e0fa60e9367bdbc0cf203dc06d74b7a06d57cc936e46c2cd07baa33acc3ef9b8

Analysis

max time kernel
68s
max time network
52s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
26-04-2024 19:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

2.6MB
MD5

67bd2636ed9b2ecea88b330dd2db6a14
SHA1

8a4fe483d33dd22645a50465ef7b986b4258518e
SHA256

e0fa60e9367bdbc0cf203dc06d74b7a06d57cc936e46c2cd07baa33acc3ef9b8
SHA512

231e0ca1140f200d6bd664e4ad4391a5fd0479af2ed7a17459d7736cbe6b810bd23685bd5a02d71ddeb8324b821df8aefffa2e2e14b468fad57233f27f96b3ca
SSDEEP

49152:F6CF3UUTfHfvQLeTpNTyAthgSoY5qo80lCAyStTvoJnr1hEyGyyiNZy4G:A63tnvQLeHOAthrso8TSCJBCNuZy4G

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3296	setup.tmp
3116	unins000.exe
2280	_iu14D2N.tmp

Loads dropped DLL 7 IoCs

pid	Process
3296	setup.tmp
3296	setup.tmp
3296	setup.tmp
3296	setup.tmp
3296	setup.tmp
3296	setup.tmp
3296	setup.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Teardown\unins000.dat	setup.tmp
File created	C:\Program Files (x86)\Teardown\is-N61DN.tmp	setup.tmp
File opened for modification	C:\Program Files (x86)\Teardown\unins000.dat	setup.tmp
File opened for modification	C:\Program Files (x86)\Teardown\unins000.dat	_iu14D2N.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133586334203611420"	chrome.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3296	setup.tmp
3296	setup.tmp
368	msedge.exe
368	msedge.exe
4948	msedge.exe
4948	msedge.exe
1892	chrome.exe
1892	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe
Token: SeShutdownPrivilege	1892	chrome.exe
Token: SeCreatePagefilePrivilege	1892	chrome.exe

Suspicious use of FindShellTrayWindow 56 IoCs

pid	Process
3296	setup.tmp
3296	setup.tmp
2280	_iu14D2N.tmp
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4508 wrote to memory of 3296	4508	setup.exe	88
PID 4508 wrote to memory of 3296	4508	setup.exe	88
PID 4508 wrote to memory of 3296	4508	setup.exe	88
PID 3296 wrote to memory of 3116	3296	setup.tmp	92
PID 3296 wrote to memory of 3116	3296	setup.tmp	92
PID 3296 wrote to memory of 3116	3296	setup.tmp	92
PID 3116 wrote to memory of 2280	3116	unins000.exe	93
PID 3116 wrote to memory of 2280	3116	unins000.exe	93
PID 3116 wrote to memory of 2280	3116	unins000.exe	93
PID 3296 wrote to memory of 4948	3296	setup.tmp	94
PID 3296 wrote to memory of 4948	3296	setup.tmp	94
PID 4948 wrote to memory of 3448	4948	msedge.exe	95
PID 4948 wrote to memory of 3448	4948	msedge.exe	95
PID 4948 wrote to memory of 4180	4948	msedge.exe	96
PID 4948 wrote to memory of 4180	4948	msedge.exe	96
PID 4948 wrote to memory of 4180	4948	msedge.exe	96
PID 4948 wrote to memory of 4180	4948	msedge.exe	96
PID 4948 wrote to memory of 4180	4948	msedge.exe	96
PID 4948 wrote to memory of 4180	4948	msedge.exe	96
PID 4948 wrote to memory of 4180	4948	msedge.exe	96
PID 4948 wrote to memory of 4180	4948	msedge.exe	96
PID 4948 wrote to memory of 4180	4948	msedge.exe	96
PID 4948 wrote to memory of 4180	4948	msedge.exe	96
PID 4948 wrote to memory of 4180	4948	msedge.exe	96
PID 4948 wrote to memory of 4180	4948	msedge.exe	96
PID 4948 wrote to memory of 4180	4948	msedge.exe	96
PID 4948 wrote to memory of 4180	4948	msedge.exe	96
PID 4948 wrote to memory of 4180	4948	msedge.exe	96
PID 4948 wrote to memory of 4180	4948	msedge.exe	96
PID 4948 wrote to memory of 4180	4948	msedge.exe	96
PID 4948 wrote to memory of 4180	4948	msedge.exe	96
PID 4948 wrote to memory of 4180	4948	msedge.exe	96
PID 4948 wrote to memory of 4180	4948	msedge.exe	96
PID 4948 wrote to memory of 4180	4948	msedge.exe	96
PID 4948 wrote to memory of 4180	4948	msedge.exe	96
PID 4948 wrote to memory of 4180	4948	msedge.exe	96
PID 4948 wrote to memory of 4180	4948	msedge.exe	96
PID 4948 wrote to memory of 4180	4948	msedge.exe	96
PID 4948 wrote to memory of 4180	4948	msedge.exe	96
PID 4948 wrote to memory of 4180	4948	msedge.exe	96
PID 4948 wrote to memory of 4180	4948	msedge.exe	96
PID 4948 wrote to memory of 4180	4948	msedge.exe	96
PID 4948 wrote to memory of 4180	4948	msedge.exe	96
PID 4948 wrote to memory of 4180	4948	msedge.exe	96
PID 4948 wrote to memory of 4180	4948	msedge.exe	96
PID 4948 wrote to memory of 4180	4948	msedge.exe	96
PID 4948 wrote to memory of 4180	4948	msedge.exe	96
PID 4948 wrote to memory of 4180	4948	msedge.exe	96
PID 4948 wrote to memory of 4180	4948	msedge.exe	96
PID 4948 wrote to memory of 4180	4948	msedge.exe	96
PID 4948 wrote to memory of 4180	4948	msedge.exe	96
PID 4948 wrote to memory of 4180	4948	msedge.exe	96
PID 4948 wrote to memory of 4180	4948	msedge.exe	96
PID 4948 wrote to memory of 368	4948	msedge.exe	97
PID 4948 wrote to memory of 368	4948	msedge.exe	97
PID 4948 wrote to memory of 1180	4948	msedge.exe	98
PID 4948 wrote to memory of 1180	4948	msedge.exe	98
PID 4948 wrote to memory of 1180	4948	msedge.exe	98
PID 4948 wrote to memory of 1180	4948	msedge.exe	98
PID 4948 wrote to memory of 1180	4948	msedge.exe	98
PID 4948 wrote to memory of 1180	4948	msedge.exe	98
PID 4948 wrote to memory of 1180	4948	msedge.exe	98
PID 4948 wrote to memory of 1180	4948	msedge.exe	98
PID 4948 wrote to memory of 1180	4948	msedge.exe	98

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4508
- C:\Users\Admin\AppData\Local\Temp\is-GUT88.tmp\setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-GUT88.tmp\setup.tmp" /SL5="$501D4,2171004,231424,C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3296
- - C:\Program Files (x86)\Teardown\unins000.exe
    "C:\Program Files (x86)\Teardown\unins000.exe" /VERYSILENT
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3116
  - - C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp
      "C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp" /SECONDPHASE="C:\Program Files (x86)\Teardown\unins000.exe" /FIRSTPHASEWND=$30200 /VERYSILENT
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of FindShellTrayWindow
      PID:2280
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ti-url.com/teardown-1
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4948
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffd2a146f8,0x7fffd2a14708,0x7fffd2a14718
      4⤵
      PID:3448
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,5805082421024059576,16989099936842512189,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
      4⤵
      PID:4180
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,5805082421024059576,16989099936842512189,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:368
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,5805082421024059576,16989099936842512189,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
      4⤵
      PID:1180
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5805082421024059576,16989099936842512189,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
      4⤵
      PID:2840
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5805082421024059576,16989099936842512189,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
      4⤵
      PID:5100
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,5805082421024059576,16989099936842512189,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4192 /prefetch:1
      4⤵
      PID:380

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4764

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffd25bcc40,0x7fffd25bcc4c,0x7fffd25bcc58
  2⤵
  PID:4200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,13673050552010815636,8309110468007663386,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2164,i,13673050552010815636,8309110468007663386,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  PID:4716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2240,i,13673050552010815636,8309110468007663386,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2428 /prefetch:8
  2⤵
  PID:4832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3132,i,13673050552010815636,8309110468007663386,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:5004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3156,i,13673050552010815636,8309110468007663386,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:4488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3692,i,13673050552010815636,8309110468007663386,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3676 /prefetch:1
  2⤵
  PID:3284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4832,i,13673050552010815636,8309110468007663386,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4840 /prefetch:8
  2⤵
  PID:1544

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:2276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Teardown\unins000.dat

Filesize
102KB

MD5
44b4396b40faaf283b44b6d1e9976eb2

SHA1
2e5c5de53c80cce6c9ddaba89edecd8f227fbd6a

SHA256
9da23c3982a04666f3e3b446d4ecac6f72ac4731de9e9e73b11447d50bc62aef

SHA512
205c592037fe5598b88f782b6ca12a4fc90fbe25433a353e4b7bb4670e950e73475d013fca3893dc61ad012fff7bccbcec042bd8b23b4e1f1b4732666d9a2dc5

Download Submit
C:\Program Files (x86)\Teardown\unins000.exe

Filesize
1.5MB

MD5
c2fa06f6c13e06615252ee599fd29175

SHA1
b61e68d5242f398cd8e81b5d64b290baa1c2f5a5

SHA256
41c8c50a15a10fefb05b428b3555b6b173708d3819d2527fe449164746f7c497

SHA512
363b4799d81f3b038b44ff510da333b95ecd6f7637bee0ebcb903e47acdab5b88d9822a4c2824fc0a419e2c92ba2b72163643cac2b8d80ea32f8f7e3e9275d5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
06ba9366d7d91657dc92f496f5f2cd13

SHA1
b176435ef6c2ed7b2895f44358ca2dc5bb6fcc9a

SHA256
a7bd885c3b2a78324c4e28434f5ae891b683d6e1d2fd79632c6906c83177967e

SHA512
17fac3e4422402ad0d689071c5a8527a276197b9ff9e38cd8d8e4db73afde68bc4328f920f13a8031efc4c8d80c4d4723c4c22d647b2c3622bfc3b8aa0687a94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
940f8867eac8a44015e98cbd23ed81d0

SHA1
21c8a36d3a7f2e59312b23e32174d86e01d21b40

SHA256
8e4f1a6f503cf1e27198a5fabad3214a487f1f79e59ed34a445614eb411f6402

SHA512
1af70f181cf9dcce0d87457e84ac5d7b36c8c1b051ead6d334c73dd75645627ff45f5d9298f0583016cbcc7715eecb42a0e5d2831b503c5f9a1c2f0741ed64b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
57cf47cd3c8daa07911a4aaa8faffe6c

SHA1
bdddfb9ac2c2f91c4f15a4d20b7a8fd9dae32749

SHA256
d8babfb5547a708e676e6ac5b301dc6045d6b0ef414918368ffddf0a3c610c30

SHA512
7fca6de1236afe3872c92cff6e8ccd277fd1dbe4d0bdb5595279162fad9c3d3b31e95a26cd6ea2c4fd0989f0c51dde3c9f908bba2719d083dc5a00b1183dd09e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
14903403390e5006ff59f644e474a837

SHA1
e496b11aef26cd48ca5ceef1f40e61ca71dd3d11

SHA256
8c21b81ec2daaf767ff204e30e4af5179bf80f15142c6463fc367db51aac214f

SHA512
35605e878c04dc527c124c3bdbf05e79c9915b619c62191e4c065bbee98d3ddc689fe692e73f8b1dbb9c1c68734912e0adab97cd87101860f77983c2d71168e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
25c7a1bff705b594da217928b5800867

SHA1
edfb47a5a4c19058cc3eaf0c04083eafbe240c9c

SHA256
ec8abdaca3dc908dc7002cf5cc2b11a7d208054c51930a2e50d8560cc2672ec0

SHA512
ee5bf7c8a73e5ba75a342dbe8fcfafe01bd782d9722aa0c3ee4827724f42675b994c7bb5b0ef63331f7d0ee8a57ed44a34777b18c56520b873984db23a2fdb00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
919c29d42fb6034fee2f5de14d573c63

SHA1
24a2e1042347b3853344157239bde3ed699047a8

SHA256
17cd6de97a0c020cb4935739cfef4ec4e074e8d127ac4c531b6dc496580c8141

SHA512
bb7eadd087bbcec8b1b8a49b102b454333f2f9708d36b6ffc3c82fdc52e46873398d967238c3bfe9ac6caef45b017a5fe3938ebf5f3053e4ef9be7b2752b563d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8b2290ca03b4ca5fe52d82550c7e7d69

SHA1
20583a7851a906444204ce8ba4fa51153e6cd494

SHA256
f9ff4871fc5317299de907489d466e630be63d698c8f7cb77cc81faddbecc6d2

SHA512
704ec8122cc1c263dff67ddbb5c20ee0db8a438674d716bc3be5b266ee5629a219b0049d721f9eb2dd8f2d8fda0163659eaa4d3e1f0a6e9072a8ffb92bb2b25d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b0188d99369a89380cacb7ca0c5ba6a8

SHA1
f3d32393998c54f9cebad8e7b45f70d25581fdc2

SHA256
da37146553eb5e5367e2601946d5cf9030d01487941faa10cb44fe48ddd33ed1

SHA512
6d698b414044c1ae3739ec60f1ef19ebf29783ca789431192acd61de74a4ea3f255a0e56bbaf74f340c249f31623aef45febe5f1f62cffb30430122fb7ece5fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
ea679bc765c9c2f02922f93c0c3844f6

