fickerstealer | 7c2b51c31a895f2eeb6afe748f11d0f6a16355b01c41f22749043c0da7804206

Analysis

max time kernel
74s
max time network
80s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2024 18:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

793.8MB
MD5

9a851a47a9bd2f92c61d2486d1be3064
SHA1

3cda31c06db97246705d95dfcf4908eafb514b87
SHA256

7c2b51c31a895f2eeb6afe748f11d0f6a16355b01c41f22749043c0da7804206
SHA512

90340910dc1ee90ccfe7f451578de67c5ca32b95525157acd8b5bc2e99b9c0b2254bfb58997cc848a0ead871bc3f1e03dbb152d56aa709c4ecd3742404eec27b
SSDEEP

196608:6spHQk/ICYcdYtOQYMvm6Iu+8RuJQHIsuRuJyPquRuJXMD349nt3njto03qJbYav:6csCYgIBH2XD349nt3nW03s8up

Score

10^/10

fickerstealer discovery infostealer

Malware Config

Extracted

Family

fickerstealer

45.93.201.181:80

Signatures

Fickerstealer
Ficker is an infostealer written in Rust and ASM.
infostealer fickerstealer
Fickerstealer family
fickerstealer

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	api.ipify.org

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133795403439452020"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	mspaint.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2392	vlc.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3704	Setup.exe
3704	Setup.exe
3704	Setup.exe
3704	Setup.exe
3704	Setup.exe
3704	Setup.exe
3704	Setup.exe
3704	Setup.exe
3704	Setup.exe
3704	Setup.exe
3704	Setup.exe
3704	Setup.exe
3704	Setup.exe
3704	Setup.exe
3704	Setup.exe
3704	Setup.exe
3704	Setup.exe
3704	Setup.exe
3704	Setup.exe
3704	Setup.exe
3704	Setup.exe
3704	Setup.exe
3704	Setup.exe
3704	Setup.exe
3704	Setup.exe
3704	Setup.exe
3704	Setup.exe
3704	Setup.exe
3704	Setup.exe
3704	Setup.exe
3704	Setup.exe
3704	Setup.exe
3704	Setup.exe
3704	Setup.exe
3704	Setup.exe
3704	Setup.exe
3704	Setup.exe
3704	Setup.exe
3704	Setup.exe
3704	Setup.exe
3704	Setup.exe
3704	Setup.exe
3220	mspaint.exe
3220	mspaint.exe
4712	mspaint.exe
4712	mspaint.exe
4192	chrome.exe
4192	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2392	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe
Token: SeShutdownPrivilege	4192	chrome.exe
Token: SeCreatePagefilePrivilege	4192	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
2392	vlc.exe
2392	vlc.exe
2392	vlc.exe
2392	vlc.exe
2392	vlc.exe
2392	vlc.exe
2392	vlc.exe
2392	vlc.exe
2392	vlc.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2392	vlc.exe
2392	vlc.exe
2392	vlc.exe
2392	vlc.exe
2392	vlc.exe
2392	vlc.exe
2392	vlc.exe
2392	vlc.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2392	vlc.exe
3220	mspaint.exe
3836	OpenWith.exe
4712	mspaint.exe
2080	OpenWith.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3704	Setup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3704 wrote to memory of 3688	3704	Setup.exe	83
PID 3704 wrote to memory of 3688	3704	Setup.exe	83
PID 3704 wrote to memory of 3688	3704	Setup.exe	83
PID 3704 wrote to memory of 3688	3704	Setup.exe	83
PID 3704 wrote to memory of 3688	3704	Setup.exe	83
PID 3704 wrote to memory of 3688	3704	Setup.exe	83
PID 3704 wrote to memory of 3688	3704	Setup.exe	83
PID 3704 wrote to memory of 3688	3704	Setup.exe	83
PID 3704 wrote to memory of 3688	3704	Setup.exe	83
PID 3704 wrote to memory of 3688	3704	Setup.exe	83
PID 3704 wrote to memory of 3688	3704	Setup.exe	83
PID 3704 wrote to memory of 3688	3704	Setup.exe	83
