Resubmissions

01/02/2022, 09:10

220201-k4279scee5 10

15/01/2022, 13:42

220115-qztyzsefhn 10

12/01/2022, 12:30

220112-ppk3nacfbl 10

10/01/2022, 10:49

220110-mwsd7sebe3 10

07/01/2022, 20:35

220107-zc2jzsdaeq 10

07/01/2022, 10:05

220107-l4rxzacba8 10

06/01/2022, 22:46

220106-2qch5abff5 10

06/01/2022, 19:07

220106-xsnxqabhfl 10

06/01/2022, 15:26

220106-svedvabda5 10

06/01/2022, 15:25

220106-st3p2sbgcq 10

Analysis

  • max time kernel
    190s
  • max time network
    189s
  • platform
    windows7_x64
  • resource
    win7-ja-20211208
  • submitted
    10/01/2022, 10:49

General

  • Target

    4446186b0133b453f35a839b841ba453377c9a5638c1d81ee2313bb3adc22aaf.exe

  • Size

    339KB

  • MD5

    b75726b4b619811b4c50d917822a4083

  • SHA1

    ed8b418d7357609ce03c4f7123c0bb711b9d227d

  • SHA256

    4446186b0133b453f35a839b841ba453377c9a5638c1d81ee2313bb3adc22aaf

  • SHA512

    59516fdf6334f4005c7881322eb9a057939804e18ba8f13d0cb48fdc460aab19570c482e87700c6884807e1c885864ed422646f3150d9df731a10ecf5a7e05c9

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

http://srtuiyhuali.at/

http://fufuiloirtu.com/

http://amogohuigotuli.at/

http://novohudosovu.com/

http://brutuilionust.com/

http://bubushkalioua.com/

http://dumuilistrati.at/

http://verboliatsiaeeees.com/

rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

tofsee

C2

patmushta.info

parubey.info

Extracted

Family

raccoon

Version

1.8.4-hotfixs

rc4.plain

Signatures

  • Arkei

    Arkei is an infostealer written in C++.

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass 2 TTPs
  • Arkei Stealer Payload 4 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  • Creates new service(s) 1 TTPs
  • Downloads MZ/PE file
  • Executes dropped EXE 11 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Sets service image path in registry 2 TTPs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 16 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 38 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 9 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4446186b0133b453f35a839b841ba453377c9a5638c1d81ee2313bb3adc22aaf.exe
    "C:\Users\Admin\AppData\Local\Temp\4446186b0133b453f35a839b841ba453377c9a5638c1d81ee2313bb3adc22aaf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:840
    • C:\Users\Admin\AppData\Local\Temp\4446186b0133b453f35a839b841ba453377c9a5638c1d81ee2313bb3adc22aaf.exe
      "C:\Users\Admin\AppData\Local\Temp\4446186b0133b453f35a839b841ba453377c9a5638c1d81ee2313bb3adc22aaf.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:1784
  • C:\Users\Admin\AppData\Local\Temp\25F8.exe
    C:\Users\Admin\AppData\Local\Temp\25F8.exe
    1⤵
    • Executes dropped EXE
    • Checks SCSI registry key(s)
    • Suspicious behavior: MapViewOfSection
    PID:1824
  • C:\Users\Admin\AppData\Roaming\jretatj
    C:\Users\Admin\AppData\Roaming\jretatj
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1944
    • C:\Users\Admin\AppData\Roaming\jretatj
      C:\Users\Admin\AppData\Roaming\jretatj
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: MapViewOfSection
      PID:1760
  • C:\Users\Admin\AppData\Local\Temp\81B3.exe
    C:\Users\Admin\AppData\Local\Temp\81B3.exe
    1⤵
    • Executes dropped EXE
    PID:1280
  • C:\Users\Admin\AppData\Local\Temp\850E.exe
    C:\Users\Admin\AppData\Local\Temp\850E.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:288
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\fpgzxbnd\
      2⤵
      PID:840
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\lsnejoah.exe" C:\Windows\SysWOW64\fpgzxbnd\
      2⤵
      PID:1924
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" create fpgzxbnd binPath= "C:\Windows\SysWOW64\fpgzxbnd\lsnejoah.exe /d\"C:\Users\Admin\AppData\Local\Temp\850E.exe\"" type= own start= auto DisplayName= "wifi support"
      2⤵
      PID:1248
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" description fpgzxbnd "wifi internet conection"
      2⤵
      PID:1900
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" start fpgzxbnd
      2⤵
      PID:1132
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      2⤵
      PID:1916
  • C:\Users\Admin\AppData\Local\Temp\915E.exe
    C:\Users\Admin\AppData\Local\Temp\915E.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1040
    • C:\Users\Admin\AppData\Local\Temp\915E.exe
      C:\Users\Admin\AppData\Local\Temp\915E.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:240
  • C:\Users\Admin\AppData\Local\Temp\B218.exe
    C:\Users\Admin\AppData\Local\Temp\B218.exe
    1⤵
    • Executes dropped EXE
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    PID:1104
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\B218.exe" & exit
      2⤵
      PID:1100
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 5
        3⤵
        • Delays execution with timeout.exe
        PID:1892
  • C:\Users\Admin\AppData\Local\Temp\CB82.exe
    C:\Users\Admin\AppData\Local\Temp\CB82.exe
    1⤵
    • Executes dropped EXE
    PID:908
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 424
      2⤵
      • Loads dropped DLL
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:920
  • C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    1⤵
    • Accesses Microsoft Outlook profiles
    PID:1632
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe
    1⤵
    PID:1380
  • C:\Windows\SysWOW64\fpgzxbnd\lsnejoah.exe
    C:\Windows\SysWOW64\fpgzxbnd\lsnejoah.exe /d"C:\Users\Admin\AppData\Local\Temp\850E.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    PID:1632
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
      PID:472
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1776
  • C:\Users\Admin\AppData\Local\Temp\21C2.exe
    C:\Users\Admin\AppData\Local\Temp\21C2.exe
    1⤵
    • Executes dropped EXE
    • Accesses Microsoft Outlook profiles
    • Checks processor information in registry
    • Suspicious use of AdjustPrivilegeToken
    • outlook_office_path
    • outlook_win_path
    PID:1560
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Enumerates system info in registry
    PID:1676
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef1fb4f50,0x7fef1fb4f60,0x7fef1fb4f70
      2⤵
      PID:1588
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1316 /prefetch:8
      2⤵
      PID:1772
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1148 /prefetch:2
      2⤵
      PID:1956
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1736 /prefetch:8
      2⤵
      PID:1512
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2112 /prefetch:1
      2⤵
      PID:832
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2052 /prefetch:1
      2⤵
      PID:1088
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
      2⤵
      PID:2184
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1160 /prefetch:2
      2⤵
      PID:2304
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2976 /prefetch:1
      2⤵
      PID:2348
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3184 /prefetch:8
      2⤵
      PID:2412
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3304 /prefetch:8
      2⤵
      PID:2420
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3836 /prefetch:8
      2⤵
      PID:2492
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3880 /prefetch:8
      2⤵
      PID:2500
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3924 /prefetch:8
      2⤵
      PID:2532
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3908 /prefetch:8
      2⤵
      PID:2524
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3896 /prefetch:8
      2⤵
      PID:2516
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2472 /prefetch:8
      2⤵
      PID:2508
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4456 /prefetch:8
      2⤵
      PID:2712
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4228 /prefetch:8
      2⤵
      PID:2756
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4340 /prefetch:8
      2⤵
      PID:2764
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3920 /prefetch:8
      2⤵
      PID:2748
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4264 /prefetch:8
      2⤵
      PID:2856
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4196 /prefetch:8
      2⤵
      PID:2864
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4316 /prefetch:8
      2⤵
      PID:2924
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4320 /prefetch:8
      2⤵
      PID:2968
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4516 /prefetch:8
      2⤵
      PID:3004
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4476 /prefetch:8
      2⤵
      PID:3020
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4528 /prefetch:8
      2⤵
      PID:3012
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3756 /prefetch:8
      2⤵
      PID:1916
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3736 /prefetch:8
      2⤵
      PID:2276
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4632 /prefetch:8
      2⤵
      PID:2444
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4136 /prefetch:8
      2⤵
      PID:2420
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
      2⤵
      PID:240
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
      2⤵
      PID:2600
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4300 /prefetch:1
      2⤵
      PID:2664
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4248 /prefetch:1
      2⤵
      PID:2552
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2312 /prefetch:1
                                                                                                2⤵
                                                                                                  PID:2724
                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2240 /prefetch:1
                                                                                                  2⤵
                                                                                                    PID:2840
                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2140 /prefetch:1
                                                                                                    2⤵
                                                                                                      PID:2896

Network

MITRE ATT&CK Enterprise v6

Downloads

• memory/240-146-0x0000000004990000-0x0000000004991000-memory.dmp (Filesize 4KB)
• memory/240-143-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize 128KB)
• memory/240-133-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize 128KB)
• memory/240-134-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize 128KB)
• memory/240-135-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize 128KB)
• memory/240-136-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize 128KB)
• memory/240-137-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize 128KB)
• memory/240-142-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize 128KB)
• memory/288-120-0x0000000000400000-0x0000000000456000-memory.dmp (Filesize 344KB)
• memory/288-114-0x0000000000230000-0x0000000000243000-memory.dmp (Filesize 76KB)
• memory/288-113-0x0000000000220000-0x000000000022D000-memory.dmp (Filesize 52KB)
• memory/472-183-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize 84KB)
• memory/472-184-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize 84KB)
• memory/840-54-0x0000000000978000-0x0000000000989000-memory.dmp (Filesize 68KB)
• memory/840-58-0x0000000000020000-0x0000000000029000-memory.dmp (Filesize 36KB)
• memory/908-166-0x0000000000400000-0x0000000002BC5000-memory.dmp (Filesize 39.8MB)
• memory/908-164-0x0000000004320000-0x000000000436F000-memory.dmp (Filesize 316KB)
• memory/908-165-0x0000000004370000-0x0000000004401000-memory.dmp (Filesize 580KB)
• memory/920-181-0x00000000007D0000-0x00000000007D1000-memory.dmp (Filesize 4KB)
• memory/1040-82-0x0000000001000000-0x000000000108A000-memory.dmp (Filesize 552KB)
• memory/1040-105-0x0000000004C70000-0x0000000004C71000-memory.dmp (Filesize 4KB)
• memory/1040-83-0x0000000001000000-0x000000000108A000-memory.dmp (Filesize 552KB)
• memory/1040-108-0x00000000001A0000-0x00000000001A1000-memory.dmp (Filesize 4KB)
• memory/1104-88-0x00000000011C0000-0x00000000014C6000-memory.dmp (Filesize 3.0MB)
• memory/1104-91-0x00000000011C0000-0x00000000014C6000-memory.dmp (Filesize 3.0MB)
• memory/1104-95-0x0000000075E20000-0x0000000075ECC000-memory.dmp (Filesize 688KB)
• memory/1104-99-0x00000000011C0000-0x00000000014C6000-memory.dmp (Filesize 3.0MB)
• memory/1104-100-0x00000000011C0000-0x00000000014C6000-memory.dmp (Filesize 3.0MB)
• memory/1104-101-0x00000000011C0000-0x00000000014C6000-memory.dmp (Filesize 3.0MB)
• memory/1104-102-0x00000000011C0000-0x00000000014C6000-memory.dmp (Filesize 3.0MB)
• memory/1104-90-0x00000000011C0000-0x00000000014C6000-memory.dmp (Filesize 3.0MB)
• memory/1104-94-0x00000000760E0000-0x0000000076127000-memory.dmp (Filesize 284KB)
• memory/1104-93-0x0000000000210000-0x0000000000211000-memory.dmp (Filesize 4KB)
• memory/1104-92-0x00000000011C0000-0x00000000014C6000-memory.dmp (Filesize 3.0MB)
• memory/1104-87-0x00000000011C0000-0x00000000014C6000-memory.dmp (Filesize 3.0MB)
• memory/1104-89-0x0000000000740000-0x0000000000784000-memory.dmp (Filesize 272KB)
• memory/1280-122-0x0000000000240000-0x000000000025C000-memory.dmp (Filesize 112KB)
• memory/1280-123-0x0000000000400000-0x000000000045A000-memory.dmp (Filesize 360KB)
• memory/1280-121-0x0000000000220000-0x0000000000231000-memory.dmp (Filesize 68KB)
• memory/1296-74-0x00000000040F0000-0x0000000004106000-memory.dmp (Filesize 88KB)
• memory/1296-66-0x0000000004090000-0x00000000040A6000-memory.dmp (Filesize 88KB)
• memory/1296-59-0x0000000002120000-0x0000000002136000-memory.dmp (Filesize 88KB)
• memory/1380-111-0x0000000000070000-0x0000000000077000-memory.dmp (Filesize 28KB)
• memory/1380-112-0x0000000000060000-0x000000000006C000-memory.dmp (Filesize 48KB)
• memory/1560-170-0x00000000024E0000-0x0000000002566000-memory.dmp (Filesize 536KB)
• memory/1560-195-0x000000001BCC0000-0x000000001BD48000-memory.dmp (Filesize 544KB)
• memory/1560-191-0x000000001BBD0000-0x000000001BC1C000-memory.dmp (Filesize 304KB)
• memory/1560-161-0x000000013F8D0000-0x000000013FCBE000-memory.dmp (Filesize 3.9MB)
• memory/1560-162-0x000000013F8D0000-0x000000013FCBE000-memory.dmp (Filesize 3.9MB)
• memory/1560-192-0x000000001C196000-0x000000001C1B5000-memory.dmp (Filesize 124KB)
• memory/1560-193-0x000000001BC20000-0x000000001BC6C000-memory.dmp (Filesize 304KB)
• memory/1560-187-0x0000000000820000-0x0000000000870000-memory.dmp (Filesize 320KB)
• memory/1560-194-0x000000001C1B5000-0x000000001C1B6000-memory.dmp (Filesize 4KB)
• memory/1560-188-0x0000000000870000-0x000000000087C000-memory.dmp (Filesize 48KB)
• memory/1560-189-0x0000000002570000-0x00000000025C4000-memory.dmp (Filesize 336KB)
• memory/1560-178-0x000000001C190000-0x000000001C192000-memory.dmp (Filesize 8KB)
• memory/1632-115-0x0000000000220000-0x0000000000294000-memory.dmp (Filesize 464KB)
• memory/1632-116-0x0000000000080000-0x00000000000EB000-memory.dmp (Filesize 428KB)
• memory/1632-110-0x0000000074831000-0x0000000074833000-memory.dmp (Filesize 8KB)
• memory/1632-190-0x0000000000400000-0x0000000000456000-memory.dmp (Filesize 344KB)
• memory/1776-141-0x000007FEFC2E1000-0x000007FEFC2E3000-memory.dmp (Filesize 8KB)
• memory/1784-55-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize 36KB)
• memory/1784-57-0x0000000076641000-0x0000000076643000-memory.dmp (Filesize 8KB)
• memory/1824-62-0x000000000054A000-0x000000000055A000-memory.dmp (Filesize 64KB)
• memory/1824-64-0x0000000000020000-0x0000000000029000-memory.dmp (Filesize 36KB)
• memory/1824-65-0x0000000000400000-0x000000000046D000-memory.dmp (Filesize 436KB)
• memory/1944-68-0x00000000002E8000-0x00000000002F9000-memory.dmp (Filesize 68KB)