cd641c84836ec8e54d93417e7ec508bf3effe1fe6e6fd91fe5f5c8a09778591d

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04-06-2024 20:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Rose-Stealer-main/payload/main.py
Size

27KB
MD5

732de31ac15a78c4340700c2d1e93c73
SHA1

5b5042db903da70001c849797c6745fa26e7cb96
SHA256

43d59afee461fca95bd9d074e967b00a09ce8b2602e42281373699c140a31aaf
SHA512

8324c454457a334e1e27f65f2551351b31823085e56b3ed39bfb7bd2da2b6a59165b5df4e1dd19742db34e8af63dc892ec4130b77751c62498f4387b2274d8da
SSDEEP

768:wQV4DBp5GT4RuxV4c/uuJuumRxiMBtN0W0DgckS0SH3f5XJXk:wL+4RuxV4c/uuJuumRNtrPcL0SH3f5X6

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133620056382026241"	chrome.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3832	chrome.exe
3832	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1908	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe
Token: SeShutdownPrivilege	3832	chrome.exe
Token: SeCreatePagefilePrivilege	3832	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
1908	OpenWith.exe
1908	OpenWith.exe
1908	OpenWith.exe
1908	OpenWith.exe
1908	OpenWith.exe
1908	OpenWith.exe
1908	OpenWith.exe
1908	OpenWith.exe
1908	OpenWith.exe
1908	OpenWith.exe
1908	OpenWith.exe
1908	OpenWith.exe
1908	OpenWith.exe
1908	OpenWith.exe
1908	OpenWith.exe
996	AcroRd32.exe
996	AcroRd32.exe
996	AcroRd32.exe
996	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 996	1908	OpenWith.exe	94
PID 1908 wrote to memory of 996	1908	OpenWith.exe	94
PID 1908 wrote to memory of 996	1908	OpenWith.exe	94
PID 996 wrote to memory of 1068	996	AcroRd32.exe	98
PID 996 wrote to memory of 1068	996	AcroRd32.exe	98
PID 996 wrote to memory of 1068	996	AcroRd32.exe	98
PID 1068 wrote to memory of 1452	1068	RdrCEF.exe	99
PID 1068 wrote to memory of 1452	1068	RdrCEF.exe	99
PID 1068 wrote to memory of 1452	1068	RdrCEF.exe	99
PID 1068 wrote to memory of 1452	1068	RdrCEF.exe	99
PID 1068 wrote to memory of 1452	1068	RdrCEF.exe	99
PID 1068 wrote to memory of 1452	1068	RdrCEF.exe	99
PID 1068 wrote to memory of 1452	1068	RdrCEF.exe	99
PID 1068 wrote to memory of 1452	1068	RdrCEF.exe	99
PID 1068 wrote to memory of 1452	1068	RdrCEF.exe	99
PID 1068 wrote to memory of 1452	1068	RdrCEF.exe	99
PID 1068 wrote to memory of 1452	1068	RdrCEF.exe	99
PID 1068 wrote to memory of 1452	1068	RdrCEF.exe	99
PID 1068 wrote to memory of 1452	1068	RdrCEF.exe	99
PID 1068 wrote to memory of 1452	1068	RdrCEF.exe	99
PID 1068 wrote to memory of 1452	1068	RdrCEF.exe	99
PID 1068 wrote to memory of 1452	1068	RdrCEF.exe	99
PID 1068 wrote to memory of 1452	1068	RdrCEF.exe	99
PID 1068 wrote to memory of 1452	1068	RdrCEF.exe	99
PID 1068 wrote to memory of 1452	1068	RdrCEF.exe	99
PID 1068 wrote to memory of 1452	1068	RdrCEF.exe	99
PID 1068 wrote to memory of 1452	1068	RdrCEF.exe	99
PID 1068 wrote to memory of 1452	1068	RdrCEF.exe	99
PID 1068 wrote to memory of 1452	1068	RdrCEF.exe	99
PID 1068 wrote to memory of 1452	1068	RdrCEF.exe	99
PID 1068 wrote to memory of 1452	1068	RdrCEF.exe	99
PID 1068 wrote to memory of 1452	1068	RdrCEF.exe	99
PID 1068 wrote to memory of 1452	1068	RdrCEF.exe	99
PID 1068 wrote to memory of 1452	1068	RdrCEF.exe	99
PID 1068 wrote to memory of 1452	1068	RdrCEF.exe	99
PID 1068 wrote to memory of 1452	1068	RdrCEF.exe	99
PID 1068 wrote to memory of 1452	1068	RdrCEF.exe	99
PID 1068 wrote to memory of 1452	1068	RdrCEF.exe	99
PID 1068 wrote to memory of 1452	1068	RdrCEF.exe	99
PID 1068 wrote to memory of 1452	1068	RdrCEF.exe	99
PID 1068 wrote to memory of 1452	1068	RdrCEF.exe	99
PID 1068 wrote to memory of 1452	1068	RdrCEF.exe	99
PID 1068 wrote to memory of 1452	1068	RdrCEF.exe	99
PID 1068 wrote to memory of 1452	1068	RdrCEF.exe	99
PID 1068 wrote to memory of 1452	1068	RdrCEF.exe	99
PID 1068 wrote to memory of 1452	1068	RdrCEF.exe	99
PID 1068 wrote to memory of 1452	1068	RdrCEF.exe	99
PID 1068 wrote to memory of 1276	1068	RdrCEF.exe	100
PID 1068 wrote to memory of 1276	1068	RdrCEF.exe	100
PID 1068 wrote to memory of 1276	1068	RdrCEF.exe	100
PID 1068 wrote to memory of 1276	1068	RdrCEF.exe	100
PID 1068 wrote to memory of 1276	1068	RdrCEF.exe	100
PID 1068 wrote to memory of 1276	1068	RdrCEF.exe	100
PID 1068 wrote to memory of 1276	1068	RdrCEF.exe	100
PID 1068 wrote to memory of 1276	1068	RdrCEF.exe	100
PID 1068 wrote to memory of 1276	1068	RdrCEF.exe	100
PID 1068 wrote to memory of 1276	1068	RdrCEF.exe	100
PID 1068 wrote to memory of 1276	1068	RdrCEF.exe	100
PID 1068 wrote to memory of 1276	1068	RdrCEF.exe	100
PID 1068 wrote to memory of 1276	1068	RdrCEF.exe	100
PID 1068 wrote to memory of 1276	1068	RdrCEF.exe	100
PID 1068 wrote to memory of 1276	1068	RdrCEF.exe	100
PID 1068 wrote to memory of 1276	1068	RdrCEF.exe	100
PID 1068 wrote to memory of 1276	1068	RdrCEF.exe	100

