002fe9ce401b6ba1332efd3752825b28d66e02e19508574e44c907744a2fcd4e

Analysis

max time kernel
71s
max time network
135s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
19-03-2023 02:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup (1).exe
Size

1.6MB
MD5

0f6a293b1e53a1d5bcb3167bff991945
SHA1

2c046fe82fa07a323e6b0fe1437cb9aba037024c
SHA256

002fe9ce401b6ba1332efd3752825b28d66e02e19508574e44c907744a2fcd4e
SHA512

67376884c39ab73941a96202a2546fac39c2cfb32493a5967db6221837f4415243c956ee61b182b53d1e68462e74aa7e90e6f76c39a0101f58c522764fbf3496
SSDEEP

24576:q7FUDowAyrTVE3U5FRQyA/pBh2FQ7iiqW4OzV5wv:qBuZrEUaRB0FQOxWXo

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

Setup (1).tmp64.exe

pid process

1692 Setup (1).tmp
2700 64.exe
Loads dropped DLL 6 IoCs

Processes:

Setup (1).exeSetup (1).tmp

pid process

2016 Setup (1).exe
1692 Setup (1).tmp
1692 Setup (1).tmp
1692 Setup (1).tmp
1692 Setup (1).tmp
1692 Setup (1).tmp
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

1900 timeout.exe
2660 timeout.exe

pid	process
1692	Setup (1).tmp
2700	64.exe

pid	process
2016	Setup (1).exe
1692	Setup (1).tmp
1692	Setup (1).tmp
1692	Setup (1).tmp
1692	Setup (1).tmp
1692	Setup (1).tmp

pid	process
1900	timeout.exe
2660	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Setup (1).tmppowershell.exepowershell.exe

pid process

1692 Setup (1).tmp
1692 Setup (1).tmp
276 powershell.exe
276 powershell.exe
2264 powershell.exe
2264 powershell.exe

pid	process
1692	Setup (1).tmp
1692	Setup (1).tmp
276	powershell.exe
276	powershell.exe
2264	powershell.exe
2264	powershell.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

powershell.exechrome.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	276	powershell.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe
Token: SeShutdownPrivilege	1736	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Setup (1).tmpchrome.exe

pid process

1692 Setup (1).tmp
1736 chrome.exe
1736 chrome.exe
1736 chrome.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

chrome.exe

pid process

1736 chrome.exe
1736 chrome.exe
1736 chrome.exe

pid	process
1692	Setup (1).tmp
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe

pid	process
1736	chrome.exe
1736	chrome.exe
1736	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Setup (1).exeSetup (1).tmpcmd.exechrome.exe

