Analysis

max time kernel: 600s
max time network: 596s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/02/2023, 23:00

Static task: static1
Behavioral task: behavioral1
Sample: vodka.dll
Resource: win7-20220812-en
General

Target: vodka.dll
Size: 329KB
MD5: ec68dc542186d11e9c5f9b51f128ddd4
SHA1: ca2da4ba22d8430c6e8f48b62fc703f304a243b3
SHA256: be5820fb00e7bde9eaf30e37290a0913c4c73a841ad5b5d8fb9ad33285711ef1
SHA512: 04ce78633f974423b17b8957c130186a5b60429ed4b455dbe2ae10c927f8705fe227926c5a5bda67d36953b5253249576c77105e3f76539c4b920e68c13839ba
SSDEEP: 6144:z8HwSJZ88IKeVSi5CHvJITRTcKY+UC6vmtmHkRCTZHmR/UYSbO28m2XQ9IW:z8HwSJG83i5CPqTCKY+cOB/UnbrwXQaW
Malware Config

Extracted
Family: qakbot
Version: 404.506
Botnet: obama238
Campaign: 1675870889
C2: 119 IP:port pairs (list not reproduced here)
salt: SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Signatures

Downloads MZ/PE file

Executes dropped EXE (1 IoC)
  PID 1508  ChromeRecovery.exe

Drops file in Program Files directory (7 IoCs)
  File created                 C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2908_1384752214\ChromeRecoveryCRX.crx  (elevation_service.exe)
  File created                 C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2908_1384752214\ChromeRecovery.exe  (elevation_service.exe)
  File opened for modification C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2908_1384752214\ChromeRecovery.exe  (elevation_service.exe)
  File created                 C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2908_1384752214\manifest.json  (elevation_service.exe)
  File opened for modification C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2908_1384752214\manifest.json  (elevation_service.exe)
  File created                 C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2908_1384752214\_metadata\verified_contents.json  (elevation_service.exe)
  File opened for modification C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2908_1384752214\_metadata\verified_contents.json  (elevation_service.exe)

Program crash (2 IoCs)
  PID 4276  WerFault.exe  target PID 4832  (procid_target 79)
  PID 3964  WerFault.exe  target PID 4592  (procid_target 97)

Discovers systems in the same network (1 TTP, 1 IoC)
  PID 3652  net.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  (chrome.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  (chrome.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  (chrome.exe)

Gathers network information (2 TTPs, 2 IoCs)
  Uses commandline utility to view network configuration.
  PID 5140  netstat.exe
  PID 4760  ipconfig.exe

Modifies registry class (1 IoC)
  Key created  \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4246620582-653642754-1174164128-1000\{6775B61E-57A3-4E31-8D08-66B8F754357D}  (chrome.exe)

Runs net.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 3104 rundll32.exe (2 entries), PID 4112 chrome.exe (2), PID 5104 chrome.exe (2), PID 4792 msra.exe (50), PID 2740 chrome.exe (2), PID 5072 chrome.exe (2), PID 2804 chrome.exe (2), PID 3952 chrome.exe (2)

Suspicious behavior: MapViewOfSection (2 IoCs)
  PID 3104 rundll32.exe (2 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
  PID 5104 chrome.exe (10 entries)

Suspicious use of AdjustPrivilegeToken (31 IoCs)
  Token: 33                          PID 3964  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege  PID 3964  AUDIODG.EXE
  Token: SeDebugPrivilege            PID 5140  netstat.exe
  Token: SeDebugPrivilege            PID 4212  whoami.exe  (27 entries)
  Token: SeSecurityPrivilege         PID 5216  msiexec.exe

Suspicious use of FindShellTrayWindow (27 IoCs)
  PID 5104 chrome.exe (27 entries)

Suspicious use of SendNotifyMessage (24 IoCs)
  PID 5104 chrome.exe (24 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
  PID 4860 wrote to memory of 4832  rundll32.exe  (procid_target 79; 3 entries)
  PID 816 wrote to memory of 3620   cmd.exe       (procid_target 94; 2 entries)
  PID 3620 wrote to memory of 3104  rundll32.exe  (procid_target 95; 3 entries)
  PID 3104 wrote to memory of 1492  rundll32.exe  (procid_target 96; 3 entries)
  PID 3104 wrote to memory of 4592  rundll32.exe  (procid_target 97; 5 entries)
  PID 5104 wrote to memory of 2192  chrome.exe    (procid_target 102; 2 entries)
  PID 5104 wrote to memory of 3204  chrome.exe    (procid_target 104; 40 entries)
  PID 5104 wrote to memory of 4112  chrome.exe    (procid_target 105; 2 entries)
  PID 5104 wrote to memory of 2828  chrome.exe    (procid_target 106; 4 entries)
Processes (process tree; each child process is indented under its parent, with image path, PID and triggered signatures in brackets)

