107bb526c374d6fd9f45317c0c16e83ab50076f2bcd630caf3d6794596fae69b

Resubmissions

03/02/2023, 15:51

230203-taw9labe31 7

03/02/2023, 15:47

230203-s8p3habe21 7

03/02/2023, 15:44

230203-s6jgyafh93 8

03/02/2023, 15:40

230203-s4h4dsfh85 8

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-es
resource tags

arch:x64arch:x86image:win10v2004-20220812-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
03/02/2023, 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SKlauncher 3.0.exe
Size

1.2MB
MD5

32c7e3347f8e532e675d154eb07f4ccf
SHA1

5ca004745e2cdab497a7d6ef29c7efb25dc4046d
SHA256

107bb526c374d6fd9f45317c0c16e83ab50076f2bcd630caf3d6794596fae69b
SHA512

c82f3a01719f30cbb876a1395fda713ddba07b570bc188515b1b705e54e15a7cca5f71f741d51763f63aa5f40e00df06f63b341ed4db6b1be87b3ee59460dbe2
SSDEEP

24576:Dh199z42ojP6a7HJlF9eu5XFQZSIZeNGdmEE8H17UBcegl:R9zbgH3euNFQZr/oEE892cfl

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
3468	JavaSetup8u361.exe
3700	JavaSetup8u361.exe
3364	LZMA_EXE
3244	LZMA_EXE

Loads dropped DLL 1 IoCs

pid	Process
3552	javaw.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb	javaw.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
616	chrome.exe
616	chrome.exe
3100	chrome.exe
3100	chrome.exe
3752	chrome.exe
3752	chrome.exe
3168	chrome.exe
3168	chrome.exe
4972	chrome.exe
4972	chrome.exe
3404	chrome.exe
3404	chrome.exe
1820	chrome.exe
1820	chrome.exe
992	chrome.exe
992	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe
3100	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3552	javaw.exe
3552	javaw.exe
3700	JavaSetup8u361.exe
3700	JavaSetup8u361.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4748 wrote to memory of 3552	4748	SKlauncher 3.0.exe	80
PID 4748 wrote to memory of 3552	4748	SKlauncher 3.0.exe	80
PID 3100 wrote to memory of 2848	3100	chrome.exe	91
PID 3100 wrote to memory of 2848	3100	chrome.exe	91
PID 3100 wrote to memory of 2600	3100	chrome.exe	94
PID 3100 wrote to memory of 2600	3100	chrome.exe	94
PID 3100 wrote to memory of 2600	3100	chrome.exe	94
PID 3100 wrote to memory of 2600	3100	chrome.exe	94
PID 3100 wrote to memory of 2600	3100	chrome.exe	94
PID 3100 wrote to memory of 2600	3100	chrome.exe	94
PID 3100 wrote to memory of 2600	3100	chrome.exe	94
PID 3100 wrote to memory of 2600	3100	chrome.exe	94
PID 3100 wrote to memory of 2600	3100	chrome.exe	94
PID 3100 wrote to memory of 2600	3100	chrome.exe	94
PID 3100 wrote to memory of 2600	3100	chrome.exe	94
PID 3100 wrote to memory of 2600	3100	chrome.exe	94
PID 3100 wrote to memory of 2600	3100	chrome.exe	94
PID 3100 wrote to memory of 2600	3100	chrome.exe	94
PID 3100 wrote to memory of 2600	3100	chrome.exe	94
PID 3100 wrote to memory of 2600	3100	chrome.exe	94
PID 3100 wrote to memory of 2600	3100	chrome.exe	94
PID 3100 wrote to memory of 2600	3100	chrome.exe	94
PID 3100 wrote to memory of 2600	3100	chrome.exe	94
PID 3100 wrote to memory of 2600	3100	chrome.exe	94
PID 3100 wrote to memory of 2600	3100	chrome.exe	94
PID 3100 wrote to memory of 2600	3100	chrome.exe	94
PID 3100 wrote to memory of 2600	3100	chrome.exe	94
PID 3100 wrote to memory of 2600	3100	chrome.exe	94
PID 3100 wrote to memory of 2600	3100	chrome.exe	94
PID 3100 wrote to memory of 2600	3100	chrome.exe	94
PID 3100 wrote to memory of 2600	3100	chrome.exe	94
PID 3100 wrote to memory of 2600	3100	chrome.exe	94
PID 3100 wrote to memory of 2600	3100	chrome.exe	94
PID 3100 wrote to memory of 2600	3100	chrome.exe	94
PID 3100 wrote to memory of 2600	3100	chrome.exe	94
PID 3100 wrote to memory of 2600	3100	chrome.exe	94
PID 3100 wrote to memory of 2600	3100	chrome.exe	94
PID 3100 wrote to memory of 2600	3100	chrome.exe	94
PID 3100 wrote to memory of 2600	3100	chrome.exe	94
PID 3100 wrote to memory of 2600	3100	chrome.exe	94
PID 3100 wrote to memory of 2600	3100	chrome.exe	94
PID 3100 wrote to memory of 2600	3100	chrome.exe	94
PID 3100 wrote to memory of 2600	3100	chrome.exe	94
PID 3100 wrote to memory of 2600	3100	chrome.exe	94
PID 3100 wrote to memory of 616	3100	chrome.exe	95
PID 3100 wrote to memory of 616	3100	chrome.exe	95
PID 3100 wrote to memory of 4808	3100	chrome.exe	96
PID 3100 wrote to memory of 4808	3100	chrome.exe	96
PID 3100 wrote to memory of 4808	3100	chrome.exe	96
PID 3100 wrote to memory of 4808	3100	chrome.exe	96
PID 3100 wrote to memory of 4808	3100	chrome.exe	96
PID 3100 wrote to memory of 4808	3100	chrome.exe	96
PID 3100 wrote to memory of 4808	3100	chrome.exe	96
PID 3100 wrote to memory of 4808	3100	chrome.exe	96
PID 3100 wrote to memory of 4808	3100	chrome.exe	96
PID 3100 wrote to memory of 4808	3100	chrome.exe	96
PID 3100 wrote to memory of 4808	3100	chrome.exe	96
PID 3100 wrote to memory of 4808	3100	chrome.exe	96
PID 3100 wrote to memory of 4808	3100	chrome.exe	96
PID 3100 wrote to memory of 4808	3100	chrome.exe	96
PID 3100 wrote to memory of 4808	3100	chrome.exe	96
PID 3100 wrote to memory of 4808	3100	chrome.exe	96
PID 3100 wrote to memory of 4808	3100	chrome.exe	96
PID 3100 wrote to memory of 4808	3100	chrome.exe	96

C:\Users\Admin\AppData\Local\Temp\SKlauncher 3.0.exe
"C:\Users\Admin\AppData\Local\Temp\SKlauncher 3.0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
  "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -Xms32m -Xmx256m -jar "C:\Users\Admin\AppData\Local\Temp\SKlauncher 3.0.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:3552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffb4c444f50,0x7ffb4c444f60,0x7ffb4c444f70
  2⤵
  PID:2848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1640,8651524752468135386,9485207534169695156,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1672 /prefetch:2
  2⤵
  PID:2600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1640,8651524752468135386,9485207534169695156,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2016 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1640,8651524752468135386,9485207534169695156,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2308 /prefetch:8
  2⤵
  PID:4808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,8651524752468135386,9485207534169695156,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2908 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,8651524752468135386,9485207534169695156,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3076 /prefetch:1
  2⤵
  PID:3244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,8651524752468135386,9485207534169695156,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3776 /prefetch:1
  2⤵
  PID:5052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,8651524752468135386,9485207534169695156,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4452 /prefetch:8
  2⤵
  PID:3060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,8651524752468135386,9485207534169695156,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4596 /prefetch:8
  2⤵
  PID:2164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,8651524752468135386,9485207534169695156,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4716 /prefetch:8
  2⤵
  PID:3840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,8651524752468135386,9485207534169695156,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4520 /prefetch:8
  2⤵
  PID:4308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,8651524752468135386,9485207534169695156,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4464 /prefetch:8
  2⤵
  PID:3556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,8651524752468135386,9485207534169695156,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4716 /prefetch:8
  2⤵
  PID:1932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,8651524752468135386,9485207534169695156,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4528 /prefetch:8
  2⤵
  PID:3848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,8651524752468135386,9485207534169695156,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4956 /prefetch:8
  2⤵
  PID:5096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,8651524752468135386,9485207534169695156,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
  2⤵
  PID:4440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,8651524752468135386,9485207534169695156,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:5020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1640,8651524752468135386,9485207534169695156,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2996 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,8651524752468135386,9485207534169695156,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2984 /prefetch:1
  2⤵
  PID:4896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,8651524752468135386,9485207534169695156,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:1448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,8651524752468135386,9485207534169695156,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4800 /prefetch:8
  2⤵
  PID:432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1640,8651524752468135386,9485207534169695156,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4800 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,8651524752468135386,9485207534169695156,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3524 /prefetch:8
  2⤵
  PID:4404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,8651524752468135386,9485207534169695156,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,8651524752468135386,9485207534169695156,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3848 /prefetch:8
  2⤵
  PID:2416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,8651524752468135386,9485207534169695156,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4928 /prefetch:8
  2⤵
  PID:4640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,8651524752468135386,9485207534169695156,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
  2⤵
  PID:4864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,8651524752468135386,9485207534169695156,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
  2⤵
  PID:3496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1640,8651524752468135386,9485207534169695156,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5956 /prefetch:8
  2⤵
  PID:4124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1640,8651524752468135386,9485207534169695156,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5284 /prefetch:8
  2⤵
  PID:2748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1640,8651524752468135386,9485207534169695156,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1640,8651524752468135386,9485207534169695156,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6136 /prefetch:8
  2⤵
  PID:4968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1640,8651524752468135386,9485207534169695156,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6064 /prefetch:8
  2⤵
  PID:3808
- C:\Users\Admin\Downloads\JavaSetup8u361.exe
  "C:\Users\Admin\Downloads\JavaSetup8u361.exe"
  2⤵
  - Executes dropped EXE
  PID:3468
- - C:\Users\Admin\AppData\Local\Temp\jds240639578.tmp\JavaSetup8u361.exe
    "C:\Users\Admin\AppData\Local\Temp\jds240639578.tmp\JavaSetup8u361.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3700
  - - C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE
      "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE" d "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\au.msi" "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\msi.tmp"
      4⤵
      Executes dropped EXE
      PID:3364
  - - C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE
      "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE" d "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\jre1.8.0_361.msi" "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\msi.tmp"
      4⤵
      Executes dropped EXE
      PID:3244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1640,8651524752468135386,9485207534169695156,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1640,8651524752468135386,9485207534169695156,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,8651524752468135386,9485207534169695156,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3984 /prefetch:8
  2⤵
  PID:4996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1640,8651524752468135386,9485207534169695156,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2760 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,8651524752468135386,9485207534169695156,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2292 /prefetch:8
  2⤵
  PID:4612

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE

Filesize
142KB

MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE

Filesize
142KB

MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\LZMA_EXE

Filesize
142KB

MD5
3842c46f2fbc7522ef625f1833530804

SHA1
3615c072ad5bdadba5e5e22e75eefaf7def92312

SHA256
17cb7cf185355b60d6ed5138a86c78b9fd5a7d6d3c0dd90f2224246e823166e7

SHA512
9adbeb491f18c3009c51fbc9c140d4287cafe53b2fe9e8280513a5dc7bb8bbbfb5aeed00b2c0f7901a6f9f4d5a7b1ad3bbd81e87d202c7094036d5f6c4b53c3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\au.msi

Filesize
843KB

MD5
c95a831719a0a8659911c2d961a9e425

SHA1
84e5db605edecd9976f2a7d45b00c2c5deabe11d

SHA256
bb5d1befb8970ee28066d13727056d54e0ee624564556757c26c75d6faafcc9d

SHA512
073f2e9ce88f18ddf6d5e9d1d47a142b68a4935d73854580ca6d5b619473632965051e398bf5485ff0664d2caf2ed13d4260ab64428c7ea2cce78983feed3069

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\jre1.8.0_361.msi

Filesize
52.6MB

MD5
1aa57a5a04ec43b25937efa2a3f0f0ad

SHA1
6121bef34c9c603e8b03140c05e0418096ac7bb6

SHA256
66a697fe354addb90ae4e3c6b617f9ca0e5a65a439435f674e3f6d8c7db85b6b

SHA512
1461ff7fc5d3a1e3fff20bd42324f0dc6f82bbdb9d35cc425535449a0f8e346599c4012802f0a801cce243eea4d878e6430a02db5b24fe6cc99b24cdad31c4e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_361\msi.tmp

Filesize
1016KB

MD5
459a51b2e65d53e4e568215e77317cc5

SHA1
f2308f14d1033f79a1d10b392520cb2459b0e737

SHA256
9da5f7bb7d99c3b8d5c9100a0573e928f48452319989ab026af5fcff1119a5d9

SHA512
7e3b8cb97c4c61eb147473d62dc163205ecd85235e6c711b39c4a76b06e8cee7d70f2594e0710df90e1b949c4bdb442a759912afeb72c6b4f0a34750daf17886

Download Submit
C:\Users\Admin\AppData\Local\Temp\flatlaf.temp\flatlaf-windows-x86_64-4095029289000.dll

Filesize
9KB

MD5
697d496ac9f5aaab8ae025322358c61e

SHA1
2043eac8cdcc2e24b854af1eacd77a5f2a395a27

SHA256
a7273a4cf48ab3413f2c186cc95a3367a73ce99f8d45329383219d4cc27003aa

SHA512
b6702cd49a3af9f97f697565136f140692af9f8b271e672f2e91c920a23212b778583786f2377078117113647926338614a92c4a2423318b7a21ba2fe3a89838

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds240639578.tmp\JavaSetup8u361.exe

Filesize
1.9MB

MD5
442dcacd62016db76c61af770301626f

SHA1
1ef7a54bb0fb6395b271d88e4d87e7ac3b76e58a

SHA256
8aa49738b3efd4a2e2b3d71991c209db46e082e1739de43147041f9af2a7fff7

SHA512
3c21efe1f3422107bddc48d0edd842924dfdf6682b1e81ace83aa992ba49e224d45fd0fc6a73be9de6806effe71d8a1908f550c8b1cf520df4972c252b721bf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds240639578.tmp\JavaSetup8u361.exe

Filesize
1.9MB

MD5
442dcacd62016db76c61af770301626f

SHA1
1ef7a54bb0fb6395b271d88e4d87e7ac3b76e58a

SHA256
8aa49738b3efd4a2e2b3d71991c209db46e082e1739de43147041f9af2a7fff7

SHA512
3c21efe1f3422107bddc48d0edd842924dfdf6682b1e81ace83aa992ba49e224d45fd0fc6a73be9de6806effe71d8a1908f550c8b1cf520df4972c252b721bf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
267KB

MD5
cb66bce6e0b1c1d570c757a462e73624

SHA1
6707d91bee9f34be70421bf00298ccb4403f4f94

SHA256
50043d394b2f468d43430a9d760c929d6e990c769983e28f1e19f69d30dce9a5

SHA512
89f072b3a49bdb95127d55384d4bdc4c768c17b3b5c541f82c873c20ca9de04e25870b8a830d35c592d5f451d433372349162243f1431183545054b0086278ad

Download Submit
C:\Users\Admin\Downloads\JavaSetup8u361.exe

Filesize
2.2MB

MD5
d3809baddaf7b1e7d94484160043328b

SHA1
e1979f5248d3b20858b11386ce22b1ccb0a9bfb5

SHA256
e28f198ca200445ab45dd4e94d49993ad1a9a21548908ca9c09ade6419c2e079

SHA512
96350ef6c81a1bc7d3c6b29c2a66ffaa1cf4f86172d3f52d39bcbf3886da41208b75cfe16bbf4ea23e04b2e0616637083eeacdefb8c0edc3ce6d0f2f89f881c6

Download Submit
C:\Users\Admin\Downloads\JavaSetup8u361.exe

Filesize
2.2MB

MD5
d3809baddaf7b1e7d94484160043328b

SHA1
e1979f5248d3b20858b11386ce22b1ccb0a9bfb5

SHA256
e28f198ca200445ab45dd4e94d49993ad1a9a21548908ca9c09ade6419c2e079

SHA512
96350ef6c81a1bc7d3c6b29c2a66ffaa1cf4f86172d3f52d39bcbf3886da41208b75cfe16bbf4ea23e04b2e0616637083eeacdefb8c0edc3ce6d0f2f89f881c6

Download Submit
memory/3552-166-0x0000000002AF0000-0x0000000003AF0000-memory.dmp

Filesize
16.0MB

Download
memory/3552-165-0x0000000002AF0000-0x0000000003AF0000-memory.dmp

Filesize
16.0MB

Download
memory/3552-162-0x0000000002AF0000-0x0000000003AF0000-memory.dmp

Filesize
16.0MB

Download
memory/3552-150-0x0000000002AF0000-0x0000000003AF0000-memory.dmp

Filesize
16.0MB

Download
memory/3552-137-0x0000000002AF0000-0x0000000003AF0000-memory.dmp

Filesize
16.0MB

Download