038367
-
SHA512
f02864a53368052225c334c30ea2c17a78218484fae88c1122053c99d2fa0147ebe42be20d662ba344a8b40851744f4c0527c6174f33eafd9d0a93665655f7ac
-
SSDEEP
24576:s7FUDowAyrTVE3U5FRQBx6/pBh2FQ7iiqW4OzV5wf:sBuZrEUaoB0FQOxWXe
Score
8/10
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Delays execution with timeout.exe 22 IoCs
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 8 IoCs
-
Suspicious use of SendNotifyMessage 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ChromSetup.exe"C:\Users\Admin\AppData\Local\Temp\ChromSetup.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-0NTAG.tmp\ChromSetup.tmp"C:\Users\Admin\AppData\Local\Temp\is-0NTAG.tmp\ChromSetup.tmp" /SL5="$3002E,799144,786944,C:\Users\Admin\AppData\Local\Temp\ChromSetup.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-CVEDA.tmp\chrome.bat" install"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\is-CVEDA.tmp\\chrome.ps14⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallAllowlist" /v "1" /t REG_SZ /d pejhfhcoekcajgokallhmklcjkkeemgj /f4⤵
-
C:\Windows\system32\reg.exeREG ADD "HKLM\SOFTWARE\Google\Chrome\Extensions\pejhfhcoekcajgokallhmklcjkkeemgj" /v "path" /t REG_SZ /d C:\\apps.crx /f4⤵
-
C:\Windows\system32\reg.exeREG ADD "HKLM\SOFTWARE\Google\Chrome\Extensions\pejhfhcoekcajgokallhmklcjkkeemgj" /v "version" /t REG_SZ /d 2.0 /f4⤵
-
C:\Windows\system32\reg.exeREG ADD "HKLM\SOFTWARE\WOW6432Node\Policies\Google\Chrome\ExtensionInstallAllowlist" /v "1" /t REG_SZ /d pejhfhcoekcajgokallhmklcjkkeemgj /f4⤵
-
C:\Windows\system32\reg.exeREG ADD "HKLM\SOFTWARE\WOW6432Node\Google\Chrome\Extensions\pejhfhcoekcajgokallhmklcjkkeemgj" /v "path" /t REG_SZ /d C:\\apps.crx /f4⤵
-
C:\Windows\system32\reg.exeREG ADD "HKLM\SOFTWARE\WOW6432Node\Google\Chrome\Extensions\pejhfhcoekcajgokallhmklcjkkeemgj" /v "version" /t REG_SZ /d 2.0 /f4⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --load-extension="C:\apps-helper" --no-startup-window4⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffea7104f50,0x7ffea7104f60,0x7ffea7104f705⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1592,11623432063593246356,1472218929655299713,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1696 /prefetch:25⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1592,11623432063593246356,1472218929655299713,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2028 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1592,11623432063593246356,1472218929655299713,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2324 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,11623432063593246356,1472218929655299713,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2952 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,11623432063593246356,1472218929655299713,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2956 /prefetch:15⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,11623432063593246356,1472218929655299713,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2960 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,11623432063593246356,1472218929655299713,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3088 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,11623432063593246356,1472218929655299713,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2964 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,11623432063593246356,1472218929655299713,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3548 