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Rose-Stealer-main\payload\main.py
1⤵
- Modifies registry class
PID:820

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Rose-Stealer-main\payload\main.py"
  2⤵
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:996
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1068
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E65D07A8E9FF949ED33F1BD665988E4E --mojo-platform-channel-handle=1732 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:1452
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=55EDFE322418F02BE0A8CF21D28757FE --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=55EDFE322418F02BE0A8CF21D28757FE --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:1276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb1554ab58,0x7ffb1554ab68,0x7ffb1554ab78
  2⤵
  PID:3276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1836 --field-trial-handle=1940,i,4344351567018858204,14839394579338469072,131072 /prefetch:2
  2⤵
  PID:3448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=1940,i,4344351567018858204,14839394579338469072,131072 /prefetch:8
  2⤵
  PID:4256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2292 --field-trial-handle=1940,i,4344351567018858204,14839394579338469072,131072 /prefetch:8
  2⤵
  PID:2824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3112 --field-trial-handle=1940,i,4344351567018858204,14839394579338469072,131072 /prefetch:1
  2⤵
  PID:3252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3160 --field-trial-handle=1940,i,4344351567018858204,14839394579338469072,131072 /prefetch:1
  2⤵
  PID:4656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3628 --field-trial-handle=1940,i,4344351567018858204,14839394579338469072,131072 /prefetch:1
  2⤵
  PID:1756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4312 --field-trial-handle=1940,i,4344351567018858204,14839394579338469072,131072 /prefetch:8
  2⤵
  PID:2228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4620 --field-trial-handle=1940,i,4344351567018858204,14839394579338469072,131072 /prefetch:8
  2⤵
  PID:3764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4688 --field-trial-handle=1940,i,4344351567018858204,14839394579338469072,131072 /prefetch:8
  2⤵
  PID:2368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4592 --field-trial-handle=1940,i,4344351567018858204,14839394579338469072,131072 /prefetch:8
  2⤵
  PID:1508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 --field-trial-handle=1940,i,4344351567018858204,14839394579338469072,131072 /prefetch:8
  2⤵
  PID:1884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4888 --field-trial-handle=1940,i,4344351567018858204,14839394579338469072,131072 /prefetch:1
  2⤵
  PID:3036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4676 --field-trial-handle=1940,i,4344351567018858204,14839394579338469072,131072 /prefetch:1
  2⤵
  PID:1324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4392 --field-trial-handle=1940,i,4344351567018858204,14839394579338469072,131072 /prefetch:1
  2⤵
  PID:1780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4724 --field-trial-handle=1940,i,4344351567018858204,14839394579338469072,131072 /prefetch:8
  2⤵
  PID:3472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3224 --field-trial-handle=1940,i,4344351567018858204,14839394579338469072,131072 /prefetch:8
  2⤵
  PID:3348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4884 --field-trial-handle=1940,i,4344351567018858204,14839394579338469072,131072 /prefetch:1
  2⤵
  PID:1692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=2740 --field-trial-handle=1940,i,4344351567018858204,14839394579338469072,131072 /prefetch:1
  2⤵
  PID:4584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5428 --field-trial-handle=1940,i,4344351567018858204,14839394579338469072,131072 /prefetch:8
  2⤵
  PID:820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5588 --field-trial-handle=1940,i,4344351567018858204,14839394579338469072,131072 /prefetch:8
  2⤵
  PID:2544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=4468 --field-trial-handle=1940,i,4344351567018858204,14839394579338469072,131072 /prefetch:1
  2⤵
  PID:4704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=6060 --field-trial-handle=1940,i,4344351567018858204,14839394579338469072,131072 /prefetch:1
  2⤵
  PID:4604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4792 --field-trial-handle=1940,i,4344351567018858204,14839394579338469072,131072 /prefetch:8
  2⤵
  PID:4644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5920 --field-trial-handle=1940,i,4344351567018858204,14839394579338469072,131072 /prefetch:8
  2⤵
  PID:704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=4644 --field-trial-handle=1940,i,4344351567018858204,14839394579338469072,131072 /prefetch:1
  2⤵
  PID:2032

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1668

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3984

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_Rose-Stealer-main.zip\Rose-Stealer-main\assets\requirements.txt
1⤵
PID:3200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\8f4246c2-2506-402f-ba58-f25ecbbdddae.tmp

Filesize
16KB

MD5
f0c53b1e51a3e6e15cbf9a20bffb92ad

SHA1
8fa7fc607643ed3fc8da1c13b746324b09163254

SHA256
2f5548c26372411973dbb731f90c3ba11e171552d3bded23da4b2d45b2bde556

SHA512
b818fa01a78d4fdb8f58884cf4c0ec3002dcc23f6738e9b433532e2898c832230023f1760351ca70a453d4b9b6c668baff81cde4dcf543506d254283cb68bf55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
59KB

MD5
fac49e161e404a2a94033d91245077d8

SHA1
fcdd095a60d94e7fedb86bf29c784007b4d7e9c7

SHA256
782fae8642551618ba67e354c7335e274ffeb931ca0c02698e5cd8ca5931a349

SHA512
0a3e34ab9bc45b40f7c2b2c26896ced8869a78992e1a8fae4d0dffd7815216a0168c19661de536b6174f168f88563185ed87929c04a7d8238250960bcf562bb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

Filesize
40KB

MD5
aa12ea792026e66caab5841d4d0b9bab

SHA1
47beeba1239050999e8c98ded40f02ce82a78d3f

SHA256
65fe153a832452e97f5d484440a7047e314d3a83cb61ad2508fed48a820e1de1

SHA512
0b2b1bb8851c60c9d4ab1d039b990a4de5799c97c50b45f64e36a21849c14e785f69196f674ac225b1419d7f501338054074cab6203d041361a4fa1ed8802b27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
288B

MD5
377c60102c9b24d12f0b4c0af5f75e2f

SHA1
c0f454b9ceaf7dd2e83d734da8c2c813efe497ca

SHA256
fbce5b39822614fbfcc08d93a5eefd648cb1a1e7d5e2de4ec3ca40282db5774d

SHA512
1e5d161ea75dc2389fbf4d8ab4988b68926e35dc6a454e00e8c7bce9abb256f06b34fa0900486f076547a6aaa4e9cc13f85fd45efec6e339b9831af4637a3e34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
426339d6f172b8d475354e637abf7b28

SHA1
2b57c58096a9d56f8e00287bb45aaa2188f73ff4

SHA256
07563f8b2a889753f0f9a218fe7617b469f9274fdc50e022cf6ff36ae7aeeed9

SHA512
c932ccce3d5e19a441ec6dbf53cef61b64a7b8910e299d40ad939e21c05a41e7672620597e2facce0ec29d7067a5ef95b3b4dbde7482abb4ade347060a5a18db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
23231f505f21580755abd44ab63099c4

SHA1
b2f11a60b188518206d30de75a32aed4d1a8b094

SHA256
fc30786605b228f47bedfc05cc1c3e6446157c20c0e6ebf6bc5cd951f55ffe8c

SHA512
feb540f411b2af51d45051c8aafe5fba4083d1b6aa61c81c7e5fc267bf9bb86519ba52e050fc6fffa60045a3938a093edc5e6a6e370c88ccce52988793687bed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
e76922bd69d13d5f6cd3f2a13a719533

SHA1
ef11a0a187f60dd37b0bd5c0d73ccb471b65dcf3

SHA256
ed57315313c4a51ca71cfba95487bd95e0faac5f9a4d12920f2bbe0291d94002

SHA512
ec94fa165249ee4644e2b2a9e71c4c995158dbc46bda734eb93c34ed7da82987e4b7dde005a1364bf16d0841fec8750ce1698e39dcec25b08b4bb435ec05a09e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
2ac9c69f45e77c854e2d60ca1847f32c