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vodka.dll,#1  [C:\Windows\system32\rundll32.exe, PID 4860; Suspicious use of WriteProcessMemory]
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\vodka.dll,#1  [C:\Windows\SysWOW64\rundll32.exe, PID 4832]
    C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 620  [PID 4276; Program crash]

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4832 -ip 4832  [PID 4764]

"C:\Windows\system32\cmd.exe"  [PID 816; Suspicious use of WriteProcessMemory]
  rundll32.exe vodka.dll,Wind  [C:\Windows\system32\rundll32.exe, PID 3620; Suspicious use of WriteProcessMemory]
    rundll32.exe vodka.dll,Wind  [C:\Windows\SysWOW64\rundll32.exe, PID 3104; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory]
      C:\Windows\SysWOW64\wermgr.exe  [PID 1492]
      C:\Windows\SysWOW64\wermgr.exe  [PID 4592]
        C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 352  [PID 3964; Program crash]
      C:\Windows\SysWOW64\msra.exe  [PID 4792; Suspicious behavior: EnumeratesProcesses]
        net view  [C:\Windows\SysWOW64\net.exe, PID 3652; Discovers systems in the same network]
        cmd /c set  [C:\Windows\SysWOW64\cmd.exe, PID 4860]
        arp -a  [C:\Windows\SysWOW64\arp.exe, PID 1636]
        ipconfig /all  [C:\Windows\SysWOW64\ipconfig.exe, PID 4760; Gathers network information]
        nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.WORKGROUP  [C:\Windows\SysWOW64\nslookup.exe, PID 4224]
        net share  [C:\Windows\SysWOW64\net.exe, PID 5244]
          C:\Windows\system32\net1 share  [C:\Windows\SysWOW64\net1.exe, PID 3952]
        route print  [C:\Windows\SysWOW64\route.exe, PID 5428]
        netstat -nao  [C:\Windows\SysWOW64\netstat.exe, PID 5140; Gathers network information; Suspicious use of AdjustPrivilegeToken]
        net localgroup  [C:\Windows\SysWOW64\net.exe, PID 4500]
          C:\Windows\system32\net1 localgroup  [C:\Windows\SysWOW64\net1.exe, PID 2780]
        whoami /all  [C:\Windows\SysWOW64\whoami.exe, PID 4212; Suspicious use of AdjustPrivilegeToken]

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4592 -ip 4592  [PID 4232]

"C:\Program Files\Google\Chrome\Application\chrome.exe"  [PID 5104; Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory]
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb7f394f50,0x7ffb7f394f60,0x7ffb7f394f70  [PID 2192]
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1632,367076897628458269,15999507094893231897,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1636 /prefetch:2  [PID 3204]
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1632,367076897628458269,15999507094893231897,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2016 /prefetch:8  [PID 4112; Suspicious behavior: EnumeratesProcesses]
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1632,367076897628458269,15999507094893231897,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2300 /prefetch:8  [PID 2828]
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,367076897628458269,15999507094893231897,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2984 /prefetch:1  [PID 5096]
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,367076897628458269,15999507094893231897,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1  [PID 4424]
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,367076897628458269,15999507094893231897,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3764 /prefetch:1  [PID 1188]
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,367076897628458269,15999507094893231897,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4520 /prefetch:8  [PID 2992]
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,367076897628458269,15999507094893231897,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4528 /prefetch:8  [PID 3868]
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,367076897628458269,15999507094893231897,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4784 /prefetch:8  [PID 1492]
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,367076897628458269,15999507094893231897,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4644 /prefetch:8  [PID 4420]
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,367076897628458269,15999507094893231897,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4752 /prefetch:8  [PID 2740; Suspicious behavior: EnumeratesProcesses]
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,367076897628458269,15999507094893231897,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 /prefetch:8  [PID 5072; Suspicious behavior: EnumeratesProcesses]
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,367076897628458269,15999507094893231897,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5524 /prefetch:8  [PID 4024]
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,367076897628458269,15999507094893231897,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5108 /prefetch:8  [PID 2664]
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,367076897628458269,15999507094893231897,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5260 /prefetch:8  [PID 3484]
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,367076897628458269,15999507094893231897,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5128 /prefetch:8  [PID 3868]
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,367076897628458269,15999507094893231897,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4516 /prefetch:8  [PID 3472]
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,367076897628458269,15999507094893231897,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5688 /prefetch:8  [PID 4208]
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,367076897628458269,15999507094893231897,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5780 /prefetch:8  [PID 2536]
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,367076897628458269,15999507094893231897,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5096 /prefetch:8  [PID 2164]
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,367076897628458269,15999507094893231897,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1  [PID 3964]
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,367076897628458269,15999507094893231897,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3856 /prefetch:1  [PID 1016]
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,367076897628458269,15999507094893231897,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1  [PID 5072]
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,367076897628458269,15999507094893231897,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1  [PID 4684]
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,367076897628458269,15999507094893231897,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1  [PID 3940]
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,367076897628458269,15999507094893231897,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2980 /prefetch:1  [PID 4100]
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,367076897628458269,15999507094893231897,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1  [PID 2668]
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1632,367076897628458269,15999507094893231897,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5520 /prefetch:8  [PID 4668]
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1632,367076897628458269,15999507094893231897,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5216 /prefetch:8  [PID 2804; Modifies registry class; Suspicious behavior: EnumeratesProcesses]
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,367076897628458269,15999507094893231897,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2988 /prefetch:8  [PID 3952; Suspicious behavior: EnumeratesProcesses]
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,367076897628458269,15999507094893231897,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5964 /prefetch:8  [PID 5608]
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,367076897628458269,15999507094893231897,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6028 /prefetch:8  [PID 5688]
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,367076897628458269,15999507094893231897,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:8  [PID 5784]
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,367076897628458269,15999507094893231897,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2632 /prefetch:8  [PID 5820]
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,367076897628458269,15999507094893231897,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5796 /prefetch:8  [PID 5924]
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,367076897628458269,15999507094893231897,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5952 /prefetch:8  [PID 5972]
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,367076897628458269,15999507094893231897,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8  [PID 6052]
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1632,367076897628458269,15999507094893231897,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5964 /prefetch:2  [PID 6092]
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,367076897628458269,15999507094893231897,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8  [PID 1152]
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,367076897628458269,15999507094893231897,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5948 /prefetch:8  [PID 4224]
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,367076897628458269,15999507094893231897,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2136 /prefetch:8  [PID 1884]
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,367076897628458269,15999507094893231897,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5948 /prefetch:8  [PID 5592]
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,367076897628458269,15999507094893231897,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2136 /prefetch:8  [PID 5632]
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,367076897628458269,15999507094893231897,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5968 /prefetch:8  [PID 5708]
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,367076897628458269,15999507094893231897,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:8  [PID 2652]
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,367076897628458269,15999507094893231897,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5176 /prefetch:8  [PID 5088]
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,367076897628458269,15999507094893231897,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8  [PID 3636]
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,367076897628458269,15999507094893231897,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6020 /prefetch:8  [PID 5852]
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,367076897628458269,15999507094893231897,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5496 /prefetch:8  [PID 2740]
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,367076897628458269,15999507094893231897,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4920 /prefetch:82⤵PID:2304
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,367076897628458269,15999507094893231897,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6076 /prefetch:82⤵PID:6056
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,367076897628458269,15999507094893231897,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6068 /prefetch:82⤵PID:888
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,367076897628458269,15999507094893231897,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:82⤵PID:2312
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4472
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x33c 0x3e01⤵
- Suspicious use of AdjustPrivilegeToken
PID:3964
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"1⤵
- Drops file in Program Files directory
PID:2908 -
C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2908_1384752214\ChromeRecovery.exe"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2908_1384752214\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={f1a461c1-2eb0-4159-9a3d-6d25cd543e5f} --system2⤵
- Executes dropped EXE
PID:1508
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5216
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize
253KB
MD5
49ac3c96d270702a27b4895e4ce1f42a
SHA1
55b90405f1e1b72143c64113e8bc65608dd3fd76
SHA256
82aa3fd6a25cda9e16689cfadea175091be010cecae537e517f392e0bef5ba0f
SHA512
b62f6501cb4c992d42d9097e356805c88ac4ac5a46ead4a8eee9f8cbae197b2305da8aab5b4a61891fe73951588025f2d642c32524b360687993f98c913138a0

Filesize
141KB
MD5
ea1c1ffd3ea54d1fb117bfdbb3569c60
SHA1
10958b0f690ae8f5240e1528b1ccffff28a33272
SHA256
7c3a6a7d16ac44c3200f572a764bce7d8fa84b9572dd028b15c59bdccbc0a77d
SHA512
6c30728cac9eac53f0b27b7dbe2222da83225c3b63617d6b271a6cfedf18e8f0a8dffa1053e1cbc4c5e16625f4bbc0d03aa306a946c9d72faa4ceb779f8ffcaf