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,11623432063593246356,1472218929655299713,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3876 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,11623432063593246356,1472218929655299713,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4232 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1592,11623432063593246356,1472218929655299713,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4380 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,11623432063593246356,1472218929655299713,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4440 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1592,11623432063593246356,1472218929655299713,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4228 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,11623432063593246356,1472218929655299713,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4220 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,11623432063593246356,1472218929655299713,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4488 /prefetch:15⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1592,11623432063593246356,1472218929655299713,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4476 /prefetch:15⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1592,11623432063593246356,1472218929655299713,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3276 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1592,11623432063593246356,1472218929655299713,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1592,11623432063593246356,1472218929655299713,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2804 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1592,11623432063593246356,1472218929655299713,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1592,11623432063593246356,1472218929655299713,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4264 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout 84⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-CVEDA.tmp\edge.bat" install"3⤵
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\is-CVEDA.tmp\\edge.ps14⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallAllowlist" /v "1" /t REG_SZ /d pejhfhcoekcajgokallhmklcjkkeemgj /f4⤵
-
C:\Windows\system32\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Edge\Extensions\pejhfhcoekcajgokallhmklcjkkeemgj" /v "path" /t REG_SZ /d C:\\apps.crx /f4⤵
-
C:\Windows\system32\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Edge\Extensions\pejhfhcoekcajgokallhmklcjkkeemgj" /v "version" /t REG_SZ /d 2.0 /f4⤵
-
C:\Windows\system32\reg.exeREG ADD "HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Edge\ExtensionInstallAllowlist" /v "1" /t REG_SZ /d pejhfhcoekcajgokallhmklcjkkeemgj /f4⤵
-
C:\Windows\system32\reg.exeREG ADD "HKLM\SOFTWARE\WOW6432Node\Microsoft\Edge\Extensions\pejhfhcoekcajgokallhmklcjkkeemgj" /v "path" /t REG_SZ /d C:\\apps.crx /f4⤵
-
C:\Windows\system32\reg.exeREG ADD "HKLM\SOFTWARE\WOW6432Node\Microsoft\Edge\Extensions\pejhfhcoekcajgokallhmklcjkkeemgj" /v "version" /t REG_SZ /d 2.0 /f4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory="Default" --load-extension="C:\apps-helper" --no-startup-window4⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffea47046f8,0x7ffea4704708,0x7ffea47047185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,11517199564152807735,15441435408555960945,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,11517199564152807735,15441435408555960945,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,11517199564152807735,15441435408555960945,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2168,11517199564152807735,15441435408555960945,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3276 