e8ab071dc8183f18de7bb1362b31e173550eeb0c4635ad679050353d18d90a9b

Analysis

max time kernel
120s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8ab071dc8183f18de7bb1362b31e173550eeb0c4635ad679050353d18d90a9bN.exe
Size

2.5MB
MD5

3fbcb20da1f41b354cdc4926bdbf6ee0
SHA1

3f7518642e0f6345cfcd9d976ad3c4d5bf16d65e
SHA256

e8ab071dc8183f18de7bb1362b31e173550eeb0c4635ad679050353d18d90a9b
SHA512

18294698914780c5bc998cd2e8075b480cb60c6d15789ca5b7c0f7901583090ec9db6827eeb4dbc70cddad192b941872749c87b069d65caa7113cc718007e560
SSDEEP

49152:E2IRVeS7o0Z9D4rQsDXDG/yTXTXqJQ1HvAsWtL:E2U8rrXDG/ZJQ8

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	e8ab071dc8183f18de7bb1362b31e173550eeb0c4635ad679050353d18d90a9bN.exe

Loads dropped DLL 2 IoCs

pid	Process
3980	e8ab071dc8183f18de7bb1362b31e173550eeb0c4635ad679050353d18d90a9bN.exe
1336	RunDll32.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RunDll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e8ab071dc8183f18de7bb1362b31e173550eeb0c4635ad679050353d18d90a9bN.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\SearchScopes\{9AD09901-06DD-4DDD-A62D-6D2243B771AB}	e8ab071dc8183f18de7bb1362b31e173550eeb0c4635ad679050353d18d90a9bN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9AD09901-06DD-4DDD-A62D-6D2243B771AB}\URL = "http://start.myplaycity.com/results.php?category=web&s={searchTerms}"	e8ab071dc8183f18de7bb1362b31e173550eeb0c4635ad679050353d18d90a9bN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9AD09901-06DD-4DDD-A62D-6D2243B771AB}\FaviconURLFallback = "http://myplaycity.com/favicon.ico"	e8ab071dc8183f18de7bb1362b31e173550eeb0c4635ad679050353d18d90a9bN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9AD09901-06DD-4DDD-A62D-6D2243B771AB}\FaviconURL = "http://myplaycity.com/favicon.ico"	e8ab071dc8183f18de7bb1362b31e173550eeb0c4635ad679050353d18d90a9bN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9AD09901-06DD-4DDD-A62D-6D2243B771AB}\SuggestionsURLFallback = "http://start.myplaycity.com/results.php?category=web&s={searchTerms}"	e8ab071dc8183f18de7bb1362b31e173550eeb0c4635ad679050353d18d90a9bN.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9AD09901-06DD-4DDD-A62D-6D2243B771AB}\Deleted = "0"	e8ab071dc8183f18de7bb1362b31e173550eeb0c4635ad679050353d18d90a9bN.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\SearchScopes\	e8ab071dc8183f18de7bb1362b31e173550eeb0c4635ad679050353d18d90a9bN.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main	e8ab071dc8183f18de7bb1362b31e173550eeb0c4635ad679050353d18d90a9bN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9AD09901-06DD-4DDD-A62D-6D2243B771AB}\DisplayName = "MyPlayCity"	e8ab071dc8183f18de7bb1362b31e173550eeb0c4635ad679050353d18d90a9bN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{9AD09901-06DD-4DDD-A62D-6D2243B771AB}"	e8ab071dc8183f18de7bb1362b31e173550eeb0c4635ad679050353d18d90a9bN.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://start.myplaycity.com/"	e8ab071dc8183f18de7bb1362b31e173550eeb0c4635ad679050353d18d90a9bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://start.myplaycity.com/"	e8ab071dc8183f18de7bb1362b31e173550eeb0c4635ad679050353d18d90a9bN.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133729145607655998"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3820	chrome.exe
3820	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe
Token: SeShutdownPrivilege	3820	chrome.exe
Token: SeCreatePagefilePrivilege	3820	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe
3820	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3980 wrote to memory of 3820	3980	e8ab071dc8183f18de7bb1362b31e173550eeb0c4635ad679050353d18d90a9bN.exe	86
PID 3980 wrote to memory of 3820	3980	e8ab071dc8183f18de7bb1362b31e173550eeb0c4635ad679050353d18d90a9bN.exe	86
PID 3820 wrote to memory of 3576	3820	chrome.exe	87
PID 3820 wrote to memory of 3576	3820	chrome.exe	87
PID 3820 wrote to memory of 1828	3820	chrome.exe	88
PID 3820 wrote to memory of 1828	3820	chrome.exe	88
PID 3820 wrote to memory of 1828	3820	chrome.exe	88
PID 3820 wrote to memory of 1828	3820	chrome.exe	88
PID 3820 wrote to memory of 1828	3820	chrome.exe	88
PID 3820 wrote to memory of 1828	3820	chrome.exe	88
PID 3820 wrote to memory of 1828	3820	chrome.exe	88
PID 3820 wrote to memory of 1828	3820	chrome.exe	88
PID 3820 wrote to memory of 1828	3820	chrome.exe	88
PID 3820 wrote to memory of 1828	3820	chrome.exe	88
PID 3820 wrote to memory of 1828	3820	chrome.exe	88
PID 3820 wrote to memory of 1828	3820	chrome.exe	88
PID 3820 wrote to memory of 1828	3820	chrome.exe	88
PID 3820 wrote to memory of 1828	3820	chrome.exe	88
PID 3820 wrote to memory of 1828	3820	chrome.exe	88
PID 3820 wrote to memory of 1828	3820	chrome.exe	88
PID 3820 wrote to memory of 1828	3820	chrome.exe	88
PID 3820 wrote to memory of 1828	3820	chrome.exe	88
PID 3820 wrote to memory of 1828	3820	chrome.exe	88
PID 3820 wrote to memory of 1828	3820	chrome.exe	88
PID 3820 wrote to memory of 1828	3820	chrome.exe	88
PID 3820 wrote to memory of 1828	3820	chrome.exe	88
PID 3820 wrote to memory of 1828	3820	chrome.exe	88
PID 3820 wrote to memory of 1828	3820	chrome.exe	88
PID 3820 wrote to memory of 1828	3820	chrome.exe	88
PID 3820 wrote to memory of 1828	3820	chrome.exe	88
PID 3820 wrote to memory of 1828	3820	chrome.exe	88
PID 3820 wrote to memory of 1828	3820	chrome.exe	88
PID 3820 wrote to memory of 1828	3820	chrome.exe	88
PID 3820 wrote to memory of 1828	3820	chrome.exe	88
PID 3820 wrote to memory of 3988	3820	chrome.exe	89
PID 3820 wrote to memory of 3988	3820	chrome.exe	89
PID 3820 wrote to memory of 1552	3820	chrome.exe	90
PID 3820 wrote to memory of 1552	3820	chrome.exe	90
PID 3820 wrote to memory of 1552	3820	chrome.exe	90
PID 3820 wrote to memory of 1552	3820	chrome.exe	90
PID 3820 wrote to memory of 1552	3820	chrome.exe	90
PID 3820 wrote to memory of 1552	3820	chrome.exe	90
PID 3820 wrote to memory of 1552	3820	chrome.exe	90
PID 3820 wrote to memory of 1552	3820	chrome.exe	90
PID 3820 wrote to memory of 1552	3820	chrome.exe	90
PID 3820 wrote to memory of 1552	3820	chrome.exe	90
PID 3820 wrote to memory of 1552	3820	chrome.exe	90
PID 3820 wrote to memory of 1552	3820	chrome.exe	90
PID 3820 wrote to memory of 1552	3820	chrome.exe	90
PID 3820 wrote to memory of 1552	3820	chrome.exe	90
PID 3820 wrote to memory of 1552	3820	chrome.exe	90
PID 3820 wrote to memory of 1552	3820	chrome.exe	90
PID 3820 wrote to memory of 1552	3820	chrome.exe	90
PID 3820 wrote to memory of 1552	3820	chrome.exe	90
PID 3820 wrote to memory of 1552	3820	chrome.exe	90
PID 3820 wrote to memory of 1552	3820	chrome.exe	90
PID 3820 wrote to memory of 1552	3820	chrome.exe	90
PID 3820 wrote to memory of 1552	3820	chrome.exe	90
PID 3820 wrote to memory of 1552	3820	chrome.exe	90
PID 3820 wrote to memory of 1552	3820	chrome.exe	90
PID 3820 wrote to memory of 1552	3820	chrome.exe	90
PID 3820 wrote to memory of 1552	3820	chrome.exe	90
PID 3820 wrote to memory of 1552	3820	chrome.exe	90
PID 3820 wrote to memory of 1552	3820	chrome.exe	90

