aurora | eb94f26dac1f7c898651fbb8e301bbff8633614a561359ac7bca7a58e358ac58

General

Target

Setup.exe
Size

10.4MB
MD5

3a074786e039c85614cef159998f0b6a
SHA1

1d84450186359d35ce582aefce6fe72c5995737d
SHA256

eb94f26dac1f7c898651fbb8e301bbff8633614a561359ac7bca7a58e358ac58
SHA512

470e9036ac1754d9406063999649c490a4d99002723f2e9734b7eece694c0ff5b8a3898cc0f795a9a3519f817e4219a587a1700fbd0904b9fb62e26d724786d8
SSDEEP

24576:XnTBn2pOPmCliE/y0AB0CWB3a9OKHwVXXylBTSViHzcqjn3aMfIS/NDnE7kBy3z6:XTBn2pOeC//y0tC7gk+lKcTQcAz1

Score

10^/10

aurora spyware stealer

Malware Config

Extracted

Family

aurora

C2

94.142.138.18:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

Setup.exe

description pid process target process

PID 1208 set thread context of 1664 1208 Setup.exe Setup.exe

description	pid	process	target process
PID 1208 set thread context of 1664	1208	Setup.exe	Setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Setup.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Setup.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

chrome.exechrome.exe

pid process

568 chrome.exe
1676 chrome.exe
1676 chrome.exe

pid	process
568	chrome.exe
1676	chrome.exe
1676	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	520	wmic.exe
Token: SeSecurityPrivilege	520	wmic.exe
Token: SeTakeOwnershipPrivilege	520	wmic.exe
Token: SeLoadDriverPrivilege	520	wmic.exe
Token: SeSystemProfilePrivilege	520	wmic.exe
Token: SeSystemtimePrivilege	520	wmic.exe
Token: SeProfSingleProcessPrivilege	520	wmic.exe
Token: SeIncBasePriorityPrivilege	520	wmic.exe
Token: SeCreatePagefilePrivilege	520	wmic.exe
Token: SeBackupPrivilege	520	wmic.exe
Token: SeRestorePrivilege	520	wmic.exe
Token: SeShutdownPrivilege	520	wmic.exe
Token: SeDebugPrivilege	520	wmic.exe
Token: SeSystemEnvironmentPrivilege	520	wmic.exe
Token: SeRemoteShutdownPrivilege	520	wmic.exe
Token: SeUndockPrivilege	520	wmic.exe
Token: SeManageVolumePrivilege	520	wmic.exe
Token: 33	520	wmic.exe
Token: 34	520	wmic.exe
Token: 35	520	wmic.exe
Token: SeIncreaseQuotaPrivilege	520	wmic.exe
Token: SeSecurityPrivilege	520	wmic.exe
Token: SeTakeOwnershipPrivilege	520	wmic.exe
Token: SeLoadDriverPrivilege	520	wmic.exe
Token: SeSystemProfilePrivilege	520	wmic.exe
Token: SeSystemtimePrivilege	520	wmic.exe
Token: SeProfSingleProcessPrivilege	520	wmic.exe
Token: SeIncBasePriorityPrivilege	520	wmic.exe
Token: SeCreatePagefilePrivilege	520	wmic.exe
Token: SeBackupPrivilege	520	wmic.exe
Token: SeRestorePrivilege	520	wmic.exe
Token: SeShutdownPrivilege	520	wmic.exe
Token: SeDebugPrivilege	520	wmic.exe
Token: SeSystemEnvironmentPrivilege	520	wmic.exe
Token: SeRemoteShutdownPrivilege	520	wmic.exe
Token: SeUndockPrivilege	520	wmic.exe
Token: SeManageVolumePrivilege	520	wmic.exe
Token: 33	520	wmic.exe
Token: 34	520	wmic.exe
Token: 35	520	wmic.exe
Token: SeIncreaseQuotaPrivilege	1212	WMIC.exe
Token: SeSecurityPrivilege	1212	WMIC.exe
Token: SeTakeOwnershipPrivilege	1212	WMIC.exe
Token: SeLoadDriverPrivilege	1212	WMIC.exe
Token: SeSystemProfilePrivilege	1212	WMIC.exe
Token: SeSystemtimePrivilege	1212	WMIC.exe
Token: SeProfSingleProcessPrivilege	1212	WMIC.exe
Token: SeIncBasePriorityPrivilege	1212	WMIC.exe
Token: SeCreatePagefilePrivilege	1212	WMIC.exe
Token: SeBackupPrivilege	1212	WMIC.exe
Token: SeRestorePrivilege	1212	WMIC.exe
Token: SeShutdownPrivilege	1212	WMIC.exe
Token: SeDebugPrivilege	1212	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1212	WMIC.exe
Token: SeRemoteShutdownPrivilege	1212	WMIC.exe
Token: SeUndockPrivilege	1212	WMIC.exe
Token: SeManageVolumePrivilege	1212	WMIC.exe
Token: 33	1212	WMIC.exe
Token: 34	1212	WMIC.exe
Token: 35	1212	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1212	WMIC.exe
Token: SeSecurityPrivilege	1212	WMIC.exe
Token: SeTakeOwnershipPrivilege	1212	WMIC.exe
Token: SeLoadDriverPrivilege	1212	WMIC.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

chrome.exe

pid	process
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Setup.exeSetup.execmd.execmd.exechrome.exe

description	pid	process	target process
PID 1208 wrote to memory of 1664	1208	Setup.exe	Setup.exe
PID 1208 wrote to memory of 1664	1208	Setup.exe	Setup.exe
PID 1208 wrote to memory of 1664	1208	Setup.exe	Setup.exe
PID 1208 wrote to memory of 1664	1208	Setup.exe	Setup.exe
PID 1208 wrote to memory of 1664	1208	Setup.exe	Setup.exe
PID 1208 wrote to memory of 1664	1208	Setup.exe	Setup.exe
PID 1208 wrote to memory of 1664	1208	Setup.exe	Setup.exe
PID 1208 wrote to memory of 1664	1208	Setup.exe	Setup.exe
PID 1208 wrote to memory of 1664	1208	Setup.exe	Setup.exe
PID 1208 wrote to memory of 1664	1208	Setup.exe	Setup.exe
PID 1208 wrote to memory of 1664	1208	Setup.exe	Setup.exe
PID 1664 wrote to memory of 520	1664	Setup.exe	wmic.exe
PID 1664 wrote to memory of 520	1664	Setup.exe	wmic.exe
PID 1664 wrote to memory of 520	1664	Setup.exe	wmic.exe
PID 1664 wrote to memory of 1040	1664	Setup.exe	cmd.exe
PID 1664 wrote to memory of 1040	1664	Setup.exe	cmd.exe
PID 1664 wrote to memory of 1040	1664	Setup.exe	cmd.exe
PID 1040 wrote to memory of 1212	1040	cmd.exe	WMIC.exe
PID 1040 wrote to memory of 1212	1040	cmd.exe	WMIC.exe
PID 1040 wrote to memory of 1212	1040	cmd.exe	WMIC.exe
PID 1664 wrote to memory of 1964	1664	Setup.exe	cmd.exe
PID 1664 wrote to memory of 1964	1664	Setup.exe	cmd.exe
PID 1664 wrote to memory of 1964	1664	Setup.exe	cmd.exe
PID 1964 wrote to memory of 1748	1964	cmd.exe	WMIC.exe
PID 1964 wrote to memory of 1748	1964	cmd.exe	WMIC.exe
PID 1964 wrote to memory of 1748	1964	cmd.exe	WMIC.exe
PID 1676 wrote to memory of 1328	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 1328	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 1328	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 588	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 588	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 588	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 588	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 588	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 588	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 588	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 588	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 588	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 588	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 588	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 588	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 588	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 588	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 588	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 588	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 588	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 588	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 588	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 588	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 588	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 588	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 588	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 588	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 588	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 588	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 588	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 588	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 588	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 588	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 588	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 588	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 588	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 588	1676	chrome.exe	chrome.exe
PID 1676 wrote to memory of 588	1676	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1208