description	pid	process	target process
PID 2016 wrote to memory of 1692	2016	Setup (1).exe	Setup (1).tmp
PID 2016 wrote to memory of 1692	2016	Setup (1).exe	Setup (1).tmp
PID 2016 wrote to memory of 1692	2016	Setup (1).exe	Setup (1).tmp
PID 2016 wrote to memory of 1692	2016	Setup (1).exe	Setup (1).tmp
PID 2016 wrote to memory of 1692	2016	Setup (1).exe	Setup (1).tmp
PID 2016 wrote to memory of 1692	2016	Setup (1).exe	Setup (1).tmp
PID 2016 wrote to memory of 1692	2016	Setup (1).exe	Setup (1).tmp
PID 1692 wrote to memory of 1656	1692	Setup (1).tmp	cmd.exe
PID 1692 wrote to memory of 1656	1692	Setup (1).tmp	cmd.exe
PID 1692 wrote to memory of 1656	1692	Setup (1).tmp	cmd.exe
PID 1692 wrote to memory of 1656	1692	Setup (1).tmp	cmd.exe
PID 1656 wrote to memory of 276	1656	cmd.exe	powershell.exe
PID 1656 wrote to memory of 276	1656	cmd.exe	powershell.exe
PID 1656 wrote to memory of 276	1656	cmd.exe	powershell.exe
PID 1656 wrote to memory of 1948	1656	cmd.exe	reg.exe
PID 1656 wrote to memory of 1948	1656	cmd.exe	reg.exe
PID 1656 wrote to memory of 1948	1656	cmd.exe	reg.exe
PID 1656 wrote to memory of 1880	1656	cmd.exe	reg.exe
PID 1656 wrote to memory of 1880	1656	cmd.exe	reg.exe
PID 1656 wrote to memory of 1880	1656	cmd.exe	reg.exe
PID 1656 wrote to memory of 300	1656	cmd.exe	reg.exe
PID 1656 wrote to memory of 300	1656	cmd.exe	reg.exe
PID 1656 wrote to memory of 300	1656	cmd.exe	reg.exe
PID 1656 wrote to memory of 1708	1656	cmd.exe	reg.exe
PID 1656 wrote to memory of 1708	1656	cmd.exe	reg.exe
PID 1656 wrote to memory of 1708	1656	cmd.exe	reg.exe
PID 1656 wrote to memory of 1300	1656	cmd.exe	reg.exe
PID 1656 wrote to memory of 1300	1656	cmd.exe	reg.exe
PID 1656 wrote to memory of 1300	1656	cmd.exe	reg.exe
PID 1656 wrote to memory of 820	1656	cmd.exe	reg.exe
PID 1656 wrote to memory of 820	1656	cmd.exe	reg.exe
PID 1656 wrote to memory of 820	1656	cmd.exe	reg.exe
PID 1656 wrote to memory of 1736	1656	cmd.exe	chrome.exe
PID 1656 wrote to memory of 1736	1656	cmd.exe	chrome.exe
PID 1656 wrote to memory of 1736	1656	cmd.exe	chrome.exe
PID 1736 wrote to memory of 1748	1736	chrome.exe	chrome.exe
PID 1736 wrote to memory of 1748	1736	chrome.exe	chrome.exe
PID 1736 wrote to memory of 1748	1736	chrome.exe	chrome.exe
PID 1656 wrote to memory of 1900	1656	cmd.exe	timeout.exe
PID 1656 wrote to memory of 1900	1656	cmd.exe	timeout.exe
PID 1656 wrote to memory of 1900	1656	cmd.exe	timeout.exe
PID 1736 wrote to memory of 1916	1736	chrome.exe	chrome.exe
PID 1736 wrote to memory of 1916	1736	chrome.exe	chrome.exe
PID 1736 wrote to memory of 1916	1736	chrome.exe	chrome.exe
PID 1736 wrote to memory of 1916	1736	chrome.exe	chrome.exe
PID 1736 wrote to memory of 1916	1736	chrome.exe	chrome.exe
PID 1736 wrote to memory of 1916	1736	chrome.exe	chrome.exe
PID 1736 wrote to memory of 1916	1736	chrome.exe	chrome.exe
PID 1736 wrote to memory of 1916	1736	chrome.exe	chrome.exe
PID 1736 wrote to memory of 1916	1736	chrome.exe	chrome.exe
PID 1736 wrote to memory of 1916	1736	chrome.exe	chrome.exe
PID 1736 wrote to memory of 1916	1736	chrome.exe	chrome.exe
PID 1736 wrote to memory of 1916	1736	chrome.exe	chrome.exe
PID 1736 wrote to memory of 1916	1736	chrome.exe	chrome.exe
PID 1736 wrote to memory of 1916	1736	chrome.exe	chrome.exe
PID 1736 wrote to memory of 1916	1736	chrome.exe	chrome.exe
PID 1736 wrote to memory of 1916	1736	chrome.exe	chrome.exe
PID 1736 wrote to memory of 1916	1736	chrome.exe	chrome.exe
PID 1736 wrote to memory of 1916	1736	chrome.exe	chrome.exe
PID 1736 wrote to memory of 1916	1736	chrome.exe	chrome.exe
PID 1736 wrote to memory of 1916	1736	chrome.exe	chrome.exe
PID 1736 wrote to memory of 1916	1736	chrome.exe	chrome.exe
PID 1736 wrote to memory of 1916	1736	chrome.exe	chrome.exe
PID 1736 wrote to memory of 1916	1736	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\Setup (1).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (1).exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Local\Temp\is-ARFGP.tmp\Setup (1).tmp
"C:\Users\Admin\AppData\Local\Temp\is-ARFGP.tmp\Setup (1).tmp" /SL5="$70124,800077,786944,C:\Users\Admin\AppData\Local\Temp\Setup (1).exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-U0M3I.tmp\chrome.bat" install"
3⤵
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallAllowlist" /v "1" /t REG_SZ /d pejhfhcoekcajgokallhmklcjkkeemgj /f
4⤵
PID:1948

