Analysis
max time kernel: 89s
max time network: 73s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64 arch:x86 image:win10-20230220-en locale:en-us os:windows10-1703-x64 system
submitted: 06/05/2023, 14:13
Static task: static1
URLScan task: urlscan1
General
Malware Config
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot6151461640:AAHy5rzfSfRjAN6PI6u5fbOlJiEx2o7grQA/sendMessage?chat_id=5925171292
AsyncMutex_6SI8OkPnk
delay: 3
install: false
install_folder: %AppData%
Signatures

StormKitty
StormKitty is an open source info stealer written in C#.

StormKitty payload 4 IoCs
resource | yara_rule
behavioral1/files/0x000700000001af0f-266.dat | family_stormkitty
behavioral1/files/0x000700000001af0f-296.dat | family_stormkitty
behavioral1/files/0x000700000001af0f-297.dat | family_stormkitty
behavioral1/memory/3324-298-0x0000000000E20000-0x0000000000E50000-memory.dmp | family_stormkitty

Async RAT payload 4 IoCs
resource | yara_rule
behavioral1/files/0x000700000001af0f-266.dat | asyncrat
behavioral1/files/0x000700000001af0f-296.dat | asyncrat
behavioral1/files/0x000700000001af0f-297.dat | asyncrat
behavioral1/memory/3324-298-0x0000000000E20000-0x0000000000E50000-memory.dmp | asyncrat

Downloads MZ/PE file

Executes dropped EXE 1 IoCs
pid | Process
3324 | checker.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Drops desktop.ini file(s) 8 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Local\c63bfa55c6905ee8165ea86928172f35\Admin@RDOTXCCL_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | checker.exe
File opened for modification | C:\Users\Admin\AppData\Local\c63bfa55c6905ee8165ea86928172f35\Admin@RDOTXCCL_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | checker.exe
File created | C:\Users\Admin\AppData\Local\c63bfa55c6905ee8165ea86928172f35\Admin@RDOTXCCL_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | checker.exe
File opened for modification | C:\Users\Admin\AppData\Local\c63bfa55c6905ee8165ea86928172f35\Admin@RDOTXCCL_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | checker.exe
File created | C:\Users\Admin\AppData\Local\c63bfa55c6905ee8165ea86928172f35\Admin@RDOTXCCL_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | checker.exe
File created | C:\Users\Admin\AppData\Local\c63bfa55c6905ee8165ea86928172f35\Admin@RDOTXCCL_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | checker.exe
File created | C:\Users\Admin\AppData\Local\c63bfa55c6905ee8165ea86928172f35\Admin@RDOTXCCL_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini | checker.exe
File created | C:\Users\Admin\AppData\Local\c63bfa55c6905ee8165ea86928172f35\Admin@RDOTXCCL_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini | checker.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
84 | icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | checker.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | checker.exe

Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe

Modifies data under HKEY_USERS 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133278632431007363" | chrome.exe
Suspicious behavior: EnumeratesProcesses 19 IoCs

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Suspicious use of AdjustPrivilegeToken 64 IoCs

Suspicious use of FindShellTrayWindow 33 IoCs

Suspicious use of SendNotifyMessage 24 IoCs

Suspicious use of WriteProcessMemory 64 IoCs
Processes

[depth 1] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3480)
  command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://anonfiles.com/iac0Bdp5zb/checker_exe
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3552)
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fff3fec9758,0x7fff3fec9768,0x7fff3fec9778

  [depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3880)
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1600 --field-trial-handle=1772,i,1302285884585738640,2346120644438175954,131072 /prefetch:2

  [depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4392)
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2008 --field-trial-handle=1772,i,1302285884585738640,2346120644438175954,131072 /prefetch:8

  [depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4764)
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2156 --field-trial-handle=1772,i,1302285884585738640,2346120644438175954,131072 /prefetch:8

  [depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3700)
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2968 --field-trial-handle=1772,i,1302285884585738640,2346120644438175954,131072 /prefetch:1

  [depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4744)
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2976 --field-trial-handle=1772,i,1302285884585738640,2346120644438175954,131072 /prefetch:1

  [depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5068)
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4372 --field-trial-handle=1772,i,1302285884585738640,2346120644438175954,131072 /prefetch:1

  [depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4960)
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 --field-trial-handle=1772,i,1302285884585738640,2346120644438175954,131072 /prefetch:8

  [depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 428)
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 --field-trial-handle=1772,i,1302285884585738640,2346120644438175954,131072 /prefetch:8

  [depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 788)
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3172 --field-trial-handle=1772,i,1302285884585738640,2346120644438175954,131072 /prefetch:1

  [depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1592)
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5268 --field-trial-handle=1772,i,1302285884585738640,2346120644438175954,131072 /prefetch:1

  [depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2576)
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4860 --field-trial-handle=1772,i,1302285884585738640,2346120644438175954,131072 /prefetch:8

  [depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3212)
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 --field-trial-handle=1772,i,1302285884585738640,2346120644438175954,131072 /prefetch:8

  [depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2632)
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1528 --field-trial-handle=1772,i,1302285884585738640,2346120644438175954,131072 /prefetch:8

  [depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3912)
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5388 --field-trial-handle=1772,i,1302285884585738640,2346120644438175954,131072 /prefetch:8

  [depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4300)
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5440 --field-trial-handle=1772,i,1302285884585738640,2346120644438175954,131072 /prefetch:8

  [depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3160)
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5568 --field-trial-handle=1772,i,1302285884585738640,2346120644438175954,131072 /prefetch:8

  [depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4368)
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5208 --field-trial-handle=1772,i,1302285884585738640,2346120644438175954,131072 /prefetch:8

  [depth 2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4364)
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5544 --field-trial-handle=1772,i,1302285884585738640,2346120644438175954,131072 /prefetch:8

  [depth 2] C:\Users\Admin\Downloads\checker.exe (PID 3324)
    command line: "C:\Users\Admin\Downloads\checker.exe"
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses

    [depth 3] C:\Windows\SysWOW64\cmd.exe (PID 2208)
      command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

      [depth 4] C:\Windows\SysWOW64\chcp.com (PID 1036)
        command line: chcp 65001

      [depth 4] C:\Windows\SysWOW64\netsh.exe (PID 3188)
        command line: netsh wlan show profile

      [depth 4] C:\Windows\SysWOW64\findstr.exe (PID 1116)
        command line: findstr All

    [depth 3] C:\Windows\SysWOW64\cmd.exe (PID 2576)
      command line: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

      [depth 4] C:\Windows\SysWOW64\chcp.com (PID 4112)
        command line: chcp 65001

      [depth 4] C:\Windows\SysWOW64\netsh.exe (PID 3932)
        command line: netsh wlan show networks mode=bssid

[depth 1] C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (PID 3656)
  command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index (96B)
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe56d381.TMP (48B)
C:\Users\Admin\AppData\Local\c63bfa55c6905ee8165ea86928172f35\Admin@RDOTXCCL_en-US\Browsers\Firefox\Bookmarks.txt (105B)
C:\Users\Admin\AppData\Local\c63bfa55c6905ee8165ea86928172f35\Admin@RDOTXCCL_en-US\System\Process.txt (4KB)