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,11517199564152807735,15441435408555960945,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2168,11517199564152807735,15441435408555960945,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4468 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2168,11517199564152807735,15441435408555960945,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4660 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2168,11517199564152807735,15441435408555960945,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3440 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2168,11517199564152807735,15441435408555960945,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4976 /prefetch:85⤵
-
C:\Windows\system32\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout 14⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout 84⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\is-CVEDA.tmp\64.exe"C:\Users\Admin\AppData\Local\Temp\is-CVEDA.tmp\64.exe" --system-level3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\is-CVEDA.tmp\CR_420E7.tmp\setup.exe"C:\Users\Admin\AppData\Local\Temp\is-CVEDA.tmp\CR_420E7.tmp\setup.exe" --install-archive="C:\Users\Admin\AppData\Local\Temp\is-CVEDA.tmp\CR_420E7.tmp\CHROME.PACKED.7Z" --system-level4⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Users\Admin\AppData\Local\Temp\is-CVEDA.tmp\CR_420E7.tmp\setup.exeC:\Users\Admin\AppData\Local\Temp\is-CVEDA.tmp\CR_420E7.tmp\setup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --annotation=plat=Win64 --annotation=prod=Chromnius --annotation=ver=109.0.5386.0 --initial-client-data=0x25c,0x260,0x264,0x238,0x268,0x7ff747917f80,0x7ff747917f90,0x7ff747917fa05⤵
- Executes dropped EXE
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
103KB
MD55ee15ab2fa4e7fd52ffa2f70cfa33549
SHA1cffc0095a9a0756f73617f8af67d590f94d45503
SHA256a1e52c31bc5ce070a0b42a808a97dba548110b6a7f94c4a873d9e4f5d5e8982f
SHA51285e14497e36b9b28c1aecb4dc0715ec663c122d18d3e2e510e20ceb8468c8fabdb1c01878058340abea51a12219fd6accb3d120af250701e946b4ca4ab8487a8
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\CachesMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5b0a78e60bfb279d18fd3d6e7a67411f5
SHA19344fe3654a14bc66afb9dc6ea215fabfbe5c906
SHA256a28890c82033d3deaf5770ecd1b0239c77321acc93704b1d4b1e167b91e30aeb
SHA5129548be23bec645cd705482f78d43b63659e38cf879c34f7071f42fd86ee02039379a5e92fbe0f1c74c12aaebabdd8002f57eba111d3e855cbd0c89a110e346f2
-
C:\Users\Admin\AppData\Local\Temp\is-0NTAG.tmp\ChromSetup.tmpFilesize
3.0MB
MD5104684b539640daef74e717e02abcf98
SHA13dbe093bbe92ab27c23610795358a763eab1b11b
SHA256c46d28f68af133e26dcb5f60564e4e31896c7917b68baf5d0c11fc2dd5bad7f3
SHA5123eaa956d34ec3d98fcb9cb28a08d8832314140f0ac9f7e3266a75831ea7e99041090fd98ff69a221ce8a0a5615767b34cd3555c182d069e3a1bbd02e1a5e54c1
-
C:\Users\Admin\AppData\Local\Temp\is-CVEDA.tmp\64.exeFilesize
75.6MB
MD550ef0aa32cae622ac1956f7816db39c7
SHA1daf36ccde7487d40e71a4d7c779341ad971a240a
SHA2562238baf7ede60dbf557c4d7757c2f0dc968f079ad021e1413046e9fc810c3542
SHA5127b492c47545cfb94346177e660b4f6f08fd289bdaf6a0da4c9accb45b6172490d8b3bf965726d9f1ddfcb44229c3a9b317bcdae275bab7bfda9e621f48071307
-
C:\Users\Admin\AppData\Local\Temp\is-CVEDA.tmp\CR_420E7.tmp\CHROME.PACKED.7ZFilesize
74.4MB