SHA1
13ae897ed8089d00ae2369e944c97805f326f7ba

SHA256
aff16a75dd080c88103fad48a3a30053d30bbe3d196f7532ee56c7374903f81b

SHA512
85da6221864fd8a07ba8cdfb5fe07ccb5aa85acc1543d3309121a321e7a749b1bc87b5800b73cf24833217383d76b2d560eea8d306aaf58f8962b824110a717d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
4a60c986d7bd158a7bc2d6b2a268c5cb

SHA1
5eb5483f483d67769e576f0f774f7cd08e56d062

SHA256
b042a5fc3acce7384555e04c6597767e2a861662652ce65c8e788e6cdd3cc164

SHA512
2b7c0897ca43d3903e0ecc7595d61806accbf15e8a9d650147021e521de2abdc2006a3f94f2dd57be761e82efcded6ae9bafbd87aebf1e3282b414a9d6e14217

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
d538c734786ee4c4d7f88c1e9160426d

SHA1
dcc2262aa3dd95af07888b5cf2776ef4e933ba41

SHA256
6be3852af6362523c58a0f59aea920c985a8d91d3b9f9174c7ba9ea547d7f533

SHA512
1e306c1056ffecbe886ccd9974c307245fda02c050a2813be95bea23bd3adfb13dcd9ec54f1809ec36c8c9b2f1789dfd94ac4d93863ddffab3b060cb928bc991

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d58170965f172ff1e089223871680498

SHA1
d91165a2fd601425851979f999cc71ccfb7ed5cc

SHA256
6f06f93f7d1e2ceb5bbdb5b69c448b86b6e5383286aa7518aba30a841460856b

SHA512
09121924828e4cd1c98602d6387242d997187951a3583088f462607a8515668d67bd36c7089654aa0e87a913679670094c794c759bbd3c72ad84d3c139f78b78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
261KB

MD5
901a1cc46cf24fb956fcb70309a770bb

SHA1
30e30f60a5c0c8bbdbc3eb24d8c86fb0e2158954

SHA256
240704cf85cdeecf09d51f966a3133d700dc31e97867f1266b12ad6c973eee6c

SHA512
a62c85f6074f1d959baab3cb83efc2adaa0b4380ffb1a25b1ea17e3592a8856d9a2fe014aa796341504f7eb14216c68a611a7a28e21dbccc0595f04413d0227d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
261KB

MD5
7a6417f628f3623fd8887b8869137ad2

SHA1
892b19fcc6ae39734c1e7ab54406f4fdaa2ad11d

SHA256
5d36a04ac48438bf69eabca461a0e389427b6e50125d94e93e968613d6a899b2

SHA512
4d2f7ed1cf4b91deff7b3d433d171e10d7f9a2251c108c91402c0b8cc0e3ac8218f7478647c48d1c9e03bfa557b1520fa3cc5cccd646aea33cba49903c846316

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
97KB

MD5
402ff9ae417c072bea88c2acfb109c23

SHA1
8fb834854551e646610bf1b1f29809a87367577e

SHA256
657449dbd5c3c5b2adcc1de65efeb1e6b96ced727c5e21525afc450991b81c3a

SHA512
c5a99bf65016118d4d09ad56b05e8d7e88fdf5ceb953bd4904f3ca55f7d5c7fc875354b8ae9fb756c2e7992e0cc9848d0c71b9a7230b71f54d81b68d4653b273

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe587654.TMP

Filesize
89KB

MD5
04d609eef2a23ea6636e09cfe4e2bad0

SHA1
95ad294f2c544e38da08fdc88455d4636730904c

SHA256
20e3d0be7f6bcfa5d110888df6594379118345c9e3aaad2da0c28b5f57e347ec

SHA512
af87f91879e67a6d5a7306ef01ae0a22c3942bfdb304a69943e80f51a2e214e76c8030b45aaf15fcc7825a32f458976ab06d43b8059fcf96511fe39c2a80f8cd

Download Submit
C:\Users\Admin\Downloads\Rose-Stealer-main.zip

Filesize
11KB

MD5
6ebc149af0e359c95fc64bf59f38a6c6

SHA1
dcc5e4bf2cfd2e6e9d55f7bea6b9c645b8ad6c58

SHA256
cd641c84836ec8e54d93417e7ec508bf3effe1fe6e6fd91fe5f5c8a09778591d

SHA512
1842049fe3b5cd9e27c2dab6d3e09f7a1dc10b9392541630f55f8e541629b08d26eba34a0382cb858bfb9e0ac7a767a27eb5c68e830142bf071972d0a616cb05

Download Submit