meduza | 3a82d1297c523205405817a019d3923c8f6c8b4802e4e4676d562b17973b21ea

Analysis

max time kernel
150s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
26/12/2024, 05:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup5.0.zip
Size

2.3MB
MD5

d7d4d1c2aa4cbda1118cd1a9ba8c8092
SHA1

0935cb34d76369f11ec09c1af2f0320699687bec
SHA256

3a82d1297c523205405817a019d3923c8f6c8b4802e4e4676d562b17973b21ea
SHA512

d96d6769afc7af04b80a863895009cd79c8c1f9f68d8631829484611dfce7d4f1c75fc9b54157482975c6968a46e635e533d0cad687ef856ddc81ab3444bb553
SSDEEP

49152:Bx8Jh672TFZ620k0OVCnqeDkHjmxg7ux43NAhxg4fTrQ:BxYVNvVCn9DkDnrNfqTrQ

Score

10^/10

meduza discovery stealer

Malware Config

Extracted

Family

meduza

109.107.181.162

Attributes

anti_dbg
true
anti_vm
true
build_name
6
extensions
none
grabber_max_size
1.048576e+06
links
none
port
15666
self_destruct
true

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 8 IoCs

resource	yara_rule
behavioral1/memory/4532-12-0x0000000140000000-0x000000014013E000-memory.dmp	family_meduza
behavioral1/memory/4532-13-0x0000000140000000-0x000000014013E000-memory.dmp	family_meduza
behavioral1/memory/4532-11-0x0000000140000000-0x000000014013E000-memory.dmp	family_meduza
behavioral1/memory/4532-9-0x0000000140000000-0x000000014013E000-memory.dmp	family_meduza
behavioral1/memory/72-25-0x0000000140000000-0x000000014013E000-memory.dmp	family_meduza
behavioral1/memory/3564-37-0x0000000140000000-0x000000014013E000-memory.dmp	family_meduza
behavioral1/memory/2940-49-0x0000000140000000-0x000000014013E000-memory.dmp	family_meduza
behavioral1/memory/2272-795-0x0000000140000000-0x000000014013E000-memory.dmp	family_meduza

Meduza family
meduza

Executes dropped EXE 10 IoCs

pid	Process
4524	setup7.0.exe
4532	setup7.0.exe
4356	setup7.0.exe
72	setup7.0.exe
4828	setup7.0.exe
3564	setup7.0.exe
576	setup7.0.exe
2940	setup7.0.exe
392	setup7.0.exe
2272	setup7.0.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 4524 set thread context of 4532	4524	setup7.0.exe	80
PID 4356 set thread context of 72	4356	setup7.0.exe	82
PID 4828 set thread context of 3564	4828	setup7.0.exe	84
PID 576 set thread context of 2940	576	setup7.0.exe	86
PID 392 set thread context of 2272	392	setup7.0.exe	110

