da506fa70f7953e840f3eba28faf557a2038e0b3d0a5105a0ebe3434ee5e9e61

Analysis

max time kernel
36s
max time network
39s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-01-2025 22:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adobe-air-51-1-1-3.exe
Size

5.9MB
MD5

34dba7939065022ad74458acbae28abd
SHA1

5f4e6e7cc0f2970068ff1c05189a8dc6881b8d33
SHA256

da506fa70f7953e840f3eba28faf557a2038e0b3d0a5105a0ebe3434ee5e9e61
SHA512

6271f67b486c7273fd391e4379f987fcce3042947909e97d05290d04469588a94bd501685f686037a400b788d6693e73f7d7799069c772b80da9556322c6cc79
SSDEEP

98304:FOB7drLD5C522D5K6O6DWT9dCrVodEdhIW5LkrNcBByeTTC3qdqH2pjin6uYRjUI:gB7drxU22DJVAbAeOIyBBNiKqMbZUI

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	adobe-air-51-1-1-3.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Crashpad\metadata	setup.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	setup.exe

Executes dropped EXE 1 IoCs

pid	Process
3260	Adobe AIR Installer.exe

Loads dropped DLL 1 IoCs

pid	Process
3260	Adobe AIR Installer.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adobe AIR Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobe-air-51-1-1-3.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Adobe AIR Installer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Adobe AIR Installer.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_IMG	Adobe AIR Installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_IMG\Adobe AIR Installer.exe = "1"	Adobe AIR Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT	Adobe AIR Installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT\Adobe AIR Installer.exe = "1"	Adobe AIR Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT	Adobe AIR Installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT\Adobe AIR Installer.exe = "1"	Adobe AIR Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	Adobe AIR Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	Adobe AIR Installer.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133806756525773122"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2716	chrome.exe
2716	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: 33	792	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	792	AUDIODG.EXE
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe
Token: SeShutdownPrivilege	2716	chrome.exe
Token: SeCreatePagefilePrivilege	2716	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe
2716	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3260	Adobe AIR Installer.exe
3260	Adobe AIR Installer.exe
3260	Adobe AIR Installer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 3260	2780	adobe-air-51-1-1-3.exe	84
PID 2780 wrote to memory of 3260	2780	adobe-air-51-1-1-3.exe	84
PID 2780 wrote to memory of 3260	2780	adobe-air-51-1-1-3.exe	84
PID 2716 wrote to memory of 1048	2716	chrome.exe	89
PID 2716 wrote to memory of 1048	2716	chrome.exe	89
PID 2716 wrote to memory of 3284	2716	chrome.exe	90
PID 2716 wrote to memory of 3284	2716	chrome.exe	90
PID 2716 wrote to memory of 3284	2716	chrome.exe	90
PID 2716 wrote to memory of 3284	2716	chrome.exe	90
PID 2716 wrote to memory of 3284	2716	chrome.exe	90
PID 2716 wrote to memory of 3284	2716	chrome.exe	90
PID 2716 wrote to memory of 3284	2716	chrome.exe	90
PID 2716 wrote to memory of 3284	2716	chrome.exe	90
PID 2716 wrote to memory of 3284	2716	chrome.exe	90
PID 2716 wrote to memory of 3284	2716	chrome.exe	90
PID 2716 wrote to memory of 3284	2716	chrome.exe	90
PID 2716 wrote to memory of 3284	2716	chrome.exe	90
PID 2716 wrote to memory of 3284	2716	chrome.exe	90
PID 2716 wrote to memory of 3284	2716	chrome.exe	90
PID 2716 wrote to memory of 3284	2716	chrome.exe	90
PID 2716 wrote to memory of 3284	2716	chrome.exe	90
PID 2716 wrote to memory of 3284	2716	chrome.exe	90
PID 2716 wrote to memory of 3284	2716	chrome.exe	90
PID 2716 wrote to memory of 3284	2716	chrome.exe	90
PID 2716 wrote to memory of 3284	2716	chrome.exe	90
PID 2716 wrote to memory of 3284	2716	chrome.exe	90
PID 2716 wrote to memory of 3284	2716	chrome.exe	90
PID 2716 wrote to memory of 3284	2716	chrome.exe	90
PID 2716 wrote to memory of 3284	2716	chrome.exe	90
PID 2716 wrote to memory of 3284	2716	chrome.exe	90
PID 2716 wrote to memory of 3284	2716	chrome.exe	90
PID 2716 wrote to memory of 3284	2716	chrome.exe	90
PID 2716 wrote to memory of 3284	2716	chrome.exe	90
PID 2716 wrote to memory of 3284	2716	chrome.exe	90
PID 2716 wrote to memory of 3284	2716	chrome.exe	90
PID 2716 wrote to memory of 3828	2716	chrome.exe	91
PID 2716 wrote to memory of 3828	2716	chrome.exe	91
PID 2716 wrote to memory of 456	2716	chrome.exe	92
PID 2716 wrote to memory of 456	2716	chrome.exe	92
PID 2716 wrote to memory of 456	2716	chrome.exe	92
PID 2716 wrote to memory of 456	2716	chrome.exe	92
PID 2716 wrote to memory of 456	2716	chrome.exe	92
PID 2716 wrote to memory of 456	2716	chrome.exe	92
PID 2716 wrote to memory of 456	2716	chrome.exe	92
PID 2716 wrote to memory of 456	2716	chrome.exe	92
PID 2716 wrote to memory of 456	2716	chrome.exe	92
PID 2716 wrote to memory of 456	2716	chrome.exe	92
PID 2716 wrote to memory of 456	2716	chrome.exe	92
PID 2716 wrote to memory of 456	2716	chrome.exe	92
PID 2716 wrote to memory of 456	2716	chrome.exe	92
PID 2716 wrote to memory of 456	2716	chrome.exe	92
PID 2716 wrote to memory of 456	2716	chrome.exe	92
PID 2716 wrote to memory of 456	2716	chrome.exe	92
PID 2716 wrote to memory of 456	2716	chrome.exe	92
PID 2716 wrote to memory of 456	2716	chrome.exe	92
PID 2716 wrote to memory of 456	2716	chrome.exe	92
PID 2716 wrote to memory of 456	2716	chrome.exe	92
PID 2716 wrote to memory of 456	2716	chrome.exe	92
PID 2716 wrote to memory of 456	2716	chrome.exe	92
PID 2716 wrote to memory of 456	2716	chrome.exe	92
PID 2716 wrote to memory of 456	2716	chrome.exe	92
PID 2716 wrote to memory of 456	2716	chrome.exe	92
PID 2716 wrote to memory of 456	2716	chrome.exe	92
PID 2716 wrote to memory of 456	2716	chrome.exe	92

