hxxp://au[.]download[.]windowsupdate[.]com/c/msdownload/update/software/defu/2024/01/mpsigstub_6103d9f6bf95c772c8b7ee89aee370cdca4642f8[.]exe

Analysis

max time kernel
149s
max time network
137s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
29/01/2024, 09:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

http://au.download.windowsupdate.com/c/msdownload/update/software/defu/2024/01/mpsigstub_6103d9f6bf95c772c8b7ee89aee370cdca4642f8.exe

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 7 IoCs

pid	Process
1892	mpsigstub_6103d9f6bf95c772c8b7ee89aee370cdca4642f8.exe
4236	mpsigstub_6103d9f6bf95c772c8b7ee89aee370cdca4642f8.exe
308	mpsigstub_6103d9f6bf95c772c8b7ee89aee370cdca4642f8.exe
3720	mpsigstub_6103d9f6bf95c772c8b7ee89aee370cdca4642f8.exe
1864	mpsigstub_6103d9f6bf95c772c8b7ee89aee370cdca4642f8.exe
4332	mpsigstub_6103d9f6bf95c772c8b7ee89aee370cdca4642f8.exe
5076	mpsigstub_6103d9f6bf95c772c8b7ee89aee370cdca4642f8.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133509952437548820"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-167039816-2868247564-2551780377-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1932	chrome.exe
1932	chrome.exe
4852	chrome.exe
4852	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe
Token: SeShutdownPrivilege	1932	chrome.exe
Token: SeCreatePagefilePrivilege	1932	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 1668	1932	chrome.exe	52
PID 1932 wrote to memory of 1668	1932	chrome.exe	52
PID 1932 wrote to memory of 764	1932	chrome.exe	79
PID 1932 wrote to memory of 764	1932	chrome.exe	79
PID 1932 wrote to memory of 764	1932	chrome.exe	79
PID 1932 wrote to memory of 764	1932	chrome.exe	79
PID 1932 wrote to memory of 764	1932	chrome.exe	79
PID 1932 wrote to memory of 764	1932	chrome.exe	79
PID 1932 wrote to memory of 764	1932	chrome.exe	79
PID 1932 wrote to memory of 764	1932	chrome.exe	79
PID 1932 wrote to memory of 764	1932	chrome.exe	79
PID 1932 wrote to memory of 764	1932	chrome.exe	79
PID 1932 wrote to memory of 764	1932	chrome.exe	79
PID 1932 wrote to memory of 764	1932	chrome.exe	79
PID 1932 wrote to memory of 764	1932	chrome.exe	79
PID 1932 wrote to memory of 764	1932	chrome.exe	79
PID 1932 wrote to memory of 764	1932	chrome.exe	79
PID 1932 wrote to memory of 764	1932	chrome.exe	79
PID 1932 wrote to memory of 764	1932	chrome.exe	79
PID 1932 wrote to memory of 764	1932	chrome.exe	79
PID 1932 wrote to memory of 764	1932	chrome.exe	79
PID 1932 wrote to memory of 764	1932	chrome.exe	79
PID 1932 wrote to memory of 764	1932	chrome.exe	79
PID 1932 wrote to memory of 764	1932	chrome.exe	79
PID 1932 wrote to memory of 764	1932	chrome.exe	79
PID 1932 wrote to memory of 764	1932	chrome.exe	79
PID 1932 wrote to memory of 764	1932	chrome.exe	79
PID 1932 wrote to memory of 764	1932	chrome.exe	79
PID 1932 wrote to memory of 764	1932	chrome.exe	79
PID 1932 wrote to memory of 764	1932	chrome.exe	79
PID 1932 wrote to memory of 764	1932	chrome.exe	79
PID 1932 wrote to memory of 764	1932	chrome.exe	79
PID 1932 wrote to memory of 764	1932	chrome.exe	79
PID 1932 wrote to memory of 764	1932	chrome.exe	79
PID 1932 wrote to memory of 764	1932	chrome.exe	79
PID 1932 wrote to memory of 764	1932	chrome.exe	79
PID 1932 wrote to memory of 764	1932	chrome.exe	79
PID 1932 wrote to memory of 764	1932	chrome.exe	79
PID 1932 wrote to memory of 764	1932	chrome.exe	79
PID 1932 wrote to memory of 764	1932	chrome.exe	79
PID 1932 wrote to memory of 3848	1932	chrome.exe	78
PID 1932 wrote to memory of 3848	1932	chrome.exe	78
PID 1932 wrote to memory of 1400	1932	chrome.exe	75
PID 1932 wrote to memory of 1400	1932	chrome.exe	75
PID 1932 wrote to memory of 1400	1932	chrome.exe	75
PID 1932 wrote to memory of 1400	1932	chrome.exe	75
PID 1932 wrote to memory of 1400	1932	chrome.exe	75
PID 1932 wrote to memory of 1400	1932	chrome.exe	75
PID 1932 wrote to memory of 1400	1932	chrome.exe	75
PID 1932 wrote to memory of 1400	1932	chrome.exe	75
PID 1932 wrote to memory of 1400	1932	chrome.exe	75
PID 1932 wrote to memory of 1400	1932	chrome.exe	75
PID 1932 wrote to memory of 1400	1932	chrome.exe	75
PID 1932 wrote to memory of 1400	1932	chrome.exe	75
PID 1932 wrote to memory of 1400	1932	chrome.exe	75
PID 1932 wrote to memory of 1400	1932	chrome.exe	75
PID 1932 wrote to memory of 1400	1932	chrome.exe	75
PID 1932 wrote to memory of 1400	1932	chrome.exe	75
PID 1932 wrote to memory of 1400	1932	chrome.exe	75
PID 1932 wrote to memory of 1400	1932	chrome.exe	75
PID 1932 wrote to memory of 1400	1932	chrome.exe	75
PID 1932 wrote to memory of 1400	1932	chrome.exe	75
PID 1932 wrote to memory of 1400	1932	chrome.exe	75
PID 1932 wrote to memory of 1400	1932	chrome.exe	75

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://au.download.windowsupdate.com/c/msdownload/update/software/defu/2024/01/mpsigstub_6103d9f6bf95c772c8b7ee89aee370cdca4642f8.exe
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff83f829758,0x7ff83f829768,0x7ff83f829778
  2⤵
  PID:1668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1852 --field-trial-handle=1916,i,15545611365455405914,11943828227134766351,131072 /prefetch:8
  2⤵
  PID:1400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2608 --field-trial-handle=1916,i,15545611365455405914,11943828227134766351,131072 /prefetch:1
  2⤵
  PID:1424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2600 --field-trial-handle=1916,i,15545611365455405914,11943828227134766351,131072 /prefetch:1
  2⤵
  PID:952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1796 --field-trial-handle=1916,i,15545611365455405914,11943828227134766351,131072 /prefetch:8
  2⤵
  PID:3848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1524 --field-trial-handle=1916,i,15545611365455405914,11943828227134766351,131072 /prefetch:2
  2⤵
  PID:764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4252 --field-trial-handle=1916,i,15545611365455405914,11943828227134766351,131072 /prefetch:8
  2⤵
  PID:2368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4604 --field-trial-handle=1916,i,15545611365455405914,11943828227134766351,131072 /prefetch:8
  2⤵
  PID:4336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4556 --field-trial-handle=1916,i,15545611365455405914,11943828227134766351,131072 /prefetch:8
  2⤵
  PID:3040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4840 --field-trial-handle=1916,i,15545611365455405914,11943828227134766351,131072 /prefetch:8
  2⤵
  PID:3868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4564 --field-trial-handle=1916,i,15545611365455405914,11943828227134766351,131072 /prefetch:8
  2⤵
  PID:2836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4836 --field-trial-handle=1916,i,15545611365455405914,11943828227134766351,131072 /prefetch:8
  2⤵
  PID:3904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4440 --field-trial-handle=1916,i,15545611365455405914,11943828227134766351,131072 /prefetch:8
  2⤵
  PID:1568
- C:\Users\Admin\Downloads\mpsigstub_6103d9f6bf95c772c8b7ee89aee370cdca4642f8.exe
  "C:\Users\Admin\Downloads\mpsigstub_6103d9f6bf95c772c8b7ee89aee370cdca4642f8.exe"
  2⤵
  - Executes dropped EXE
  PID:1892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=1480 --field-trial-handle=1916,i,15545611365455405914,11943828227134766351,131072 /prefetch:1
  2⤵
  PID:2680
- C:\Users\Admin\Downloads\mpsigstub_6103d9f6bf95c772c8b7ee89aee370cdca4642f8.exe
  "C:\Users\Admin\Downloads\mpsigstub_6103d9f6bf95c772c8b7ee89aee370cdca4642f8.exe"
  2⤵
  - Executes dropped EXE
  PID:4236
- C:\Users\Admin\Downloads\mpsigstub_6103d9f6bf95c772c8b7ee89aee370cdca4642f8.exe
  "C:\Users\Admin\Downloads\mpsigstub_6103d9f6bf95c772c8b7ee89aee370cdca4642f8.exe"
  2⤵
  - Executes dropped EXE
  PID:308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4772 --field-trial-handle=1916,i,15545611365455405914,11943828227134766351,131072 /prefetch:8
  2⤵
  PID:4488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4664 --field-trial-handle=1916,i,15545611365455405914,11943828227134766351,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4852

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5104

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1104

C:\Users\Admin\Downloads\mpsigstub_6103d9f6bf95c772c8b7ee89aee370cdca4642f8.exe
"C:\Users\Admin\Downloads\mpsigstub_6103d9f6bf95c772c8b7ee89aee370cdca4642f8.exe"
1⤵
- Executes dropped EXE
PID:3720

C:\Users\Admin\Downloads\mpsigstub_6103d9f6bf95c772c8b7ee89aee370cdca4642f8.exe
"C:\Users\Admin\Downloads\mpsigstub_6103d9f6bf95c772c8b7ee89aee370cdca4642f8.exe"
1⤵
- Executes dropped EXE
PID:1864

C:\Users\Admin\Downloads\mpsigstub_6103d9f6bf95c772c8b7ee89aee370cdca4642f8.exe
"C:\Users\Admin\Downloads\mpsigstub_6103d9f6bf95c772c8b7ee89aee370cdca4642f8.exe"
1⤵
- Executes dropped EXE
PID:4332

C:\Users\Admin\Downloads\mpsigstub_6103d9f6bf95c772c8b7ee89aee370cdca4642f8.exe
"C:\Users\Admin\Downloads\mpsigstub_6103d9f6bf95c772c8b7ee89aee370cdca4642f8.exe"
1⤵
- Executes dropped EXE
PID:5076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
c2ab7cf309d6fa62e34b764523d425a2

SHA1
1dda6a1599bb9f84a88e3f6849faa72417a127c9

SHA256
5c0dfa0b2c39d970068b33aec158ace9886246deea546aaac8e422b754074f9a

SHA512
0a2a788fc0ea8398b7d4a1c08c6ea4de4bfcc0e7f60b0e08679a3b07cccdf1d4bf494eafeef9b41ae299c693f199ab08a65b57c79a3c8ca85de7a2cd45c14a7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
feb81fe638ffb67962c7af806af2648e

SHA1
cb0f537c2c35eb2c0d57951088084f9c339143a3

SHA256
1184c281dbbffe805e60ec9b7371ee9108cbbd14a0b45a7b9701b26318bc2eef

SHA512
d68069b194c62a2c0de32823c182c1f4e23923b2f516bb589e07e0765c8e32140a074e5675498387e84913c869eaeb32d7ddbe6059f6a172ed91322fb32006d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f2c64ac79427ec19e900cd6e78be7dc6

SHA1
f24ac40d98932bc37766bddf4290e2f95cd5bede

SHA256
699e06e69d7760aa97e27378cf8625ca25cedefc6d6d4ec7d432ad7645c5c5b8

SHA512
3da16e754660935e43a39a6f5c99eb52665d49942d969afe0b2908506c213d73015b50acc3ea6ff9efd22ee14f29c0b7ef01875617c47d70cd5ebf9e47731a7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
6cf6cd3bb1f18141f03ff1c3502e7f87

SHA1
73cbc2f38c3d08b55394b1db140be1e22a2e9b09

SHA256
75c5a4d872130f798743e1cea77bb3dbbe7c73445213010411fe2d1d7de231b1

SHA512
86f7cab448ada37d123d2e494cd3ee92550873d17bdd8cb744fb3dde5e57232b71cf66fe7d97bb2c8441dad0a741733b855814ab30a316fae0468a0354e28635

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
feeb0f995e43e735181790ba61443ba6

SHA1
44e254ee789a19482424c4041050e1d93f935a1f

SHA256
6e06c0e567359223538899600c975f5fcc17149e2106300c9e60f72b5a498e97

SHA512
266740bcde33dc2485592fbf21bf4b7c30e491fe4de422d747fa5ce1950bdceb718681f2a79a685e89ca3c26fa00515600e91f562f2489ae44dcfd2520b3587b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
105KB

MD5
0fa9205504a7297f2193a4d4237f986c

SHA1
b0f79ccd1ada25779a2c4114a2b5d949b4650510

SHA256
03feb7e4056454b20c41e5a76c2a3249d97596c16febf642ed42b3d5b88f1741

SHA512
82ba73496a711d396fa9024c5c1cd274702b8e4aa612b4f0371cab1263ace51a722cfe70b259642c4fdc9468fe1a69a018c4b0e17293663eae4c3a490e51bd2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe588681.TMP

Filesize
103KB

MD5
461171d8ad893073cd0073490a67bf5e

SHA1
d00af0d492ce048a42a951ef58575229021c52a9

SHA256
96480244a27687585b7990b08de61a40a06ed74c7c37caf087771d6b79e91a5b

SHA512
09a5b07699e97e82993e896810930adea76c5d4fc3132f69c033ed3a1dfc6ff8e972a0b6d58fc950754fe956166b7a18fb910ebfdd49e0525aa287f0fe087fad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 278053.crdownload

Filesize
897KB

MD5
71cf589293424c4389202c7f1752fb2d

SHA1
6103d9f6bf95c772c8b7ee89aee370cdca4642f8

SHA256
071b0d3a08503a8b88aeeda1d20f371a563377028f6e252dc66cce60ab8f823e

SHA512
893ad57ffa14912ce51e33461f9786d6976ea6d57ef66cf74b6e1fcc97ce9aa5a49632d73c84bf575256234b6ac3df2451976846dafa2fe34668bea7295bdd17

Download Submit