183160e943a1e0b38a07dc0d6fd775a32180bdee16cc5b5df90330276e95bd44

Analysis

max time kernel
599s
max time network
597s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/09/2024, 15:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nyx.exe
Size

7.5MB
MD5

34e9e2070c4b959fd5cde9aff77cd68b
SHA1

6aba2fb635ca0d6444684f015c97d1b5bce5d957
SHA256

1fdca0ed906e4cd623eef962377f59bcdce2dde3233a0a1ca306d8b5a9e9268c
SHA512

e38558b1a23872efcef6d252918f12e1732cd4b151bbc4d51b8a56bb9934f63b3d4ac9838f8c28edfb1549a89f18b128be502dfed2a537a2d1bf2695fa1ceb70
SSDEEP

98304:J35dIISLSHkNnEXSzrfZM7WcciwU6nqnlve59oI+k6k5MukqjpMxNepV:J35uaCEYrBM7Wc4hnqlGX6k5FTMW

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Nyx.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
20	raw.githubusercontent.com
14	raw.githubusercontent.com
15	raw.githubusercontent.com

Network Service Discovery 1 TTPs 8 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2324	CefSharp.BrowserSubprocess.exe
2256	CefSharp.BrowserSubprocess.exe
2248	CefSharp.BrowserSubprocess.exe
1100	CefSharp.BrowserSubprocess.exe
3544	CefSharp.BrowserSubprocess.exe
1376	CefSharp.BrowserSubprocess.exe
2332	CefSharp.BrowserSubprocess.exe
3424	CefSharp.BrowserSubprocess.exe

