015a8c0370e6e77528ac092c52f6a5b24d09186ed3351efd86e312c0459c3298

Analysis

max time kernel
150s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 11:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

015a8c0370e6e77528ac092c52f6a5b24d09186ed3351efd86e312c0459c3298.exe
Size

3.5MB
MD5

7822b51fe45d1d29bb9aa96498bad9a5
SHA1

1bf471a781a5dbff92b3d460bbb16d57699a5774
SHA256

015a8c0370e6e77528ac092c52f6a5b24d09186ed3351efd86e312c0459c3298
SHA512

5eabd214618545b7f5afaac9f01ddffb6747ea99ac9362c26ed28cc5e2f49ce7166e19aef0b09cb157b0a821a07ff153903d58f8b4a3172c0b18f806b2b2f227
SSDEEP

98304:/AReJ/dWZNr65Ye8JLjUdFBr1VxcJWlE4qDMdXqx:/AoJdWy5nZPBRVxcJWlPqDq6x

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\chrome_installer.log	015a8c0370e6e77528ac092c52f6a5b24d09186ed3351efd86e312c0459c3298.exe
File opened for modification	C:\Program Files\Crashpad\metadata	chrmstp.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	chrmstp.exe
File opened for modification	C:\Program Files\Crashpad\metadata	chrmstp.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	chrmstp.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	015a8c0370e6e77528ac092c52f6a5b24d09186ed3351efd86e312c0459c3298.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	015a8c0370e6e77528ac092c52f6a5b24d09186ed3351efd86e312c0459c3298.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133764909540226200"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4756	chrome.exe
4756	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe
4664	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe
Token: SeShutdownPrivilege	4756	chrome.exe
Token: SeCreatePagefilePrivilege	4756	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4756	chrome.exe
4756	chrome.exe
4756	chrome.exe
1316	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 5040	4928	015a8c0370e6e77528ac092c52f6a5b24d09186ed3351efd86e312c0459c3298.exe	83
PID 4928 wrote to memory of 5040	4928	015a8c0370e6e77528ac092c52f6a5b24d09186ed3351efd86e312c0459c3298.exe	83
PID 4928 wrote to memory of 5040	4928	015a8c0370e6e77528ac092c52f6a5b24d09186ed3351efd86e312c0459c3298.exe	83
PID 4928 wrote to memory of 4756	4928	015a8c0370e6e77528ac092c52f6a5b24d09186ed3351efd86e312c0459c3298.exe	84
PID 4928 wrote to memory of 4756	4928	015a8c0370e6e77528ac092c52f6a5b24d09186ed3351efd86e312c0459c3298.exe	84
PID 4756 wrote to memory of 4736	4756	chrome.exe	85
PID 4756 wrote to memory of 4736	4756	chrome.exe	85
PID 4756 wrote to memory of 4916	4756	chrome.exe	86
PID 4756 wrote to memory of 4916	4756	chrome.exe	86
PID 4756 wrote to memory of 4916	4756	chrome.exe	86
PID 4756 wrote to memory of 4916	4756	chrome.exe	86
PID 4756 wrote to memory of 4916	4756	chrome.exe	86
PID 4756 wrote to memory of 4916	4756	chrome.exe	86
PID 4756 wrote to memory of 4916	4756	chrome.exe	86
PID 4756 wrote to memory of 4916	4756	chrome.exe	86
PID 4756 wrote to memory of 4916	4756	chrome.exe	86
PID 4756 wrote to memory of 4916	4756	chrome.exe	86
PID 4756 wrote to memory of 4916	4756	chrome.exe	86
PID 4756 wrote to memory of 4916	4756	chrome.exe	86
PID 4756 wrote to memory of 4916	4756	chrome.exe	86
PID 4756 wrote to memory of 4916	4756	chrome.exe	86
PID 4756 wrote to memory of 4916	4756	chrome.exe	86
PID 4756 wrote to memory of 4916	4756	chrome.exe	86
PID 4756 wrote to memory of 4916	4756	chrome.exe	86
PID 4756 wrote to memory of 4916	4756	chrome.exe	86
PID 4756 wrote to memory of 4916	4756	chrome.exe	86
PID 4756 wrote to memory of 4916	4756	chrome.exe	86
PID 4756 wrote to memory of 4916	4756	chrome.exe	86
PID 4756 wrote to memory of 4916	4756	chrome.exe	86
PID 4756 wrote to memory of 4916	4756	chrome.exe	86
PID 4756 wrote to memory of 4916	4756	chrome.exe	86
PID 4756 wrote to memory of 4916	4756	chrome.exe	86
PID 4756 wrote to memory of 4916	4756	chrome.exe	86
PID 4756 wrote to memory of 4916	4756	chrome.exe	86
PID 4756 wrote to memory of 4916	4756	chrome.exe	86
PID 4756 wrote to memory of 4916	4756	chrome.exe	86
PID 4756 wrote to memory of 4916	4756	chrome.exe	86
PID 4756 wrote to memory of 1948	4756	chrome.exe	87
PID 4756 wrote to memory of 1948	4756	chrome.exe	87
PID 4756 wrote to memory of 4172	4756	chrome.exe	88
PID 4756 wrote to memory of 4172	4756	chrome.exe	88
PID 4756 wrote to memory of 4172	4756	chrome.exe	88
PID 4756 wrote to memory of 4172	4756	chrome.exe	88
PID 4756 wrote to memory of 4172	4756	chrome.exe	88
PID 4756 wrote to memory of 4172	4756	chrome.exe	88
PID 4756 wrote to memory of 4172	4756	chrome.exe	88
PID 4756 wrote to memory of 4172	4756	chrome.exe	88
PID 4756 wrote to memory of 4172	4756	chrome.exe	88
PID 4756 wrote to memory of 4172	4756	chrome.exe	88
PID 4756 wrote to memory of 4172	4756	chrome.exe	88
PID 4756 wrote to memory of 4172	4756	chrome.exe	88
PID 4756 wrote to memory of 4172	4756	chrome.exe	88
PID 4756 wrote to memory of 4172	4756	chrome.exe	88
PID 4756 wrote to memory of 4172	4756	chrome.exe	88
PID 4756 wrote to memory of 4172	4756	chrome.exe	88
PID 4756 wrote to memory of 4172	4756	chrome.exe	88
PID 4756 wrote to memory of 4172	4756	chrome.exe	88
PID 4756 wrote to memory of 4172	4756	chrome.exe	88
PID 4756 wrote to memory of 4172	4756	chrome.exe	88
PID 4756 wrote to memory of 4172	4756	chrome.exe	88
PID 4756 wrote to memory of 4172	4756	chrome.exe	88
PID 4756 wrote to memory of 4172	4756	chrome.exe	88
PID 4756 wrote to memory of 4172	4756	chrome.exe	88
PID 4756 wrote to memory of 4172	4756	chrome.exe	88

