bc1f12efea0a18c6c43980d1db9836ba87d5da1f6250c4f2dc13b5608140d09f

Analysis

max time kernel
886s
max time network
912s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12/02/2023, 22:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

chatgpt_setup.msi
Size

866.0MB
MD5

324596620987a86b0d530eaee739300b
SHA1

191491ac5c5538d45a0d8bfd4861070fc79bff97
SHA256

e264899f00cafff5128691f7af57077f41b19446d637515467e556edd955448d
SHA512

3b1e80253f1de58f13fa0b59569feabf7b3f7a98f328d5ed4b11458096fddda73087551317e58e9ba014914c6f06c2441992f6de22d9a048f07c4fedfc6effc3
SSDEEP

1572864:ke6tVcO2NVvufkL1BQe6cGJFpNidrnV4U2Vz1EBoilXnhTT:OjYSkpBShrNiJnwljilXn1

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1136	chatgpt.exe
916	chatgpt.exe

Loads dropped DLL 8 IoCs

pid	Process
1356	MsiExec.exe
1356	MsiExec.exe
1916	MsiExec.exe
1916	MsiExec.exe
1136	chatgpt.exe
1136	chatgpt.exe
916	chatgpt.exe
916	chatgpt.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files\chatgpt\chatgpt\System\101\chromedriver.exe	msiexec.exe
File created	C:\Program Files\chatgpt\chatgpt\System\105\chromedriver.exe	msiexec.exe
File created	C:\Program Files\chatgpt\chatgpt\System.Net.Http.dll	msiexec.exe
File created	C:\Program Files\chatgpt\chatgpt\System\translate1.crx	msiexec.exe
File created	C:\Program Files\chatgpt\chatgpt\System\108\chromedriver.exe	msiexec.exe
File opened for modification	C:\Program Files\chatgpt\chatgpt\System.IO.Compression.dll	msiexec.exe
File created	C:\Program Files\chatgpt\chatgpt\System\103\chromedriver.exe	msiexec.exe
File created	C:\Program Files\chatgpt\chatgpt\System\106\chromedriver.exe	msiexec.exe
File created	C:\Program Files\chatgpt\chatgpt\chatgpt.exe.config	msiexec.exe
File created	C:\Program Files\chatgpt\chatgpt\System\110\chromedriver.exe	msiexec.exe
File opened for modification	C:\Program Files\chatgpt\chatgpt\System.Net.Http.dll	msiexec.exe
File created	C:\Program Files\chatgpt\chatgpt\System\104\chromedriver.exe	msiexec.exe
File created	C:\Program Files\chatgpt\chatgpt\System.IO.Compression.FileSystem.dll	msiexec.exe
File created	C:\Program Files\chatgpt\chatgpt\System\102\chromedriver.exe	msiexec.exe
File created	C:\Program Files\chatgpt\chatgpt\System.IO.Compression.dll	msiexec.exe
File created	C:\Program Files\chatgpt\chatgpt\chatgpt.exe	msiexec.exe
File created	C:\Program Files\chatgpt\chatgpt\System\109\chromedriver.exe	msiexec.exe
File created	C:\Program Files\chatgpt\chatgpt\logo.ico	msiexec.exe
File created	C:\Program Files\chatgpt\chatgpt\WebDriver.dll	msiexec.exe
File created	C:\Program Files\chatgpt\chatgpt\System\107\chromedriver.exe	msiexec.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\6e6da2.msi	msiexec.exe
File created	C:\Windows\Installer\6e6da7.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\6e6da2.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7DE8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8D34.tmp	msiexec.exe
File created	C:\Windows\Installer\6e6da3.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8ECB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\6e6da3.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
1084	taskkill.exe
1664	taskkill.exe
1692	taskkill.exe
1452	taskkill.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
956	msiexec.exe
956	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1708	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1708	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	956	msiexec.exe
Token: SeTakeOwnershipPrivilege	956	msiexec.exe
Token: SeSecurityPrivilege	956	msiexec.exe
Token: SeCreateTokenPrivilege	1708	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1708	msiexec.exe
Token: SeLockMemoryPrivilege	1708	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1708	msiexec.exe
Token: SeMachineAccountPrivilege	1708	msiexec.exe
Token: SeTcbPrivilege	1708	msiexec.exe
Token: SeSecurityPrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeLoadDriverPrivilege	1708	msiexec.exe
Token: SeSystemProfilePrivilege	1708	msiexec.exe
Token: SeSystemtimePrivilege	1708	msiexec.exe
Token: SeProfSingleProcessPrivilege	1708	msiexec.exe
Token: SeIncBasePriorityPrivilege	1708	msiexec.exe
Token: SeCreatePagefilePrivilege	1708	msiexec.exe
Token: SeCreatePermanentPrivilege	1708	msiexec.exe
Token: SeBackupPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeShutdownPrivilege	1708	msiexec.exe
Token: SeDebugPrivilege	1708	msiexec.exe
Token: SeAuditPrivilege	1708	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1708	msiexec.exe
Token: SeChangeNotifyPrivilege	1708	msiexec.exe
Token: SeRemoteShutdownPrivilege	1708	msiexec.exe
Token: SeUndockPrivilege	1708	msiexec.exe
Token: SeSyncAgentPrivilege	1708	msiexec.exe
Token: SeEnableDelegationPrivilege	1708	msiexec.exe
Token: SeManageVolumePrivilege	1708	msiexec.exe
Token: SeImpersonatePrivilege	1708	msiexec.exe
Token: SeCreateGlobalPrivilege	1708	msiexec.exe
Token: SeCreateTokenPrivilege	1708	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1708	msiexec.exe
Token: SeLockMemoryPrivilege	1708	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1708	msiexec.exe
Token: SeMachineAccountPrivilege	1708	msiexec.exe
Token: SeTcbPrivilege	1708	msiexec.exe
Token: SeSecurityPrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeLoadDriverPrivilege	1708	msiexec.exe
Token: SeSystemProfilePrivilege	1708	msiexec.exe
Token: SeSystemtimePrivilege	1708	msiexec.exe
Token: SeProfSingleProcessPrivilege	1708	msiexec.exe
Token: SeIncBasePriorityPrivilege	1708	msiexec.exe
Token: SeCreatePagefilePrivilege	1708	msiexec.exe
Token: SeCreatePermanentPrivilege	1708	msiexec.exe
Token: SeBackupPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeShutdownPrivilege	1708	msiexec.exe
Token: SeDebugPrivilege	1708	msiexec.exe
Token: SeAuditPrivilege	1708	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1708	msiexec.exe
Token: SeChangeNotifyPrivilege	1708	msiexec.exe
Token: SeRemoteShutdownPrivilege	1708	msiexec.exe
Token: SeUndockPrivilege	1708	msiexec.exe
Token: SeSyncAgentPrivilege	1708	msiexec.exe
Token: SeEnableDelegationPrivilege	1708	msiexec.exe
Token: SeManageVolumePrivilege	1708	msiexec.exe
Token: SeImpersonatePrivilege	1708	msiexec.exe
Token: SeCreateGlobalPrivilege	1708	msiexec.exe
Token: SeCreateTokenPrivilege	1708	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1708	msiexec.exe
1708	msiexec.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 1356	956	msiexec.exe	29
PID 956 wrote to memory of 1356	956	msiexec.exe	29
PID 956 wrote to memory of 1356	956	msiexec.exe	29
PID 956 wrote to memory of 1356	956	msiexec.exe	29
PID 956 wrote to memory of 1356	956	msiexec.exe	29
PID 956 wrote to memory of 1356	956	msiexec.exe	29
PID 956 wrote to memory of 1356	956	msiexec.exe	29
PID 956 wrote to memory of 1916	956	msiexec.exe	33
PID 956 wrote to memory of 1916	956	msiexec.exe	33
PID 956 wrote to memory of 1916	956	msiexec.exe	33
PID 956 wrote to memory of 1916	956	msiexec.exe	33
PID 956 wrote to memory of 1916	956	msiexec.exe	33
PID 956 wrote to memory of 1916	956	msiexec.exe	33
PID 956 wrote to memory of 1916	956	msiexec.exe	33
PID 1708 wrote to memory of 1136	1708	msiexec.exe	36
PID 1708 wrote to memory of 1136	1708	msiexec.exe	36
PID 1708 wrote to memory of 1136	1708	msiexec.exe	36
PID 1708 wrote to memory of 1136	1708	msiexec.exe	36
PID 1136 wrote to memory of 1664	1136	chatgpt.exe	39
PID 1136 wrote to memory of 1664	1136	chatgpt.exe	39
PID 1136 wrote to memory of 1664	1136	chatgpt.exe	39
PID 1136 wrote to memory of 1664	1136	chatgpt.exe	39
PID 916 wrote to memory of 1084	916	chatgpt.exe	38
PID 916 wrote to memory of 1084	916	chatgpt.exe	38
PID 916 wrote to memory of 1084	916	chatgpt.exe	38
PID 916 wrote to memory of 1084	916	chatgpt.exe	38
PID 916 wrote to memory of 1692	916	chatgpt.exe	43
PID 916 wrote to memory of 1692	916	chatgpt.exe	43
PID 916 wrote to memory of 1692	916	chatgpt.exe	43
PID 916 wrote to memory of 1692	916	chatgpt.exe	43
PID 1136 wrote to memory of 1452	1136	chatgpt.exe	45
PID 1136 wrote to memory of 1452	1136	chatgpt.exe	45
PID 1136 wrote to memory of 1452	1136	chatgpt.exe	45
PID 1136 wrote to memory of 1452	1136	chatgpt.exe	45