C:\Users\Admin\AppData\Local\Temp\e8ab071dc8183f18de7bb1362b31e173550eeb0c4635ad679050353d18d90a9bN.exe
"C:\Users\Admin\AppData\Local\Temp\e8ab071dc8183f18de7bb1362b31e173550eeb0c4635ad679050353d18d90a9bN.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of WriteProcessMemory
PID:3980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --install-from-webstore=gjmohbdbnfkkjolmdfbhhdfjgjclomkd
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3820
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff927b0cc40,0x7ff927b0cc4c,0x7ff927b0cc58
    3⤵
    PID:3576
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1884,i,2896370856862135800,5489728140566230152,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1876 /prefetch:2
    3⤵
    PID:1828
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2144,i,2896370856862135800,5489728140566230152,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2156 /prefetch:3
    3⤵
    PID:3988
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,2896370856862135800,5489728140566230152,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2456 /prefetch:8
    3⤵
    PID:1552
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,2896370856862135800,5489728140566230152,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3132 /prefetch:1
    3⤵
    PID:3260
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3252,i,2896370856862135800,5489728140566230152,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3264 /prefetch:1
    3⤵
    PID:4068
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3744,i,2896370856862135800,5489728140566230152,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4536 /prefetch:1
    3⤵
    PID:3324
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4732,i,2896370856862135800,5489728140566230152,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4752 /prefetch:8
    3⤵
    PID:1408
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4696,i,2896370856862135800,5489728140566230152,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4768 /prefetch:8
    3⤵
    PID:4388
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4692,i,2896370856862135800,5489728140566230152,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4528 /prefetch:8
    3⤵
    PID:3156
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4744,i,2896370856862135800,5489728140566230152,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5072 /prefetch:8
    3⤵
    PID:1664
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5184,i,2896370856862135800,5489728140566230152,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4720 /prefetch:8
    3⤵
    PID:904
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5152,i,2896370856862135800,5489728140566230152,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5140 /prefetch:8
    3⤵
    PID:4792
- C:\Windows\SysWOW64\RunDll32.exe
  RunDll32.exe "C:\Users\Admin\AppData\Local\Temp\emeraldtear_setup_files\OCSetupHlp.dll",_RHPID442RHEng2@16 3980,BBF5AF2DA843461C89EC2F8CD9290B50,4C45D0A47B8046A5BB5E9834F78B7D13,2FF754B3A0BD4BDAA3723AF69780872E
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1336

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
6d25e0e3de70b7f3bb8b5614029b2239

SHA1
0e374070eb41a2001a94c981674670d6f0f42d5e

SHA256
8d8b22673438ea0004f91ea40c7d20e1609154928a964f74efb593bd3154c2cc

SHA512
460ceb8a210f6a62e5b27d9979c8b0a0d1aa5be139529ffa7bdb03f806071522cfa6db1f0dd2c63dd1d23353f907192e1fd9e14ccaae50394fa9b2e3f7c49a81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
d1ae87796229a9a6bbd8c2af2c7504c2

SHA1
670e852448d6ded0207ff932c1b589e38003f696

SHA256
f8d87559f259e8e3bfeabb0a2e699d80c49886baa5a8c634cba1b48edea0314d

SHA512
888ca81524d93389b0d3b11fa1e24c2d071ed41768bbc65da403674c05e92aff852c75835b12afd140ce4e0b1aa1b613f6e7e909b735463d4e3c40202bbe3e95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
5ab775b6994127930bf718f1d15a9435

SHA1
ab2add6ce6302b09ac64bf0b6616eb8d4619464b

SHA256
dc8ef765e264865ed8fbfa3b479e2189b7ae352f5a19cd33cb6ebcacd1235aaf

SHA512
be9871b3b7bccb6197b76ed8c17e7704f2ba7007f2655507b7a5e81ed36f9d6be6f0ba452e10686687efed44c6018989c3f4a4e1ec54dd91c5d2598b791ed94f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
8ebf3b43028aa5a7599cd7f324cc336f

SHA1
6e44ed2c962b147ccedad73105dcd271a8c21d2a

SHA256
a6f4cbceb76b24c676a321bc48961618403ea29dab57c2c787676371c2424d37

SHA512
8e97311e0238618905c13218b57dcd1ca9d9e62fb96f9f80b9bc902229adacbcc826cb811d1f6e0a5bcebd10138ca18b34c42753c746e96f7fa9e06286d2af6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
6397912ed637236d83ae1dbe12f2e598

SHA1
0cba4117117416299634fa596609ae269e89e5db

SHA256
41af22ab0ee2455fab785d4c81ab0cb6feae44954b17b775c5bb76dcdb740176

SHA512
372de2b507b90ef806e95dbdc2da64553a8d0daf683e4a00f9e5f963b52b78128faa888f2e12e961948572235a846d81413b3d54b89c83100e15a0032771f3bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
744c4a2d76ff63bb428387cff26ee4bc

