d23aab6822f83486a792afb7310912b552e050febdd0e92d3dc711a8e054c401

Resubmissions

28/06/2024, 20:23

240628-y56hzatgmj 4

28/06/2024, 20:20

240628-y4c52atfrj 4

28/06/2024, 20:18

240628-y3p37stfpp 4

28/06/2024, 20:15

240628-y1r5satflk 7

Analysis

max time kernel
80s
max time network
148s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
28/06/2024, 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Unconfirmed 216521.exe
Size

5.0MB
MD5

ea35a8472f27f246fde70c4c7a16f315
SHA1

5c5e86e77757278ccb1c4fde6cfc3053828c18d4
SHA256

d23aab6822f83486a792afb7310912b552e050febdd0e92d3dc711a8e054c401
SHA512

c6cbe6749f1e556ac9fbaa8c61b55a812d7868b2be352c95771df997fb770ac798355084e41badfa4f8e1182f71e06f9fb958b3b46efcfa61d9ffea6f8c58058
SSDEEP

98304:YSMX5HblvdIWXe+q2WWmQknh+oFAZTAxidupkxk/HK0SPtet/od3ygt9:YSE7dd9e+q2WWmQch+ZZREEkdoteaZ9f

Score

7^/10

spyware stealer

Malware Config

Signatures

Loads dropped DLL 12 IoCs

pid	Process
3060	Unconfirmed 216521.exe
3060	Unconfirmed 216521.exe
3060	Unconfirmed 216521.exe
3060	Unconfirmed 216521.exe
3060	Unconfirmed 216521.exe
3060	Unconfirmed 216521.exe
3060	Unconfirmed 216521.exe
3060	Unconfirmed 216521.exe
3060	Unconfirmed 216521.exe
3060	Unconfirmed 216521.exe
3060	Unconfirmed 216521.exe
3060	Unconfirmed 216521.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
5	pastebin.com
6	discord.com
7	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	api.ipify.org
3	api.ipify.org

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1968	chrome.exe
1968	chrome.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: 35	3060	Unconfirmed 216521.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe
Token: SeShutdownPrivilege	1968	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe
1968	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 3060	2204	Unconfirmed 216521.exe	29
PID 2204 wrote to memory of 3060	2204	Unconfirmed 216521.exe	29
PID 2204 wrote to memory of 3060	2204	Unconfirmed 216521.exe	29
PID 3060 wrote to memory of 2988	3060	Unconfirmed 216521.exe	30
PID 3060 wrote to memory of 2988	3060	Unconfirmed 216521.exe	30
PID 3060 wrote to memory of 2988	3060	Unconfirmed 216521.exe	30
PID 3060 wrote to memory of 2860	3060	Unconfirmed 216521.exe	31
PID 3060 wrote to memory of 2860	3060	Unconfirmed 216521.exe	31
PID 3060 wrote to memory of 2860	3060	Unconfirmed 216521.exe	31
PID 3060 wrote to memory of 2864	3060	Unconfirmed 216521.exe	32
PID 3060 wrote to memory of 2864	3060	Unconfirmed 216521.exe	32
PID 3060 wrote to memory of 2864	3060	Unconfirmed 216521.exe	32
PID 3060 wrote to memory of 2328	3060	Unconfirmed 216521.exe	33
PID 3060 wrote to memory of 2328	3060	Unconfirmed 216521.exe	33
PID 3060 wrote to memory of 2328	3060	Unconfirmed 216521.exe	33
PID 3060 wrote to memory of 2984	3060	Unconfirmed 216521.exe	34
PID 3060 wrote to memory of 2984	3060	Unconfirmed 216521.exe	34
PID 3060 wrote to memory of 2984	3060	Unconfirmed 216521.exe	34
PID 3060 wrote to memory of 2900	3060	Unconfirmed 216521.exe	35
PID 3060 wrote to memory of 2900	3060	Unconfirmed 216521.exe	35
PID 3060 wrote to memory of 2900	3060	Unconfirmed 216521.exe	35
PID 3060 wrote to memory of 2880	3060	Unconfirmed 216521.exe	36
PID 3060 wrote to memory of 2880	3060	Unconfirmed 216521.exe	36
PID 3060 wrote to memory of 2880	3060	Unconfirmed 216521.exe	36
PID 3060 wrote to memory of 2872	3060	Unconfirmed 216521.exe	37
PID 3060 wrote to memory of 2872	3060	Unconfirmed 216521.exe	37
PID 3060 wrote to memory of 2872	3060	Unconfirmed 216521.exe	37
PID 3060 wrote to memory of 2476	3060	Unconfirmed 216521.exe	38
PID 3060 wrote to memory of 2476	3060	Unconfirmed 216521.exe	38
PID 3060 wrote to memory of 2476	3060	Unconfirmed 216521.exe	38
PID 3060 wrote to memory of 2940	3060	Unconfirmed 216521.exe	39
PID 3060 wrote to memory of 2940	3060	Unconfirmed 216521.exe	39
PID 3060 wrote to memory of 2940	3060	Unconfirmed 216521.exe	39
PID 3060 wrote to memory of 2580	3060	Unconfirmed 216521.exe	40
PID 3060 wrote to memory of 2580	3060	Unconfirmed 216521.exe	40
PID 3060 wrote to memory of 2580	3060	Unconfirmed 216521.exe	40
PID 3060 wrote to memory of 2936	3060	Unconfirmed 216521.exe	41
PID 3060 wrote to memory of 2936	3060	Unconfirmed 216521.exe	41
PID 3060 wrote to memory of 2936	3060	Unconfirmed 216521.exe	41
PID 3060 wrote to memory of 2856	3060	Unconfirmed 216521.exe	42
PID 3060 wrote to memory of 2856	3060	Unconfirmed 216521.exe	42
PID 3060 wrote to memory of 2856	3060	Unconfirmed 216521.exe	42
PID 3060 wrote to memory of 2724	3060	Unconfirmed 216521.exe	43
PID 3060 wrote to memory of 2724	3060	Unconfirmed 216521.exe	43
PID 3060 wrote to memory of 2724	3060	Unconfirmed 216521.exe	43
PID 1968 wrote to memory of 1352	1968	chrome.exe	54
PID 1968 wrote to memory of 1352	1968	chrome.exe	54
PID 1968 wrote to memory of 1352	1968	chrome.exe	54
PID 1968 wrote to memory of 1692	1968	chrome.exe	55
PID 1968 wrote to memory of 1692	1968	chrome.exe	55
PID 1968 wrote to memory of 1692	1968	chrome.exe	55
PID 1968 wrote to memory of 1692	1968	chrome.exe	55
PID 1968 wrote to memory of 1692	1968	chrome.exe	55
PID 1968 wrote to memory of 1692	1968	chrome.exe	55
PID 1968 wrote to memory of 1692	1968	chrome.exe	55
PID 1968 wrote to memory of 1692	1968	chrome.exe	55
PID 1968 wrote to memory of 1692	1968	chrome.exe	55
PID 1968 wrote to memory of 1692	1968	chrome.exe	55
PID 1968 wrote to memory of 1692	1968	chrome.exe	55
PID 1968 wrote to memory of 1692	1968	chrome.exe	55
PID 1968 wrote to memory of 1692	1968	chrome.exe	55
PID 1968 wrote to memory of 1692	1968	chrome.exe	55
PID 1968 wrote to memory of 1692	1968	chrome.exe	55
PID 1968 wrote to memory of 1692	1968	chrome.exe	55

C:\Users\Admin\AppData\Local\Temp\Unconfirmed 216521.exe
"C:\Users\Admin\AppData\Local\Temp\Unconfirmed 216521.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Local\Temp\Unconfirmed 216521.exe
  "C:\Users\Admin\AppData\Local\Temp\Unconfirmed 216521.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c title N
    3⤵
    PID:2988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c title Ni
    3⤵
    PID:2860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c title Nit
    3⤵
    PID:2864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c title Nitr
    3⤵
    PID:2328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c title Nitro
    3⤵
    PID:2984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c title Nitro Ge
    3⤵
    PID:2900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c title Nitro Gen
    3⤵
    PID:2880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c title Nitro Gen
    3⤵
    PID:2872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c title Nitro Gene
    3⤵
    PID:2476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c title Nitro Gener
    3⤵
    PID:2940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c title Nitro Genera
    3⤵
    PID:2580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c title Nitro Generat
    3⤵
    PID:2936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c title Nitro Generato
    3⤵
    PID:2856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c title Nitro Generator
    3⤵
    PID:2724

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:2816

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:3008

C:\Windows\System32\control.exe
"C:\Windows\System32\control.exe" SYSTEM
1⤵
PID:1264

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:1604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6589758,0x7fef6589768,0x7fef6589778
  2⤵
  PID:1352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1152 --field-trial-handle=1132,i,1487190831540063520,3740487309874986568,131072 /prefetch:2
  2⤵
  PID:1692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1492 --field-trial-handle=1132,i,1487190831540063520,3740487309874986568,131072 /prefetch:8
  2⤵
  PID:2160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1592 --field-trial-handle=1132,i,1487190831540063520,3740487309874986568,131072 /prefetch:8
  2⤵
  PID:608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2060 --field-trial-handle=1132,i,1487190831540063520,3740487309874986568,131072 /prefetch:1
  2⤵
  PID:848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2068 --field-trial-handle=1132,i,1487190831540063520,3740487309874986568,131072 /prefetch:1
  2⤵
  PID:2500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1448 --field-trial-handle=1132,i,1487190831540063520,3740487309874986568,131072 /prefetch:2
  2⤵
  PID:2808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2836 --field-trial-handle=1132,i,1487190831540063520,3740487309874986568,131072 /prefetch:1
  2⤵
  PID:1076
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:2156
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x13f787688,0x13f787698,0x13f7876a8
    3⤵
    PID:1652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3768 --field-trial-handle=1132,i,1487190831540063520,3740487309874986568,131072 /prefetch:8
  2⤵
  PID:2140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3452 --field-trial-handle=1132,i,1487190831540063520,3740487309874986568,131072 /prefetch:1
  2⤵
  PID:3012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=664 --field-trial-handle=1132,i,1487190831540063520,3740487309874986568,131072 /prefetch:1
  2⤵
  PID:2480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=668 --field-trial-handle=1132,i,1487190831540063520,3740487309874986568,131072 /prefetch:1
  2⤵
  PID:2268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2524 --field-trial-handle=1132,i,1487190831540063520,3740487309874986568,131072 /prefetch:8
  2⤵
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2324 --field-trial-handle=1132,i,1487190831540063520,3740487309874986568,131072 /prefetch:8
  2⤵
  PID:300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3020 --field-trial-handle=1132,i,1487190831540063520,3740487309874986568,131072 /prefetch:1
  2⤵
  PID:2440

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
f3d43a508d15c150846e7c6f944f2822

SHA1
39135f483f7a17f134b95aaceb56ce066fe14989

SHA256
a8a0449d99b78fe20f3f48cb6cea401616b92b8b5396f277d92d5ac247bf1ed3

SHA512
a7cc975b73d7225141d134e7095c5807c55b9a03b9d605d4dd5acb3a90fb97c803e44e8345edb6fb3527d1b1bf2e0ee85d4fc35d7e86cc5d661075c18cab212a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
984bb495e5c777668b6294f1f2a2ae47

SHA1
58b25d378ef579b1854bbe3097f224ea50879bf7

SHA256
7e74fb68245a3d9855d526b92edde50b4ddd3747919fa5d328d98b861b43e0bb

SHA512
ca061f441ea468188bdda2d50005e612e6c129d3918c1d84c3591d0fdd3235443484d6b25e4dda7a9c69a4c40380c93bc6926024aa42285bbb00ab52c79395ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
05eb3fd137e9161baba38092ecb30cc4

SHA1
7ebeb05f31f023e557fe03b90686bf532121d1ac

SHA256
234d3b598e10fbb0b8a4235cc445d963f9fa3ea1b8f81c5e835ec3ecdbdaf15d

SHA512
a70743e76b8f74d539417cbb1334e830764bac43b54d7d60421050f43208c47b5ce0091506bc1e370964a9ced9cb4488cdb9ae2b0c72dfa5ce2da70cbeff0639

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
ecaf06e10c0148752eeaebca1a6489b9

SHA1
f8abde20f1041380708865bfc1067c866647e5e7

SHA256
d2a39fc52f3a5c70277cf7671d7317426c99906317a1cc52288d3c842c98d7b4

SHA512
e33a6440a2973d55b5565b561bcc3debabba6559e6df01ce2d6b2bb875b42fa258aa29437b8ee39dfe0edd6ba168e8173f1b946fc225fde3da09ed719fdcb275

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22042\_ctypes.pyd

Filesize
130KB

MD5
9e18aca18e4ece1c187f8c0cd12a5c8f

SHA1
a8ba36a9eea969d722a9ae90139d4d59f643f951

SHA256
3351627469ea8965b08bafc9de18d1d890479357df6bc8917f7218535e02f211

SHA512
237b0ef23d0a91014581b94f5c7696da1ab3c1c3a51f6ffe10787c65dc4f5a90d1760e4088afc9acc27bae7f159a32fa3e7a9b15daba5950751932683e9373b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22042\_hashlib.pyd

Filesize
38KB

MD5
e2f401c211fab8c5e1517764e9175616

SHA1
7497eb47b63435d60e7d1bf20b2c946335e6671e

SHA256
76fb36e23b8f6821caec61c49f90b194632e68c9c78c9eb1f2e668c1b6383a73

SHA512
1312eaa7cc46b774392ae9e588c41b104eda43703e48e5b13702e15da665c0e5cc8e21b4011141c63811cd366a0d5773ff26c40c27159b80486bc491eef450a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22042\_socket.pyd

Filesize
74KB

MD5
9f0683eb56d79d33ee3820f1d3504cc2

SHA1
0bf7a74e9040bb7ffda943ffef531520a9f419af

SHA256
39612c28eef633eef7e2e2c83a779fdda178d043d7aec0a07890e5d2a11cf4f8

SHA512
f086cc899b517ace259d27c048db5846552a7a8e57ddad4d6ea0b25b45e52282979309cea56bb56312aa83273b61f78b25b1ad6a61b6b3de33f5980c81ae6f32

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22042\_ssl.pyd

Filesize
120KB

MD5
a7fadacb8f4ff72a26f1ccbcfcdc33c1

SHA1
e73311cce41f1de6e01e13ef5745febf37fb3193

SHA256
b8232c839e99a3701657fe16f245e0afca2f269562682eb1a3468c47d07ac5cf

SHA512
a486a2c9fa2cf8a8b8c609a9f4d132c55c39dabcc1ea20455a27e23395515881c9cd396416796762777079aae6c6673dc9905bdcc92ff13d93e7e6c2a06403fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22042\base_library.zip

Filesize
760KB

MD5
d07fc3903321a9ba31ee744c34420d70

SHA1
e67f987bf2a9f039524a09d70bb99aab5a24f0f7

SHA256
0d459ddb2f1c496cd05b71e6233bc783997fed270b5023b7dad673345d363ea2

SHA512
aa7464e316e23c780cb29d89ce8845b145fc37db8f467e8a3035f5d42e6843997724936d27bf747aa46448032156fa6b043613538949e4195f4ac93abc74e518

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22042\libcrypto-1_1-x64.dll

Filesize
2.4MB

MD5
8c75bca5ea3bea4d63f52369e3694d01

SHA1
a0c0fd3d9e5688d75386094979171dbde2ce583a

SHA256
8513e629cd85a984e4a30dfe4b3b7502ab87c8bc920825c11035718cb0211ea0

SHA512
6d80d26d91b704d50ff3ad74f76d6b1afe98af3d7a18e43011dbe3809adc305b0e382c10868328eb82c9f8b4c77bca1522bdc023c7c8712057b65f6579c9dff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22042\libssl-1_1-x64.dll

