meduza | 1316c0afbe65e24b66a9f93c3429446fc8e3fff2abe42c81d46976fbb40d410c

Analysis

max time kernel
199s
max time network
206s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
30-10-2024 23:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Installer.exe
Size

2.2MB
MD5

7747b27850026fb5f5bc9bfc83b821fe
SHA1

d59fbdf28bed8fa5e5f7432079be6529b562924c
SHA256

1d001ffbecf6dbe5b89871fcba974a147c1336bd7c80110813fc0120f8b04f62
SHA512

f015e76322ce71e2ee881c2cdb15a0bc61da4ea7c2ed6ea313dce543a0161635167e62a484d3342cd569a087ad20089953177459387c6961c53db69b4b7e062f
SSDEEP

49152:po4nOn8huOxcEeWJa4q2Fi/mU5QyrIx6hpfou+7qN8vMwMS:i8JhuscEeWJa4q2Fi/f5QFwpfod7v7MS

Score

10^/10

meduza collection discovery spyware stealer

Malware Config

Extracted

Family

meduza

109.107.181.162

Attributes

anti_dbg
true
anti_vm
true
build_name
459
extensions
none
grabber_max_size
1.048576e+06
links
none
port
15666
self_destruct
true

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 3 IoCs

resource	yara_rule
behavioral1/memory/1772-8-0x0000000140000000-0x000000014013E000-memory.dmp	family_meduza
behavioral1/memory/1772-17-0x0000000140000000-0x000000014013E000-memory.dmp	family_meduza
behavioral1/memory/1772-85-0x0000000140000000-0x000000014013E000-memory.dmp	family_meduza

Meduza family
meduza
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Installer.exe
Key opened	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Installer.exe
Key opened	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Installer.exe
Key opened	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Installer.exe
Key opened	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Installer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	api.ipify.org
3	api.ipify.org