C:\Users\Admin\AppData\Local\Temp\015a8c0370e6e77528ac092c52f6a5b24d09186ed3351efd86e312c0459c3298.exe
"C:\Users\Admin\AppData\Local\Temp\015a8c0370e6e77528ac092c52f6a5b24d09186ed3351efd86e312c0459c3298.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Users\Admin\AppData\Local\Temp\015a8c0370e6e77528ac092c52f6a5b24d09186ed3351efd86e312c0459c3298.exe
  C:\Users\Admin\AppData\Local\Temp\015a8c0370e6e77528ac092c52f6a5b24d09186ed3351efd86e312c0459c3298.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=128.0.6613.86 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x83f238,0x83f244,0x83f250
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4756
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc554acc40,0x7ffc554acc4c,0x7ffc554acc58
    3⤵
    PID:4736
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,2554342153598678568,16174426502597540839,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1708 /prefetch:2
    3⤵
    PID:4916
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2176,i,2554342153598678568,16174426502597540839,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2188 /prefetch:3
    3⤵
    PID:1948
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2300,i,2554342153598678568,16174426502597540839,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2312 /prefetch:8
    3⤵
    PID:4172
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,2554342153598678568,16174426502597540839,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3132 /prefetch:1
    3⤵
    PID:4912
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3096,i,2554342153598678568,16174426502597540839,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3328 /prefetch:1
    3⤵
    PID:4128
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4508,i,2554342153598678568,16174426502597540839,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4492 /prefetch:1
    3⤵
    PID:3608
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4792,i,2554342153598678568,16174426502597540839,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4808 /prefetch:8
    3⤵
    PID:3348
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Drops file in Program Files directory
    PID:3416
  - - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x7ff687a44698,0x7ff687a446a4,0x7ff687a446b0
      4⤵
      Drops file in Program Files directory
      PID:1308
  - - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\initial_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Drops file in Program Files directory
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:1316
    - - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x7ff687a44698,0x7ff687a446a4,0x7ff687a446b0
        5⤵
        Drops file in Program Files directory
        
