Analysis
max time kernel: 65s
max time network: 72s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 16/02/2023, 15:41
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
  Sample: http://kpi-offscan.kpi.ac.th/elib/cgi-bin/opacexe.exe?op=redir&lang=0&db=Main&pat=%A1%D2%C3%C1%D5%CA%E8%C7%B9%C3%E8%C7%C1&cat=sub&skin=u&lpp=20&catop=&scid=zzz&bid=1115&u=https%3A%2F%2Fs3.amazonaws.com%2Fappforest_uf%2Ff1675615245021x188597381800609020%2Findexxxx.html%3FtvePhp0wGKBEaVy%3Da2VsbHkucm95ZXJAc3RhdGUuc2QudXM%3D%26
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: http://kpi-offscan.kpi.ac.th/elib/cgi-bin/opacexe.exe?op=redir&lang=0&db=Main&pat=%A1%D2%C3%C1%D5%CA%E8%C7%B9%C3%E8%C7%C1&cat=sub&skin=u&lpp=20&catop=&scid=zzz&bid=1115&u=https%3A%2F%2Fs3.amazonaws.com%2Fappforest_uf%2Ff1675615245021x188597381800609020%2Findexxxx.html%3FtvePhp0wGKBEaVy%3Da2VsbHkucm95ZXJAc3RhdGUuc2QudXM%3D%26
  Resource: win10v2004-20221111-en
General
Target: http://kpi-offscan.kpi.ac.th/elib/cgi-bin/opacexe.exe?op=redir&lang=0&db=Main&pat=%A1%D2%C3%C1%D5%CA%E8%C7%B9%C3%E8%C7%C1&cat=sub&skin=u&lpp=20&catop=&scid=zzz&bid=1115&u=https%3A%2F%2Fs3.amazonaws.com%2Fappforest_uf%2Ff1675615245021x188597381800609020%2Findexxxx.html%3FtvePhp0wGKBEaVy%3Da2VsbHkucm95ZXJAc3RhdGUuc2QudXM%3D%26
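The Target is a redirector chain: opacexe.exe is called with op=redir and a percent-encoded u= parameter that carries the actual landing page on s3.amazonaws.com, and that landing page's own query string ends in a base64-looking value. The script below is an editor's added example for unwrapping that chain offline; it is not output of the Triage report. Reading the trailing value as base64 is an inference from its shape, and the e-mail pattern is a heuristic, so the script reports only whether the value decodes to an address and which domain it belongs to, without echoing the recipient.

```python
"""Unwrap the redirect chain in the submitted Target URL (editor's added example,
not output of the Triage report).

Treating the trailing query value as base64 is an inference from its shape;
the e-mail check is a heuristic, not something the report states.
"""
import base64
import re
from urllib.parse import parse_qs, urlsplit

# The Target URL exactly as quoted in the report above.
TARGET = (
    "http://kpi-offscan.kpi.ac.th/elib/cgi-bin/opacexe.exe?op=redir&lang=0&db=Main"
    "&pat=%A1%D2%C3%C1%D5%CA%E8%C7%B9%C3%E8%C7%C1&cat=sub&skin=u&lpp=20&catop=&scid=zzz"
    "&bid=1115&u=https%3A%2F%2Fs3.amazonaws.com%2Fappforest_uf%2F"
    "f1675615245021x188597381800609020%2Findexxxx.html%3FtvePhp0wGKBEaVy%3D"
    "a2VsbHkucm95ZXJAc3RhdGUuc2QudXM%3D%26"
)

# Loose e-mail shape; only the domain is captured so the recipient is not echoed.
EMAIL_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$")


def try_b64(value):
    """Return the decoded text if value is strict base64 of printable ASCII, else None."""
    if not value:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError subclass
        return None
    return text if text.isprintable() else None


def classify_tag(value):
    """Describe a query value without exposing it: base64? an e-mail? which domain?"""
    decoded = try_b64(value)
    match = EMAIL_RE.match(decoded) if decoded else None
    return {
        "is_base64_text": decoded is not None,
        "looks_like_email": match is not None,
        "email_domain": match.group(1) if match else None,
    }


def unwrap_redirect(url):
    """Follow one open-redirect hop: outer redirector, inner landing page, its tags."""
    outer = urlsplit(url)
    # parse_qs percent-decodes once, so the u= value comes back as a plain https:// URL.
    outer_q = parse_qs(outer.query, keep_blank_values=True)
    inner_url = outer_q.get("u", [None])[0]
    if inner_url is None:
        return {"redirector_host": outer.hostname, "landing_host": None, "tags": {}}
    inner = urlsplit(inner_url)
    inner_q = parse_qs(inner.query, keep_blank_values=True)
    return {
        "redirector_host": outer.hostname,
        "redirector_op": outer_q.get("op", [None])[0],
        "landing_host": inner.hostname,
        "landing_path": inner.path,
        "tags": {name: classify_tag(values[0]) for name, values in inner_q.items()},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(unwrap_redirect(TARGET), indent=2))
```

For this Target the result names kpi-offscan.kpi.ac.th as the redirector, s3.amazonaws.com as the landing host, and flags the tvePhp0wGKBEaVy value as base64 of an address at state.sd.us, which is the usual shape of a per-recipient phishing link.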
Malware Config
Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                    process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   chrome.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     chrome.exe
Modifies Internet Explorer settings
  All keys below are under \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\
  description       ioc                                                                   process
  Set value (int)   Main\CompatibilityFlags = "0"                                         iexplore.exe
  Set value (int)   Recovery\PendingRecovery\AdminActive = "0"                            iexplore.exe
  Key created       TabbedBrowsing                                                        iexplore.exe
  Key created       Main                                                                  iexplore.exe
  Set value (data)  TabbedBrowsing\NewTabPage\LastProcessed = 0039a4992542d901            iexplore.exe
  Set value (data)  TabbedBrowsing\NewTabPage\MFV = [value elided]                        iexplore.exe
  Key created       Recovery\PendingRecovery                                              iexplore.exe
  Set value (str)   Main\WindowsSearch\Version = "WS not running"                         iexplore.exe
  Set value (int)   SearchScopes\DownloadRetries = "2"                                    iexplore.exe
  Set value (int)   Recovery\AdminActive\{D099C561-AE18-11ED-BF38-72F0FB4431DC} = "0"     iexplore.exe
  Key created       GPU                                                                   iexplore.exe
  Key created       IETld\LowMic                                                          iexplore.exe
  Key created       IntelliForms                                                          iexplore.exe
  Key created       Recovery\AdminActive                                                  iexplore.exe
  Key created       Main\WindowsSearch                                                    iexplore.exe
  Key created       TabbedBrowsing\NewTabPage                                             iexplore.exe
  Key created       BrowserEmulation\LowMic                                               iexplore.exe
  Key created       PageSetup                                                             iexplore.exe
  Key created       Zoom                                                                  iexplore.exe
  Key created       LowRegistry                                                           iexplore.exe
  Key created       LowRegistry\DontShowMeThisDialogAgain                                 iexplore.exe
  Key created       Toolbar                                                               iexplore.exe
  Set value (str)   Main\FullScreen = "no"                                                iexplore.exe
  Set value (data)  Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000  iexplore.exe
  Set value (str)   Main\WindowsSearch\Version = "WS not running"                         IEXPLORE.EXE
  Set value (data)  TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd8362e63385414b841ec03a03436a4900000000020000000000106600000001000020000000660e64cb62454eac0bcba272f7c6f873b74cc1a9cf5743c357b224b8c51a2b5e000000000e8000000002000020000000b142c6778836c358b9b9d19a776c51c5308e338c9018d0ea67746afea5eb19842000000029a9c608fad70814e3ee3b7b49db476b75cae79adb9becd6710adc0b6daeacc84000000053de4a146a9da63933c24b4841c1eb2b455e8f40ebd01dd47fdd20ffc2f49cd28f56dc56649a8a985e083c912e574cded554a9110d814a09544df94d73fa64b8  iexplore.exe
  Key created       LowRegistry\DOMStorage                                                iexplore.exe
  Key created       SearchScopes                                                          iexplore.exe
  Key created       Toolbar\WebBrowser                                                    iexplore.exe
  Key created       Main                                                                  IEXPLORE.EXE
  Key created       Main\WindowsSearch                                                    IEXPLORE.EXE
  Set value (int)   TabbedBrowsing\NTPFirstRun = "1"                                      iexplore.exe
  Key created       InternetRegistry                                                      iexplore.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid   process
  1544  chrome.exe
  1008  chrome.exe
  1008  chrome.exe
  2624  chrome.exe
  2632  chrome.exe
Suspicious use of FindShellTrayWindow (35 IoCs)
  pid   process       rows
  1312  iexplore.exe  1
  1008  chrome.exe    34
Suspicious use of SendNotifyMessage (32 IoCs)
  pid   process       rows
  1008  chrome.exe    32
Suspicious use of SetWindowsHookEx (4 IoCs)
  pid   process       rows
  1312  iexplore.exe  2
  1916  IEXPLORE.EXE  2
Suspicious use of WriteProcessMemory (64 IoCs)
  description                          pid   process       procid_target  rows
  PID 1312 wrote to memory of 1916     1312  iexplore.exe  29             4
  PID 1008 wrote to memory of 1648     1008  chrome.exe    32             3
  PID 1008 wrote to memory of 1496     1008  chrome.exe    34             41
  PID 1008 wrote to memory of 1544     1008  chrome.exe    33             3
  PID 1008 wrote to memory of 1816     1008  chrome.exe    35             13
Processes
PID 1312  "C:\Program Files\Internet Explorer\iexplore.exe" http://kpi-offscan.kpi.ac.th/elib/cgi-bin/opacexe.exe?op=redir&lang=0&db=Main&pat=%A1%D2%C3%C1%D5%CA%E8%C7%B9%C3%E8%C7%C1&cat=sub&skin=u&lpp=20&catop=&scid=zzz&bid=1115&u=https%3A%2F%2Fs3.amazonaws.com%2Fappforest_uf%2Ff1675615245021x188597381800609020%2Findexxxx.html%3FtvePhp0wGKBEaVy%3Da2VsbHkucm95ZXJAc3RhdGUuc2QudXM%3D%26
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID 1916  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1312 CREDAT:275457 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx

PID 1008  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID 1648  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef69c4f50,0x7fef69c4f60,0x7fef69c4f70
  PID 1544  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=992,11630431388719535635,8006103697163004752,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1320 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  PID 1496  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=992,11630431388719535635,8006103697163004752,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1004 /prefetch:2
  PID 1816  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=992,11630431388719535635,8006103697163004752,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1820 /prefetch:8
  PID 2092  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=992,11630431388719535635,8006103697163004752,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2036 /prefetch:1
  PID 2084  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=992,11630431388719535635,8006103697163004752,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2024 /prefetch:1
  PID 2180  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=992,11630431388719535635,8006103697163004752,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
  PID 2416  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=992,11630431388719535635,8006103697163004752,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3272 /prefetch:2
  PID 2460  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=992,11630431388719535635,8006103697163004752,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  PID 2524  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=992,11630431388719535635,8006103697163004752,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3448 /prefetch:8
  PID 2532  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=992,11630431388719535635,8006103697163004752,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3596 /prefetch:8
  PID 2624  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=992,11630431388719535635,8006103697163004752,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3904 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  PID 2632  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=992,11630431388719535635,8006103697163004752,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3916 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  PID 2752  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=992,11630431388719535635,8006103697163004752,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1720 /prefetch:8
  PID 2788  "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --reenable-autoupdates --system-level
    PID 3048  "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x13c,0x140,0x144,0x110,0x148,0x13fb1a890,0x13fb1a8a0,0x13fb1a8b0
  PID 2796  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=992,11630431388719535635,8006103697163004752,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2596 /prefetch:1
  PID 2860  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=992,11630431388719535635,8006103697163004752,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2128 /prefetch:1
  PID 2956  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=992,11630431388719535635,8006103697163004752,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_B5D3A17E5BEDD2EDA793611A0A74E1E8
  Filesize: 1KB
  MD5:    d02d993c04f5bb559db79ad34ad6d951
  SHA1:   ea52daa9c8cc293fd1d34f818f9f9603ac35587f
  SHA256: 858f9672189196ec20a33415cb34aef67d8c27a5abbeeb83c48c0409a31dd825
  SHA512: d6b5122c41b2f14acfd5377996a8adb222cbc29a288276055d591007ec49dc8f13e463c99104ab1686ff4ba6974bfa7628cd4caac4b8805ba583ce42209e7757

(path not recorded in the report)
  Filesize: 61KB
  MD5:    fc4666cbca561e864e7fdf883a9e6661
  SHA1:   2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
  SHA256: 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
  SHA512: c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
  Filesize: 1KB
  MD5:    00ccd517743aa254b592a594cdc345b8
  SHA1:   0187d39dc1e3bb6c08351b854b8afdb13a6b4f7b
  SHA256: 383dbc6e3af3db1377fccdc150abba58a7a329bb60c8bfdc1059f25a5ba2a245
  SHA512: c425bc915d0f04425713890f1dabbff5acc6dd842f6920d9120c9e53f46581110ad8ab01617d7d2b4d197baa5a639bdf878f9bc54edb13f53b34e6ddc087686b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894
  Filesize: 1KB
  MD5:    6bbae51a44cf23494fc50d8110d70a20
  SHA1:   9dea838ea649811e2048419c3c9cd068e7bee83f
  SHA256: 93ff10b404c86cbe12d02bf06e29ec579b3f2c009547946ad07dad28f0da8195
  SHA512: 7adc167ebfb2f535d22f9b90b67eb7c25bf69de98fb87e540583b609923d6032ca3686aa46ecc488d09b2c167e005ef8111489d7758b5fd2955ab870b885e060

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D03E46CD585BBE111C712E6577BC5F07_824D601B4CA63DE5D34E27269DEF752D
  Filesize: 471B
  MD5:    b77dd19016fb6a5c90f777364efe98e3
  SHA1:   9f011fcf34e0a30e0820344576359e919faade5d
  SHA256: b579222d46c5417091dabf6227486e96c75da2a7de7f2265606f0465ac069aff
  SHA512: c2268c59019df08352b65188084dda0adb7ab8ac28757ef7ef197a99c95fd61adeb1fcb5c80f24713da6ae78edc40513ccafc96033f1525ea868120398c15a74

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_B5D3A17E5BEDD2EDA793611A0A74E1E8
  Filesize: 438B
  MD5:    8bbd8504f976d8a9f92abb4fb29932f3
  SHA1:   a4d6875a20cb8ffcf014ba849d6e2f4beb2862b8
  SHA256: 54d1a9c7c7ead629df241bcf3f898fff9cdcd13ff56121265b0fc2bfdabb99dd
  SHA512: 88bbc6228c8c60627c5c1eca1591d2f1239de4fc3be66d66646aefd03408598bde96df5c42c5d10a1c08c155bf4a7f790d621fdc9a6df26df066badc3e27dcad

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5:    e56589058783318137857815a8327aa7
  SHA1:   9db741d68271b617ff7bce09559aa079728e69e1
  SHA256: 4ef85fc80710da19563021c2735be11d401c870deb560feeb04237621e996f7a
  SHA512: ca4155e7f4ac9c51cc8b769814dfbf58c6e5954f38edb13f9abd63cb5f8a13884a8b873aef222ede1a891050a93c57fe52cb4541b793c52f5657f96cf4c3079d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (second version of the same file)
  Filesize: 342B
  MD5:    112d24b007359d561fdd2fbd4519f198
  SHA1:   529cac7f5e44cd8518eabe1dee15cc462caab506
  SHA256: 6f278e373405d3e72c18c74d76655f650c650c190cdf15bede73312cfd2297af
  SHA512: b6ea43497e7b215060bbe2dbb2106f22e3c80cda461ee3a23ade92d0ec2dd8391ba3b23e5a649fec437a0e729a0a5b5952acb6fb1a04486f366c8bf3c573d969

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
  Filesize: 458B
  MD5:    b1121c6b91e5c2cb286962e2cb1f8b7f
  SHA1:   de6c33c1ecc5939f73664e7e97dc88e66b0b036a
  SHA256: a61b33cfc13355102cab902acfe50370f4323037ce75e15727c62f95017628ff
  SHA512: c4dd1db06c1dfd22043a6c203f58b2c0692f4304cb0622d078bf8057a881899a51ba7865267a3b12b997d8e90d6c7e4413782a5f136122b75ae6a845209f8ff3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894
  Filesize: 432B
  MD5:    41a5a0172dc0cee8867e2f840b47f486
  SHA1:   c1b746ee5f68208afea43b4b39bcadcf6f2c1d7b
  SHA256: 1c323bfb000e5ea6f41a581a55526200d59234e83051228c2511ba07f66b7937
  SHA512: 7ad7c37e0d259b31042a3998871f9cdb187cf76cde5e688a461ffb1954abaf6a21d71b2c7c49659913b370fedd90172ed3357efba4ca9f4b616480ca16c4d18f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D03E46CD585BBE111C712E6577BC5F07_824D601B4CA63DE5D34E27269DEF752D
  Filesize: 448B
  MD5:    a45689a4006ab8a28290bce453bd3731
  SHA1:   6bc45308f7b954abe4954bc13b1a760abc9b52ae
  SHA256: 7ca5b7e0c6b3d8863b9d27031ab8000a6fbb083210cf4bb2743493429e7e079c
  SHA512: 643d756f37dbc55304a95eed234b61d3f735d8179cb4260d020c6e64855bfdafd55b28d3d2816956567882e264796a8dee818b81343f6811336aacbf7d820150