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4368	cmd.exe
2500	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133748045145106616"	chrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2500	PING.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1772	Installer.exe
1772	Installer.exe
3756	chrome.exe
3756	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1772	Installer.exe
Token: SeImpersonatePrivilege	1772	Installer.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe
Token: SeShutdownPrivilege	3756	chrome.exe
Token: SeCreatePagefilePrivilege	3756	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe
3756	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3756 wrote to memory of 3132	3756	chrome.exe	80
PID 3756 wrote to memory of 3132	3756	chrome.exe	80
PID 3756 wrote to memory of 1232	3756	chrome.exe	81
PID 3756 wrote to memory of 1232	3756	chrome.exe	81
PID 3756 wrote to memory of 1232	3756	chrome.exe	81
PID 3756 wrote to memory of 1232	3756	chrome.exe	81
PID 3756 wrote to memory of 1232	3756	chrome.exe	81
PID 3756 wrote to memory of 1232	3756	chrome.exe	81
PID 3756 wrote to memory of 1232	3756	chrome.exe	81
PID 3756 wrote to memory of 1232	3756	chrome.exe	81
PID 3756 wrote to memory of 1232	3756	chrome.exe	81
PID 3756 wrote to memory of 1232	3756	chrome.exe	81
PID 3756 wrote to memory of 1232	3756	chrome.exe	81
PID 3756 wrote to memory of 1232	3756	chrome.exe	81
PID 3756 wrote to memory of 1232	3756	chrome.exe	81
PID 3756 wrote to memory of 1232	3756	chrome.exe	81
PID 3756 wrote to memory of 1232	3756	chrome.exe	81
PID 3756 wrote to memory of 1232	3756	chrome.exe	81
PID 3756 wrote to memory of 1232	3756	chrome.exe	81
PID 3756 wrote to memory of 1232	3756	chrome.exe	81
PID 3756 wrote to memory of 1232	3756	chrome.exe	81
PID 3756 wrote to memory of 1232	3756	chrome.exe	81
PID 3756 wrote to memory of 1232	3756	chrome.exe	81
PID 3756 wrote to memory of 1232	3756	chrome.exe	81
PID 3756 wrote to memory of 1232	3756	chrome.exe	81
PID 3756 wrote to memory of 1232	3756	chrome.exe	81
PID 3756 wrote to memory of 1232	3756	chrome.exe	81
PID 3756 wrote to memory of 1232	3756	chrome.exe	81
PID 3756 wrote to memory of 1232	3756	chrome.exe	81
PID 3756 wrote to memory of 1232	3756	chrome.exe	81
PID 3756 wrote to memory of 1232	3756	chrome.exe	81
PID 3756 wrote to memory of 1232	3756	chrome.exe	81
PID 3756 wrote to memory of 4620	3756	chrome.exe	82
PID 3756 wrote to memory of 4620	3756	chrome.exe	82
PID 3756 wrote to memory of 4712	3756	chrome.exe	83
PID 3756 wrote to memory of 4712	3756	chrome.exe	83
PID 3756 wrote to memory of 4712	3756	chrome.exe	83
PID 3756 wrote to memory of 4712	3756	chrome.exe	83
PID 3756 wrote to memory of 4712	3756	chrome.exe	83
PID 3756 wrote to memory of 4712	3756	chrome.exe	83
PID 3756 wrote to memory of 4712	3756	chrome.exe	83
PID 3756 wrote to memory of 4712	3756	chrome.exe	83
PID 3756 wrote to memory of 4712	3756	chrome.exe	83
PID 3756 wrote to memory of 4712	3756	chrome.exe	83
PID 3756 wrote to memory of 4712	3756	chrome.exe	83
PID 3756 wrote to memory of 4712	3756	chrome.exe	83
PID 3756 wrote to memory of 4712	3756	chrome.exe	83
PID 3756 wrote to memory of 4712	3756	chrome.exe	83
PID 3756 wrote to memory of 4712	3756	chrome.exe	83
PID 3756 wrote to memory of 4712	3756	chrome.exe	83
PID 3756 wrote to memory of 4712	3756	chrome.exe	83
PID 3756 wrote to memory of 4712	3756	chrome.exe	83
PID 3756 wrote to memory of 4712	3756	chrome.exe	83
PID 3756 wrote to memory of 4712	3756	chrome.exe	83
PID 3756 wrote to memory of 4712	3756	chrome.exe	83
PID 3756 wrote to memory of 4712	3756	chrome.exe	83
PID 3756 wrote to memory of 4712	3756	chrome.exe	83
PID 3756 wrote to memory of 4712	3756	chrome.exe	83
PID 3756 wrote to memory of 4712	3756	chrome.exe	83
PID 3756 wrote to memory of 4712	3756	chrome.exe	83
PID 3756 wrote to memory of 4712	3756	chrome.exe	83
PID 3756 wrote to memory of 4712	3756	chrome.exe	83
PID 3756 wrote to memory of 4712	3756	chrome.exe	83
PID 3756 wrote to memory of 4712	3756	chrome.exe	83

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Installer.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Installer.exe

C:\Users\Admin\AppData\Local\Temp\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1772
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\Installer.exe"
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:4368
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd43e4cc40,0x7ffd43e4cc4c,0x7ffd43e4cc58
  2⤵
  PID:3132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2020,i,16542278044288497576,9604192064835404708,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2016 /prefetch:2
  2⤵
  PID:1232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1904,i,16542278044288497576,9604192064835404708,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  PID:4620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2156,i,16542278044288497576,9604192064835404708,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2208 /prefetch:8
  2⤵
  PID:4712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,16542278044288497576,9604192064835404708,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3124 /prefetch:1
  2⤵
  PID:1732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3156,i,16542278044288497576,9604192064835404708,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:3724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4416,i,16542278044288497576,9604192064835404708,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4380 /prefetch:1
  2⤵
  PID:2552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4560,i,16542278044288497576,9604192064835404708,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4572 /prefetch:8
  2⤵
  PID:2456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4580,i,16542278044288497576,9604192064835404708,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4712 /prefetch:8
  2⤵
  PID:2116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4588,i,16542278044288497576,9604192064835404708,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4864 /prefetch:8
  2⤵
  PID:1148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5016,i,16542278044288497576,9604192064835404708,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5008 /prefetch:8
  2⤵
  PID:2328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5132,i,16542278044288497576,9604192064835404708,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4884 /prefetch:8
  2⤵
  PID:2480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4904,i,16542278044288497576,9604192064835404708,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4572 /prefetch:8
  2⤵
  PID:3188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=212,i,16542278044288497576,9604192064835404708,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4920 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:768