        PID:1392
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5016,i,2554342153598678568,16174426502597540839,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5012 /prefetch:8
    3⤵
    PID:4228
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4828,i,2554342153598678568,16174426502597540839,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4804 /prefetch:8
    3⤵
    PID:3884
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4812,i,2554342153598678568,16174426502597540839,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4800 /prefetch:8
    3⤵
    PID:2164
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4836,i,2554342153598678568,16174426502597540839,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5232 /prefetch:8
    3⤵
    PID:620
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4708,i,2554342153598678568,16174426502597540839,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5372 /prefetch:8
    3⤵
    PID:4248
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4992,i,2554342153598678568,16174426502597540839,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4392 /prefetch:2
    3⤵
    PID:692
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5144,i,2554342153598678568,16174426502597540839,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5064 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4664

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Crashpad\settings.dat

Filesize
40B

MD5
55f32e6aec4df939336d9cb71996605e

SHA1
b59723cd644db1070707d9035f2feddf4f9dd0d9

SHA256
b02c8b9bad67364d8863487c84b32b343ac6dc353175a3eeef04113ac644b9f0

SHA512
bdc7596c40dfd874789323e31d4d2a80fbe3187a9453cfa8657409efbdede4a89a96da1cee6fe1b6083fc1988850107b73499720a7627845bf2d5085473330e1

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\20241119115554.pma

Filesize
520B

MD5
d7bdecbddac6262e516e22a4d6f24f0b

SHA1
1a633ee43641fa78fbe959d13fa18654fd4a90be

SHA256
db3be7c6d81b2387c39b32d15c096173022cccee1015571dd3e09f2a69b508a9

SHA512
1e72db18de776fe264db3052ce9a842c9766a720a9119fc6605f795c36d4c7bf8f77680c5564f36e591368ccd354104a7412f267c4157f04c4926bce51aeeaa1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
9e930267525529064c3cccf82f7f630d

SHA1
9cdf349a8e5e2759aeeb73063a414730c40a5341

SHA256
1cf7df0f74ee0baaaaa32e44c197edec1ae04c2191e86bf52373f2a5a559f1ac

SHA512
dbc7db60f6d140f08058ba07249cc1d55127896b14663f6a4593f88829867063952d1f0e0dd47533e7e8532aa45e3acc90c117b8dd9497e11212ac1daa703055

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
25f746c76935f3f8f6f7cfd066ca32e9

SHA1
6c7cd3bb065fa9effe62ab18505ec53c428e2a9d

SHA256
cb3a09b0fe4ad320adf6e9134be58d962c1ef71d1389faf1ca1ee776fe66ff59

SHA512
7cc0651aca9acbf73148fd1d02b801b0d7d72c5cd692c69d22a4685e4e7d7065f43092a2e53616a37fca08129a0a28e85398cbce8c8414c8a3fade9fda6ba50d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