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	Nyx.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	Nyx.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2112_703745776\manifest.json	Nyx.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2112_703745776\_metadata\verified_contents.json	Nyx.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2112_703745776\manifest.fingerprint	Nyx.exe
File created	C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2112_703745776\privacy-sandbox-attestations.dat	Nyx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CefSharp.BrowserSubprocess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CefSharp.BrowserSubprocess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CefSharp.BrowserSubprocess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CefSharp.BrowserSubprocess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nyx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CefSharp.BrowserSubprocess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CefSharp.BrowserSubprocess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CefSharp.BrowserSubprocess.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CefSharp.BrowserSubprocess.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Nyx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Nyx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Nyx.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	Nyx.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133705434773443016"	Nyx.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2112	Nyx.exe
2112	Nyx.exe
2324	CefSharp.BrowserSubprocess.exe
2324	CefSharp.BrowserSubprocess.exe
2256	CefSharp.BrowserSubprocess.exe
2256	CefSharp.BrowserSubprocess.exe
2248	CefSharp.BrowserSubprocess.exe
2248	CefSharp.BrowserSubprocess.exe
1100	CefSharp.BrowserSubprocess.exe
1100	CefSharp.BrowserSubprocess.exe
3544	CefSharp.BrowserSubprocess.exe
3544	CefSharp.BrowserSubprocess.exe
1376	CefSharp.BrowserSubprocess.exe
1376	CefSharp.BrowserSubprocess.exe
2332	CefSharp.BrowserSubprocess.exe
2332	CefSharp.BrowserSubprocess.exe
2332	CefSharp.BrowserSubprocess.exe
2332	CefSharp.BrowserSubprocess.exe
3424	CefSharp.BrowserSubprocess.exe
3424	CefSharp.BrowserSubprocess.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2112	Nyx.exe
Token: SeDebugPrivilege	2324	CefSharp.BrowserSubprocess.exe
Token: SeDebugPrivilege	2256	CefSharp.BrowserSubprocess.exe
Token: SeDebugPrivilege	2248	CefSharp.BrowserSubprocess.exe
Token: SeDebugPrivilege	1100	CefSharp.BrowserSubprocess.exe
Token: SeShutdownPrivilege	2112	Nyx.exe
Token: SeCreatePagefilePrivilege	2112	Nyx.exe
Token: SeShutdownPrivilege	2112	Nyx.exe
Token: SeCreatePagefilePrivilege	2112	Nyx.exe
Token: SeShutdownPrivilege	2112	Nyx.exe
Token: SeCreatePagefilePrivilege	2112	Nyx.exe
Token: SeShutdownPrivilege	2112	Nyx.exe
Token: SeCreatePagefilePrivilege	2112	Nyx.exe
Token: SeDebugPrivilege	3544	CefSharp.BrowserSubprocess.exe
Token: SeShutdownPrivilege	2112	Nyx.exe
Token: SeCreatePagefilePrivilege	2112	Nyx.exe
Token: SeShutdownPrivilege	2112	Nyx.exe
Token: SeCreatePagefilePrivilege	2112	Nyx.exe
Token: SeShutdownPrivilege	2112	Nyx.exe
Token: SeCreatePagefilePrivilege	2112	Nyx.exe
Token: SeDebugPrivilege	1376	CefSharp.BrowserSubprocess.exe
Token: SeShutdownPrivilege	2112	Nyx.exe
Token: SeCreatePagefilePrivilege	2112	Nyx.exe
Token: SeShutdownPrivilege	2112	Nyx.exe
Token: SeCreatePagefilePrivilege	2112	Nyx.exe
Token: SeShutdownPrivilege	2112	Nyx.exe
Token: SeCreatePagefilePrivilege	2112	Nyx.exe
Token: SeShutdownPrivilege	2112	Nyx.exe
Token: SeCreatePagefilePrivilege	2112	Nyx.exe
Token: SeShutdownPrivilege	2112	Nyx.exe
Token: SeCreatePagefilePrivilege	2112	Nyx.exe
Token: SeShutdownPrivilege	2112	Nyx.exe
Token: SeCreatePagefilePrivilege	2112	Nyx.exe
Token: SeShutdownPrivilege	2112	Nyx.exe
Token: SeCreatePagefilePrivilege	2112	Nyx.exe
Token: SeShutdownPrivilege	2112	Nyx.exe
Token: SeCreatePagefilePrivilege	2112	Nyx.exe
Token: SeShutdownPrivilege	2112	Nyx.exe
Token: SeCreatePagefilePrivilege	2112	Nyx.exe
Token: SeShutdownPrivilege	2112	Nyx.exe
Token: SeCreatePagefilePrivilege	2112	Nyx.exe
Token: SeShutdownPrivilege	2112	Nyx.exe
Token: SeCreatePagefilePrivilege	2112	Nyx.exe
Token: SeShutdownPrivilege	2112	Nyx.exe
Token: SeCreatePagefilePrivilege	2112	Nyx.exe
Token: SeShutdownPrivilege	2112	Nyx.exe
Token: SeCreatePagefilePrivilege	2112	Nyx.exe
Token: SeShutdownPrivilege	2112	Nyx.exe
Token: SeCreatePagefilePrivilege	2112	Nyx.exe
Token: SeShutdownPrivilege	2112	Nyx.exe
Token: SeCreatePagefilePrivilege	2112	Nyx.exe
Token: SeShutdownPrivilege	2112	Nyx.exe
Token: SeCreatePagefilePrivilege	2112	Nyx.exe
Token: SeShutdownPrivilege	2112	Nyx.exe
Token: SeCreatePagefilePrivilege	2112	Nyx.exe
Token: SeShutdownPrivilege	2112	Nyx.exe
Token: SeCreatePagefilePrivilege	2112	Nyx.exe
Token: SeShutdownPrivilege	2112	Nyx.exe
Token: SeCreatePagefilePrivilege	2112	Nyx.exe
Token: SeShutdownPrivilege	2112	Nyx.exe
Token: SeCreatePagefilePrivilege	2112	Nyx.exe
Token: SeShutdownPrivilege	2112	Nyx.exe
Token: SeCreatePagefilePrivilege	2112	Nyx.exe
Token: SeShutdownPrivilege	2112	Nyx.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2324	2112	Nyx.exe	89
PID 2112 wrote to memory of 2324	2112	Nyx.exe	89
PID 2112 wrote to memory of 2324	2112	Nyx.exe	89
PID 2112 wrote to memory of 2248	2112	Nyx.exe	90
PID 2112 wrote to memory of 2248	2112	Nyx.exe	90
PID 2112 wrote to memory of 2248	2112	Nyx.exe	90
PID 2112 wrote to memory of 2256	2112	Nyx.exe	91
PID 2112 wrote to memory of 2256	2112	Nyx.exe	91
PID 2112 wrote to memory of 2256	2112	Nyx.exe	91
PID 2112 wrote to memory of 3544	2112	Nyx.exe	92
PID 2112 wrote to memory of 3544	2112	Nyx.exe	92
PID 2112 wrote to memory of 3544	2112	Nyx.exe	92
PID 2112 wrote to memory of 1100	2112	Nyx.exe	93
PID 2112 wrote to memory of 1100	2112	Nyx.exe	93
PID 2112 wrote to memory of 1100	2112	Nyx.exe	93
PID 2112 wrote to memory of 1376	2112	Nyx.exe	96
PID 2112 wrote to memory of 1376	2112	Nyx.exe	96
PID 2112 wrote to memory of 1376	2112	Nyx.exe	96
PID 2112 wrote to memory of 2332	2112	Nyx.exe	104
PID 2112 wrote to memory of 2332	2112	Nyx.exe	104
PID 2112 wrote to memory of 2332	2112	Nyx.exe	104
PID 2112 wrote to memory of 3424	2112	Nyx.exe	109
PID 2112 wrote to memory of 3424	2112	Nyx.exe	109
PID 2112 wrote to memory of 3424	2112	Nyx.exe	109