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133796640232414749"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2816	7zFM.exe
2816	7zFM.exe
2816	7zFM.exe
2816	7zFM.exe
2816	7zFM.exe
2816	7zFM.exe
2816	7zFM.exe
2816	7zFM.exe
2816	7zFM.exe
2816	7zFM.exe
2816	7zFM.exe
2816	7zFM.exe
2816	7zFM.exe
2816	7zFM.exe
2816	7zFM.exe
2816	7zFM.exe
2816	7zFM.exe
2816	7zFM.exe
2816	7zFM.exe
2816	7zFM.exe
432	chrome.exe
432	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2816	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
432	chrome.exe
432	chrome.exe
432	chrome.exe
432	chrome.exe
432	chrome.exe
432	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2816	7zFM.exe
Token: 35	2816	7zFM.exe
Token: SeSecurityPrivilege	2816	7zFM.exe
Token: SeSecurityPrivilege	2816	7zFM.exe
Token: SeDebugPrivilege	4532	setup7.0.exe
Token: SeImpersonatePrivilege	4532	setup7.0.exe
Token: SeSecurityPrivilege	2816	7zFM.exe
Token: SeDebugPrivilege	72	setup7.0.exe
Token: SeImpersonatePrivilege	72	setup7.0.exe
Token: SeSecurityPrivilege	2816	7zFM.exe
Token: SeDebugPrivilege	3564	setup7.0.exe
Token: SeImpersonatePrivilege	3564	setup7.0.exe
Token: SeSecurityPrivilege	2816	7zFM.exe
Token: SeDebugPrivilege	2940	setup7.0.exe
Token: SeImpersonatePrivilege	2940	setup7.0.exe
Token: SeShutdownPrivilege	432	chrome.exe
Token: SeCreatePagefilePrivilege	432	chrome.exe
Token: SeShutdownPrivilege	432	chrome.exe
Token: SeCreatePagefilePrivilege	432	chrome.exe
Token: SeShutdownPrivilege	432	chrome.exe
Token: SeCreatePagefilePrivilege	432	chrome.exe
Token: SeShutdownPrivilege	432	chrome.exe
Token: SeCreatePagefilePrivilege	432	chrome.exe
Token: SeShutdownPrivilege	432	chrome.exe
Token: SeCreatePagefilePrivilege	432	chrome.exe
Token: SeShutdownPrivilege	432	chrome.exe
Token: SeCreatePagefilePrivilege	432	chrome.exe
Token: SeShutdownPrivilege	432	chrome.exe
Token: SeCreatePagefilePrivilege	432	chrome.exe
Token: SeShutdownPrivilege	432	chrome.exe
Token: SeCreatePagefilePrivilege	432	chrome.exe
Token: SeShutdownPrivilege	432	chrome.exe
Token: SeCreatePagefilePrivilege	432	chrome.exe
Token: SeShutdownPrivilege	432	chrome.exe
Token: SeCreatePagefilePrivilege	432	chrome.exe
Token: SeShutdownPrivilege	432	chrome.exe
Token: SeCreatePagefilePrivilege	432	chrome.exe
Token: SeShutdownPrivilege	432	chrome.exe
Token: SeCreatePagefilePrivilege	432	chrome.exe
Token: SeShutdownPrivilege	432	chrome.exe
Token: SeCreatePagefilePrivilege	432	chrome.exe
Token: SeShutdownPrivilege	432	chrome.exe
Token: SeCreatePagefilePrivilege	432	chrome.exe
Token: SeShutdownPrivilege	432	chrome.exe
Token: SeCreatePagefilePrivilege	432	chrome.exe
Token: SeShutdownPrivilege	432	chrome.exe
Token: SeCreatePagefilePrivilege	432	chrome.exe
Token: SeShutdownPrivilege	432	chrome.exe
Token: SeCreatePagefilePrivilege	432	chrome.exe
Token: SeShutdownPrivilege	432	chrome.exe
Token: SeCreatePagefilePrivilege	432	chrome.exe
Token: SeShutdownPrivilege	432	chrome.exe
Token: SeCreatePagefilePrivilege	432	chrome.exe
Token: SeShutdownPrivilege	432	chrome.exe
Token: SeCreatePagefilePrivilege	432	chrome.exe
Token: SeShutdownPrivilege	432	chrome.exe
Token: SeCreatePagefilePrivilege	432	chrome.exe
Token: SeShutdownPrivilege	432	chrome.exe
Token: SeCreatePagefilePrivilege	432	chrome.exe
Token: SeShutdownPrivilege	432	chrome.exe
Token: SeCreatePagefilePrivilege	432	chrome.exe
Token: SeShutdownPrivilege	432	chrome.exe
Token: SeCreatePagefilePrivilege	432	chrome.exe
Token: SeShutdownPrivilege	432	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
2816	7zFM.exe
2816	7zFM.exe
2816	7zFM.exe
2816	7zFM.exe
2816	7zFM.exe
2816	7zFM.exe
432	chrome.exe
432	chrome.exe
432	chrome.exe
432	chrome.exe
432	chrome.exe
432	chrome.exe
432	chrome.exe
432	chrome.exe
432	chrome.exe
432	chrome.exe
432	chrome.exe
432	chrome.exe