C:\Users\Admin\AppData\Local\Temp\adobe-air-51-1-1-3.exe
"C:\Users\Admin\AppData\Local\Temp\adobe-air-51-1-1-3.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Users\Admin\AppData\Local\Temp\AIR9124.tmp\Adobe AIR Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\AIR9124.tmp\Adobe AIR Installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3260

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4b4 0x304
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf8,0x124,0x7ffbc53ccc40,0x7ffbc53ccc4c,0x7ffbc53ccc58
  2⤵
  PID:1048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1776,i,118753477094217998,3579385121497807809,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1768 /prefetch:2
  2⤵
  PID:3284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1972,i,118753477094217998,3579385121497807809,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2008 /prefetch:3
  2⤵
  PID:3828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,118753477094217998,3579385121497807809,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2280 /prefetch:8
  2⤵
  PID:456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,118753477094217998,3579385121497807809,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:3220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3320,i,118753477094217998,3579385121497807809,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:1428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3676,i,118753477094217998,3579385121497807809,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4588 /prefetch:1
  2⤵
  PID:672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4932,i,118753477094217998,3579385121497807809,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4944 /prefetch:8
  2⤵
  PID:2680
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Program Files directory
  PID:3568
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x7ff694864698,0x7ff6948646a4,0x7ff6948646b0
    3⤵
    - Drops file in Program Files directory
    PID:2212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4944,i,118753477094217998,3579385121497807809,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5072 /prefetch:8
  2⤵
  PID:4408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4076,i,118753477094217998,3579385121497807809,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4848 /prefetch:1
  2⤵
  PID:4200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5200,i,118753477094217998,3579385121497807809,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4432 /prefetch:8
  2⤵
  PID:2496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5196,i,118753477094217998,3579385121497807809,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5340 /prefetch:8
  2⤵
  PID:2272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5220,i,118753477094217998,3579385121497807809,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5460 /prefetch:8
  2⤵
  PID:860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4448,i,118753477094217998,3579385121497807809,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3156 /prefetch:8
  2⤵
  PID:1880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5400,i,118753477094217998,3579385121497807809,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5820 /prefetch:2
  2⤵
  PID:3640