C:\Users\Admin\AppData\Local\Temp\Nyx.exe
"C:\Users\Admin\AppData\Local\Temp\Nyx.exe"
1⤵
- Checks computer location settings
- Checks system information in the registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\lib\resources\cefsharp\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\AppData\Local\Temp\lib\resources\cefsharp\CefSharp.BrowserSubprocess.exe" --type=gpu-process --no-sandbox --enable-chrome-runtime --user-data-dir="C:\Users\Admin\AppData\Local\Temp\CefSharpCache" --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\lib\resources\cefsharp\locales" --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\lib\resources\cefsharp" --cefsharpexitsub --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3444,i,13739197792604188087,5021537894133627322,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=3560 --mojo-platform-channel-handle=3532 /prefetch:2 --host-process-id=2112
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2324
- C:\Users\Admin\AppData\Local\Temp\lib\resources\cefsharp\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\AppData\Local\Temp\lib\resources\cefsharp\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --enable-chrome-runtime --user-data-dir="C:\Users\Admin\AppData\Local\Temp\CefSharpCache" --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\lib\resources\cefsharp\locales" --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\lib\resources\cefsharp" --cefsharpexitsub --field-trial-handle=3656,i,13739197792604188087,5021537894133627322,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=3668 --mojo-platform-channel-handle=3664 /prefetch:3 --host-process-id=2112
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2248
- C:\Users\Admin\AppData\Local\Temp\lib\resources\cefsharp\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\AppData\Local\Temp\lib\resources\cefsharp\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --enable-chrome-runtime --user-data-dir="C:\Users\Admin\AppData\Local\Temp\CefSharpCache" --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\lib\resources\cefsharp\locales" --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\lib\resources\cefsharp" --cefsharpexitsub --field-trial-handle=3712,i,13739197792604188087,5021537894133627322,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=3760 --mojo-platform-channel-handle=3756 /prefetch:8 --host-process-id=2112
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2256
- C:\Users\Admin\AppData\Local\Temp\lib\resources\cefsharp\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\AppData\Local\Temp\lib\resources\cefsharp\CefSharp.BrowserSubprocess.exe" --type=renderer --enable-chrome-runtime --user-data-dir="C:\Users\Admin\AppData\Local\Temp\CefSharpCache" --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\lib\resources\cefsharp\locales" --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\lib\resources\cefsharp" --cefsharpexitsub --no-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=5096,i,13739197792604188087,5021537894133627322,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=5168 --mojo-platform-channel-handle=5164 --host-process-id=2112 /prefetch:1
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3544
- C:\Users\Admin\AppData\Local\Temp\lib\resources\cefsharp\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\AppData\Local\Temp\lib\resources\cefsharp\CefSharp.BrowserSubprocess.exe" --type=renderer --enable-chrome-runtime --user-data-dir="C:\Users\Admin\AppData\Local\Temp\CefSharpCache" --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\lib\resources\cefsharp\locales" --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\lib\resources\cefsharp" --cefsharpexitsub --no-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=5128,i,13739197792604188087,5021537894133627322,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=5188 --mojo-platform-channel-handle=5180 --host-process-id=2112 /prefetch:1
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1100
- C:\Users\Admin\AppData\Local\Temp\lib\resources\cefsharp\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\AppData\Local\Temp\lib\resources\cefsharp\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-sandbox --enable-chrome-runtime --user-data-dir="C:\Users\Admin\AppData\Local\Temp\CefSharpCache" --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\lib\resources\cefsharp\locales" --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\lib\resources\cefsharp" --cefsharpexitsub --field-trial-handle=5964,i,13739197792604188087,5021537894133627322,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=6012 --mojo-platform-channel-handle=6008 /prefetch:8 --host-process-id=2112
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1376
- C:\Users\Admin\AppData\Local\Temp\lib\resources\cefsharp\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\AppData\Local\Temp\lib\resources\cefsharp\CefSharp.BrowserSubprocess.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-sandbox --enable-chrome-runtime --user-data-dir="C:\Users\Admin\AppData\Local\Temp\CefSharpCache" --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\lib\resources\cefsharp\locales" --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\lib\resources\cefsharp" --cefsharpexitsub --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=6164,i,13739197792604188087,5021537894133627322,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=2624 --mojo-platform-channel-handle=6096 /prefetch:8 --host-process-id=2112
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2332
- C:\Users\Admin\AppData\Local\Temp\lib\resources\cefsharp\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\AppData\Local\Temp\lib\resources\cefsharp\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-sandbox --enable-chrome-runtime --user-data-dir="C:\Users\Admin\AppData\Local\Temp\CefSharpCache" --locales-dir-path="C:\Users\Admin\AppData\Local\Temp\lib\resources\cefsharp\locales" --resources-dir-path="C:\Users\Admin\AppData\Local\Temp\lib\resources\cefsharp" --cefsharpexitsub --field-trial-handle=5744,i,13739197792604188087,5021537894133627322,262144 --disable-features=EnableHangWatcher --variations-seed-version --enable-logging=handle --log-file=5824 --mojo-platform-channel-handle=5800 /prefetch:8 --host-process-id=2112
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2112_703745776\manifest.fingerprint