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
2⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\System32\Wbem\wmic.exe
wmic os get Caption
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:520

C:\Windows\system32\cmd.exe
cmd /C "wmic path win32_VideoController get name"
3⤵
- Suspicious use of WriteProcessMemory
PID:1040

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1212

C:\Windows\system32\cmd.exe
cmd /C "wmic cpu get name"
3⤵
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get name
4⤵
PID:1748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6974f50,0x7fef6974f60,0x7fef6974f70
2⤵
PID:1328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1108,14397594332304326321,16949529068727318225,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1120 /prefetch:2
2⤵
PID:588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1108,14397594332304326321,16949529068727318225,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1264 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1108,14397594332304326321,16949529068727318225,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1784 /prefetch:8
2⤵
PID:592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,14397594332304326321,16949529068727318225,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2036 /prefetch:1
2⤵
PID:1104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,14397594332304326321,16949529068727318225,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2112 /prefetch:1
2⤵
PID:1040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,14397594332304326321,16949529068727318225,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
2⤵
PID:916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1108,14397594332304326321,16949529068727318225,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3272 /prefetch:2
2⤵
PID:1784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,14397594332304326321,16949529068727318225,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
2⤵
PID:1496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,14397594332304326321,16949529068727318225,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3516 /prefetch:8
2⤵
PID:1936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,14397594332304326321,16949529068727318225,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3616 /prefetch:8
2⤵
PID:2040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,14397594332304326321,16949529068727318225,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3684 /prefetch:8
2⤵
PID:1780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,14397594332304326321,16949529068727318225,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3696 /prefetch:8
2⤵
PID:1952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,14397594332304326321,16949529068727318225,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3572 /prefetch:8
2⤵
PID:832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,14397594332304326321,16949529068727318225,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3616 /prefetch:8
2⤵
PID:1936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,14397594332304326321,16949529068727318225,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3704 /prefetch:8
2⤵
PID:784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,14397594332304326321,16949529068727318225,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3884 /prefetch:8
2⤵
PID:2056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,14397594332304326321,16949529068727318225,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4052 /prefetch:8
2⤵
PID:2064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,14397594332304326321,16949529068727318225,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:1
2⤵
PID:2248

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\pipe\crashpad_1676_LVJAMNVBFQUKIXKK
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/520-70-0x0000000000000000-mapping.dmp

Download
memory/1040-71-0x0000000000000000-mapping.dmp

Download
memory/1212-72-0x0000000000000000-mapping.dmp

Download
memory/1664-61-0x0000000000400000-0x00000000008D8000-memory.dmp

Filesize
4.8MB

Download
memory/1664-54-0x0000000000400000-0x00000000008D8000-memory.dmp

Filesize
4.8MB

Download
memory/1664-64-0x0000000000400000-0x00000000008D8000-memory.dmp

Filesize
4.8MB

Download
memory/1664-65-0x0000000000400000-0x00000000008D8000-memory.dmp

Filesize
4.8MB

Download
memory/1664-66-0x0000000000465EA0-mapping.dmp

Download
memory/1664-68-0x0000000000400000-0x00000000008D8000-memory.dmp

Filesize
4.8MB

Download
memory/1664-69-0x0000000000400000-0x00000000008D8000-memory.dmp

Filesize
4.8MB

Download
memory/1664-62-0x0000000000400000-0x00000000008D8000-memory.dmp

Filesize
4.8MB

Download
memory/1664-59-0x0000000000400000-0x00000000008D8000-memory.dmp

Filesize
4.8MB

Download
memory/1664-57-0x0000000000400000-0x00000000008D8000-memory.dmp

Filesize
4.8MB

Download
memory/1664-55-0x0000000000400000-0x00000000008D8000-memory.dmp

Filesize
4.8MB

Download
memory/1664-75-0x0000000000400000-0x00000000008D8000-memory.dmp

Filesize
4.8MB

Download
memory/1748-74-0x0000000000000000-mapping.dmp

Download
memory/1964-73-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads