xred | 6eb643eb56e8fbff11276d23354b6b473bc252464d3ef7b98ec8cbbd57792f8e

Analysis

max time kernel
59s
max time network
63s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-01-2025 22:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FileGrab.exe
Size

802KB
MD5

f4d902e70524666a52182720fe208ab1
SHA1

33774655d0fc10bccd652e95b18fb428dcd80a38
SHA256

6eb643eb56e8fbff11276d23354b6b473bc252464d3ef7b98ec8cbbd57792f8e
SHA512

5bf37506097654f384f12f2d90fc9888f0bb5eaa548033a616ed16cbc90fd7a6483aa1b74f7423925e11f7f826e42d5373ac1c88ab7b049e63e23288ac656d65
SSDEEP

12288:2MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V935lC6FOj:2nsJ39LyjbJkQFMhmC+6GD9q6Fq

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	FileGrab.exe

Executes dropped EXE 3 IoCs

pid	Process
3480	._cache_FileGrab.exe
4964	Synaptics.exe
5004	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	FileGrab.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileGrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_FileGrab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133812815063092992"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	FileGrab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
532	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3968	chrome.exe
3968	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe
Token: SeShutdownPrivilege	3968	chrome.exe
Token: SeCreatePagefilePrivilege	3968	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe
3968	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
532	EXCEL.EXE
532	EXCEL.EXE
532	EXCEL.EXE
532	EXCEL.EXE
532	EXCEL.EXE
532	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 3480	1724	FileGrab.exe	82
PID 1724 wrote to memory of 3480	1724	FileGrab.exe	82
PID 1724 wrote to memory of 3480	1724	FileGrab.exe	82
PID 1724 wrote to memory of 4964	1724	FileGrab.exe	83
PID 1724 wrote to memory of 4964	1724	FileGrab.exe	83
PID 1724 wrote to memory of 4964	1724	FileGrab.exe	83
PID 4964 wrote to memory of 5004	4964	Synaptics.exe	84
PID 4964 wrote to memory of 5004	4964	Synaptics.exe	84
PID 4964 wrote to memory of 5004	4964	Synaptics.exe	84
PID 3968 wrote to memory of 4436	3968	chrome.exe	99
PID 3968 wrote to memory of 4436	3968	chrome.exe	99
PID 3968 wrote to memory of 2580	3968	chrome.exe	100
PID 3968 wrote to memory of 2580	3968	chrome.exe	100
PID 3968 wrote to memory of 2580	3968	chrome.exe	100
PID 3968 wrote to memory of 2580	3968	chrome.exe	100
PID 3968 wrote to memory of 2580	3968	chrome.exe	100
PID 3968 wrote to memory of 2580	3968	chrome.exe	100
PID 3968 wrote to memory of 2580	3968	chrome.exe	100
PID 3968 wrote to memory of 2580	3968	chrome.exe	100
PID 3968 wrote to memory of 2580	3968	chrome.exe	100
PID 3968 wrote to memory of 2580	3968	chrome.exe	100
PID 3968 wrote to memory of 2580	3968	chrome.exe	100
PID 3968 wrote to memory of 2580	3968	chrome.exe	100
PID 3968 wrote to memory of 2580	3968	chrome.exe	100
PID 3968 wrote to memory of 2580	3968	chrome.exe	100
PID 3968 wrote to memory of 2580	3968	chrome.exe	100
PID 3968 wrote to memory of 2580	3968	chrome.exe	100
PID 3968 wrote to memory of 2580	3968	chrome.exe	100
PID 3968 wrote to memory of 2580	3968	chrome.exe	100
PID 3968 wrote to memory of 2580	3968	chrome.exe	100
PID 3968 wrote to memory of 2580	3968	chrome.exe	100
PID 3968 wrote to memory of 2580	3968	chrome.exe	100
PID 3968 wrote to memory of 2580	3968	chrome.exe	100
PID 3968 wrote to memory of 2580	3968	chrome.exe	100
PID 3968 wrote to memory of 2580	3968	chrome.exe	100
PID 3968 wrote to memory of 2580	3968	chrome.exe	100
PID 3968 wrote to memory of 2580	3968	chrome.exe	100
PID 3968 wrote to memory of 2580	3968	chrome.exe	100
PID 3968 wrote to memory of 2580	3968	chrome.exe	100
PID 3968 wrote to memory of 2580	3968	chrome.exe	100
PID 3968 wrote to memory of 2580	3968	chrome.exe	100
PID 3968 wrote to memory of 4680	3968	chrome.exe	101
PID 3968 wrote to memory of 4680	3968	chrome.exe	101
PID 3968 wrote to memory of 4020	3968	chrome.exe	102
PID 3968 wrote to memory of 4020	3968	chrome.exe	102
PID 3968 wrote to memory of 4020	3968	chrome.exe	102
PID 3968 wrote to memory of 4020	3968	chrome.exe	102
PID 3968 wrote to memory of 4020	3968	chrome.exe	102
PID 3968 wrote to memory of 4020	3968	chrome.exe	102
PID 3968 wrote to memory of 4020	3968	chrome.exe	102
PID 3968 wrote to memory of 4020	3968	chrome.exe	102
PID 3968 wrote to memory of 4020	3968	chrome.exe	102
PID 3968 wrote to memory of 4020	3968	chrome.exe	102
PID 3968 wrote to memory of 4020	3968	chrome.exe	102
PID 3968 wrote to memory of 4020	3968	chrome.exe	102
PID 3968 wrote to memory of 4020	3968	chrome.exe	102
PID 3968 wrote to memory of 4020	3968	chrome.exe	102
PID 3968 wrote to memory of 4020	3968	chrome.exe	102
PID 3968 wrote to memory of 4020	3968	chrome.exe	102
PID 3968 wrote to memory of 4020	3968	chrome.exe	102
PID 3968 wrote to memory of 4020	3968	chrome.exe	102
PID 3968 wrote to memory of 4020	3968	chrome.exe	102
PID 3968 wrote to memory of 4020	3968	chrome.exe	102
PID 3968 wrote to memory of 4020	3968	chrome.exe	102

C:\Users\Admin\AppData\Local\Temp\FileGrab.exe
"C:\Users\Admin\AppData\Local\Temp\FileGrab.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Users\Admin\AppData\Local\Temp\._cache_FileGrab.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_FileGrab.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3480
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5004

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffd55f2cc40,0x7ffd55f2cc4c,0x7ffd55f2cc58
  2⤵
  PID:4436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1944,i,1771393290521228380,2929776872214354830,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1936 /prefetch:2
  2⤵
  PID:2580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2080,i,1771393290521228380,2929776872214354830,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  PID:4680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2308,i,1771393290521228380,2929776872214354830,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1788 /prefetch:8
  2⤵
  PID:4020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3132,i,1771393290521228380,2929776872214354830,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3172,i,1771393290521228380,2929776872214354830,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:1652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4540,i,1771393290521228380,2929776872214354830,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4556 /prefetch:1
  2⤵
  PID:1476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4816,i,1771393290521228380,2929776872214354830,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4824 /prefetch:8
  2⤵
  PID:1152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5052,i,1771393290521228380,2929776872214354830,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5040 /prefetch:8
  2⤵
  PID:1464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4868,i,1771393290521228380,2929776872214354830,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5040 /prefetch:8
  2⤵
  PID:5112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5192,i,1771393290521228380,2929776872214354830,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5108 /prefetch:8
  2⤵
  PID:3612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5076,i,1771393290521228380,2929776872214354830,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4856 /prefetch:8
  2⤵
  PID:1004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5208,i,1771393290521228380,2929776872214354830,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4944 /prefetch:8
  2⤵
  PID:888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4864,i,1771393290521228380,2929776872214354830,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5072 /prefetch:2
  2⤵
  PID:4288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5536,i,1771393290521228380,2929776872214354830,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:4088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3716,i,1771393290521228380,2929776872214354830,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:1532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5388,i,1771393290521228380,2929776872214354830,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4588 /prefetch:1
  2⤵
  PID:3600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5672,i,1771393290521228380,2929776872214354830,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:2348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=3280,i,1771393290521228380,2929776872214354830,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:4572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5548,i,1771393290521228380,2929776872214354830,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:3420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5408,i,1771393290521228380,2929776872214354830,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4860 /prefetch:1
  2⤵
  PID:1612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=4644,i,1771393290521228380,2929776872214354830,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:4408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=5128,i,1771393290521228380,2929776872214354830,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5164 /prefetch:1
  2⤵
  PID:2948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=5432,i,1771393290521228380,2929776872214354830,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:4904

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
802KB

MD5
f4d902e70524666a52182720fe208ab1

SHA1
33774655d0fc10bccd652e95b18fb428dcd80a38

SHA256
6eb643eb56e8fbff11276d23354b6b473bc252464d3ef7b98ec8cbbd57792f8e

SHA512
5bf37506097654f384f12f2d90fc9888f0bb5eaa548033a616ed16cbc90fd7a6483aa1b74f7423925e11f7f826e42d5373ac1c88ab7b049e63e23288ac656d65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\185c7d98-e74b-4fed-90ba-6760e9d29428.tmp

Filesize
9KB

MD5
f3882d56f7dc31043f89dc32c4f29a52

SHA1
35c93f029916614144939bd4b530c99246799027

SHA256
5755b17fd788166d6cc95df9efdf286b008af4f14ab21dfa25cea66a3e62233c

SHA512
1d75ce1e951ef0dde03ecc0813f04e950acc281df1407dae76d488c755835dc2bc59688701a66fb96b6c437fe2f87984b464551a0a44cde9aec17ddc2d01f54b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
3ddf37328eba125f8c0d62a41919b70a

SHA1
bbc3c8fa388e9058f6904dd46ec938d5224672ae

SHA256
7fbb028b33990f09564bd7175674970de984bbda628341e7851a437d85281f1f

SHA512
35e417d7e8bf41ff6c248d4d805e6e6c41fce79b1bba2f2067e8c732452536723024052eeadcd483951c653164164757a78aea7e7fd485685b646358aa0117ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
04a34551cd369b907a8698963a03fab4

SHA1
771a27fbf8db20a52c7a04a1509d401a39b7fce2

SHA256
d226bb5add794989f293207573561c1ba768493bb05bd921e1ccc41d254fdae4

SHA512
932a8900f6cb2f602eacd8a063fe1da0ae2dd5bcd6b18f138f4d4e485492002482f57dbef8f1f347907d05623868c89370ff94de807398820703b8d1aff124f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
91f1130069ade6475766fb10a8f581ed

SHA1
ef2b43ed60fd907d130743c8eaca8acfe3b2cbf4

SHA256
aad031d52af278b56e056cf781dcf805bc44bedcf77a8243f20cba49d37ce263

SHA512
e3fbff00d94c886f3d82d23db43ce0c250fc512d84bf146bc6ecb8903e10f84271bb3b9fcacd90b1dcca7eba4ec446e70e0a17de3c395a7bd350147c6e390e88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5a2a1da7ae4e7021c45e0cf51ad4b6bc

SHA1
db07b3e6eee2d8f64974c4888a5dc4debf2c1ad1

SHA256
17b581243a5ad718e8403ef5b926afb5721fcb1ac3a826963b3510bfe2ceeb8e

SHA512
ab24b3584878187b0f110ef066c9675f27b79abf932ce9e2de1e04c9e619dc3d9fad3290bff024c1e89586c9ae19fa2284bbdb01109a42303d0566a8d845a526

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
4003f25aaaa7c81eff3b390b3cd88b68

SHA1
5db0a100aa5a4f623bcfbbc42b6715fdcf616573

SHA256
9ec17b1ae9378e5c348e49b66bcf47c1e8e0ead5257c72dcb7b6ea72fdf2fcb3

SHA512
ecc99db673868cc4e88fa9d123c634703aeed72f58d9df6f3caa0920a4ef2206546ba1c2da527a92877317627c11f1408788c0ff4b17aa0c949cc82a1433a1c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\temp-index

Filesize
72B

MD5
db626df972a82d13fa6a0943af503db1

SHA1
e8aafd35f95d44b8c9a672a61e5c64bd59a0241e

SHA256
5f870103c4372aaddc092267c29f2b2f267655b537b5db70dfcab1f2627b5ad8

SHA512
40e5df26608131aa2e391ded73be7d6439c5c175d9184ffbc96d01c814118265c98ffeb9335fa424fc8b926089000c979ea77e7c733a7f0af1ed9db17abaf17f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
4d576a5c010f2f3cdb6c73ef75e61f55

SHA1
c8bf2aeb1b6f0ca82161661ece2038b8468f7a24

SHA256
659b535d6e5a127c2e8565042eeb236112c255e45cdec744bd74bd2405b450fa

SHA512
e3e8d2448f2b80faa7f9878a09eacbaced54fcd22ae20dd7047bc0316671f7cd3fe203966f5910cb73b0c689a2c7ca4202279847e74a8c3711667ee19eba7d54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
7733a67df6604e4f1f273ca36e0cf97e

SHA1
3a06c32bd040d8a541a92c4935783c7fb10f70de

SHA256
415385f77779af24ab8f28049753092d7f20c9e59446c9fa69d74014386f72b6

SHA512
64f6ccf378ac715ec3ec6bd879dec85575f028d31f01c9cf8b9fe682c8af16bd718ebfea18a1ee6633dfd4a374127d40fc977e92842108a9831822545d045423

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_FileGrab.exe

Filesize
49KB

MD5
27f87ebebb071afec1891e00fd0700a4

SHA1
fbfc0a10ecf83da88df02356568bcac2399b3b9d

SHA256
11b8cdd387370de1d162516b82376ecf28d321dc8f46ebcce389dccc2a5a4cc9

SHA512
5386cae4eef9b767082d1143962851727479295b75321e07927bf7ebd60c5e051aeb78d6fa306ed6ef1c1d0182a16f1132a23263aefe9ed5d9d446b70b43a25d

Download Submit
C:\Users\Admin\AppData\Local\Temp\10975E00

Filesize
27KB

MD5
70da233dbd83f3423915ecce504082dc

SHA1
3a83a17eec589b46c44d926653a172e53f63eebc

SHA256
0cf4087c69a92469ea6ee7e88f869c06ad237d0c28f89bfd9c8fa205e4cdf2ff

SHA512
358f0c3ce03e718bc0523e1431b5cc202177f5300b25560837ce8cb6eb16f739bc5cb22d620f9fca8db3221e4cc85606d9f5e36843bef5adac5706ff32c95f3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qCgn6EhG.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3968_651062824\3ee02e44-f1fc-410d-a1ee-917ebef56ced.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3968_651062824\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
memory/532-196-0x00007FFD33E50000-0x00007FFD33E60000-memory.dmp

Filesize
64KB

Download
memory/532-197-0x00007FFD33E50000-0x00007FFD33E60000-memory.dmp

Filesize
64KB

Download
memory/532-193-0x00007FFD33E50000-0x00007FFD33E60000-memory.dmp

Filesize
64KB

Download
memory/532-194-0x00007FFD33E50000-0x00007FFD33E60000-memory.dmp

Filesize
64KB

Download
memory/532-195-0x00007FFD33E50000-0x00007FFD33E60000-memory.dmp

Filesize
64KB

Download
memory/532-254-0x00007FFD33E50000-0x00007FFD33E60000-memory.dmp

Filesize
64KB

Download
memory/532-256-0x00007FFD33E50000-0x00007FFD33E60000-memory.dmp

Filesize
64KB

Download
memory/532-257-0x00007FFD33E50000-0x00007FFD33E60000-memory.dmp

Filesize
64KB

Download
memory/532-255-0x00007FFD33E50000-0x00007FFD33E60000-memory.dmp

Filesize
64KB

Download
memory/532-199-0x00007FFD314F0000-0x00007FFD31500000-memory.dmp

Filesize
64KB

Download
memory/532-198-0x00007FFD314F0000-0x00007FFD31500000-memory.dmp

Filesize
64KB

Download
memory/1724-0-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1724-129-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/3480-259-0x0000000072E50000-0x0000000073401000-memory.dmp

Filesize
5.7MB

Download
memory/3480-258-0x0000000072E52000-0x0000000072E53000-memory.dmp

Filesize
4KB

Download
memory/3480-134-0x0000000072E52000-0x0000000072E54000-memory.dmp

Filesize
8KB

Download
memory/3480-132-0x0000000072E50000-0x0000000073401000-memory.dmp

Filesize
5.7MB

Download
memory/3480-118-0x0000000072E52000-0x0000000072E53000-memory.dmp

Filesize
4KB

Download
memory/4964-261-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/4964-260-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/4964-133-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download