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
d29402d94554cbddf4cd843c7926227e

SHA1
f8c708b8a2e555f6191291bbb50e420836fd4551

SHA256
0484b6aad951ff6589bdd98b240964c026c778d9fb0df07112d5063525d849cb

SHA512
23fa0abb0fe1b2d65b0ab66f570efdfc6d3a0d6c9ab17ae4cd98339a4694db9900f21db88af7d3ebd82e9ab06946adbb6bd4961d3d0f42c3506b85be9fe02cbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
74bd993f93c5f73e724a96c1554b4ffb

SHA1
d538e96c88c21945341d167911a402de1cdc5c5c

SHA256
67d2e5bde06534cc3f15d7b18c9286b3a11718f90184ac74049668cd03b4d9f6

SHA512
0a8197f83914888407d123656dce3b0fc278347e19646e8d8022256345d4147d7e97f1826f0d6aad0f6ec23c259aee44ba2cdb5fbc8723e6e7367bafd0f6f279

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
05f407e3316fffceaf4d0629ae436ad9

SHA1
efea4ae5f6019f4a652fca92f4ddaf4ac35b915a

SHA256
642939ed3bce2fc8b257535d360a3bdc91653e10982cd9527275f467f1bddc01

SHA512
8f65127b72b90ecfbb43e6ce09b7f53594573cf5f826b3e2e3df52679942e7b65027b084e18d5072547e0831f5070bda96f38e23d7d394bf7806f9067f8828c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
5b4e90c471994e2aeb5ec02665de406f

SHA1
0fed57674b39ca9d68a976608e635ba9dec0245c

SHA256
ee2760f36fc72b058fe6321b95fdfbbfaad0ea7a126dc9363ec4ddbf0819b354

SHA512
1d75550563843fe3a055356faf0f7c585081fb0151c3a275f1c1f8e73652cbd7fd61eb1e9d4898a9926a63dbc2c8afde49bb0faf7442757ceb0b6035a831281a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
a56f9066424700af0ae0e0d80bb5ae7e

SHA1
b4bf775ca9123d84308b890950c6d1d9b89fa038

SHA256
b53a00bf0b476ca2613a12ac731290c7cf21327864b035e08e3df5f12f2a8d09

SHA512
b869c5c0d7849120d133762c44f7f970311782722f5d56c011fc55288610957beb8f794569ff0a83a77945516d5139124b932054d7c2a09a2760c886d6ea4016

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIR9124.tmp\Adobe AIR Installer.exe

Filesize
383KB

MD5
6ba34f521e2de430fa5ba108e399d12e

SHA1
830ee63d8db0020201b6d0cb8d5a2ed2dd523256

SHA256
1a54ac75b4b671657c4368c6a73143e63462be076312921bc6d1e94a12426c58

SHA512
1e3826aa000abaa15d93e516b8398f31a9517d8dbbaa2ee671cfb2619af3818efe8b810e6fde3411c8b05b8c51afbd58b561c6d76e4383ac300bb7a3ce8f6401

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIR9124.tmp\Adobe AIR\Versions\1.0\Adobe AIR.dll

Filesize
13.4MB

MD5
b10e155460556fa4667536de7bb40e43

SHA1
a17872d7ff29a307fac5b4ed98887a420f716964

SHA256
371c442e9ce81a9514d25eccbe6e9c37a7b766bc5de1a7e03e50ac77cb8ce374

SHA512
4a3d2b0ec3d3ae868c50530136da228d835234198a41aa47ef11c40843249bad29425d50967ce8205c948336d02107e69655900c071cb5b3cb0c63e57ea557d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIR9124.tmp\setup.swf

Filesize
512KB

MD5
ad5f7d53caef368303bebde302582d92

SHA1
9efad61bf69e80d7468236695e0a108d360ae749

SHA256
2b501bfdb378ba7130b8e4b4b2263adfb4f95887cf071ded134f4cffeee5f40d

SHA512
8a31c0009c915dbb46c054388d793c1db8fc7b5ae1df419b3f284cad1d2f8db1f2ed759dcb126868d64af8a0a94c9e479776e6da86296af4e73a0850821c49e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2716_455505604\56d0ddaa-5ea2-48b0-9b6e-e591f9963c75.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2716_455505604\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit