f1a7dba708843124f16d5f83a914f6169237086547215eae6afce42b7c25e9c3

Analysis

max time kernel
164s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 04:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Firefox Installer.exe
Size

341KB
MD5

06b34ae4dcc1111e74013f7f4eaeb19c
SHA1

62930bc389764b0f0277dc5b13f725b55d49329c
SHA256

f1a7dba708843124f16d5f83a914f6169237086547215eae6afce42b7c25e9c3
SHA512

e7684ceaffe7920cfa6a4ecfea1b669bdd979ad57a7a770860e3a7f329b3bcd175e29ff66cbc02336360daee645b5a5cb5c8a0cdcffa3d47c7b4241f1764d37d
SSDEEP

6144:TaVWdyzOxeA1DfdwX3MmIOiH3nnnoS8+6z7R5xifG33RPC1is0JogP5DvXUTocDR:TMROxdDfOnMmXiH3nnnn8niEB9pvqHdn

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3040-0-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/3040-73-0x0000000000400000-0x0000000000446000-memory.dmp	upx

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\nsg5641.tmp	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsg5640.tmp\	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsg5642.tmp	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsg5643.tmp	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsg5642.tmp\	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsg5640.tmp	setup-stub.exe

Executes dropped EXE 1 IoCs

pid	Process
1652	setup-stub.exe

Loads dropped DLL 7 IoCs

pid	Process
1652	setup-stub.exe
1652	setup-stub.exe
1652	setup-stub.exe
1652	setup-stub.exe
1652	setup-stub.exe
1652	setup-stub.exe
1652	setup-stub.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3276	1652	WerFault.exe	83

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133606519482296514"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4768	chrome.exe
4768	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs

pid	Process
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4768	chrome.exe
Token: SeCreatePagefilePrivilege	4768	chrome.exe
Token: SeShutdownPrivilege	4768	chrome.exe
Token: SeCreatePagefilePrivilege	4768	chrome.exe
Token: SeShutdownPrivilege	4768	chrome.exe
Token: SeCreatePagefilePrivilege	4768	chrome.exe
Token: SeShutdownPrivilege	4768	chrome.exe
Token: SeCreatePagefilePrivilege	4768	chrome.exe
Token: SeShutdownPrivilege	4768	chrome.exe
Token: SeCreatePagefilePrivilege	4768	chrome.exe
Token: SeShutdownPrivilege	4768	chrome.exe
Token: SeCreatePagefilePrivilege	4768	chrome.exe
Token: SeShutdownPrivilege	4768	chrome.exe
Token: SeCreatePagefilePrivilege	4768	chrome.exe
Token: SeShutdownPrivilege	4768	chrome.exe
Token: SeCreatePagefilePrivilege	4768	chrome.exe
Token: SeShutdownPrivilege	4768	chrome.exe
Token: SeCreatePagefilePrivilege	4768	chrome.exe
Token: SeShutdownPrivilege	4768	chrome.exe
Token: SeCreatePagefilePrivilege	4768	chrome.exe
Token: SeShutdownPrivilege	4768	chrome.exe
Token: SeCreatePagefilePrivilege	4768	chrome.exe
Token: SeShutdownPrivilege	4768	chrome.exe
Token: SeCreatePagefilePrivilege	4768	chrome.exe
Token: SeShutdownPrivilege	4768	chrome.exe
Token: SeCreatePagefilePrivilege	4768	chrome.exe
Token: SeShutdownPrivilege	4768	chrome.exe
Token: SeCreatePagefilePrivilege	4768	chrome.exe
Token: SeShutdownPrivilege	4768	chrome.exe
Token: SeCreatePagefilePrivilege	4768	chrome.exe
Token: SeShutdownPrivilege	4768	chrome.exe
Token: SeCreatePagefilePrivilege	4768	chrome.exe
Token: SeShutdownPrivilege	4768	chrome.exe
Token: SeCreatePagefilePrivilege	4768	chrome.exe
Token: SeShutdownPrivilege	4768	chrome.exe
Token: SeCreatePagefilePrivilege	4768	chrome.exe
Token: SeShutdownPrivilege	4768	chrome.exe
Token: SeCreatePagefilePrivilege	4768	chrome.exe
Token: SeShutdownPrivilege	4768	chrome.exe
Token: SeCreatePagefilePrivilege	4768	chrome.exe
Token: SeShutdownPrivilege	4768	chrome.exe
Token: SeCreatePagefilePrivilege	4768	chrome.exe
Token: SeShutdownPrivilege	4768	chrome.exe
Token: SeCreatePagefilePrivilege	4768	chrome.exe
Token: SeShutdownPrivilege	4768	chrome.exe
Token: SeCreatePagefilePrivilege	4768	chrome.exe
Token: SeShutdownPrivilege	4768	chrome.exe
Token: SeCreatePagefilePrivilege	4768	chrome.exe
Token: SeShutdownPrivilege	4768	chrome.exe
Token: SeCreatePagefilePrivilege	4768	chrome.exe
Token: SeShutdownPrivilege	4768	chrome.exe
Token: SeCreatePagefilePrivilege	4768	chrome.exe
Token: SeShutdownPrivilege	4768	chrome.exe
Token: SeCreatePagefilePrivilege	4768	chrome.exe
Token: SeShutdownPrivilege	4768	chrome.exe
Token: SeCreatePagefilePrivilege	4768	chrome.exe
Token: SeShutdownPrivilege	4768	chrome.exe
Token: SeCreatePagefilePrivilege	4768	chrome.exe
Token: SeShutdownPrivilege	4768	chrome.exe
Token: SeCreatePagefilePrivilege	4768	chrome.exe
Token: SeShutdownPrivilege	4768	chrome.exe
Token: SeCreatePagefilePrivilege	4768	chrome.exe
Token: SeShutdownPrivilege	4768	chrome.exe
Token: SeCreatePagefilePrivilege	4768	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe
4768	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1652	setup-stub.exe
1652	setup-stub.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 1652	3040	Firefox Installer.exe	83
PID 3040 wrote to memory of 1652	3040	Firefox Installer.exe	83
PID 3040 wrote to memory of 1652	3040	Firefox Installer.exe	83
PID 4768 wrote to memory of 2200	4768	chrome.exe	104
PID 4768 wrote to memory of 2200	4768	chrome.exe	104
PID 4768 wrote to memory of 4964	4768	chrome.exe	105
PID 4768 wrote to memory of 4964	4768	chrome.exe	105
PID 4768 wrote to memory of 4964	4768	chrome.exe	105
PID 4768 wrote to memory of 4964	4768	chrome.exe	105
PID 4768 wrote to memory of 4964	4768	chrome.exe	105
PID 4768 wrote to memory of 4964	4768	chrome.exe	105
PID 4768 wrote to memory of 4964	4768	chrome.exe	105
PID 4768 wrote to memory of 4964	4768	chrome.exe	105
PID 4768 wrote to memory of 4964	4768	chrome.exe	105
PID 4768 wrote to memory of 4964	4768	chrome.exe	105
PID 4768 wrote to memory of 4964	4768	chrome.exe	105
PID 4768 wrote to memory of 4964	4768	chrome.exe	105
PID 4768 wrote to memory of 4964	4768	chrome.exe	105
PID 4768 wrote to memory of 4964	4768	chrome.exe	105
PID 4768 wrote to memory of 4964	4768	chrome.exe	105
PID 4768 wrote to memory of 4964	4768	chrome.exe	105
PID 4768 wrote to memory of 4964	4768	chrome.exe	105
PID 4768 wrote to memory of 4964	4768	chrome.exe	105
PID 4768 wrote to memory of 4964	4768	chrome.exe	105
PID 4768 wrote to memory of 4964	4768	chrome.exe	105
PID 4768 wrote to memory of 4964	4768	chrome.exe	105
PID 4768 wrote to memory of 4964	4768	chrome.exe	105
PID 4768 wrote to memory of 4964	4768	chrome.exe	105
PID 4768 wrote to memory of 4964	4768	chrome.exe	105
PID 4768 wrote to memory of 4964	4768	chrome.exe	105
PID 4768 wrote to memory of 4964	4768	chrome.exe	105
PID 4768 wrote to memory of 4964	4768	chrome.exe	105
PID 4768 wrote to memory of 4964	4768	chrome.exe	105
PID 4768 wrote to memory of 4964	4768	chrome.exe	105
PID 4768 wrote to memory of 4964	4768	chrome.exe	105
PID 4768 wrote to memory of 4964	4768	chrome.exe	105
PID 4768 wrote to memory of 4204	4768	chrome.exe	106
PID 4768 wrote to memory of 4204	4768	chrome.exe	106
PID 4768 wrote to memory of 1340	4768	chrome.exe	107
PID 4768 wrote to memory of 1340	4768	chrome.exe	107
PID 4768 wrote to memory of 1340	4768	chrome.exe	107
PID 4768 wrote to memory of 1340	4768	chrome.exe	107
PID 4768 wrote to memory of 1340	4768	chrome.exe	107
PID 4768 wrote to memory of 1340	4768	chrome.exe	107
PID 4768 wrote to memory of 1340	4768	chrome.exe	107
PID 4768 wrote to memory of 1340	4768	chrome.exe	107
PID 4768 wrote to memory of 1340	4768	chrome.exe	107
PID 4768 wrote to memory of 1340	4768	chrome.exe	107
PID 4768 wrote to memory of 1340	4768	chrome.exe	107
PID 4768 wrote to memory of 1340	4768	chrome.exe	107
PID 4768 wrote to memory of 1340	4768	chrome.exe	107
PID 4768 wrote to memory of 1340	4768	chrome.exe	107
PID 4768 wrote to memory of 1340	4768	chrome.exe	107
PID 4768 wrote to memory of 1340	4768	chrome.exe	107
PID 4768 wrote to memory of 1340	4768	chrome.exe	107
PID 4768 wrote to memory of 1340	4768	chrome.exe	107
PID 4768 wrote to memory of 1340	4768	chrome.exe	107
PID 4768 wrote to memory of 1340	4768	chrome.exe	107
PID 4768 wrote to memory of 1340	4768	chrome.exe	107
PID 4768 wrote to memory of 1340	4768	chrome.exe	107
PID 4768 wrote to memory of 1340	4768	chrome.exe	107
PID 4768 wrote to memory of 1340	4768	chrome.exe	107
PID 4768 wrote to memory of 1340	4768	chrome.exe	107
PID 4768 wrote to memory of 1340	4768	chrome.exe	107

C:\Users\Admin\AppData\Local\Temp\Firefox Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Firefox Installer.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Local\Temp\7zS0EB7F347\setup-stub.exe
  .\setup-stub.exe
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1652
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 2256
    3⤵
    - Program crash
    PID:3276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1652 -ip 1652
1⤵
PID:2052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa6d04ab58,0x7ffa6d04ab68,0x7ffa6d04ab78
  2⤵
  PID:2200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1764 --field-trial-handle=1948,i,4050234646976212529,18390105162672370335,131072 /prefetch:2
  2⤵
  PID:4964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1948,i,4050234646976212529,18390105162672370335,131072 /prefetch:8
  2⤵
  PID:4204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2252 --field-trial-handle=1948,i,4050234646976212529,18390105162672370335,131072 /prefetch:8
  2⤵
  PID:1340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3128 --field-trial-handle=1948,i,4050234646976212529,18390105162672370335,131072 /prefetch:1
  2⤵
  PID:1496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3136 --field-trial-handle=1948,i,4050234646976212529,18390105162672370335,131072 /prefetch:1
  2⤵
  PID:936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4364 --field-trial-handle=1948,i,4050234646976212529,18390105162672370335,131072 /prefetch:1
  2⤵
  PID:2068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4524 --field-trial-handle=1948,i,4050234646976212529,18390105162672370335,131072 /prefetch:8
  2⤵
  PID:2348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4656 --field-trial-handle=1948,i,4050234646976212529,18390105162672370335,131072 /prefetch:8
  2⤵
  PID:2024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4844 --field-trial-handle=1948,i,4050234646976212529,18390105162672370335,131072 /prefetch:8
  2⤵
  PID:3368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4952 --field-trial-handle=1948,i,4050234646976212529,18390105162672370335,131072 /prefetch:8
  2⤵
  PID:5100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4568 --field-trial-handle=1948,i,4050234646976212529,18390105162672370335,131072 /prefetch:8
  2⤵
  PID:4624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4732 --field-trial-handle=1948,i,4050234646976212529,18390105162672370335,131072 /prefetch:1
  2⤵
  PID:4948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4848 --field-trial-handle=1948,i,4050234646976212529,18390105162672370335,131072 /prefetch:1
  2⤵
  PID:2204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4564 --field-trial-handle=1948,i,4050234646976212529,18390105162672370335,131072 /prefetch:1
  2⤵
  PID:3436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4452 --field-trial-handle=1948,i,4050234646976212529,18390105162672370335,131072 /prefetch:1
  2⤵
  PID:3216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4492 --field-trial-handle=1948,i,4050234646976212529,18390105162672370335,131072 /prefetch:1
  2⤵
  PID:824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=3664 --field-trial-handle=1948,i,4050234646976212529,18390105162672370335,131072 /prefetch:1
  2⤵
  PID:3544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=4464 --field-trial-handle=1948,i,4050234646976212529,18390105162672370335,131072 /prefetch:1
  2⤵
  PID:4140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=1732 --field-trial-handle=1948,i,4050234646976212529,18390105162672370335,131072 /prefetch:1
  2⤵
  PID:4760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=4224 --field-trial-handle=1948,i,4050234646976212529,18390105162672370335,131072 /prefetch:1
  2⤵
  PID:2192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 --field-trial-handle=1948,i,4050234646976212529,18390105162672370335,131072 /prefetch:8
  2⤵
  PID:112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=3224 --field-trial-handle=1948,i,4050234646976212529,18390105162672370335,131072 /prefetch:1
  2⤵
  PID:2064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5332 --field-trial-handle=1948,i,4050234646976212529,18390105162672370335,131072 /prefetch:1
  2⤵
  PID:1480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=4448 --field-trial-handle=1948,i,4050234646976212529,18390105162672370335,131072 /prefetch:1
  2⤵
  PID:3868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=5284 --field-trial-handle=1948,i,4050234646976212529,18390105162672370335,131072 /prefetch:1
  2⤵
  PID:3296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=5536 --field-trial-handle=1948,i,4050234646976212529,18390105162672370335,131072 /prefetch:1
  2⤵
  PID:4072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=1640 --field-trial-handle=1948,i,4050234646976212529,18390105162672370335,131072 /prefetch:1
  2⤵
  PID:1532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=5332 --field-trial-handle=1948,i,4050234646976212529,18390105162672370335,131072 /prefetch:1
  2⤵
  PID:4656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=4684 --field-trial-handle=1948,i,4050234646976212529,18390105162672370335,131072 /prefetch:1
  2⤵
  PID:2064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=4928 --field-trial-handle=1948,i,4050234646976212529,18390105162672370335,131072 /prefetch:1
  2⤵
  PID:2780

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
576B

MD5
00f84f0032a9c43aa42760d457266a26

SHA1
f8c96156f0a0faa97e3579e4a122cfa4e7f40c4d

SHA256
909b402452c009738de9284a0a81833e295a61d9462cf8941c333b9ac9962db9

SHA512
6da2b7a5e958a8fd7b77ea1dca870b394149952654601cde53fd2b695fb939c5bb2c2192042a4062c58afa81df343cf56091dbe418c5242bd6dbfb4caf7a6bc9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
46fbe745b2267459162ce87ff5bd8119

SHA1
be3cdcf9acf8e969a6a3a56d1a4d27eb9fa8f91e

SHA256
6f6402766908da0b2f5c279873de1c852cfae0b8da9e2a1135ac27fd4d2320af

SHA512
b8605ab74e2c043b26cd082193c9bc9e8bc7588fe34d26c11660a4e246413d84766562568297eb77478f5cf7b6e75434eeb85610608561ce84fb7c840162b32c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
414384fa8e461837de0f8784fdb55ca7

SHA1
16e16976df9e9fa5f93bdb19716e4a4a5e99a224

SHA256
0952fc1170911799b7780b0e5b2c04fcbd4ea59a48793fb94e900af5a02187d9

SHA512
9b7927618335d06fb1256ec0738e43e6ae46a3cdba62d54636667aa393ebdbfd71d468d40550401c2d726a418ab4131d3f88a4e6df91b3ed97f6aee44f962a45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
f5a601e19539a0594320bfc9f10c7056

SHA1
da1d274913f577a53800cd48a7e216a7d6a5eb7d

SHA256
c9246815b71f7d13172643a0bccdcfde3b4d514eb4eeba1d03d1131c8be53346

SHA512
1af2e1e2890defe95538f5923cac80fc03827ef30d31460fe4a2bfee55ea91fe01aed9a81bc8c177afa4d7ad8abfb2ed2eefed4cc2abc5f2cb7972ee8c252a69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
6fd5a7f55699e9efa8adf1ce0416543a

SHA1
c9ff5523eb8ab1b0a016188663d53ec8e1099802

SHA256
55f6a1f36731000cb5765be8b004f1febca99d3c066d56104b15fa7d3ac34478

SHA512
b866d193a021c2c5cca26d9cae9a8d947ea9f1bf34cb8b73df82ab8af17597ed84b0df1fbbcb488d8f18d9c0f5699de06eeac98259921cd71cd526f8620a36c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
1b5b9d948e84765490773783ef7acce3

SHA1
5b254be90c4142f9d64765017a407b33c6653b3a

SHA256
83be961f8e6c7580f712e767fe069937372ef1a15260097ee463463c999e1d24

SHA512
81aab2911b88ec3a4ca1acd90c89994be0faea9fa2982b067bb7b03a364000016d6932591b06fc2525cf1c987a6a438331b85646f4cbe81b3f33142a8f9f348a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
72a04bdbc44934b70e55f0c65b0af899

SHA1
effb4372eb539b8daeadf35482256b22ef245d0d

SHA256
d7caada47a3b56994c162af77934d1772c73d0d61fb9c25982d444d3dc1762e5

SHA512
74c1f3bb2c4ce10d139554eff5c6db01addaa9851b25bd87e53e1908e312171e9647f8101f3e7572d8d6c88b1b1ab6e0fa037b46767dc6955af9001a66d5330f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8f47a0eb5265b5108e8428e47f5cef6d

SHA1
d49f5f1b05fde1175856d82426f5299a4f1b4230

SHA256
d1c529b2148aebd2865abae08e8e43d736fe1a35c06c78e3f8aeca781d553252

SHA512
13a6f06aecd9a08d1cb4741cb3c0d38ecfd1ad57c812be75d8abf291cc611a1445715a73508922262500a93be4400d5159442c6a50c4e72045d655dd1c047e37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
ddb4987f1112d394f100c08893f5ec74

SHA1
28ca9be4b37be25319e2becd435617a8c8e242f4

SHA256
58cf4323f5afb00f7eb72c086aafe01e3dbcd56d26f544ee24bf817d3e48191d

SHA512
44bb041b86343525e4a520f94e3fee565d693d2622451af5b65cf6498cc80287bd61f4772c58fc02c11c8875e6bf35d1b874850672f886327910863cc689c5fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
259KB

MD5
140d4c2bbcb4e43572a46a7a34a0a56c

SHA1
e7b93ce2e6da7494b4331e8bc78623a35bcb2d73

SHA256
76be341679684228d6df46a357d22d35a0774a6cb743b6ba80ac220a1554387a

SHA512
3042af26df1d9df4787e236f851fd9ab0d44cc287464b3ab919f8ce5182b9dadf6395b269c54be21e1da9584aad3cf18d9c07a5a9b273dea2dd1008a0d6ec4d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
91KB

MD5
f0ecce7d60942336c8c1458678582baf

SHA1
bcc38246697ad9f36e0416edeae2a8724af3f848

SHA256
aee9df841c86560ea52d398ba5fe93ab6e6a7b166124ada7c28bd65ed01256c5

SHA512
a62d37e77fa8709250084effab6a2e0ba4980677f6d323e87d85584aa9eb07e5b848e8341a4e6ac8413e9a9378a0a0a413a5141360ee5a54ecf8b85be121dacf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe59794d.TMP

Filesize
88KB

MD5
77eca677e1a715d64834491fee5cfcdc

SHA1
0afa16ac2cb6f752281b62182c086ae4f390b364

SHA256
19324ff681c297d6c4c51f56a733976fc7a1f41844365a6f7381c6b66b8fc193

SHA512
65c13339828a62c09257908724fa0e4d29e4feb93ec52021d3dd27f1de257ace773de88849629873ea71f0269e8cde1bfa7773928830e0ca95ec88a92613ccdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0EB7F347\setup-stub.exe

Filesize
550KB

MD5
e5cb36cf06b545691e641e6b1b4d1b54

SHA1
a9f8133fc86205b6a58092998255546b7cd3d612

SHA256
83cb88f2fdfd9849c1ecddd41a8c3dc242c3a337d312ba2024011c71912ca8fb

SHA512
554505711ca23089e1134307bc20c55ec9319f58c65b74444df69f35429d19d9b74ae92fd5539e90acd040476a0e94adf7a95926ba60a1a9998829bb1f69bca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv5600.tmp\CityHash.dll

Filesize
53KB

MD5
2021acc65fa998daa98131e20c4605be

SHA1
2e8407cfe3b1a9d839ea391cfc423e8df8d8a390

SHA256
c299a0a71bf57eb241868158b4fcfe839d15d5ba607e1bdc5499fdf67b334a14

SHA512
cb96d3547bab778cbe94076be6765ed2ae07e183e4888d6c380f240b8c6708662a3b2b6b2294e38c48bc91bf2cc5fc7cfcd3afe63775151ba2fe34b06ce38948

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv5600.tmp\InetBgDL.dll

Filesize
17KB

MD5
97c607f5d0add72295f8d0f27b448037

SHA1
dfb9a1aa1d3b1f7821152afaac149cad38c8ce3c

SHA256
dc98ed352476af459c91100b8c29073988da19d3adc73e2c2086d25f238544a5

SHA512
ad759062152869089558389c741876029198c5b98fa725e2d2927866dc8b416ae2de871cb2479f614f6d29b6f646bf7191d02837c3cabc15b8185b563bc46268

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv5600.tmp\System.dll

Filesize
22KB

MD5
b361682fa5e6a1906e754cfa08aa8d90

SHA1
c6701aee0c866565de1b7c1f81fd88da56b395d3

SHA256
b711c4f17690421c9dc8ddb9ed5a9ddc539b3a28f11e19c851e25dcfc7701c04

SHA512
2778f91c9bcf83277d26c71118a1ccb0fb3ce50e89729f14f4915bc65dd48503a77b1e5118ce774dea72f5ce3cc8681eb9ca3c55cf90e9f61a177101ba192ae9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv5600.tmp\UAC.dll

Filesize
28KB

MD5
d23b256e9c12fe37d984bae5017c5f8c

SHA1
fd698b58a563816b2260bbc50d7f864b33523121

SHA256
ec6a56d981892bf251df1439bea425a5f6c7e1c7312d44bedd5e2957f270338c

SHA512
13f284821324ffaeadafd3651f64d896186f47cf9a68735642cf37b37de777dba197067fbccd3a7411b5dc7976e510439253bd24c9be1d36c0a59d924c17ae8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv5600.tmp\UserInfo.dll

Filesize
14KB

MD5
610ad03dec634768cd91c7ed79672d67

SHA1
dc8099d476e2b324c09db95059ec5fd3febe1e1e

SHA256
c6c413108539f141bea3f679e0e2ef705898c51ec7c2607f478a865fc5e2e2df

SHA512
18c3c92be81aadfa73884fe3bdf1fce96ccfbd35057600ef52788a871de293b64f677351ba2885c6e9ce5c3890c22471c92832ffc13ba544e9d0b347c5d33bfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv5600.tmp\WebBrowser.dll

Filesize
103KB

MD5
b53cd4ad8562a11f3f7c7890a09df27a

SHA1
db66b94670d47c7ee436c2a5481110ed4f013a48

SHA256
281a0dc8b4f644334c2283897963b20df88fa9fd32acca98ed2856b23318e6ec

SHA512
bb45d93ed13df24a2056040c219cdf36ee44c8cddb7e178fdaabcec63ac965e07f679ca1fa42591bba571992af619aa1dc76e819a7901709df79598a2b0cef81

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv5600.tmp\profile_cleanup.html

Filesize
1KB

MD5
1cb97b5f8c5f2728b26742d1d0669899

SHA1
bb5ab1b8c00810fcb18184a996573c5accdc72c3

SHA256
dec82e9caa154300e1aa44f550c16b455a2025be4fb1c3155cb75fe04a6b6611

SHA512
768ed2b070485f3bbcf457aefdc0ef8f1737ad8ac4a2703e2feaff424f9a2c69a2f5928a3be898932ef4976a44ea829a099d090bd9941a24d045d5c8ac8b7b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv5600.tmp\profile_cleanup.js

Filesize
1KB

MD5
d845e8f4c0edb3cab17e6a30090ac5b8

SHA1
654f058570f0868f0acc5f0595147f3385a9c265

SHA256
1adcfdd9768242c6c639b10e4f0bcda24f6a957a169c1dede265e40336ecbd4f

SHA512
401d800c484b74401b90c3285d8b6cc0018baf4979d6ec7bb174f7810d3f60adfa6b4cebeafcee20d5a7c3597447f755af19c5fecf1863e2438fe427dbdf9fed

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv5600.tmp\stub_common.js

Filesize
815B

MD5
efce3dce0165b3f6551db47e5c0ac8d6

SHA1
1e15f6bb688e3d645092c1aa5ee3136f8de65312

SHA256
dab39cbae31848cce0b5c43fddd2674fef4dea5b7a3dacdaabdc78a8a931817e

SHA512
cec12da07f52822aaed340b1b751153efa43e5c3d747fa39f03bb2800bf53e9416020d654a818a6088acb2cf5581714433d818537f04af150e6bfb6861c03988

Download Submit
memory/3040-73-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3040-0-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download