PID 3704 wrote to memory of 3688	3704	Setup.exe	83
PID 3704 wrote to memory of 3688	3704	Setup.exe	83
PID 3704 wrote to memory of 3688	3704	Setup.exe	83
PID 3704 wrote to memory of 3688	3704	Setup.exe	83
PID 3704 wrote to memory of 3688	3704	Setup.exe	83
PID 3704 wrote to memory of 3688	3704	Setup.exe	83
PID 3704 wrote to memory of 3688	3704	Setup.exe	83
PID 3704 wrote to memory of 3688	3704	Setup.exe	83
PID 3704 wrote to memory of 3688	3704	Setup.exe	83
PID 4192 wrote to memory of 4940	4192	chrome.exe	119
PID 4192 wrote to memory of 4940	4192	chrome.exe	119
PID 4192 wrote to memory of 5036	4192	chrome.exe	120
PID 4192 wrote to memory of 5036	4192	chrome.exe	120
PID 4192 wrote to memory of 5036	4192	chrome.exe	120
PID 4192 wrote to memory of 5036	4192	chrome.exe	120
PID 4192 wrote to memory of 5036	4192	chrome.exe	120
PID 4192 wrote to memory of 5036	4192	chrome.exe	120
PID 4192 wrote to memory of 5036	4192	chrome.exe	120
PID 4192 wrote to memory of 5036	4192	chrome.exe	120
PID 4192 wrote to memory of 5036	4192	chrome.exe	120
PID 4192 wrote to memory of 5036	4192	chrome.exe	120
PID 4192 wrote to memory of 5036	4192	chrome.exe	120
PID 4192 wrote to memory of 5036	4192	chrome.exe	120
PID 4192 wrote to memory of 5036	4192	chrome.exe	120
PID 4192 wrote to memory of 5036	4192	chrome.exe	120
PID 4192 wrote to memory of 5036	4192	chrome.exe	120
PID 4192 wrote to memory of 5036	4192	chrome.exe	120
PID 4192 wrote to memory of 5036	4192	chrome.exe	120
PID 4192 wrote to memory of 5036	4192	chrome.exe	120
PID 4192 wrote to memory of 5036	4192	chrome.exe	120
PID 4192 wrote to memory of 5036	4192	chrome.exe	120
PID 4192 wrote to memory of 5036	4192	chrome.exe	120
PID 4192 wrote to memory of 5036	4192	chrome.exe	120
PID 4192 wrote to memory of 5036	4192	chrome.exe	120
PID 4192 wrote to memory of 5036	4192	chrome.exe	120
PID 4192 wrote to memory of 5036	4192	chrome.exe	120
PID 4192 wrote to memory of 5036	4192	chrome.exe	120
PID 4192 wrote to memory of 5036	4192	chrome.exe	120
PID 4192 wrote to memory of 5036	4192	chrome.exe	120
PID 4192 wrote to memory of 5036	4192	chrome.exe	120
PID 4192 wrote to memory of 5036	4192	chrome.exe	120
PID 4192 wrote to memory of 4952	4192	chrome.exe	121
PID 4192 wrote to memory of 4952	4192	chrome.exe	121
PID 4192 wrote to memory of 1892	4192	chrome.exe	122
PID 4192 wrote to memory of 1892	4192	chrome.exe	122
PID 4192 wrote to memory of 1892	4192	chrome.exe	122
PID 4192 wrote to memory of 1892	4192	chrome.exe	122
PID 4192 wrote to memory of 1892	4192	chrome.exe	122
PID 4192 wrote to memory of 1892	4192	chrome.exe	122
PID 4192 wrote to memory of 1892	4192	chrome.exe	122
PID 4192 wrote to memory of 1892	4192	chrome.exe	122
PID 4192 wrote to memory of 1892	4192	chrome.exe	122

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3704
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3688

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\UnpublishGet.mpg"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2392

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\BlockLock.jpe" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3220

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:4960

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3836

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\ExportComplete.jpg" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4712

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffa465bcc40,0x7ffa465bcc4c,0x7ffa465bcc58
  2⤵
  PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2044,i,9341213540869587239,15616755255679511592,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2020 /prefetch:2
  2⤵
  PID:5036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1368,i,9341213540869587239,15616755255679511592,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2244 /prefetch:3
  2⤵
  PID:4952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,9341213540869587239,15616755255679511592,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2252 /prefetch:8
  2⤵
  PID:1892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,9341213540869587239,15616755255679511592,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:3580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3208,i,9341213540869587239,15616755255679511592,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:4840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3732,i,9341213540869587239,15616755255679511592,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3716 /prefetch:1
  2⤵
  PID:1952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4868,i,9341213540869587239,15616755255679511592,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4876 /prefetch:8
  2⤵
  PID:4852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5020,i,9341213540869587239,15616755255679511592,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5032 /prefetch:8
  2⤵
  PID:756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4896,i,9341213540869587239,15616755255679511592,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4908 /prefetch:8
  2⤵
  PID:4780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4900,i,9341213540869587239,15616755255679511592,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5344 /prefetch:8
  2⤵
  PID:4660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5328,i,9341213540869587239,15616755255679511592,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4876 /prefetch:8
  2⤵
  PID:60
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5352,i,9341213540869587239,15616755255679511592,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5032 /prefetch:8
  2⤵
  PID:3612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5176,i,9341213540869587239,15616755255679511592,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5604 /prefetch:2
  2⤵
  PID:5476

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\krosqm.txt

Filesize
14B

MD5
2c807857a435aa8554d595bd14ed35d1

SHA1
9003a73beceab3d1b1cd65614347c33117041a95

SHA256
3c4fae56f61b7cdf09709c2aaf65ca47d3bf9077b1e5eb0eb1e6c5c34923eb9b

SHA512
95c6fa9f5b342ef34d896f083700ee12d55723e24aff42805bac5c1aa73f07d0db4f9d435d31a61da187edc2336252dfb38529b3f2b1d2039aa2a8e65d64a7a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
8ad2f92d8570497ef49f9f365702d065

SHA1
c35597516134ad3500ddf187b85d7570eb58d6f8

SHA256
f08a0bb9dfa3a193ba1752f482ccbc653bb727ce319c75929ed6d6177f34b2d9

SHA512
6ab69b367aaa633e2740d729c7f7b7aaddeed7d29159d7c0f0066f867b9a1ec8b29b79715d1cf929133cb69b8fb77883303dfe5097dd319f72efe08b2934ca09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
3ddcf9c797f67f52ca28c7b09d4e85ab

SHA1
75c0741562e1dedd2545e512e9177b95046a29df

SHA256
622085ced6bbe9748dbdd2cc009ea1deb0a05c2ef371743d53ef3d57193753ec

SHA512
0b0d6382772f7b3193583f7a8525a69c905d26cf7609e93eeaf89419d5df23c81f543247176d80da32ad67ddca1a9f8c0d6489c819ae3bdf15e758e9f450d4b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
0d4baa103e9ac0d64d71e63f67c5fe49

SHA1
bc3b76991041da7e5f079ddcbc3b8a57791124ff

SHA256
190bda5b3425a7e714910bb15335b9d324aa7bb347fe94c5147854ce7c4c9d00

SHA512
03b93530ba538a1fa0bb10b3842de22b2e236d381e18da296e57c5ba31334d00358ef7705797f598de073b4449fdcec3cf27b991d32bf11411ab8d519b1e9c30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a8476b691bcba6d1b3b15e11243a3218

SHA1
190fe88fa246a806f0f785fd99778e61e716e3f1

SHA256
bd051b00efb8ae5694e874fe8aea77952b7a01b675bf42af59d1dc70349bd45e

SHA512
6426fdbcba6ce8669f831f8a58ecef9d24e7e36db32104d36b3f4e09ef2e27f060f6e259bbbb8fee6711219099464dae819ffcbaa296572c1dbe34738652a62c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6cf4615e8991b8661e5242c337a29957

SHA1
85dd0602899de272e9f72fd171af082c3b28668e

SHA256
27c719418e6adef7b9b758e173666cf50268cc16b95067ee1cdc08ee6780db65

SHA512
9c95be773a124446eb5cd76d3ee7d9a40ee8a1013f4e3d3ac943e3a838434d907f2fc380e6a0ed22ba2063b9f94bd00aec1d14765d47b7016a5a64906b3d098b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
09d86d21bdb16eb29b607ab9b03a1b3c

SHA1
c69a20ca11164f43363b8cab0f149d149ec97a16

SHA256
94764a56343c19170ef3bc23d6ece842647f3c94cba2b8c7a6346213aaf99ca1

SHA512
99306eed1b8b373a61fd29a56f8d810cc72bcebaba633823cbce9d1aaa1276fcbac45e39ca23c63a22f5a9eacaf97eacf2d5358210500f57852d48cee71d7e94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
aba7ed0c3a8558717e8dd409ce4cf4ed

SHA1
3371543c10146ceb94a4d5ceeb9b4421258a525a

SHA256
46d8c899880a4159a4695177ccbc1fc642979d905a31e47edd37124dd7d60d3d

SHA512
c159c14b386baa1c2e257ec59c53bbc0a75fc2312463930fe22f933a00163d913f347b558222d976f304e56d9e6edb735dc89bd88cb919a4ffe9a50cb9600a37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
64106a158146b95899613ed13faef963

SHA1
2b83078db9f078367fdd9504b159c2a91da59780

SHA256
3c57283e43fca3b28f0bbc5b9a21d73d55ac85d7502b9705fdfc3f7e0361658e

SHA512
7b1a1261239e19ec4181dc2a54c6df76cdcf620e1b36e205f7ecbe881aad27551e410830db1dbc00001befde21a0892418be49632c81a6f2d84130245dfa9086

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
b355db464e99c8a50a83fc9be3f51e28

SHA1
6493b7a7be035d08f9c096dc401c53504f7a1ba7

SHA256
bf48635c94a8f1061966fb4f801cc6997088a3ad2e321701e5f14101aa38f8b7

SHA512
28ef27a95da999c62a7b53628093d8b3f4b0e49b41647bbfeb1f27f9cba45d13aed6e615533bca6d856be28face8d82d20d5026432410c800a5f79994d2e7a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4192_962393426\907bbfa7-d98a-4de6-8abb-d44f417a1bc0.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4192_962393426\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
memory/2392-30-0x00007FFA43420000-0x00007FFA444D0000-memory.dmp

Filesize
16.7MB

Download
memory/2392-28-0x00007FFA48410000-0x00007FFA48444000-memory.dmp

Filesize
208KB

Download
memory/2392-27-0x00007FF72BF30000-0x00007FF72C028000-memory.dmp

Filesize
992KB

Download
memory/2392-29-0x00007FFA44A80000-0x00007FFA44D36000-memory.dmp

Filesize
2.7MB

Download
memory/3688-2-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3688-1-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3688-9-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3704-0-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4960-46-0x0000011DABB60000-0x0000011DABB61000-memory.dmp

Filesize
4KB

Download
memory/4960-31-0x0000011DA2F60000-0x0000011DA2F70000-memory.dmp

Filesize
64KB

Download
memory/4960-35-0x0000011DA2FA0000-0x0000011DA2FB0000-memory.dmp

Filesize
64KB

Download
memory/4960-42-0x0000011DABAE0000-0x0000011DABAE1000-memory.dmp

Filesize
4KB

Download
memory/4960-44-0x0000011DABB60000-0x0000011DABB61000-memory.dmp

Filesize
4KB

Download
memory/4960-50-0x0000011DABC00000-0x0000011DABC01000-memory.dmp

Filesize
4KB

Download
memory/4960-47-0x0000011DABBF0000-0x0000011DABBF1000-memory.dmp

Filesize
4KB

Download
memory/4960-48-0x0000011DABBF0000-0x0000011DABBF1000-memory.dmp

Filesize
4KB

Download
memory/4960-49-0x0000011DABC00000-0x0000011DABC01000-memory.dmp

Filesize
4KB

Download