432	chrome.exe
432	chrome.exe
432	chrome.exe
432	chrome.exe
432	chrome.exe
432	chrome.exe
432	chrome.exe
432	chrome.exe
432	chrome.exe
432	chrome.exe
432	chrome.exe
432	chrome.exe
432	chrome.exe
432	chrome.exe
2816	7zFM.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
432	chrome.exe
432	chrome.exe
432	chrome.exe
432	chrome.exe
432	chrome.exe
432	chrome.exe
432	chrome.exe
432	chrome.exe
432	chrome.exe
432	chrome.exe
432	chrome.exe
432	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 4524	2816	7zFM.exe	77
PID 2816 wrote to memory of 4524	2816	7zFM.exe	77
PID 4524 wrote to memory of 4532	4524	setup7.0.exe	80
PID 4524 wrote to memory of 4532	4524	setup7.0.exe	80
PID 4524 wrote to memory of 4532	4524	setup7.0.exe	80
PID 4524 wrote to memory of 4532	4524	setup7.0.exe	80
PID 4524 wrote to memory of 4532	4524	setup7.0.exe	80
PID 4524 wrote to memory of 4532	4524	setup7.0.exe	80
PID 4524 wrote to memory of 4532	4524	setup7.0.exe	80
PID 4524 wrote to memory of 4532	4524	setup7.0.exe	80
PID 4524 wrote to memory of 4532	4524	setup7.0.exe	80
PID 4524 wrote to memory of 4532	4524	setup7.0.exe	80
PID 2816 wrote to memory of 4356	2816	7zFM.exe	81
PID 2816 wrote to memory of 4356	2816	7zFM.exe	81
PID 4356 wrote to memory of 72	4356	setup7.0.exe	82
PID 4356 wrote to memory of 72	4356	setup7.0.exe	82
PID 4356 wrote to memory of 72	4356	setup7.0.exe	82
PID 4356 wrote to memory of 72	4356	setup7.0.exe	82
PID 4356 wrote to memory of 72	4356	setup7.0.exe	82
PID 4356 wrote to memory of 72	4356	setup7.0.exe	82
PID 4356 wrote to memory of 72	4356	setup7.0.exe	82
PID 4356 wrote to memory of 72	4356	setup7.0.exe	82
PID 4356 wrote to memory of 72	4356	setup7.0.exe	82
PID 4356 wrote to memory of 72	4356	setup7.0.exe	82
PID 2816 wrote to memory of 4828	2816	7zFM.exe	83
PID 2816 wrote to memory of 4828	2816	7zFM.exe	83
PID 4828 wrote to memory of 3564	4828	setup7.0.exe	84
PID 4828 wrote to memory of 3564	4828	setup7.0.exe	84
PID 4828 wrote to memory of 3564	4828	setup7.0.exe	84
PID 4828 wrote to memory of 3564	4828	setup7.0.exe	84
PID 4828 wrote to memory of 3564	4828	setup7.0.exe	84
PID 4828 wrote to memory of 3564	4828	setup7.0.exe	84
PID 4828 wrote to memory of 3564	4828	setup7.0.exe	84
PID 4828 wrote to memory of 3564	4828	setup7.0.exe	84
PID 4828 wrote to memory of 3564	4828	setup7.0.exe	84
PID 4828 wrote to memory of 3564	4828	setup7.0.exe	84
PID 2816 wrote to memory of 576	2816	7zFM.exe	85
PID 2816 wrote to memory of 576	2816	7zFM.exe	85
PID 576 wrote to memory of 2940	576	setup7.0.exe	86
PID 576 wrote to memory of 2940	576	setup7.0.exe	86
PID 576 wrote to memory of 2940	576	setup7.0.exe	86
PID 576 wrote to memory of 2940	576	setup7.0.exe	86
PID 576 wrote to memory of 2940	576	setup7.0.exe	86
PID 576 wrote to memory of 2940	576	setup7.0.exe	86
PID 576 wrote to memory of 2940	576	setup7.0.exe	86
PID 576 wrote to memory of 2940	576	setup7.0.exe	86
PID 576 wrote to memory of 2940	576	setup7.0.exe	86
PID 576 wrote to memory of 2940	576	setup7.0.exe	86
PID 432 wrote to memory of 1228	432	chrome.exe	88
PID 432 wrote to memory of 1228	432	chrome.exe	88
PID 432 wrote to memory of 3168	432	chrome.exe	89
PID 432 wrote to memory of 3168	432	chrome.exe	89
PID 432 wrote to memory of 3168	432	chrome.exe	89
PID 432 wrote to memory of 3168	432	chrome.exe	89
PID 432 wrote to memory of 3168	432	chrome.exe	89
PID 432 wrote to memory of 3168	432	chrome.exe	89
PID 432 wrote to memory of 3168	432	chrome.exe	89
PID 432 wrote to memory of 3168	432	chrome.exe	89
PID 432 wrote to memory of 3168	432	chrome.exe	89
PID 432 wrote to memory of 3168	432	chrome.exe	89
PID 432 wrote to memory of 3168	432	chrome.exe	89
PID 432 wrote to memory of 3168	432	chrome.exe	89
PID 432 wrote to memory of 3168	432	chrome.exe	89
PID 432 wrote to memory of 3168	432	chrome.exe	89

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Setup5.0.zip"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Users\Admin\AppData\Local\Temp\7zO00B99C18\setup7.0.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO00B99C18\setup7.0.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\Users\Admin\AppData\Local\Temp\7zO00B99C18\setup7.0.exe
    C:\Users\Admin\AppData\Local\Temp\7zO00B99C18\setup7.0.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4532
- C:\Users\Admin\AppData\Local\Temp\7zO00BE03B8\setup7.0.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO00BE03B8\setup7.0.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4356
- - C:\Users\Admin\AppData\Local\Temp\7zO00BE03B8\setup7.0.exe
    C:\Users\Admin\AppData\Local\Temp\7zO00BE03B8\setup7.0.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:72
- C:\Users\Admin\AppData\Local\Temp\7zO00BE5B88\setup7.0.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO00BE5B88\setup7.0.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Users\Admin\AppData\Local\Temp\7zO00BE5B88\setup7.0.exe
    C:\Users\Admin\AppData\Local\Temp\7zO00BE5B88\setup7.0.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3564
- C:\Users\Admin\AppData\Local\Temp\7zO00BCF688\setup7.0.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO00BCF688\setup7.0.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:576
- - C:\Users\Admin\AppData\Local\Temp\7zO00BCF688\setup7.0.exe
    C:\Users\Admin\AppData\Local\Temp\7zO00BCF688\setup7.0.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2940
- C:\Users\Admin\AppData\Local\Temp\7zO00BBCFE9\setup7.0.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO00BBCFE9\setup7.0.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:392
- - C:\Users\Admin\AppData\Local\Temp\7zO00BBCFE9\setup7.0.exe
    C:\Users\Admin\AppData\Local\Temp\7zO00BBCFE9\setup7.0.exe
    3⤵
    - Executes dropped EXE
    PID:2272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff82f83cc40,0x7ff82f83cc4c,0x7ff82f83cc58
  2⤵
  PID:1228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1796,i,1265049388346294885,8238074199260023376,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1740 /prefetch:2
  2⤵
  PID:3168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2044,i,1265049388346294885,8238074199260023376,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2108 /prefetch:3
  2⤵
  PID:2960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2184,i,1265049388346294885,8238074199260023376,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2200 /prefetch:8
  2⤵
  PID:2792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,1265049388346294885,8238074199260023376,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:3584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,1265049388346294885,8238074199260023376,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:4252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4500,i,1265049388346294885,8238074199260023376,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4524 /prefetch:1
  2⤵
  PID:3236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4784,i,1265049388346294885,8238074199260023376,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4844 /prefetch:8
  2⤵
  PID:968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4868,i,1265049388346294885,8238074199260023376,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4844 /prefetch:8
  2⤵
  PID:4380
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:244
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff70ab54698,0x7ff70ab546a4,0x7ff70ab546b0
    3⤵
    - Drops file in Windows directory
    PID:2108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4316,i,1265049388346294885,8238074199260023376,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4844 /prefetch:8
  2⤵
  PID:2972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4856,i,1265049388346294885,8238074199260023376,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4860 /prefetch:8
  2⤵
  PID:4244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5028,i,1265049388346294885,8238074199260023376,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4964 /prefetch:8
  2⤵
  PID:3376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4320,i,1265049388346294885,8238074199260023376,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4420 /prefetch:8
  2⤵
  PID:3132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5224,i,1265049388346294885,8238074199260023376,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4840 /prefetch:2
  2⤵
  PID:3592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5012,i,1265049388346294885,8238074199260023376,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4844 /prefetch:1
  2⤵
  PID:2344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3464,i,1265049388346294885,8238074199260023376,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4432 /prefetch:1
  2⤵
  PID:4036