SHA1
53af3b1f9b9e0b74ab6eb38b9a1dcd9f9e0fdf39

SHA256
1206ffbf363589cbd2a459f88c7d6159dbfda58732745c21411fff4f1fea4a43

SHA512
adf7c0761e4501809b215bb7432cbc5870bb065c2fab562454de088dea69e80de371afee8a7cb2a12b8f7cccd133ce21ab843dd6717e0a842547cde5ed006038

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
108a1f79c1a6242a265cfaea58eee012

SHA1
cbc052f96ebf7b35c966b2dae119b7fc06a5940c

SHA256
97486e4fa706c83b4a3bdce10d313c5fe6d38e7244e1b0e38f3563258b907c19

SHA512
2b9c7030bb3a1721d97a67d616c236db077ebb4f0e717cd4c3be97f3175f702073771a6e07db502a53990843084fcb6ec8dc80848d43ee020fc84a49bb56ed50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
84fd1edfbdfdab1a1ce7c21a8deb1194

SHA1
bb249f766d28ab414b52a9ee19a31b5f6808abc1

SHA256
aebce6e005d283ef2392e833c61149bfc9b3e64c24250a09a34bd7a52ec3d19e

SHA512
47c00eaee3cfccef145f469422f0375a202ece954498bf4c5b6dcf92ed253c9c0c59b29ba666cf43a4f28b7ab827736badab73650b7fb919350c970ee81c900d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
2a02361a736486875f32068e61ff6405

SHA1
7e8d0817c19039108cd80665d088cc91aacd3c07

SHA256
d2635acd535d6480846951684ecd92679985c443bc1d6eb62fa2cf4cee233b43

SHA512
d3ccf5dfedb03892f2dcf5e87f5e210d90805c89bc4e4dbb9147adb207103db0bbe0cc437870eac14df1f35a541cafcd1b0ee3dc7686757dc0b91efabb15eae4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
41e1ae444c25b6ede8344877636531b2

SHA1
8d33b205a9ddf73d357daccb0eda34896566f228

SHA256
b168848b780921826c033c2d5383fdccd805f4fae720aaa82c6d36bdafb7b70a

SHA512
abd76c33340ac2a2744979634a23b681bc8b25a3bd0fd84143d6c05b92ec6be411e8938f7b843cf2cfeeed332b017a261add8f5c8fb5c1987361a76e6c981460

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
227KB

MD5
98820e17ec761af855a71a5a6a5ee097

SHA1
f534c732528a1dbc5657820151ca7d882f1362de

SHA256
96a5a94c06fe43b98c006707d15c9123833bb1514982ba6f54f4b7189b1c5bad

SHA512
95a63ee0ed03647097db9d69ad7ca227ffd76bba2d2cc0e321b84ab27fca74b60c309bef5dae7c8403539f7dcbb1abcf5dc26b0e4f48d353d9004aae3b7e7db1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
227KB

MD5
47f13c4bca3323035a986648a6fb6caf

SHA1
ff1e6556ab028fc34fcff48fe36154f75234693a

SHA256
4a6f6fdb9081ddbdc7d23f4923a9cdbb08781c08b9af4b6719e766e384012abb

SHA512
5ff226554e7803baaeb3fa93484a9eba051da90e3a2f5093e7c5cdc769f0425d573a5c273122774994e13df0918b3d2a249265367a307ba5ac7c1872b05b54c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\emeraldtear_setup_files\OCSetupHlp.dll

Filesize
824KB

MD5
9cfc4b6dd5abff3eaa80ad2c64aebb5a

SHA1
91a3b8b2f1b665fae9f22418674413a11f92cd40

SHA256
8c2d5aa0247a56509f5272363c31a8a7c71e0763badccc8a97d7c928605bc884

SHA512
cb97e5dcd3139e4c6c4f12208af541dbe0f9df03a462d20db7a419e625847f748ad9656aa757d5a23aff8a0ea31e5910bf34a801a675a2086eb5f521b798734c

Download Submit
memory/3980-86-0x0000000000400000-0x000000000068A000-memory.dmp

Filesize
2.5MB

Download
memory/3980-107-0x0000000000400000-0x000000000068A000-memory.dmp

Filesize
2.5MB

Download
memory/3980-0-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/3980-80-0x0000000000400000-0x000000000068A000-memory.dmp

Filesize
2.5MB

Download
memory/3980-50-0x0000000000400000-0x000000000068A000-memory.dmp

Filesize
2.5MB

Download
memory/3980-51-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download