fickerstealer | f9ff859f39a9e54d733f9c3da77a0c42a4f9c6c53eccccfd7e874b8b5018ec96

Analysis

max time kernel
149s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
19-01-2025 15:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup (password is THEPIRATEBAY007).zip
Size

5.1MB
MD5

5a7b05af6be77d411d38e4b9603de6fb
SHA1

890c2441287979341aea951ff1dd0e4e692493bf
SHA256

f9ff859f39a9e54d733f9c3da77a0c42a4f9c6c53eccccfd7e874b8b5018ec96
SHA512

ff24593ff5703675fd41c53acb35e6e36cf33baa660e23a005287eab482c6e79a0cd922efb2b82a6cdec3b8b425f6aeb37f71340b0cbca6ecc2f70475b4c3b2e
SSDEEP

98304:Qay8P3DkDOgkjEBA43Or6uDfilxC0v+3ECjIir05+JKe5G6tZTaD027+mo:Qay8/6vDBAuOr6kYp+tEK6eKe5GoZF2k

Score

10^/10

fickerstealer microsoft discovery infostealer phishing

Malware Config

Extracted

Family

fickerstealer

45.93.201.181:80

Signatures

Fickerstealer
Ficker is an infostealer written in Rust and ASM.
infostealer fickerstealer
Fickerstealer family
fickerstealer

Executes dropped EXE 6 IoCs

pid	Process
2944	Setup.exe
2040	Setup.exe
3336	Setup.exe
1784	Setup.exe
2172	Setup.exe
1444	Setup.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	api.ipify.org

Detected potential entity reuse from brand MICROSOFT.
phishing microsoft

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133817752545221468"	chrome.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	7zFM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2944	Setup.exe
2944	Setup.exe
2944	Setup.exe
2944	Setup.exe
2944	Setup.exe
2944	Setup.exe
2944	Setup.exe
2944	Setup.exe
2944	Setup.exe
2944	Setup.exe
2944	Setup.exe
2944	Setup.exe
2944	Setup.exe
2944	Setup.exe
2944	Setup.exe
2944	Setup.exe
2944	Setup.exe
2944	Setup.exe
2944	Setup.exe
2944	Setup.exe
2944	Setup.exe
2944	Setup.exe
2944	Setup.exe
2944	Setup.exe
2944	Setup.exe
2944	Setup.exe
2944	Setup.exe
2944	Setup.exe
2944	Setup.exe
2944	Setup.exe
2944	Setup.exe
2944	Setup.exe
2944	Setup.exe
2944	Setup.exe
2944	Setup.exe
2944	Setup.exe
2944	Setup.exe
2944	Setup.exe
2944	Setup.exe
2944	Setup.exe
2944	Setup.exe
2944	Setup.exe
3336	Setup.exe
3336	Setup.exe
3336	Setup.exe
3336	Setup.exe
3336	Setup.exe
3336	Setup.exe
3336	Setup.exe
3336	Setup.exe
3336	Setup.exe
3336	Setup.exe
3336	Setup.exe
3336	Setup.exe
3336	Setup.exe
3336	Setup.exe
3336	Setup.exe
3336	Setup.exe
3336	Setup.exe
3336	Setup.exe
3336	Setup.exe
3336	Setup.exe
3336	Setup.exe
3336	Setup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4120	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4120	7zFM.exe
Token: 35	4120	7zFM.exe
Token: SeSecurityPrivilege	4120	7zFM.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe
Token: SeCreatePagefilePrivilege	2500	chrome.exe
Token: SeShutdownPrivilege	2500	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
4120	7zFM.exe
4120	7zFM.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe
2500	chrome.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2944	Setup.exe
3336	Setup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 2040	2944	Setup.exe	83
PID 2944 wrote to memory of 2040	2944	Setup.exe	83
PID 2944 wrote to memory of 2040	2944	Setup.exe	83
PID 2944 wrote to memory of 2040	2944	Setup.exe	83
PID 2944 wrote to memory of 2040	2944	Setup.exe	83
PID 2944 wrote to memory of 2040	2944	Setup.exe	83
PID 2944 wrote to memory of 2040	2944	Setup.exe	83
PID 2944 wrote to memory of 2040	2944	Setup.exe	83
PID 2944 wrote to memory of 2040	2944	Setup.exe	83
PID 2944 wrote to memory of 2040	2944	Setup.exe	83
PID 2944 wrote to memory of 2040	2944	Setup.exe	83
PID 2944 wrote to memory of 2040	2944	Setup.exe	83
PID 2944 wrote to memory of 2040	2944	Setup.exe	83
PID 2944 wrote to memory of 2040	2944	Setup.exe	83
PID 2944 wrote to memory of 2040	2944	Setup.exe	83
PID 2944 wrote to memory of 2040	2944	Setup.exe	83
PID 2944 wrote to memory of 2040	2944	Setup.exe	83
PID 2944 wrote to memory of 2040	2944	Setup.exe	83
PID 2944 wrote to memory of 2040	2944	Setup.exe	83
PID 2944 wrote to memory of 2040	2944	Setup.exe	83
PID 2944 wrote to memory of 2040	2944	Setup.exe	83
PID 3336 wrote to memory of 1784	3336	Setup.exe	88
PID 3336 wrote to memory of 1784	3336	Setup.exe	88
PID 3336 wrote to memory of 1784	3336	Setup.exe	88
PID 3336 wrote to memory of 1784	3336	Setup.exe	88
PID 3336 wrote to memory of 1784	3336	Setup.exe	88
PID 3336 wrote to memory of 1784	3336	Setup.exe	88
PID 3336 wrote to memory of 1784	3336	Setup.exe	88
PID 3336 wrote to memory of 1784	3336	Setup.exe	88
PID 3336 wrote to memory of 1784	3336	Setup.exe	88
PID 3336 wrote to memory of 1784	3336	Setup.exe	88
PID 3336 wrote to memory of 1784	3336	Setup.exe	88
PID 3336 wrote to memory of 1784	3336	Setup.exe	88
PID 3336 wrote to memory of 1784	3336	Setup.exe	88
PID 3336 wrote to memory of 1784	3336	Setup.exe	88
PID 3336 wrote to memory of 1784	3336	Setup.exe	88
PID 3336 wrote to memory of 1784	3336	Setup.exe	88
PID 3336 wrote to memory of 1784	3336	Setup.exe	88
PID 3336 wrote to memory of 1784	3336	Setup.exe	88
PID 3336 wrote to memory of 1784	3336	Setup.exe	88
PID 3336 wrote to memory of 1784	3336	Setup.exe	88
PID 3336 wrote to memory of 1784	3336	Setup.exe	88
PID 2172 wrote to memory of 1444	2172	Setup.exe	90
PID 2172 wrote to memory of 1444	2172	Setup.exe	90
PID 2172 wrote to memory of 1444	2172	Setup.exe	90
PID 2172 wrote to memory of 1444	2172	Setup.exe	90
PID 2172 wrote to memory of 1444	2172	Setup.exe	90
PID 2172 wrote to memory of 1444	2172	Setup.exe	90
PID 2172 wrote to memory of 1444	2172	Setup.exe	90
PID 2172 wrote to memory of 1444	2172	Setup.exe	90
PID 2172 wrote to memory of 1444	2172	Setup.exe	90
PID 2172 wrote to memory of 1444	2172	Setup.exe	90
PID 2172 wrote to memory of 1444	2172	Setup.exe	90
PID 2172 wrote to memory of 1444	2172	Setup.exe	90
PID 2172 wrote to memory of 1444	2172	Setup.exe	90
PID 2172 wrote to memory of 1444	2172	Setup.exe	90
PID 2172 wrote to memory of 1444	2172	Setup.exe	90
PID 2172 wrote to memory of 1444	2172	Setup.exe	90
PID 2172 wrote to memory of 1444	2172	Setup.exe	90
PID 2172 wrote to memory of 1444	2172	Setup.exe	90
PID 2172 wrote to memory of 1444	2172	Setup.exe	90
PID 2172 wrote to memory of 1444	2172	Setup.exe	90
PID 2172 wrote to memory of 1444	2172	Setup.exe	90
PID 2500 wrote to memory of 4348	2500	chrome.exe	92

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Setup (password is THEPIRATEBAY007).zip"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4120

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1540

C:\Users\Admin\Downloads\Setup.exe
"C:\Users\Admin\Downloads\Setup.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Users\Admin\Downloads\Setup.exe
  "C:\Users\Admin\Downloads\Setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2040

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:1576

C:\Users\Admin\Downloads\Setup.exe
"C:\Users\Admin\Downloads\Setup.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3336
- C:\Users\Admin\Downloads\Setup.exe
  "C:\Users\Admin\Downloads\Setup.exe"
  2⤵
  - Executes dropped EXE
  PID:1784

C:\Users\Admin\Downloads\Setup.exe
"C:\Users\Admin\Downloads\Setup.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\Downloads\Setup.exe
  "C:\Users\Admin\Downloads\Setup.exe"
  2⤵
  - Executes dropped EXE
  PID:1444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff97071cc40,0x7ff97071cc4c,0x7ff97071cc58
  2⤵
  PID:4348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1972,i,16797733106298257876,3233586605615330877,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1968 /prefetch:2
  2⤵
  PID:2240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1756,i,16797733106298257876,3233586605615330877,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2004 /prefetch:3
  2⤵
  PID:4396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2216,i,16797733106298257876,3233586605615330877,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2256 /prefetch:8
  2⤵
  PID:1496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3092,i,16797733106298257876,3233586605615330877,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3116 /prefetch:1
  2⤵
  PID:3944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,16797733106298257876,3233586605615330877,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:3324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4452,i,16797733106298257876,3233586605615330877,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4428 /prefetch:1
  2⤵
  PID:3384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4576,i,16797733106298257876,3233586605615330877,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4796 /prefetch:8
  2⤵
  PID:1416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4768,i,16797733106298257876,3233586605615330877,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3096 /prefetch:8
  2⤵
  PID:4852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4540,i,16797733106298257876,3233586605615330877,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4568 /prefetch:8
  2⤵
  PID:1096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5044,i,16797733106298257876,3233586605615330877,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4812 /prefetch:8
  2⤵
  PID:4704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5012,i,16797733106298257876,3233586605615330877,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4808 /prefetch:8
  2⤵
  PID:4100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4608,i,16797733106298257876,3233586605615330877,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5000 /prefetch:8
  2⤵
  PID:2676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5384,i,16797733106298257876,3233586605615330877,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5224 /prefetch:2
  2⤵
  PID:4972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4320,i,16797733106298257876,3233586605615330877,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:2848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3432,i,16797733106298257876,3233586605615330877,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3464 /prefetch:1
  2⤵
  PID:2708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=3264,i,16797733106298257876,3233586605615330877,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:5016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=3476,i,16797733106298257876,3233586605615330877,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4512 /prefetch:1
  2⤵
  PID:1796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5464,i,16797733106298257876,3233586605615330877,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4560 /prefetch:1
  2⤵
  PID:3088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5404,i,16797733106298257876,3233586605615330877,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5328 /prefetch:1
  2⤵
  PID:3396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3484,i,16797733106298257876,3233586605615330877,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5432 /prefetch:8
  2⤵
  PID:1316

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\krosqm.txt

Filesize
14B

MD5
2c807857a435aa8554d595bd14ed35d1

SHA1
9003a73beceab3d1b1cd65614347c33117041a95

SHA256
3c4fae56f61b7cdf09709c2aaf65ca47d3bf9077b1e5eb0eb1e6c5c34923eb9b

SHA512
95c6fa9f5b342ef34d896f083700ee12d55723e24aff42805bac5c1aa73f07d0db4f9d435d31a61da187edc2336252dfb38529b3f2b1d2039aa2a8e65d64a7a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
7f12e938a6f064f8ebd42eb993c89645

SHA1
0da98840c97e83187a3de96af0c463c4917c28b2

SHA256
c141f993dfd83a7851ed4a8070b843f2f8d17378bd13f8c4ab4a3dae8100e90e

SHA512
7f4d34780e140e94d89f9f6db43de3d1831db3707f8a12a56f21e0957aedaea1532cdf5f0ffeb2012b696824516663b1e6b51744533bcf65453a2744feed8bee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
d474ec7f8d58a66420b6daa0893a4874

SHA1
4314642571493ba983748556d0e76ec6704da211

SHA256
553a19b6f44f125d9594c02231e4217e9d74d92b7065dc996d92f1e53f6bcb69

SHA512
344062d1be40db095abb7392b047b16f33ea3043158690cf66a2fa554aa2db79c4aa68de1308f1eddf6b9140b9ac5de70aad960b4e8e8b91f105213c4aace348

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
2dbc869625798003cb6276f2ea8c5e4e

SHA1
6dec85f19b47d06403dd02ad5afbe0fad7d5e1fd

SHA256
35ad65bdcdef3519627fd69105d9fcd95393363b3c52b31d659c6cdadebc5f6c

SHA512
302e623a43b29c36bc076dd9fc80c36eb31dac2203a086ab38ca553fb7777bd709ad2b33a218a1e26fae23ce77d8e39dd686d2d33cc4026df6829a86c0a83acb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
430043069ffa45779581043e83482474

SHA1
fac2844c953e23298e70fef9ceb0a3684ea56c82

SHA256
c4d5054f83a0890c9dd36cc6fc831344564da5230b9f87faae82677182ef7427

SHA512
e9c7974f9347941b527dfd5ccc4b9549a80ada33ad44b6366749b5f501cf8d114a118e9e68167999c6324cb42c71d46dbd88dc3ae194fa5c0db46cb4095f3862

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
860B

MD5
b78357721e59c241dc0eeb3d46992454

SHA1
b1a29a7a70e4bd09e5485f155fe4d1e4e0cd43b5

SHA256
7c13ca083f41a90a891d2ea9d2d54ce3545786bb6acb3938dcde9fa92311e403

SHA512
24eb1f221852d824a1bffe8c9836d2f9408e113fe3bc6940ad09fd5a81f769625858b03a86404012ddfae6f27c0d6776d74a11b081f9a3ee9165d2d8b96a240c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
a017d17de0179bd7b5f81cbbfc7c39f1

SHA1
cb5e76cc8e930c0cd7eb02946e57181f6cc6ec65

SHA256
c029d39d81692c93b44641b67f9133ff85c57e0308a64e6ce38e6ea9dcbb06e7

SHA512
892ca3d70aa8fd37969c2501b25668399b4e925f9ca2d679c574755e17f68c3b840bb7d7f004eb7575f03d676e30c91eaf1b9def77ee46fdbbfa1039d9166dd6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
de2f151337935311504fc848b19b7c00

SHA1
9915a7c9bae4685823c186d66806e8cc3c900f33

SHA256
4ace1a4f7c8a1af33f553ced24970c289100045b23ec18444e0d9d7a924b89c2

SHA512
18460d76485402c14b3e945d758a7a4c0093fb7880061bc693c505e9ae477369cd04d20e173f08c4a23daab86bba47e1bb3284702ca6b7f5d40144539bf11f22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ffc6c63b28b2bb043990eb3641d2d30e

SHA1
c437b4b11c96fbf0a33bf16da99aeff85e399527

SHA256
8813c9bd12b3d98217e9050c83909dbd8671490d5655db70345d0ba7028921c5

SHA512
50502d7bdd9dfcedf8f4154631ab79f37ef1c3d531fa1aac4861f24d013b27b1d78d916d564cc5c20b8fe0aed0cff4bcd51dd18436a84581c500416e02b88ea6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
45dae5735fdeff7caa326e7b94f4417d

SHA1
ffdc92cae53f0ecb3eb0d24d319afbf6c491f550

SHA256
c75ce3e9aa7c8fd095ecfcca8f73686f30dbc7c8b08b29f4f6becc8efbd96671

SHA512
cee38dc1c9cfc9b5dbb3f64df9b3617158b320275dc084a1027a11583ab32275a53098a68b01a6d4d9cf982082244e0a56fd75146e6d9a7df98e042e7ab4a06e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
682022f692f723fa1cfdbb2a9a4bb62e

SHA1
f26684e478dc4b621b01557c5b039b6c6598001b

SHA256
ec00ecbb3cad410e39558ee0ebce60c9d139103a95dc516369a14a6a058ffe66

SHA512
1128f852e7714ab7bc6f8f7049b3a5806f3902770abbda867cebc7776bbeb823e98368bbffc529c7d9b7f077df281382e42da92cd704eba21352f746243d3904

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
b984f0516d293c7fd0d77fc59f005f2a

SHA1
f4f3a673901dc56ae07d47e944d9b2063d96db5e

SHA256
0b6c1324bfbf2f817d896ffdcf8400928d8b5fe68c644aab3b368813eb972a2e

SHA512
c48c1950c6e843ceb85e6f04465ca86bc3bc38c95adf20dd3eedf09c3330f79878fddfb79056e664c116e970240df3e43d7414bb6af3aa8224062de0f7fc09e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
92f31171000dd3311460ab3efbeacdb1

SHA1
9babbb8ae98d97389d7650b6f80af78ccca535e9

SHA256
35adf7eada357300590a6d4b543793586ed9d41f1a500c3152f5b920f0370584

SHA512
578bdb233c82e38126c10150df464f48634318ded1354ad78b904dc2c84a8ced03f159014c65accd6b2135cf9dd14a0f8aaf130ad50595112f5e422fe139e9e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
ea70d99901b655b077a006ca5552edc1

SHA1
e2d6ae946d09d960af3182855d67760f27bb1c18

SHA256
4bffc64d32f174d81ff0be247379d2e12ddb2d0b5ea76c26bd03f24fd52e8eb7

SHA512
e3bab81714317daedc5cb1445cafba25dba3afb2d9b8abc4bf9da409251c319a8a9981839c0afa5d772ab27c3c23178310b3da788bdaa31022f2b00083496e48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
161ad3fd21dcfe4d13e96b2bfc652a41

SHA1
21af785cfe76f14ab4886ca90cb0d9a401c400a9

SHA256
466dbdf4b566526aa57bdaa0106979f7be3bf398c96f94bc05580e56440dbca8

SHA512
0b98f194652a5a5a3bd5411571be0563c5e50ac43a9f92fbb95045ef81fecc5bfb9ab523bbbc9a9c40ad398e19be025d9695e75cbcdacb522db772735dbb9c50

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\db472a8c-44e3-4982-ad82-bbd5a62ac3f1.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2500_110792736\193f4bc6-99fc-4205-a9c4-f156cd91e668.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2500_110792736\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
memory/1444-48-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1444-46-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1784-40-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1784-38-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2040-26-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2040-16-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2040-19-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2040-18-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2944-15-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3336-35-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download