Filesize
511KB

MD5
0205c08024bf4bb892b9f31d751531a0

SHA1
60875676bc6f2494f052769aa7d644ef4a28c5e5

SHA256
ebe7ffc7eb0b79e29bfc4e408ea27e9b633584dd7bc8e0b5ffc46af19263844b

SHA512
45da0c128bfb706cb0340ad40fbc691696f3483a0235faaac864dea4580b57e36aa5b4b55a60322081d2d2e2df788c550fd43c317582a9b6a2d66712df215bd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22042\nitro.exe.manifest

Filesize
1KB

MD5
4818855f73b865adac0eaf7c75c0658b

SHA1
7d3f3bb28e8157c69e5753ea722e2046792536ba

SHA256
18b99cc6c511459cd049ea7089cbf9557375ef0b13c148b2388e1e3320e09a1a

SHA512
083fd10b53b3426622072b56778338f780bf231d8f1b3e1043ca30abdbe20d4a4899ebc02a519916e0fe3493e02e13c7bd108f055fc78c37f1579745ebcc7bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22042\python37.dll

Filesize
3.6MB

MD5
d558d4db5a6bd29a8b60b8aa46e5329a

SHA1
a5036009de7165b1b4721263eae4b240ee689095

SHA256
1cfdd40a9107d89310e4e3b6df5f25f26944b312e61638d014f1b1a8050ccc07

SHA512
5590fbd6c9c81293b21e9da9d35d5177f03ba3d247771e4abef3420420d9024f3a775796d73becd5aeb469df648d3105a016693c6b8f68e8c61399212439eebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22042\select.pyd

Filesize
26KB

MD5
cf7bd630db53356c3dfd51ca8822b696

SHA1
202837642baa0d161d462039ab2441d491c6fe5f

SHA256
5ed33afc7f63de065457e0ef0852de0cc182a7111bd852e855eb9f48451b0e58

SHA512
4c32e03b670fa42f57e5e265e56e9845b719286ffecd8afcd583649fee11b803776f15ea28730925dc0c0b5510c18047ceda951fca1a716a1acc54f0dbc9e91a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22042\unicodedata.pyd

Filesize
1.0MB

MD5
d009552163b6a795e0816ea5ce4928ce

SHA1
f3640f46037735667b6eba057f89a978a3901430

SHA256
5938061557e920e925a4e9b31f950b6d25c5ff10e143fe8e1f773466810ce2a2

SHA512
5ed7513a843d2e239aae8a4ce9cbb42366d9f2a0ea5adaedd8dd8c53493594ee3b5b118f766cc04d47d3eb31ec03eeb77b0dc05851de5a585f6970830b6e8580

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI22042\VCRUNTIME140.dll

Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI22042\_bz2.pyd

Filesize
87KB

MD5
e5ba852cb53065389044fe34474a4699

SHA1
d14401c170be8f73de67cfc7ea414dfb1c878ae5

SHA256
690bfd170e038b7b369eb4e4e32621823b1050d895bae3ef538c6382cdc1b2b0

SHA512
c6db73a39c563ac8395214ba1fa9807542b228ebcf6daef9e5478ba99acfcd8dc3d4816c68c51128bb421e8ee2f4625ec24fbe1ef2d268eb01ce09c37ed27101

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI22042\_lzma.pyd

Filesize
251KB

MD5
c7bbbab8b4764c1c2bfd480dc649653c

SHA1
a5226b44fd42f39948174fab8b6ba5999104d831

SHA256
96205c0efbfbc282d3f4b76f8f2f189a409f365dbe9a9a088351a2906b18cd36

SHA512
aad92eb554af4a99647c770f8a0e988da78542df348e89b740f5f777b5acd992a896c9790598c2c9df35a4167347653e7b337ac98258b9c878c710582e7c21da

Download Submit