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\chatgpt_setup.msi
1⤵
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Program Files\chatgpt\chatgpt\chatgpt.exe
  "C:\Program Files\chatgpt\chatgpt\chatgpt.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1136
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill.exe /F /IM "chrome.exe"
    3⤵
    - Kills process with taskkill
    PID:1664
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill.exe /F /IM "chromedriver.exe"
    3⤵
    - Kills process with taskkill
    PID:1452

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:956
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 292434C1A50F743252DCD042F1F5240E C
  2⤵
  - Loads dropped DLL
  PID:1356
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C0F412C4C2CEC0A856B22E435FA0912C
  2⤵
  - Loads dropped DLL
  PID:1916

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1032

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004E8" "00000000000004CC"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1964

C:\Program Files\chatgpt\chatgpt\chatgpt.exe
"C:\Program Files\chatgpt\chatgpt\chatgpt.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:916
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /F /IM "chrome.exe"
  2⤵
  - Kills process with taskkill
  PID:1084
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /F /IM "chromedriver.exe"
  2⤵
  - Kills process with taskkill
  PID:1692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\chatgpt\chatgpt\WebDriver.dll

Filesize
8.4MB

MD5
961bdd1e0ab192f8e517bd434fb4cbe0

SHA1
e7de4921333a41ff9eaa1f29167bee26195f0daf

SHA256
f3d2ebb39d2edc3cce98299c724c5eff0b7a151c5d0857dd3f35ad0ff48fbe53

SHA512
fedbc711a4e887eb6f8ca99aa89343afcb25eac3dd8cfd0fb2f138a43b8293c3dd2650db9ebd56571a79136a5e00392e7b3ed22ace7c27e6a3fa3c5d927d7217

Download Submit
C:\Program Files\chatgpt\chatgpt\chatgpt.exe

Filesize
146KB

MD5
9ff2f9c28827de4de505c92b0212bd28

SHA1
00f18a24113a6373b0bd6febc70f9be065483add

SHA256
65266185bd058b2b4a8488984cd84e2fe4fbf452fd2fdaf0e8325b77ff6e90a9

SHA512
01c16d6b0b1537cd502fcdcb8b18d39513f005ad20adcad234565ce161df1181afc59740e3d12dd0311dd5a7d10b61617e814c6f96fbea05d10631397fe81046

Download Submit
C:\Program Files\chatgpt\chatgpt\chatgpt.exe

Filesize
146KB

MD5
9ff2f9c28827de4de505c92b0212bd28

SHA1
00f18a24113a6373b0bd6febc70f9be065483add

SHA256
65266185bd058b2b4a8488984cd84e2fe4fbf452fd2fdaf0e8325b77ff6e90a9

SHA512
01c16d6b0b1537cd502fcdcb8b18d39513f005ad20adcad234565ce161df1181afc59740e3d12dd0311dd5a7d10b61617e814c6f96fbea05d10631397fe81046

Download Submit
C:\Program Files\chatgpt\chatgpt\chatgpt.exe

Filesize
146KB

MD5
9ff2f9c28827de4de505c92b0212bd28

SHA1
00f18a24113a6373b0bd6febc70f9be065483add

SHA256
65266185bd058b2b4a8488984cd84e2fe4fbf452fd2fdaf0e8325b77ff6e90a9

SHA512
01c16d6b0b1537cd502fcdcb8b18d39513f005ad20adcad234565ce161df1181afc59740e3d12dd0311dd5a7d10b61617e814c6f96fbea05d10631397fe81046

Download Submit
C:\Program Files\chatgpt\chatgpt\chatgpt.exe.config

Filesize
189B

MD5
9dbad5517b46f41dbb0d8780b20ab87e

SHA1
ef6aef0b1ea5d01b6e088a8bf2f429773c04ba5e

SHA256
47e5a0f101af4151d7f13d2d6bfa9b847d5b5e4a98d1f4674b7c015772746cdf

SHA512
43825f5c26c54e1fc5bffcce30caad1449a28c0c9a9432e9ce17d255f8bf6057c1a1002d9471e5b654ab1de08fb6eabf96302cdb3e0fb4b63ba0ff186e903be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC840.tmp

Filesize
285KB

MD5
b77a2a2768b9cc78a71bbffb9812b978

SHA1
b70e27eb446fe1c3bc8ea03dabbee2739a782e04

SHA256
f74c97b1a53541b059d3bfafe41a79005ce5065f8210d7de9f1b600dc4e28aa0

SHA512
a8b16bc60f8559c78c64ca9e85cd7fd704bba1f55b362465b7accef1bb853d1c9616995a35f972256c57fbe877ce880398ba1fbceaa658604883aa12dcbc4f57

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC988.tmp

Filesize
285KB

MD5
b77a2a2768b9cc78a71bbffb9812b978

SHA1
b70e27eb446fe1c3bc8ea03dabbee2739a782e04

SHA256
f74c97b1a53541b059d3bfafe41a79005ce5065f8210d7de9f1b600dc4e28aa0

SHA512
a8b16bc60f8559c78c64ca9e85cd7fd704bba1f55b362465b7accef1bb853d1c9616995a35f972256c57fbe877ce880398ba1fbceaa658604883aa12dcbc4f57

Download Submit
C:\Windows\Installer\MSI7DE8.tmp

Filesize
285KB

MD5
b77a2a2768b9cc78a71bbffb9812b978

SHA1
b70e27eb446fe1c3bc8ea03dabbee2739a782e04

SHA256
f74c97b1a53541b059d3bfafe41a79005ce5065f8210d7de9f1b600dc4e28aa0

SHA512
a8b16bc60f8559c78c64ca9e85cd7fd704bba1f55b362465b7accef1bb853d1c9616995a35f972256c57fbe877ce880398ba1fbceaa658604883aa12dcbc4f57

Download Submit
C:\Windows\Installer\MSI8D34.tmp

Filesize
285KB

MD5
b77a2a2768b9cc78a71bbffb9812b978

SHA1
b70e27eb446fe1c3bc8ea03dabbee2739a782e04

SHA256
f74c97b1a53541b059d3bfafe41a79005ce5065f8210d7de9f1b600dc4e28aa0

SHA512
a8b16bc60f8559c78c64ca9e85cd7fd704bba1f55b362465b7accef1bb853d1c9616995a35f972256c57fbe877ce880398ba1fbceaa658604883aa12dcbc4f57

Download Submit
\Program Files\chatgpt\chatgpt\WebDriver.dll

Filesize
8.4MB

MD5
961bdd1e0ab192f8e517bd434fb4cbe0

SHA1
e7de4921333a41ff9eaa1f29167bee26195f0daf

SHA256
f3d2ebb39d2edc3cce98299c724c5eff0b7a151c5d0857dd3f35ad0ff48fbe53

SHA512
fedbc711a4e887eb6f8ca99aa89343afcb25eac3dd8cfd0fb2f138a43b8293c3dd2650db9ebd56571a79136a5e00392e7b3ed22ace7c27e6a3fa3c5d927d7217

Download Submit
\Program Files\chatgpt\chatgpt\WebDriver.dll

Filesize
8.4MB

MD5
961bdd1e0ab192f8e517bd434fb4cbe0

SHA1
e7de4921333a41ff9eaa1f29167bee26195f0daf

SHA256
f3d2ebb39d2edc3cce98299c724c5eff0b7a151c5d0857dd3f35ad0ff48fbe53

SHA512
fedbc711a4e887eb6f8ca99aa89343afcb25eac3dd8cfd0fb2f138a43b8293c3dd2650db9ebd56571a79136a5e00392e7b3ed22ace7c27e6a3fa3c5d927d7217

Download Submit
\Program Files\chatgpt\chatgpt\WebDriver.dll

Filesize
8.4MB

MD5
961bdd1e0ab192f8e517bd434fb4cbe0

SHA1
e7de4921333a41ff9eaa1f29167bee26195f0daf

SHA256
f3d2ebb39d2edc3cce98299c724c5eff0b7a151c5d0857dd3f35ad0ff48fbe53

SHA512
fedbc711a4e887eb6f8ca99aa89343afcb25eac3dd8cfd0fb2f138a43b8293c3dd2650db9ebd56571a79136a5e00392e7b3ed22ace7c27e6a3fa3c5d927d7217

Download Submit
\Program Files\chatgpt\chatgpt\WebDriver.dll

Filesize
8.4MB

MD5
961bdd1e0ab192f8e517bd434fb4cbe0

SHA1
e7de4921333a41ff9eaa1f29167bee26195f0daf

SHA256
f3d2ebb39d2edc3cce98299c724c5eff0b7a151c5d0857dd3f35ad0ff48fbe53

SHA512
fedbc711a4e887eb6f8ca99aa89343afcb25eac3dd8cfd0fb2f138a43b8293c3dd2650db9ebd56571a79136a5e00392e7b3ed22ace7c27e6a3fa3c5d927d7217

Download Submit
\Users\Admin\AppData\Local\Temp\MSIC840.tmp

Filesize
285KB

MD5
b77a2a2768b9cc78a71bbffb9812b978

SHA1
b70e27eb446fe1c3bc8ea03dabbee2739a782e04

SHA256
f74c97b1a53541b059d3bfafe41a79005ce5065f8210d7de9f1b600dc4e28aa0

SHA512
a8b16bc60f8559c78c64ca9e85cd7fd704bba1f55b362465b7accef1bb853d1c9616995a35f972256c57fbe877ce880398ba1fbceaa658604883aa12dcbc4f57

Download Submit
\Users\Admin\AppData\Local\Temp\MSIC988.tmp

Filesize
285KB

MD5
b77a2a2768b9cc78a71bbffb9812b978

SHA1
b70e27eb446fe1c3bc8ea03dabbee2739a782e04

SHA256
f74c97b1a53541b059d3bfafe41a79005ce5065f8210d7de9f1b600dc4e28aa0

SHA512
a8b16bc60f8559c78c64ca9e85cd7fd704bba1f55b362465b7accef1bb853d1c9616995a35f972256c57fbe877ce880398ba1fbceaa658604883aa12dcbc4f57

Download Submit
\Windows\Installer\MSI7DE8.tmp

Filesize
285KB

MD5
b77a2a2768b9cc78a71bbffb9812b978

SHA1
b70e27eb446fe1c3bc8ea03dabbee2739a782e04

SHA256
f74c97b1a53541b059d3bfafe41a79005ce5065f8210d7de9f1b600dc4e28aa0

SHA512
a8b16bc60f8559c78c64ca9e85cd7fd704bba1f55b362465b7accef1bb853d1c9616995a35f972256c57fbe877ce880398ba1fbceaa658604883aa12dcbc4f57

Download Submit
\Windows\Installer\MSI8D34.tmp

Filesize
285KB

MD5
b77a2a2768b9cc78a71bbffb9812b978

SHA1
b70e27eb446fe1c3bc8ea03dabbee2739a782e04

SHA256
f74c97b1a53541b059d3bfafe41a79005ce5065f8210d7de9f1b600dc4e28aa0

SHA512
a8b16bc60f8559c78c64ca9e85cd7fd704bba1f55b362465b7accef1bb853d1c9616995a35f972256c57fbe877ce880398ba1fbceaa658604883aa12dcbc4f57

Download Submit
memory/916-73-0x00000000002E0000-0x000000000030A000-memory.dmp

Filesize
168KB

Download
memory/916-88-0x0000000004C85000-0x0000000004C96000-memory.dmp

Filesize
68KB

Download
memory/916-78-0x0000000004C85000-0x0000000004C96000-memory.dmp

Filesize
68KB

Download
memory/1136-79-0x0000000004C95000-0x0000000004CA6000-memory.dmp

Filesize
68KB

Download
memory/1136-89-0x0000000004C95000-0x0000000004CA6000-memory.dmp

Filesize
68KB

Download
memory/1136-87-0x0000000007CA0000-0x0000000008516000-memory.dmp

Filesize
8.5MB

Download
memory/1356-57-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download
memory/1708-54-0x000007FEFBC61000-0x000007FEFBC63000-memory.dmp

Filesize
8KB

Download