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Google\Chrome\Extensions\pejhfhcoekcajgokallhmklcjkkeemgj" /v "path" /t REG_SZ /d C:\\apps.crx /f
4⤵
PID:1880

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Google\Chrome\Extensions\pejhfhcoekcajgokallhmklcjkkeemgj" /v "version" /t REG_SZ /d 2.9 /f
4⤵
PID:300

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\WOW6432Node\Policies\Google\Chrome\ExtensionInstallAllowlist" /v "1" /t REG_SZ /d pejhfhcoekcajgokallhmklcjkkeemgj /f
4⤵
PID:1708

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\WOW6432Node\Google\Chrome\Extensions\pejhfhcoekcajgokallhmklcjkkeemgj" /v "path" /t REG_SZ /d C:\\apps.crx /f
4⤵
PID:1300

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\WOW6432Node\Google\Chrome\Extensions\pejhfhcoekcajgokallhmklcjkkeemgj" /v "version" /t REG_SZ /d 2.9 /f
4⤵
PID:820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --load-extension="C:\apps-helper" --no-startup-window
4⤵
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6719758,0x7fef6719768,0x7fef6719778
5⤵
PID:1748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1168 --field-trial-handle=1392,i,9397407627104050346,14347767586519781976,131072 /prefetch:2
5⤵
PID:1916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1376 --field-trial-handle=1392,i,9397407627104050346,14347767586519781976,131072 /prefetch:8
5⤵
PID:2036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1644 --field-trial-handle=1392,i,9397407627104050346,14347767586519781976,131072 /prefetch:8
5⤵
PID:324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2184 --field-trial-handle=1392,i,9397407627104050346,14347767586519781976,131072 /prefetch:8
5⤵
PID:1208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2464 --field-trial-handle=1392,i,9397407627104050346,14347767586519781976,131072 /prefetch:8
5⤵
PID:592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2624 --field-trial-handle=1392,i,9397407627104050346,14347767586519781976,131072 /prefetch:1
5⤵
PID:1496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2272 --field-trial-handle=1392,i,9397407627104050346,14347767586519781976,131072 /prefetch:8
5⤵
PID:1584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2524 --field-trial-handle=1392,i,9397407627104050346,14347767586519781976,131072 /prefetch:8
5⤵
PID:2072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1168 --field-trial-handle=1392,i,9397407627104050346,14347767586519781976,131072 /prefetch:2
5⤵
PID:2456

C:\Windows\system32\timeout.exe
timeout 8
4⤵
- Delays execution with timeout.exe
PID:1900

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-U0M3I.tmp\edge.bat" install"
3⤵
PID:2236

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell.exe -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\is-U0M3I.tmp\\edge.ps1
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2264

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallAllowlist" /v "1" /t REG_SZ /d pejhfhcoekcajgokallhmklcjkkeemgj /f
4⤵
PID:2348

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Edge\Extensions\pejhfhcoekcajgokallhmklcjkkeemgj" /v "path" /t REG_SZ /d C:\\apps.crx /f
4⤵
PID:2356

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Edge\Extensions\pejhfhcoekcajgokallhmklcjkkeemgj" /v "version" /t REG_SZ /d 2.9 /f
4⤵
PID:2364

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Edge\ExtensionInstallAllowlist" /v "1" /t REG_SZ /d pejhfhcoekcajgokallhmklcjkkeemgj /f
4⤵
PID:2372

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\WOW6432Node\Microsoft\Edge\Extensions\pejhfhcoekcajgokallhmklcjkkeemgj" /v "path" /t REG_SZ /d C:\\apps.crx /f
4⤵
PID:2380

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\WOW6432Node\Microsoft\Edge\Extensions\pejhfhcoekcajgokallhmklcjkkeemgj" /v "version" /t REG_SZ /d 2.9 /f
4⤵
PID:2388

C:\Windows\system32\timeout.exe
timeout 8
4⤵
- Delays execution with timeout.exe
PID:2660

C:\Users\Admin\AppData\Local\Temp\is-U0M3I.tmp\64.exe
"C:\Users\Admin\AppData\Local\Temp\is-U0M3I.tmp\64.exe" --system-level
3⤵
- Executes dropped EXE
PID:2700