SHA1
009b6de1358869ddcd83a27a5f9ddc9fbd7181c3

SHA256
a06bed3272a7e41a37dc6ce6854267f8ddee29bbccc10889196acea7a29f5b6b

SHA512
dd50479bf99e0ffee82a66cd104bc86de2ef08dcb3e4d2a353064a32a823dbd2efd29e05e8102642cc703dc3ce0ec7e4de84cb9b2c03ae23ae91a3dc4913bd9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2G7N0.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GUT88.tmp\setup.tmp

Filesize
1.5MB

MD5
94e3db3c7b21799a971fe69a223fee13

SHA1
7be39c93b03acb3e2b221f4886b910d7e2e68954

SHA256
d5fa30d540634f7dd95d362c257d38b9ef2a8d674901ac091d3978424363ffd4

SHA512
c5b31e3b7c4af0d76356fc640a599d24f8a6d6debb5f10658a42c29b10ad59b50df0c27fb349a1bb5cf5658dd8011e189f51cb83bf74f2fd803dc6636353f325

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TNK2Q.tmp\CallbackCtrl.dll

Filesize
4KB

MD5
f07e819ba2e46a897cfabf816d7557b2

SHA1
8d5fd0a741dd3fd84650e40dd3928ae1f15323cc

SHA256
68f42a7823ed7ee88a5c59020ac52d4bbcadf1036611e96e470d986c8faa172d

SHA512
7ed26d41ead2ace0b5379639474d319af9a3e4ed2dd9795c018f8c5b9b533fd36bfc1713a1f871789bf14884d186fd0559939de511dde24673b0515165d405af

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TNK2Q.tmp\ISDone.dll

Filesize
452KB

MD5
4feafa8b5e8cdb349125c8af0ac43974

SHA1
7f17e5e1b088fc73690888b215962fbcd395c9bd

SHA256
bb8a0245dcc5c10a1c7181bad509b65959855009a8105863ef14f2bb5b38ac71

SHA512
d63984ee385b4f1eba8e590d6de4f082fb0121689295ec6e496539209459152465f6db09e6d8f92eec996a89fc40432077cbfa807beb2de7f375154fef6554bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TNK2Q.tmp\WinTB.dll

Filesize
75KB

MD5
a2eee508e6a51c6335650532e05ac550

SHA1
8703fb138bb8443f17c0c24da7edd69b1f2660b1

SHA256
75fb2984e1b06f4278fb7b3c77e9fec84e02a3b4bf82d35120f8cbe7bdbc76bf

SHA512
14e1abea3109c17f1fbe6ec455593bf91ba1b811ea302806a83a97a96bf582f1c46e8fe635e1d8739c5c007298eabd41311e07e50961ec2084cf97bde0595370

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TNK2Q.tmp\b2p.dll

Filesize
22KB

MD5
ab35386487b343e3e82dbd2671ff9dab

SHA1
03591d07aea3309b631a7d3a6e20a92653e199b8

SHA256
c3729545522fcff70db61046c0efd962df047d40e3b5ccd2272866540fc872b2

SHA512
b67d7384c769b2b1fdd3363fc3b47d300c2ea4d37334acfd774cf29169c0a504ba813dc3ecbda5b71a3f924110a77a363906b16a87b4b1432748557567d1cf09

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TNK2Q.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
memory/2280-88-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/3116-85-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/3116-74-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/3296-42-0x00000000061E0000-0x00000000061EF000-memory.dmp

Filesize
60KB

Download
memory/3296-41-0x0000000073FD0000-0x0000000073FE1000-memory.dmp

Filesize
68KB

Download
memory/3296-39-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/3296-73-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/3296-109-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/3296-40-0x0000000003240000-0x00000000032B7000-memory.dmp

Filesize
476KB

Download
memory/3296-62-0x0000000006D90000-0x0000000006D91000-memory.dmp

Filesize
4KB

Download
memory/3296-33-0x00000000061D0000-0x00000000061D2000-memory.dmp

Filesize
8KB

Download
memory/3296-43-0x0000000006D80000-0x0000000006D81000-memory.dmp

Filesize
4KB

Download
memory/3296-7-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/3296-37-0x00000000068A0000-0x00000000068A1000-memory.dmp

Filesize
4KB

Download
memory/3296-16-0x0000000003240000-0x00000000032B7000-memory.dmp

Filesize
476KB

Download
memory/3296-29-0x00000000061E0000-0x00000000061EF000-memory.dmp

Filesize
60KB

Download
memory/3296-32-0x0000000073FD0000-0x0000000073FE1000-memory.dmp

Filesize
68KB

Download
memory/4508-111-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4508-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4508-38-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4508-2-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download