Filesize
66B

MD5
97ea051b1c123c2e5831a46516a17313

SHA1
0669c39061ea4d0099e32f7bea278f24fdc3e063

SHA256
3415a43b382d6b4f75b383111950c7444be870b8bf06a9cc0e9fe6e64e609aa0

SHA512
24242c3e1061c188254abeb5b3ca4bf1d6d84810633b5073f0c9977e68035bef55645227717df2f187e5951894e514d24968fab9e333ddd2869ad32c474e537b

Download Submit
C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping2112_703745776\manifest.json

Filesize
97B

MD5
17f0e325ec97d35da53fe1aa431dba47

SHA1
0d615c84d0fb53440deb5745e90b7e55026675f6

SHA256
a7c07ace7eb11b1cef0bc17d5fbc7b5cf46f8f4d0efa4fd46cfe7f18670dfcb5

SHA512
655722862b21e3bd00ee663d8604eeda511074e7c58d397397f1397299328ac0e37eaabbe78ef943c12459a3c7a12fbd712d7c667e31622771ab51a64caade24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CefSharp.BrowserSubprocess.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CefSharpCache\Default\DawnWebGPUCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\CefSharpCache\Default\Extension Rules\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CefSharpCache\Default\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CefSharpCache\Default\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\CefSharpCache\Default\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CefSharpCache\Default\Network\0fe7da6e-5442-4112-be34-85cc9cc01704.tmp

Filesize
846B

MD5
c289504842cb0205a94e9a86a0e65334

SHA1
a2be303cc24df352faf2ad91766deaeed67d5751

SHA256
6dbacb08e22aea12ac1daa37bec2ebd7644f655052ad4379295bf1a18f2f4f7c

SHA512
5eed799aba31f75aa9a0c52d0dbd60bf17d4098fcb941cbde788d0fde70f2dcdef356daae7bf0456be98ab345bfe9b20326590af2ae1058b07aef88b639b41bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CefSharpCache\Default\Network\Network Persistent State

Filesize
846B

MD5
703a1ce4ca117b9a278c073f72555327

SHA1
7fa50542dda260d1424bf931d7e655fb134feb53

SHA256
fce9764391bf09c0716ea0cd803c183b620d9fd3886d03ddbd16e4372e0cbf60

SHA512
eb0c5dcab074de2586aa673639ac1fb1d7edc5dcf40af93cc600637ebd3c6e43b8f621adac4c13011722e227fe0031b17b49cd1f80c92e480f684f489953f1da

Download Submit
C:\Users\Admin\AppData\Local\Temp\CefSharpCache\Default\Network\Network Persistent State

Filesize
878B

MD5
3228505aa58b28296ef6d8e70a5cb48d

SHA1
a25c4f9e2a71acdda5ccadd57a48731634cef7fe

SHA256
aabdfd066ea76c584fe679a4edd2766f9b593f63670f5a354e7572e545fcaa97

SHA512
d1e9f04ce3b5a270bceeb2d8637232757e72970355c3439c4dd779a179c7cdb6061af296d6ef01a44c6e95de36f96784bd5766f0f822e461413f244ff8861d75

Download Submit
C:\Users\Admin\AppData\Local\Temp\CefSharpCache\Default\Network\Network Persistent State

Filesize
878B

MD5
8327cd0b85607aae398101fe044813f1

SHA1
009dc376d5e55bb7f3a0e4de15d71d9b8f12269d

SHA256
936a9e3cd23362014cc8e841004c8157333a7a6dc76c324697f7c470b2fac0a0

SHA512
6bdae68cc5a3bf2dac782be5552b41964f72bf44fc7593f5ee8eef77ea5d97402079803846a1cc8ba4e77e7efc7fabc9773cf753f13838f9e93a1ecb7ab29752

Download Submit
C:\Users\Admin\AppData\Local\Temp\CefSharpCache\Default\Network\Network Persistent State

Filesize
878B

MD5
9c4deec7bfb2ff94ea1db279918551b4

SHA1
6fb4fb3c8d07259d6841b3100738e1f94a03619f

SHA256
7ca04f348f9c10358ec6bbcd666b6d516ec68dd012b03050400fa1bf918c7f90

SHA512
13b3cd9f25831b110e6ad3e0b2d3d5dde41c95771b884c6921bab9cc57476488d8d81b8996bdbf4c20184953731268d2e5f6385278f6034915b6f3f27c31451b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CefSharpCache\Default\Network\Network Persistent State

Filesize
878B

MD5
cff1c8c070c00db021526528e52c04b4

SHA1
81f2e13699ebc8b656ca9d136459b725874db519

SHA256
d775b0971498fb995962c8ccd7c9cf41dae4d16361d576d62cb0c7113264f9ab

SHA512
c1c3d665f9c61198f9dd90ea5ca723b8f0f5c82844339deef9990b015d7077adcbf117d8e482fc04f0e5b86ddce2e81bc7982a7d659761611be18ce07db1f7e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CefSharpCache\Default\Network\Network Persistent State~RFe58b87d.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CefSharpCache\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Temp\CefSharpCache\Default\Network\TransportSecurity

Filesize
355B

MD5
264350696fe9ce61efa82ce5f667139c

SHA1
e4b7465c0ec22a84a30f420431d965ff4d459100

SHA256
da6b77e5655fe0eff4e598e8fa640aaf73f4b6b55e14716e352c28dfe4b8a099

SHA512
201d91db9f8239e336f65572b40e298fd0c89032e7b177b4b35182cefce846da9ba9a35f4565833b9e384ed2d47c3558f1816f76bf6b449bf5d1fba27245bfa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CefSharpCache\Default\Network\TransportSecurity

Filesize
355B

MD5
10706a0c278bf495cd489749fe3a2979

SHA1
c1aa8c582b1e2be43bb30bce7598fd6e30281a13

SHA256
0367d65124ba9c4efbb7b024afef4127512c6d415d6273b64a83e502f14e2534

SHA512
79b50149a3d14be306f895ef1b588cb95d927dbf7c3212c72bd778c098031c50cfc2a612eaee8c5862aeb578caa0ab4844e55d5b1a7438922e09eea518d6c72a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CefSharpCache\Default\Network\TransportSecurity

Filesize
355B

MD5
09cbe32599664f21b5f941240c8219d8

SHA1
201242596bd5edbb22e5b27e781a30b3ecd01ae1

SHA256
acefa6719ddc55e9ebee5cd015243d2dd167568e86906d2f1f33cff1f8c9cad2

SHA512
e2364a26afe49e7d494191378bdd6642f3d8d11f826e7d253aac7e52e7ca8b5e9caa4a9225b49b111f3ee47f72d507ae04802023c86d3423cb781eab7952750f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CefSharpCache\Default\Network\TransportSecurity~RFe58cb0b.TMP

Filesize
355B

MD5
01b6825c8dfb9dc5bdfc84ee99ae3894

SHA1
b373bfc66b1fce49c752347b91183df91c79c130

SHA256
f64c41adc3f299d7536e229e31404a4e53513c694962a5fbc6fb3551262c80e3

SHA512
00f65e857dd50b680099c43db5ad9026fbc9142603b65dfb3f07de733941b5a1760e3bde8a77823b11d33e99730db6d8177926195def30d535e2db51041f1191

Download Submit
C:\Users\Admin\AppData\Local\Temp\CefSharpCache\Default\Preferences

Filesize
6KB

MD5
c9f7bc3b17420a7d7c6aabd9b881bbcd

SHA1
aeae38038ac25b33b99aedd34e12825e54a377e6

SHA256
0e1348f2f35fdf7a06e21c65eb775dbbb36e32fe3a763f1b7d00d756602c82c4

SHA512
e33b144439103d93e8694e302543276026f8b5062ef6456a347c73216e48da2f57f695af953d38910b2b05dca223e217c430fcbc54d3c5ed20d9d637d66bc525

Download Submit
C:\Users\Admin\AppData\Local\Temp\CefSharpCache\Default\Preferences~RFe583e3d.TMP

Filesize
6KB

MD5
594648049867ccedef5669c3d57cffa9

SHA1
dbb255513b46c8883b8e40c8359bf736ba261b48

SHA256
343163ff0d05f2eddc53edc3861811ac45a7c90a1817b09cb9cbccefd1a9a3ee

SHA512
da624143618258dd796dfe5374fe6e7775499c4ebf561cf09ff1191391fdaefd6e6bec4fd5851b5074cc9f5536447e4c205cceadbd386a2f77acb0389c7a91f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CefSharpCache\Default\Site Characteristics Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\CefSharpCache\Local State

Filesize
5KB

MD5
262c40c72e3c6abfa594048e394db54f

SHA1
c180812da491133e13f08700c5b7cfdd93a63913

SHA256
99949168869c2b33d297310590966673c9101e7ab4269b2e7a5c3aeb09663d3d

SHA512
1347b32d161a1802beb9b8631980338f073c60101b7f372322bf506d3e83f557a33fba13bbdcb0c3e34b3dc65b785f793ead3c8c6188d899afe7b8f020b0b393

Download Submit
C:\Users\Admin\AppData\Local\Temp\CefSharpCache\Local State

Filesize
1KB

MD5
e9b9fce2aa53f36d41fee0bbee260e4f

SHA1
e588086ca567c19adbc31b8211469046f364cea1

SHA256
50e3cba0489fca667c657d92736f8ad39df33ef030147e5f81f395936e9beec7

SHA512
1e4300edc5fd8b26f47437ec63102588d314870f230b99891254445c92292869073c19b22ddaf58b37ab9f4850e98bdd2e1780780a599673debbb9024c059073

Download Submit
C:\Users\Admin\AppData\Local\Temp\CefSharpCache\Local State

Filesize
2KB

MD5
9031f773855dff6cfb31af0d4d13818e

SHA1
0604957f7f2fc73f015ed74bc3ce88c6348f1f90

SHA256
6e164dc5dd3bbe894a6268fd9f8b5c1b588651c2f1e4d086e7ccbd0e2947514f

SHA512
e6cd2bee2477efd9c22544abb1490b0a105b5ee7ebf7b89a513a501f26e289b69f0ed354bd19b461668842e9c16ee01acf67f230066428c9f35cbb1d55179b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\CefSharpCache\Local State~RFe57a19f.TMP

Filesize
889B

MD5
22e652e4b0ee672049f8c4eff5570ed3

SHA1
5e655735481c1b9522ac758264f52ddc329da077

SHA256
8091e81e76ad0a497b2956ed322b1aa44d3f01ce6a55d13024d8fc13cdd7a9ad

SHA512
d9556b5c8d69b1e5c3e85469242330f57eb7d4c25d2ec3441e0494114920b1b54f1b546d4ee6b7d3951bb0361aefe70df91960247a46a08de531ee94e227b530