C:\Users\Admin\AppData\Local\Temp\is-U0M3I.tmp\CR_94201.tmp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-U0M3I.tmp\CR_94201.tmp\setup.exe" --install-archive="C:\Users\Admin\AppData\Local\Temp\is-U0M3I.tmp\CR_94201.tmp\CHROME.PACKED.7Z" --system-level
4⤵
PID:2948

C:\Users\Admin\AppData\Local\Temp\is-U0M3I.tmp\CR_94201.tmp\setup.exe
C:\Users\Admin\AppData\Local\Temp\is-U0M3I.tmp\CR_94201.tmp\setup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --annotation=plat=Win64 --annotation=prod=Chromnius --annotation=ver=112.0.5567.0 --initial-client-data=0x12c,0x130,0x134,0x100,0x138,0x13f2e75b0,0x13f2e75c0,0x13f2e75d0
5⤵
PID:2976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell.exe -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\is-U0M3I.tmp\\chrome.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:276

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:616

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
863b891b8c98cfebcfc6267eecbab26b

SHA1
7e81bc0cc3b1ea54e7b5e499a7d8c153743cf605

SHA256
7d095e8e21aad603164ca654c7bcc486a233778a6c811a138631b5e4bbfed414

SHA512
18c2ff46e083134f1431cd9ae910c37f4678eb911800f287f86e0809e5dac45ecc9ecedf40d7710293f3730d3fd7cc60fadf7f9cc16db2db232e4b7f5dafbe83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
458edcca307b3157420937774a198f5e

SHA1
b5b049f5ec4a0887d7b72d2791dfb1b806dfe94d

SHA256
155b8353632589716ea50cbd24f5a2d61bc57014765a8d0e676662d261c9774a

SHA512
7fd2472f2ec8f74d1c1b7146c256f285ea343150b7327d5de732eebde7b3a2231a17adead23f0239310a0ea9ff6e8a927d3e6fd71fa6588157eb503b16b0de44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT~RF6c9b56.TMP
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000004.dbtmp
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ARFGP.tmp\Setup (1).tmp
Filesize
3.0MB

MD5
104684b539640daef74e717e02abcf98

SHA1
3dbe093bbe92ab27c23610795358a763eab1b11b

SHA256
c46d28f68af133e26dcb5f60564e4e31896c7917b68baf5d0c11fc2dd5bad7f3

SHA512
3eaa956d34ec3d98fcb9cb28a08d8832314140f0ac9f7e3266a75831ea7e99041090fd98ff69a221ce8a0a5615767b34cd3555c182d069e3a1bbd02e1a5e54c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U0M3I.tmp\64.exe
Filesize
76.7MB

MD5
dd55acb4e7da17d3adbd39a7a9424ec4

SHA1
e6b2198cab4cadc9f7b4b836b23a2db98d8007cb

SHA256
ea47702b9edf57d228ba9baff5b7579fd36311745ce13815c3f67e873144f7d3

SHA512
5a90c5e25c9e9e262673ef34c19165da5e441fb001a08df56c89e47ec2ea6d572d24bc94c0a81f28c7cae3045233f19c1bdda0415ffe5c49cbd0422044d39cf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U0M3I.tmp\64.exe
Filesize
76.7MB

MD5
dd55acb4e7da17d3adbd39a7a9424ec4

SHA1
e6b2198cab4cadc9f7b4b836b23a2db98d8007cb

SHA256
ea47702b9edf57d228ba9baff5b7579fd36311745ce13815c3f67e873144f7d3

SHA512
5a90c5e25c9e9e262673ef34c19165da5e441fb001a08df56c89e47ec2ea6d572d24bc94c0a81f28c7cae3045233f19c1bdda0415ffe5c49cbd0422044d39cf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U0M3I.tmp\CR_94201.tmp\setup.exe
Filesize
3.0MB

MD5
183d951fba47ce3865c0d249584c7dca

SHA1
a730f71636bec0c48bc280e1ba82ddb19913d234

SHA256
84425be0f55a9c44773ce048b30993035e56f1fb4fc83bce44c5a06b2cb8bdec

SHA512
1f94837ba5d8a1ab7ade955ccd7d6342885a57d1970bfe328dda420325c8b9ff862eeb7023ba3fa2f6fa71875be8005d7801611ca18d783cbbc755381352a597

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U0M3I.tmp\CR_94201.tmp\setup.exe
Filesize
3.0MB

