Analysis
max time kernel: 147s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20230621-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/07/2023, 12:59
Static task: static1
Behavioral task: behavioral1
Sample: iexpioreexe.exe
Resource: win10v2004-20230621-en
General
Target: iexpioreexe.exe
Size: 140KB
MD5: 667aca3b0011aebd3ac1eb04a929e79b
SHA1: 7489d2101aaa8057fdfe8c22cca54df999f9bd7b
SHA256: f10495057c282936b7d00e5bed9c2eb0efdcef1e23ef60ec6be4566fb2626be3
SHA512: ddd335b9af141352409b1a94ca0020a581ba19b5cfa3edb9daad0805ce51d8a4d12ce6f5a4e0742db9cab7f92ae67f83b3a51f88dc018821aa0f8edf5e636b45
SSDEEP: 1536:Vua+BTv3tIO8MtM+/6jRVGIk1MgHjsPGYYwOda2CqqZOIgQJb0lfjtO+vbWL8xJb:Vn+htWMtf+7GZYGVA2QJgi8xJLDoU
Malware Config
Signatures
-
FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
-
Fatal Rat payload 3 IoCs
resource  yara_rule
behavioral1/memory/4920-133-0x0000000010000000-0x000000001001C000-memory.dmp  fatalrat
behavioral1/memory/3484-141-0x0000000010000000-0x000000001001C000-memory.dmp  fatalrat
behavioral1/memory/4992-476-0x0000000010000000-0x000000001001C000-memory.dmp  fatalrat
Executes dropped EXE 3 IoCs
pid   Process
3484  Jklmno.exe
2508  Jklmno.exe
4992  iexpioreexe.exe
Adds Run key to start application 2 TTPs 1 IoCs
description  ioc  Process
Key created  \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Software\Microsoft\Windows\CurrentVersion\Run  chrome.exe
Drops file in Windows directory 4 IoCs
description                   ioc                    Process
File created                  C:\Windows\Jklmno.exe  iexpioreexe.exe
File opened for modification  C:\Windows\Jklmno.exe  iexpioreexe.exe
File opened for modification  C:\Windows\Jklmno.exe  Jklmno.exe
File created                  C:\Windows\Jklmno.exe  Jklmno.exe
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description        ioc  Process
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000  taskmgr.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName  taskmgr.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description        ioc  Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  Jklmno.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  Jklmno.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description        ioc  Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
Modifies data under HKEY_USERS 14 IoCs
description      ioc  Process
Key created      \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\Jklmno Qrstuvwx  Jklmno.exe
Key created      \REGISTRY\USER\.DEFAULT\SYSTEM  Jklmno.exe
Key created      \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Services\Jklmno Qrstuvwx  Jklmno.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Services\Jklmno Qrstuvwx\Group = "Fatal"  Jklmno.exe
Key created      \REGISTRY\USER\.DEFAULT\Software  Jklmno.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft  Jklmno.exe
Key created      \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry  chrome.exe
Key created      \REGISTRY\USER\.DEFAULT\System\CurrentControlSet  Jklmno.exe
Key created      \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Services  Jklmno.exe
Set value (int)  \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133330356949321553"  chrome.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Services\Jklmno Qrstuvwx\InstallTime = "2023-07-05 13:00"  Jklmno.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie  Jklmno.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum  Jklmno.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7"  Jklmno.exe
Modifies registry class 1 IoCs
description  ioc  Process
Key created  \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\Local Settings  taskmgr.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
pid   Process
4928  chrome.exe
4928  chrome.exe
4928  chrome.exe
4928  chrome.exe
4928  chrome.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
- C:\Users\Admin\AppData\Local\Temp\iexpioreexe.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\iexpioreexe.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 4920

- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 3080

- C:\Windows\Jklmno.exe
  Command line: C:\Windows\Jklmno.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3484

  - C:\Windows\Jklmno.exe
    Command line: C:\Windows\Jklmno.exe Win7
    - Executes dropped EXE
    - Drops file in Windows directory
    - Checks processor information in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2508

- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 4484

- C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Adds Run key to start application
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 4928

  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8d7669758,0x7ff8d7669768,0x7ff8d7669778
    PID: 928

  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1820 --field-trial-handle=1840,i,3171548708790829248,8478722570639528091,131072 /prefetch:2
    PID: 1248

  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 --field-trial-handle=1840,i,3171548708790829248,8478722570639528091,131072 /prefetch:8
    PID: 828

  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2272 --field-trial-handle=1840,i,3171548708790829248,8478722570639528091,131072 /prefetch:8
    PID: 4384

  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3244 --field-trial-handle=1840,i,3171548708790829248,8478722570639528091,131072 /prefetch:1
    PID: 1660

  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3260 --field-trial-handle=1840,i,3171548708790829248,8478722570639528091,131072 /prefetch:1
    PID: 3280

  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4592 --field-trial-handle=1840,i,3171548708790829248,8478722570639528091,131072 /prefetch:1
    PID: 2228

  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4780 --field-trial-handle=1840,i,3171548708790829248,8478722570639528091,131072 /prefetch:8
    PID: 1640

  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4908 --field-trial-handle=1840,i,3171548708790829248,8478722570639528091,131072 /prefetch:8
    PID: 3132

  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4780 --field-trial-handle=1840,i,3171548708790829248,8478722570639528091,131072 /prefetch:8
    PID: 3348

  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5152 --field-trial-handle=1840,i,3171548708790829248,8478722570639528091,131072 /prefetch:8
    PID: 1468

  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 --field-trial-handle=1840,i,3171548708790829248,8478722570639528091,131072 /prefetch:8
    PID: 760

  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5312 --field-trial-handle=1840,i,3171548708790829248,8478722570639528091,131072 /prefetch:1
    PID: 4484

  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3276 --field-trial-handle=1840,i,3171548708790829248,8478722570639528091,131072 /prefetch:1
    PID: 3584

  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5200 --field-trial-handle=1840,i,3171548708790829248,8478722570639528091,131072 /prefetch:8
    PID: 3560

  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1756 --field-trial-handle=1840,i,3171548708790829248,8478722570639528091,131072 /prefetch:8
    PID: 4296

- C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  PID: 1916

- C:\Users\Admin\Desktop\iexpioreexe.exe
  Command line: "C:\Users\Admin\Desktop\iexpioreexe.exe"
  - Executes dropped EXE
  PID: 4992
Network
MITRE ATT&CK Enterprise v6
Downloads