Download Submit
C:\Users\Admin\AppData\Local\Temp\CefSharpCache\PrivacySandboxAttestationsPreloaded\2024.8.23.1\privacy-sandbox-attestations.dat

Filesize
7KB

MD5
0a213e2cec0c432427311ad81a43066c

SHA1
98e0423ad20d04e4f597dc7057330480ccfd6bf4

SHA256
66d29ce2059cadcb876aa347bbc9826851dbfe23d0950910636637002406ce10

SHA512
0515108f30242ee8b358e301ca4a4a1b9d62f3da0f7945e40cde191038e572baa43503d2da5a200a1b6890448c48037995a1f872a53d1558d383180fe6f3d1b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\lib\resources\cefsharp\debug.log

Filesize
440B

MD5
4c5e3d4855591c986843c923efb109d0

SHA1
7c2cad35026c924d968a316e8cf1b63381689edd

SHA256
5a937de7c52f460e818d1566d646265133a427236d0a8b72589df0389131f605

SHA512
51ff47dc8fa612080f352ebca64e333f9e73469651181a69880fd5695db6a397c8e1a0f769c5afabc9cf64ae54e8e5a62c1dd366486cc7b7f332b6b3511ad6c3

Download Submit
memory/2112-8-0x000000000C7D0000-0x000000000C862000-memory.dmp

Filesize
584KB

Download
memory/2112-5-0x000000000AB00000-0x000000000AB08000-memory.dmp

Filesize
32KB

Download
memory/2112-1-0x00000000002F0000-0x0000000000A6E000-memory.dmp

Filesize
7.5MB

Download
memory/2112-2-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/2112-0-0x000000007448E000-0x000000007448F000-memory.dmp

Filesize
4KB

Download
memory/2112-12-0x000000000DDC0000-0x000000000DF1C000-memory.dmp

Filesize
1.4MB

Download
memory/2112-11-0x000000000C870000-0x000000000C95C000-memory.dmp

Filesize
944KB

Download
memory/2112-10-0x000000000C540000-0x000000000C564000-memory.dmp

Filesize
144KB

Download
memory/2112-3-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/2112-4-0x0000000005E60000-0x0000000006404000-memory.dmp

Filesize
5.6MB

Download
memory/2112-142-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/2112-141-0x000000007448E000-0x000000007448F000-memory.dmp

Filesize
4KB

Download
memory/2112-6-0x000000000B110000-0x000000000B148000-memory.dmp

Filesize
224KB

Download
memory/2112-7-0x000000000ABC0000-0x000000000ABCE000-memory.dmp

Filesize
56KB

Download
memory/2112-9-0x000000000C4F0000-0x000000000C53A000-memory.dmp

Filesize
296KB

Download
memory/2112-143-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/2324-30-0x0000000000450000-0x0000000000458000-memory.dmp

Filesize
32KB

Download
memory/2324-67-0x0000000004C00000-0x0000000004CEB000-memory.dmp

Filesize
940KB

Download
memory/2324-73-0x0000000004DE0000-0x0000000004E2A000-memory.dmp

Filesize
296KB

Download
memory/2332-229-0x0000000008F00000-0x0000000008F01000-memory.dmp

Filesize
4KB

Download
memory/2332-231-0x0000000008F00000-0x0000000008F01000-memory.dmp

Filesize
4KB

Download
memory/2332-233-0x0000000008F00000-0x0000000008F01000-memory.dmp

Filesize
4KB

Download
memory/2332-232-0x0000000008F00000-0x0000000008F01000-memory.dmp

Filesize
4KB

Download
memory/2332-230-0x0000000008F00000-0x0000000008F01000-memory.dmp

Filesize
4KB

Download
memory/2332-234-0x0000000008F00000-0x0000000008F01000-memory.dmp

Filesize
4KB

Download
memory/2332-223-0x0000000008F00000-0x0000000008F01000-memory.dmp

Filesize
4KB

Download
memory/2332-224-0x0000000008F00000-0x0000000008F01000-memory.dmp

Filesize
4KB

Download
memory/2332-228-0x0000000008F00000-0x0000000008F01000-memory.dmp

Filesize
4KB

Download
memory/2332-222-0x0000000008F00000-0x0000000008F01000-memory.dmp

Filesize
4KB

Download