MD5b23ccdd2d36df5c8fefcc4cc447f9e9a
SHA18bf9c4020016e9c7fbcd98d4c97cccf23db19798
SHA2565bdae0113c0030ad7357005ff95e4d5261886651152033a1b01072296591f696
SHA512c94238f290f21d3cb44f7c375010fe86657acd30fcd7e47c0ff13fb9941d3ea0379e45c51450cb928ba30a8974d77eb1ab3ad84536e77d170d1f536b1e8a0b59
-
C:\Users\Admin\AppData\Local\Temp\is-CVEDA.tmp\CR_420E7.tmp\setup.exeFilesize
2.5MB
MD5a61e5238fb82a089c1700e48c0aa59e3
SHA148d7e43345684a33cc9edaaf1fb1e79d86a9717b
SHA256e6cebddefb658bf4e291089bbed5c62c225453b6920865995025796524e350b8
SHA512cc910d4f1ca4f45a6c5361084ffc474b5eed4ccc8b1877d5702e4df061957e570a00d96847d77516072289712a8e268999f40b3b910f17a6aa2df69bcc4fe912
-
C:\Users\Admin\AppData\Local\Temp\is-CVEDA.tmp\CR_420E7.tmp\setup.exeFilesize
2.5MB
MD5a61e5238fb82a089c1700e48c0aa59e3
SHA148d7e43345684a33cc9edaaf1fb1e79d86a9717b
SHA256e6cebddefb658bf4e291089bbed5c62c225453b6920865995025796524e350b8
SHA512cc910d4f1ca4f45a6c5361084ffc474b5eed4ccc8b1877d5702e4df061957e570a00d96847d77516072289712a8e268999f40b3b910f17a6aa2df69bcc4fe912
-
C:\Users\Admin\AppData\Local\Temp\is-CVEDA.tmp\chrome.batFilesize
2KB
MD5b76dfde6bb451b8655962bcb63215b67
SHA1dbb3facda3b8452b35e4a27e7340fe55f9b0edca
SHA2568afdc4e4099aaac78ee811fe431450adc3a4408bf15f16e11a2c50981a041d51
SHA51295dc213104ba69ceac3acac56813d890221707ae511cec1ef16acc8b15714f8559e4ce4c4a45933950770fc1ae50f7edc9ffe44c1a816dde3918867dd1633e37
-
C:\Users\Admin\AppData\Local\Temp\is-CVEDA.tmp\chrome.ps1Filesize
27B
MD5c774ee6f456444fcadd09dc5e27a501b
SHA13b49a20623ff5968b24dac1bcd1a57125e111341
SHA256d3477d17f918bc82462191dee88fe57f25d19173a8361d94580e2dfae3b503df
SHA512a2b8f0ce3dd8b3c9d7e1bd468953eb4a03f0f11511cf65531497056d7ad9a8134d628cf1e1a5e2baafbe05a1a47ffa4673d1fcdc915e7aa9e7da12de4644674d
-
C:\Users\Admin\AppData\Local\Temp\is-CVEDA.tmp\edge.batFilesize
2KB
MD53418ff01a8b23938233683deecd6775b
SHA1ed1e0e9646b92ffc43a1912bc0230824f1849627
SHA256387c4db484e9f089d92c8042482015b81eda67da9dc0a87fb49fef8f05b38171
SHA5124ce6a531f0d9087e53ed3cf2c899f4ba48d0bd2bbee7439a03146218293e78cfab9d3c1fdee4122fe960a003717e81045d91e3d985c6c0b25d86f7e117ae8666
-
C:\Users\Admin\AppData\Local\Temp\is-CVEDA.tmp\edge.ps1Filesize
27B
MD5c2325eb340fbf3ac139dad081449f643
SHA151f767c9d7c8b823983932e0c6821fa94b6791d4
SHA2561fbcca088a4e94dd4bcf72c74051c621185b9c12397d927cc63452399f4ed8b3
SHA512e68bcdcba878e35804c164437ea07d42228adc60f7d3e5e046d56009965282119e691a2398f09749e11c457055f2aeb9e87c4157553358e957ea26f5baf9ef6f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnkFilesize
2KB
MD5735537a1bfeb4ac2e622bac362c39005
SHA1b08b6079cc6db5e20acba6f5b2e5bf23e5e13df0
SHA2561f3e5d283878969e2662c252ce0d909eae8d2bc2742cc5ea5f44b984091232c6
SHA5120b35b52e38f64744573e61e0fd2d9faa5892c37b2cbf25497d71f85a4f686c2c58be9fd800f5d7fad44e33bc5390aec9260e16494b21b12547e8400a834004aa
-
C:\apps-helper\manifest.jsonFilesize
219B
MD58cb0aca2b1457ccdffe28f9843bed9f5
SHA1dcff694b3f2eac4bca4a6b96f32026d1cad9fb83
SHA25615db2b5b55e74489dd4ad623328fbc10022bde652c6099dd07d93f6263663c62
SHA51207e99c3684c9952d1cd9ad42ba147b934023392b1abd2fd688c585505c197fef9eaa5804f6413d9be8217f6c66cfd3f09e05d1ace57230380c0f9b4ad333e670
-
C:\apps-helper\service.jsFilesize
164B
MD5637b35d87a311e04cd5cd8784f86e0b4
SHA11002135b3306d7f5c7dcf37afe7e0d536cc3e642
SHA256f5cec8e00eda7960d48299c44d4196f9de3a7907c68913585b656759eba82bfc
SHA512990fbf0b42e561af98c481646df327b5a693d327c08c3cb6bf5484e6a446b7844167988bf4aa74c92efb277b05536583bdea0703f7158a8b35405098e53b224b
-
C:\apps.crxFilesize
11KB
MD5a39854068da130881de76784fac06c01
SHA15b773675fbc657d45e30f13374f1de3035387bcc
SHA256d5321219eec9e67e011da28fed0675ddb2727eb2e2a22215b6cb1d6ec19c9e07
SHA512968e84c7dedc997da3e09ca340f88950663f69f6e69b832ce12e1eff388f2b4ede406b33b805dbccb5ef2376116a118565b06ca2a472cfa5e0046d66eae5c539
-
\??\pipe\LOCAL\crashpad_4512_XOSYOGOTGGICDXQMMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\crashpad_4736_LTRKOLVTEDTFEDREMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/32-145-0x0000000000000000-mapping.dmp
-
memory/176-202-0x0000000000000000-mapping.dmp
-
memory/208-146-0x0000000000000000-mapping.dmp
-
memory/228-175-0x0000000000000000-mapping.dmp
-
memory/268-204-0x0000000000000000-mapping.dmp
-
memory/368-143-0x00007FFEA5B80000-0x00007FFEA6641000-memory.dmpFilesize
10.8MB
-
memory/368-141-0x000001BD74C50000-0x000001BD74C72000-memory.dmpFilesize
136KB
-
memory/368-140-0x0000000000000000-mapping.dmp
-
memory/408-149-0x0000000000000000-mapping.dmp
-
memory/532-182-0x0000000000000000-mapping.dmp
-
memory/536-214-0x0000000000000000-mapping.dmp
-
memory/728-134-0x0000000000000000-mapping.dmp
-
memory/1040-169-0x0000000000000000-mapping.dmp
-
memory/1128-178-0x0000000000000000-mapping.dmp
-
memory/1136-188-0x0000000000000000-mapping.dmp
-
memory/1176-156-0x0000000000000000-mapping.dmp
-
memory/1276-165-0x00007FFEA3C60000-0x00007FFEA4721000-memory.dmpFilesize
10.8MB
-
memory/1276-161-0x0000000000000000-mapping.dmp
-
memory/1332-210-0x0000000000000000-mapping.dmp
-
memory/1584-192-0x0000000000000000-mapping.dmp
-
memory/1984-199-0x0000000000000000-mapping.dmp
-
memory/2052-171-0x0000000000000000-mapping.dmp
-
memory/2148-166-0x0000000000000000-mapping.dmp
-
memory/2288-212-0x0000000000000000-mapping.dmp
-
memory/2356-186-0x0000000000000000-mapping.dmp
-
memory/2720-209-0x0000000000000000-mapping.dmp
-
memory/2968-181-0x0000000000000000-mapping.dmp
-
memory/2976-187-0x0000000000000000-mapping.dmp
-
memory/2980-196-0x0000000000000000-mapping.dmp
-
memory/3116-206-0x0000000000000000-mapping.dmp
-
memory/3116-177-0x0000000000000000-mapping.dmp
-
memory/3360-174-0x0000000000000000-mapping.dmp
-
memory/3388-144-0x0000000000000000-mapping.dmp
-
memory/3432-189-0x0000000000000000-mapping.dmp
-
memory/3520-184-0x0000000000000000-mapping.dmp
-
memory/3572-159-0x0000000000000000-mapping.dmp
-
memory/3584-173-0x0000000000000000-mapping.dmp
-
memory/3592-153-0x0000000000000000-mapping.dmp
-
memory/3924-168-0x0000000000000000-mapping.dmp
-
memory/3944-197-0x0000000000000000-mapping.dmp
-
memory/3960-158-0x0000000000000000-mapping.dmp
-
memory/4144-193-0x0000000000000000-mapping.dmp
-
memory/4244-151-0x0000000000000000-mapping.dmp
-
memory/4244-180-0x0000000000000000-mapping.dmp
-
memory/4444-137-0x0000000000400000-0x00000000004CD000-memory.dmpFilesize
820KB
-
memory/4444-136-0x0000000000400000-0x00000000004CD000-memory.dmpFilesize
820KB
-
memory/4444-132-0x0000000000400000-0x00000000004CD000-memory.dmpFilesize
820KB
-
memory/4496-138-0x0000000000000000-mapping.dmp
-
memory/4512-172-0x0000000000000000-mapping.dmp
-
memory/4664-179-0x0000000000000000-mapping.dmp
-
memory/4700-148-0x0000000000000000-mapping.dmp
-
memory/4720-208-0x0000000000000000-mapping.dmp
-
memory/4772-176-0x0000000000000000-mapping.dmp
-
memory/4808-183-0x0000000000000000-mapping.dmp
-
memory/4888-170-0x0000000000000000-mapping.dmp
-
memory/4956-150-0x0000000000000000-mapping.dmp
-
memory/4988-167-0x0000000000000000-mapping.dmp
-
memory/5000-147-0x0000000000000000-mapping.dmp
-
memory/5092-201-0x0000000000000000-mapping.dmp