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
cf141d9029023efbcf480ed501a0b63a

SHA1
e871dd087ec0327f8f5ac241f899ed17e473c968

SHA256
79d3d192f8d9b9f23bcc29cafd0a5f31927021dca04fdbda8c54f83b787b2454

SHA512
1e580f618c4a0eae4208fe1ec9ad1fce079e2e6f0f6abec84d86d0ba4cd4b18a11150fa51989f057633afdb186080bcfc5af14d27aea6ea712610cef1a3a8eda

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
520B

MD5
99ac01ebf8235a855de5080a1af6efee

SHA1
c5223b7c40ea23715fb4d2331fb27eb1a308f562

SHA256
e4c35b82da167c5be61d5dd09cf13121bc3869ddb716c4ba3c4fcd5375047ed5

SHA512
95f53a7209d1d028e4de6c115008f7a6163579acafe96252412153ee02732b4a133e8216700b893f32f55e553e8ea948ed2144a5ce9d72fa0f0112f3794dec11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
0aa239a75a3aa9317b6596ecd213d483

SHA1
0a0887c234c30bdc7cb7225a3f34ec1f8c0df9a1

SHA256
0ceb4f320421815c7168cb1210595fa7af18e0be8602528148ee953c7400183a

SHA512
47f8c5bf5f02ced959b82723eadd1873c2f6143b655116ee0a929adc4a2c922259e29b6a6e1d74e387dffedc2af9ef330e2c591d9e89877b4dace1f4944f75a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
8f29b342cab10b1aeb03d92ebb901bf8

SHA1
a40f63b4bbb3b70fbb9c7233425e8f6cce856a19

SHA256
628d65e4f3058e9e71f12bedd074baaab4c11aa2d0da1b2a806be7a4f2f43886

SHA512
90c273f02dfbce7abca828045095e1432d2d5b78b565f244b9db3aeb5a511e6535b160c30856509da1a9897d788d84f4645b81d3c5bbcce295ae4a439d76c25e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
999261d855eb5920867acaff869589a9

SHA1
ea349601c3fcfc1e5754c3c9d5e973eb663a8d8e

SHA256
ddbc55101b588c0e38c32d21f8405dcc1318000b3e44acace6b0e34592ea520c

SHA512
9b717c714986c623af9a3f4f61e18b7e74831308a813dd9f5c771e6227f1277e8b18dc2e47b0fc545ea8373ff2b81764a8b2662eaf0d33ef5275e57555b6f810

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8e2b5f4dc2123eaa7b81a86162b49147

SHA1
3eb330945f47cbe52d222d2e92d611911a646304

SHA256
68cf1a75f118d2d2bb290a5d397b201e03c132bd0d5e207b71a74fd9d7d1eacf

SHA512
71861bf47e4b56af5b086704b31536984d26fef5739fe790cb5ab87442b6f8b5a4bc924cb428807bae02cc6257fdbf39a74dd3266315200341127953f3004591

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
225ac8446ef9dacc428533716687c10b

SHA1
886df65363156e3019c203cbbbdc00e95c82a181

SHA256
b00f160dd762187febb52b8ba2efc9d4772aef53c8b369fbbd15d99a8b94104b

SHA512
3f0c55b34a45aa263ac39c14ca32c19df27e0fd1ef39e7d24f97169b9117b071d8a9670e3de3bae8a6e38cb3eb42d50b9546655b014e7c52db1aae648c99bc10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e52874e04007e0dba6412bb10194d064

SHA1
36dd9b523ba1b7060d04e18db433dd704bcd8289

SHA256
4bed32b31c936bf414a249f561174747c8e520e3ef2406c56fd506b6a64816d4

SHA512
efc63cd8a7bc37c8706598504250e4fa32c72c62ad87f95936f6d6756bac99e6a07b2b78e512ce40a8ea7086f9a271acd998dc8baff72372165f64ef2ebeabf4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
b231c2c3ca6fe79f5984185047559d82

SHA1
7ebc2d30a5babac80182a6e91d967a5c240b9ab1

SHA256
0ae771c6d3f66f10364b03956da4e20d14cfa240556427972d2da2fad4152ff1

SHA512
6849fa3108b7f26de91857127dde270d617650e3d5dc001260570ecc2e4bb562f1c733ae20cda7fbbbf843f045f2b5b7d99b33f2cdd3fa41b2d6aac34abc1251

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
23519d482f2dcbc0fff8a15256e8926d

SHA1
667d2bce4a0662c0b118fc19d957cdf7995b440e

SHA256
ca0a515691a737af66626bb424f1949d083101a9b90dbc1a6d7b72d203d5e750

SHA512
07b5de431ae7a2b29ba8efbf533a2faa93c3999174a2b651e6d60b28fcf159d388369e618ec1015138b15bbd542f5915ee2bb2c9fdcfd753af6d2e41441494b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
ae69cae0e4e9ddb61c2829ca17fc5e05

SHA1
e646d98b5e647945f480e1a059af7db28e0aa2fb

SHA256
ec0a79dee04c6f202fc382f022469382ca0b67c49a311064aca950493016cefd

SHA512
b6abf012a70101eb397ecfa10be9e11dc3cf3e1d7056da47a6ab279cc1a4ab3b697bde317a08d27a566f401d747a51568a66580d567691b5cc0da2feeb57ea5c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
abb9c6e0005070016c52426e08bf60cf

SHA1
310da70c7beff4f319cf4bdb25ea44dfd157f779

SHA256
3930d093702dbe3b1b76b8347aafa5b1aa9af4eda32aca2daee31817645a5f5b

SHA512
0b25fa234dd6b76740c9009590504d702e99f5a87f32c564d8d56b1a00110ebfd92e5a6c19b4785f3b900afd0eed8f9b48c4ff44c3805f773bb341235d3e4f90

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO00B99C18\setup7.0.exe

Filesize
3.6MB

MD5
d38571e4500bd3936c55ab41b7d40c4b

SHA1
b7dfcd284dd985b92c4ab45e13bfc45dcf067ac5

SHA256
ec711f3d9eb360eb08ef30c0b315de37a59da35bd6e332d8f19d18fc480d9a3c

SHA512
324e71c33eab94097b4e0cc0b6d28d8bdbca1739282b6b1fafdbb440ba2ab69d256b4905046edd719bdf20192440d160193f983f2217ccaf4972b5617a2a592a

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir432_1749255570\3629e5fa-1240-439a-bebb-7c1aeabb400f.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir432_1749255570\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
memory/72-25-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/2272-795-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/2940-49-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3564-37-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/4532-9-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/4532-11-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/4532-13-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/4532-12-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download