MD5
183d951fba47ce3865c0d249584c7dca

SHA1
a730f71636bec0c48bc280e1ba82ddb19913d234

SHA256
84425be0f55a9c44773ce048b30993035e56f1fb4fc83bce44c5a06b2cb8bdec

SHA512
1f94837ba5d8a1ab7ade955ccd7d6342885a57d1970bfe328dda420325c8b9ff862eeb7023ba3fa2f6fa71875be8005d7801611ca18d783cbbc755381352a597

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U0M3I.tmp\CR_94201.tmp\setup.exe
Filesize
3.0MB

MD5
183d951fba47ce3865c0d249584c7dca

SHA1
a730f71636bec0c48bc280e1ba82ddb19913d234

SHA256
84425be0f55a9c44773ce048b30993035e56f1fb4fc83bce44c5a06b2cb8bdec

SHA512
1f94837ba5d8a1ab7ade955ccd7d6342885a57d1970bfe328dda420325c8b9ff862eeb7023ba3fa2f6fa71875be8005d7801611ca18d783cbbc755381352a597

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U0M3I.tmp\chrome.bat
Filesize
3KB

MD5
4c5b195c47cebff1b982c9afad1cca4e

SHA1
9e1520208b0cdfd477e9bffb3052fe430a8a3e9f

SHA256
863be4d05876fb592b7aaad0182a16cfea50ecbac47e35b55cb3b66484ddde5f

SHA512
6a1f2abddf5585530817510be84a09ffcc88811f22193b67a0a4b163b77fd42c963820eb9795d5488ac84d3219ab775a477e6f861aec2b248cb56d9ea24e2712

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U0M3I.tmp\chrome.ps1
Filesize
27B

MD5
c774ee6f456444fcadd09dc5e27a501b

SHA1
3b49a20623ff5968b24dac1bcd1a57125e111341

SHA256
d3477d17f918bc82462191dee88fe57f25d19173a8361d94580e2dfae3b503df

SHA512
a2b8f0ce3dd8b3c9d7e1bd468953eb4a03f0f11511cf65531497056d7ad9a8134d628cf1e1a5e2baafbe05a1a47ffa4673d1fcdc915e7aa9e7da12de4644674d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U0M3I.tmp\edge.bat
Filesize
2KB

MD5
197091a1406e37481df082c9c8a22c9f

SHA1
46ba95dd2546f9a49f60b5556be4f3f307ef7edf

SHA256
68fb78ac6345271ac15010969bee7409384b086022f9513a76598692c1e8bd25

SHA512
a82957ac8c69b8b9dfb694b9e7faf65cba92330bf1910e06620e3cc2424a354b24a6ede3948715dc11dfeb0676a3af655c05b0249ca07661afd5d8d3fa891b8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U0M3I.tmp\edge.ps1
Filesize
27B

MD5
c2325eb340fbf3ac139dad081449f643

SHA1
51f767c9d7c8b823983932e0c6821fa94b6791d4

SHA256
1fbcca088a4e94dd4bcf72c74051c621185b9c12397d927cc63452399f4ed8b3

SHA512
e68bcdcba878e35804c164437ea07d42228adc60f7d3e5e046d56009965282119e691a2398f09749e11c457055f2aeb9e87c4157553358e957ea26f5baf9ef6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1736_2126934258\apps.crx
Filesize
12KB

MD5
6867d60051d20ce9af6e70e446237548

SHA1
5ee5950d11118220620401e9423278d8ae84bc67

SHA256
8be446a55eb96bb216719b1d838610d0a873c7d23eb27f1a785271e592da96c0

SHA512
08c598604e984bc8ac8258fac9e69e223b19b6e616200c996d4eb3083889927e0b10f519b34a19e8f35a0736ec19e0d788c51a2e4d1a5ae113e86b82f90dfc64

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
0721cd52cbc3dcb2bcfdd1ae560f1853

SHA1
cd7b8886db9c131a8de95fcc3f1b590dda8a4199

SHA256
9dce8924742c3874470e9f8091cc3e715af7621053b6511ccfd0bb54d3f1d983

SHA512
c82f05672d2e141d540428410cf6b6001c349eefd2249c58d695024c8d897d85a1ebef0d4167bcf1cdbf2c863dd33d1d711c7e8841c2c8f66b741e21cf898ed0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\B8PUSJL03QCYMUBTYOWM.temp
Filesize
7KB

MD5
0721cd52cbc3dcb2bcfdd1ae560f1853

SHA1
cd7b8886db9c131a8de95fcc3f1b590dda8a4199

SHA256
9dce8924742c3874470e9f8091cc3e715af7621053b6511ccfd0bb54d3f1d983

SHA512
c82f05672d2e141d540428410cf6b6001c349eefd2249c58d695024c8d897d85a1ebef0d4167bcf1cdbf2c863dd33d1d711c7e8841c2c8f66b741e21cf898ed0

Download Submit
C:\apps-helper\manifest.json
Filesize
219B

MD5
8cb0aca2b1457ccdffe28f9843bed9f5

SHA1
dcff694b3f2eac4bca4a6b96f32026d1cad9fb83

SHA256
15db2b5b55e74489dd4ad623328fbc10022bde652c6099dd07d93f6263663c62

SHA512
07e99c3684c9952d1cd9ad42ba147b934023392b1abd2fd688c585505c197fef9eaa5804f6413d9be8217f6c66cfd3f09e05d1ace57230380c0f9b4ad333e670

Download Submit
C:\apps-helper\service.js
Filesize
164B

MD5
637b35d87a311e04cd5cd8784f86e0b4

SHA1
1002135b3306d7f5c7dcf37afe7e0d536cc3e642

SHA256
f5cec8e00eda7960d48299c44d4196f9de3a7907c68913585b656759eba82bfc

SHA512
990fbf0b42e561af98c481646df327b5a693d327c08c3cb6bf5484e6a446b7844167988bf4aa74c92efb277b05536583bdea0703f7158a8b35405098e53b224b

Download Submit
C:\apps.crx
Filesize
12KB

MD5
6867d60051d20ce9af6e70e446237548

SHA1
5ee5950d11118220620401e9423278d8ae84bc67

SHA256
8be446a55eb96bb216719b1d838610d0a873c7d23eb27f1a785271e592da96c0

SHA512
08c598604e984bc8ac8258fac9e69e223b19b6e616200c996d4eb3083889927e0b10f519b34a19e8f35a0736ec19e0d788c51a2e4d1a5ae113e86b82f90dfc64

Download Submit
\??\pipe\crashpad_1736_ISDHAXRJHHHDLBQE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\is-ARFGP.tmp\Setup (1).tmp
Filesize
3.0MB

MD5
104684b539640daef74e717e02abcf98

SHA1
3dbe093bbe92ab27c23610795358a763eab1b11b

SHA256
c46d28f68af133e26dcb5f60564e4e31896c7917b68baf5d0c11fc2dd5bad7f3

SHA512
3eaa956d34ec3d98fcb9cb28a08d8832314140f0ac9f7e3266a75831ea7e99041090fd98ff69a221ce8a0a5615767b34cd3555c182d069e3a1bbd02e1a5e54c1

Download Submit
\Users\Admin\AppData\Local\Temp\is-U0M3I.tmp\64.exe
Filesize
76.7MB

MD5
dd55acb4e7da17d3adbd39a7a9424ec4

SHA1
e6b2198cab4cadc9f7b4b836b23a2db98d8007cb

SHA256
ea47702b9edf57d228ba9baff5b7579fd36311745ce13815c3f67e873144f7d3

SHA512
5a90c5e25c9e9e262673ef34c19165da5e441fb001a08df56c89e47ec2ea6d572d24bc94c0a81f28c7cae3045233f19c1bdda0415ffe5c49cbd0422044d39cf0

Download Submit
\Users\Admin\AppData\Local\Temp\is-U0M3I.tmp\64.exe
Filesize
76.7MB

MD5
dd55acb4e7da17d3adbd39a7a9424ec4

SHA1
e6b2198cab4cadc9f7b4b836b23a2db98d8007cb

SHA256
ea47702b9edf57d228ba9baff5b7579fd36311745ce13815c3f67e873144f7d3

SHA512
5a90c5e25c9e9e262673ef34c19165da5e441fb001a08df56c89e47ec2ea6d572d24bc94c0a81f28c7cae3045233f19c1bdda0415ffe5c49cbd0422044d39cf0

Download Submit
\Users\Admin\AppData\Local\Temp\is-U0M3I.tmp\64.exe
Filesize
76.7MB

MD5
dd55acb4e7da17d3adbd39a7a9424ec4

SHA1
e6b2198cab4cadc9f7b4b836b23a2db98d8007cb

SHA256
ea47702b9edf57d228ba9baff5b7579fd36311745ce13815c3f67e873144f7d3

SHA512
5a90c5e25c9e9e262673ef34c19165da5e441fb001a08df56c89e47ec2ea6d572d24bc94c0a81f28c7cae3045233f19c1bdda0415ffe5c49cbd0422044d39cf0

Download Submit
\Users\Admin\AppData\Local\Temp\is-U0M3I.tmp\64.exe
Filesize
76.7MB

MD5
dd55acb4e7da17d3adbd39a7a9424ec4

SHA1
e6b2198cab4cadc9f7b4b836b23a2db98d8007cb

SHA256
ea47702b9edf57d228ba9baff5b7579fd36311745ce13815c3f67e873144f7d3

SHA512
5a90c5e25c9e9e262673ef34c19165da5e441fb001a08df56c89e47ec2ea6d572d24bc94c0a81f28c7cae3045233f19c1bdda0415ffe5c49cbd0422044d39cf0

Download Submit
\Users\Admin\AppData\Local\Temp\is-U0M3I.tmp\64.exe
Filesize
76.7MB

MD5
dd55acb4e7da17d3adbd39a7a9424ec4

SHA1
e6b2198cab4cadc9f7b4b836b23a2db98d8007cb

SHA256
ea47702b9edf57d228ba9baff5b7579fd36311745ce13815c3f67e873144f7d3

SHA512
5a90c5e25c9e9e262673ef34c19165da5e441fb001a08df56c89e47ec2ea6d572d24bc94c0a81f28c7cae3045233f19c1bdda0415ffe5c49cbd0422044d39cf0

Download Submit
\Users\Admin\AppData\Local\Temp\is-U0M3I.tmp\CR_94201.tmp\setup.exe
Filesize
3.0MB

MD5
183d951fba47ce3865c0d249584c7dca

SHA1
a730f71636bec0c48bc280e1ba82ddb19913d234

SHA256
84425be0f55a9c44773ce048b30993035e56f1fb4fc83bce44c5a06b2cb8bdec

SHA512
1f94837ba5d8a1ab7ade955ccd7d6342885a57d1970bfe328dda420325c8b9ff862eeb7023ba3fa2f6fa71875be8005d7801611ca18d783cbbc755381352a597

Download Submit
\Users\Admin\AppData\Local\Temp\is-U0M3I.tmp\CR_94201.tmp\setup.exe
Filesize
3.0MB

MD5
183d951fba47ce3865c0d249584c7dca

SHA1
a730f71636bec0c48bc280e1ba82ddb19913d234

SHA256
84425be0f55a9c44773ce048b30993035e56f1fb4fc83bce44c5a06b2cb8bdec

SHA512
1f94837ba5d8a1ab7ade955ccd7d6342885a57d1970bfe328dda420325c8b9ff862eeb7023ba3fa2f6fa71875be8005d7801611ca18d783cbbc755381352a597

Download Submit
memory/276-102-0x0000000002760000-0x00000000027E0000-memory.dmp

Filesize
512KB

Download
memory/276-97-0x000000001B190000-0x000000001B472000-memory.dmp

Filesize
2.9MB

Download
memory/276-99-0x0000000002730000-0x0000000002738000-memory.dmp

Filesize
32KB

Download
memory/276-101-0x0000000002760000-0x00000000027E0000-memory.dmp

Filesize
512KB

Download
memory/276-104-0x0000000002760000-0x00000000027E0000-memory.dmp

Filesize
512KB

Download
memory/276-103-0x0000000002760000-0x00000000027E0000-memory.dmp

Filesize
512KB

Download
memory/1692-100-0x0000000000400000-0x0000000000708000-memory.dmp

Filesize
3.0MB

Download
memory/1692-62-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1692-272-0x0000000000400000-0x0000000000708000-memory.dmp

Filesize
3.0MB

Download
memory/2016-98-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2016-54-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2236-243-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/2264-220-0x000000000272B000-0x0000000002762000-memory.dmp

Filesize
220KB

Download
memory/2264-219-0x0000000002724000-0x0000000002727000-memory.dmp

Filesize
12KB

Download
memory/2264-217-0x0000000002090000-0x0000000002098000-memory.dmp

Filesize
32KB

Download
memory/2264-216-0x000000001B2B0000-0x000000001B592000-memory.dmp

Filesize
2.9MB

Download