Filesize
192KB

MD5
a8cf54419129b874864cf206392ece0f

SHA1
2d8f78e5d6951faedba3257d5794227f34c50967

SHA256
b8a7649c907c010db609d7143f3f0601a385b9cf803f4b0bddb449c41151cc1f

SHA512
02a77857be5123636fdc44791f6cf7a4532fa53e34576be7f6ab21da51ef400fc138d7dda6a2880b2b42ddb22a803a1897e4f95ea3479487af61a199c7929a8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
87275bcce6f077ad3cb40e9d0204e2cf

SHA1
4739376e8758112a81e393499caa8a022d692714

SHA256
b9405ed00108bdca62718b0c22c062142bead62efb2fc60d261b59ad275f41f9

SHA512
79443c9fdb4b60ebddfd6027a76a73e82ee4ecb5d7ba8e1b91a7dd68d49fa6bb2b20206e23e8059d19938b10b5b0ab46bf4fb317bba653291605ff568b65273e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
1f324dd719419449e7def50c981eed3b

SHA1
ebcc0ecae082dbb2b6d79b5f38de9e9992e213c8

SHA256
d0957aed3e4bff63d191baf8dc22d60df68b72c6462fe73198ab0466887cb281

SHA512
3df89a0066ad6c81dc1ba0cdc51d0a4e4ece22eae489f74db510e2ca14c11fb23f582c12b642d28759fdc540f84ce9ad4126e89db660570e805c4e8ef766da38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
161b032aaab5b83391133f7735881c3c

SHA1
e87f1bc9116c1876828058afdc7e8faf3f507838

SHA256
ca89a724ebfc7b2a82b87b0c42a79954781a39a9e2c95adc98be8a91beedc95e

SHA512
e8e2dc24647b87d92eb459cabde4f94b8993903af9b250eb8525a4a1777f586475e341cfe3be77a9a7f55f4d5a79fb41c999e65868e60d7b75cf0a38491298af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
4762a58819af5fbcebfa3b595d8457d1

SHA1
44018a35d88dd978bd5744ef835379c1c793fcb5

SHA256
5869b82fd8365a0c5695fcd74efb5862be942b3abe463cc850a34914ae7f53b1

SHA512
2872c8b0f73f8d95cb86328eedbe494e183e05c1319bf9fe52482b535d2f4b527a6167852ba0375e1a9868c37f24317bb10f5be09fc0617c3312137825095af4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
82e4f99694d17b18d12abff0c99bb79b

SHA1
852c44fda5986de7a28d953e75c13b0bfc2acd72

SHA256
37af2cc1d28b5494665fefe337ca0af7d0f56f1288548b5625fe012af558511c

SHA512
2f019124b3be1458f7145904fa65dd033c40d7dc534e969fdfff8bd22de70511a8cf22a88be0e9077fa9568e1884fc93bf0b74f0624c5976634112220743987d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
de2dfbc5f9b405bb8aa38cb9bb096d55

SHA1
ac5a00e50147a2551e4c2bd109a0207bdfb6c750

SHA256
8008bd7c56bc41ae8d3cf4f633210cb949b025257b12b4fcc2e362a32833c950

SHA512
0f4ef08d8d46354a0ca8554b49ceb2725eba8f85bf1aff938ff4e0de963016cc71f4ff2f48c47526f432d444df35da10e80bd8222d6f30d1fd6c1de0b8da84c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
cb517259673045452c8d01a07c1397fe

SHA1
af4b91925a5ee52290dd1e05e68b306dc1f0609c

SHA256
182699267af1c7a469d65b8f5595a8d1400f919008425ac609e4350d589ad686

SHA512
f980e4d4a891e1f3b44c61beb20dd28b815e8928378540e47142520e9f6939a9bb63349f94866bb1edeb4ff1d39a145697962ae498ccf7be7582f3549712c28d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
d983d0da241ff17cca78950649d54a63

SHA1
294a476da9a5232e357d89b20788f347a795f019

SHA256
457cc1fbd0a7718cbe8009108bfc0f6a9b7095a26c621ca1b160eaf94726f513

SHA512
e01ec9f6e961c6705e3fafc8ef6dbd2d3352f3d84e95111d3fb325bbeb85885c427d8cffbafd0b3588e5cc766ad086e6b7b1dc7ea82789468c7cfc6f69ded622