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3492

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\23aeecd2-4862-4898-a9fc-0106bb156515.tmp

Filesize
9KB

MD5
9cd0e532b8f763ac856017ee1ac94c11

SHA1
df2953110b6751841a1618a9f2b50d345636066c

SHA256
06f623268213aa3809a36fb39ecaca6dc9b58b553b8283b7b540a1b4d222e27a

SHA512
8fcbf0d9611ab8a04bb3124ff9d16f3cbf8a631658c85b433485bfee95ff5978fc90f5c8e8afabc56531efee2e85432d25867713577169d58d7826ffc398c8b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
4bac1f61f26b4dd25fb82c3654a0bfbe

SHA1
a66d8ebe487f9698519f2cbdf4c490592c0f3783

SHA256
37032430c16cf08101615dca2101246da637facfbb5a1e446be98b6bb24a9672

SHA512
c58177f5c2c60043c9cf81d03485fd78e1bbeafb945e5245862ff61308ea3c30f4d0bfb7d0b4d343d710db40b82be3407322955ed7d7659ab9acdbd7c916b6b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
a38ceac85353a5bd4b85077a24cfdaec

SHA1
d28ff5a7b0dd100b6cfa12caf458a10587041c2f

SHA256
39e210fdcbdaa40bccbfdf7cf6c3a3997ced9137e3fe67539500abf59d417fd6

SHA512
d3913aab68ec19f17ebcdc2a34ba13a7b9533ae251e9eb7af0321bac09cabadd81c17167a7b0ed90405ea6d0627ddace0d1a4c3c08ed23dd15a09308b23c3736

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
a7adf889e883ae4c381952f5abbd7f28

SHA1
b3bd3f462392716b48e9d36d96b662e266d0f734

SHA256
db64e06deb0616611740c2d5c8f8e9f1ebc2d33d4d2f7bad31389eabdf30d4ab

SHA512
133537e2ac7a74cf1be51cbe2b07eb6bb30209a04c80f09a84041f585fe0b211da890184b6bc8fcaa96db93ee3e894cb2f605eaa882cac7a10f56ed3c72be16d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2eb8420983f035e94822aaa25e1eeef6

SHA1
302d65bdb378af2553174e475d0e7455bef20d12

SHA256
f8f0c74bf0a7fa6455ced01dd2afb97a0e51a45f005aa8faf0d95defbceb094d

SHA512
f1ad2857768e42f81422f1a39a692d8ce87f39501d8cc9afd9efaa7d6892b968673d5d0580f386d5705159348ee01665beda62fe584ae93499848f1c6827c8d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
6601e10daf5917ecd8b595edc667de48

SHA1
96e8b83a990b58dce6ecbfd94dd4491e93477b5e

SHA256
d4ac49d39d4f89e634edfbcd75063734be1e604526b647d2e72748691bab900c

SHA512
a2cc3c1ec7b6f53aaaab9697f37d67bdf5de1b7e2175883b431afd11b36a49f543188f5ed0160208a1b5c4fcce15472262c73219b14900620c9152cf399ac6ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dc3983ec1d7f1c429e6abdc423726fdf

SHA1
98fe22b8c8fce30f74040f42055546265e5c81bd

SHA256
cfc1ddebabf124c05ae00c2fd19900533b15b922090f53747578ac07d0c92769

SHA512
f46a55360557f73dbfd090d198f250b01f9a4bce4e27048b7deab4f4bccef9edee5a81ae683c859988ed241aa80c19442a072acb89998b7f3a5fcf2847964ed6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
fd4377e6b829baaee22a4f0253e8f31c

SHA1
5d54652044eb170269d7ae1e1655cab29f24bac3

SHA256
da8b27c9f35c368560bcd6a16f9d1e2793a7083a63026f8b3a08de60d253070d

SHA512
09ca158abd74ad32c6a001b6aa9fb85383a67f657b128f4648048c0ca83f8368ff72ab84d60dab9498387b4d39b145859b653ca25efddd55f36d2fd7d93c525d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
32ff319e54bcd3a363ea32098e37246d

SHA1
e11f062ee5bfc3139a42224f677f358e5736fb2d

SHA256
20ea47fd7c70ec5a21ce0bcd768235dff8342823ce5b132dd3bba4225af9c8a9

SHA512
a9ea3829fda19582190421be423169e7c7315192fbcea75bd329eb026acadc9418b9de5217c2321830566f8dafe8e574bfec1e01702311f1d0221564a2845edf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
68bfef5372d36bef5df9a916d07adefa

SHA1
466a0b00623b8246a8e806fdc422da9daf2ee49e

SHA256
1728b28ce638ed1be01c07200b277ce8d15755b0b65fdb9e80c55a4f61d19f64

SHA512
05fa0200a1044f4b71fa96fae4d5376aaed6c211880ff23e74a18c2d355d9ca44ebc7cc905f30a631bd989007fc00ac2dd838b8fdf10eb8b539797fcd7c883c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8c15393f6b34b9f6930a4f0864de1d8d

SHA1
4e85905d5f42eff66d0c31e879692e2f42cda0bc

SHA256
6570261858b52456c29b535d2b7cf4448ab6265371345e84edf4a3ca222e56cc

SHA512
81107b4fd8e2416968a82d980be0f787a6940912b3ab2cad8707bf463098ab3d487eaaa912410ceca41db2da359605da86652351c34e0ec50b6def3bef37b710

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
18245958317adc5c7d4c849d6185f668

SHA1
16232399088d0286b2c7069d7d0fffe634248d37

SHA256
cc93febff957418931f8aaac9fc3471bf2fcd9f5d3c0b00c9a1b0cab444bbbd9

SHA512
cc9de73a663b50a04434e3661d9aef29d12ee542c10bea49ab8590b939422a2033be7ea07d2efd19947ae8c1096ab3869698186b1ce44452dc623a5ba6a7d580

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
7a6bbc864da72a3aec2dbfeb4ff1fae3

SHA1
cdd65bcb6caf20c8e6d3ab17bf0bf65dce0903eb

SHA256
869d5338b4584830822bfd2878f54a75949f042716c8ca8361a65761143afcc9

SHA512
f8bd6b3f5ef2090da73797f74de83b9a5951891407a81288af6bb499e9175e0f834457688fc868ac8745c83688f09249b1075488bb3ee9adadad0d4ff12fd74c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
e7ce936c731083393a532558d9fcac44

SHA1
f6078034e2f5683fa7f0691407f8262ac0f2096d

SHA256
bf78373909849209a614c139f888a87a3a3997924e91536eca57b2432248c4c7

SHA512
fbbd2ed4c8d25bf7a3e6eefd7713c7777321e542b9e259da7127cc441709387bd9ff4a5b59f54996488a036b0db27a14bfb3b3d07315804233dbbc69c6129e08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
af92e6d991dcede881488e9aedbb6763

SHA1
095d38309eef95ea574d5c6889643db1df86eba0

SHA256
e80c3b43fb2bd5e9ed91ef645847a5ec5193e8f15bf102b11eec261d2821d735

SHA512
c93c56c420d7891694717b7a40d190f11f228467b8df218f61184ec33a004470140ec3122f2cf775f9ff4245c33067f76a05e8792995f7e01d60dc4ca8d17e26

Download Submit
memory/1772-85-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/1772-0-0x00007FF77C800000-0x00007FF77C801000-memory.dmp

Filesize
4KB

Download
memory/1772-17-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/1772-8-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download