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
76caa8e1c883a76fcfa2ddddac07a8e0

SHA1
38a007262cea9a0c58b3a869d377e852f5f04c19

SHA256
f5d61c2ca81703b442aac8d590d0a88b698bd79f9427c787ca3fe54dfaaa3090

SHA512
261fce8a2c68f45903eb462fd4e8884b8a6623e93fd4de0161168c3c74f7ff6acf673ba389d202bacab94e5bb84c31ba1dabd1d34643b3ca1b589eb9c4d934d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57c0c0.TMP

Filesize
1KB

MD5
5386b112fa0b22a45f72028ce295ee8b

SHA1
d3d2e5eed63f1a936bef8f91fd5cd7d428d97152

SHA256
292c54382483f19e3d6b68359299d9fb2a328d4545085dd1d0fe01fddb48eeba

SHA512
3f1fb663e1e7c04dc417f0c65db6de30acc3706f1a45c640fde8e64978db7a0229ed624f07914b6e25ced7a5a44145243036c4949a5f367e66969bf70d909819

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
cf445d521c811490beeb8848a4715d3a

SHA1
8b56724ecb81c46215948e89fe2cf9d04190c8cd

SHA256
a716821b3a6e5bf622528a628a7ebd8668991ebdd9a223c55f1674dd14ead35e

SHA512
ebde2e0327cbede8ddeb2787a4100bf6bbb59f78d801165d338c2df37ebd21b40fb27a2b2439588293b35abec816fcc91151bd29063e6a511c7b21ba54d43c10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
e52b0c82b51f8a11e8c244fb9e426482

SHA1
1017266c94aa0de5be9f097e53069fb3b493da7f

SHA256
22c1b6a97fee211442048d4293127d1225b706607e011ca3e6f5a934fda2bc5a

SHA512
14f9845e0f6a964c2c00b9a5ef8b883857ebc37d27b16a75e099cdef9c5c160109b8c3000481dc9718ea288bec72fb77e322f34fa389605765f43a94e7d0ab89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
a407e5faf9d978defd09ea89ef00d907

SHA1
4abbb6c82c072c7d47e599fe7d80fc80dffcec1f

SHA256
dd57f37fb6d7ba4153bcbce95e00d06264fbe7a3f6c0a8e358bd0641d85fe91d

SHA512
8842d8ca8967293f1e4c37c198b31137a15382b47cb6a6333d41694e32e95ea948f18cded8df15b0167383962c20f7f1c10463b136c98e181fee52d3c5b44187

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
9e209250a64d8572dc040727f426cc38

SHA1
2cea2fc797de04032dc2fa24dc6084b701fe586a

SHA256
8b3aa7e2dff7aba104784544d2ba93185ed95c9510993586b9065c2dcd04a3da

SHA512
c8ece89749c48ef0b9fe4737bf20a4287e9c0a150cb767481993aca3cf62b266378016543618cc48f73b9a37d6c07cb62e5f56692b22c7aca9dae68271dff159

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
11d2d1d200e90101c27f8aec35429043

SHA1
73e50591422ff9b356f549c173b311e3e9459941

SHA256
cde51bfcdb0b3fa8599b3da8d8aefda292cd6fd0a5925af4495a6981521b2d0c

SHA512
d52d1e35da9c45f6b5cc10f39d8755cf4c0f892c37fa55de704418632a9bfd156113bee61202886ab479f964ccb3c7e04e63119c97e8af70d6daa8af5bbcaf74

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4756_1124570749\566b9e2a-7264-4fb2-bfb9-df9ef2a67c83.tmp

Filesize
132KB

MD5
da75bb05d10acc967eecaac040d3d733

SHA1
95c08e067df713af8992db113f7e9aec84f17181

SHA256
33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2

SHA512
56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4756_1124570749\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit