cobaltstrike | hxxp://185[.]74[.]222[.]145[:]64

Resubmissions

16/12/2023, 06:43

231216-hhfe9scbh4 10

16/12/2023, 05:16

231216-fyd62acae9 10

Analysis

max time kernel
300s
max time network
289s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
16/12/2023, 05:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://185.74.222.145:64

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

http://185.74.222.145:676/y6Dj

http://185.74.222.145:676/PPDy

Attributes

user_agent
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Blocklisted process makes network request 10 IoCs

flow	pid	Process
56	3900	powershell.exe
57	3900	powershell.exe
58	3900	powershell.exe
59	3900	powershell.exe
62	3900	powershell.exe
68	3900	powershell.exe
73	3900	powershell.exe
77	3900	powershell.exe
79	3900	powershell.exe
81	3900	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
3232	sjdsn.exe
4980	sjhduieo.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4708	notepad.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1436	chrome.exe
1436	chrome.exe
3900	powershell.exe
3900	powershell.exe
1016	chrome.exe
1016	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1436	chrome.exe
1436	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe
Token: SeShutdownPrivilege	1436	chrome.exe
Token: SeCreatePagefilePrivilege	1436	chrome.exe

Suspicious use of FindShellTrayWindow 56 IoCs

pid	Process
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1436 wrote to memory of 4040	1436	chrome.exe	47
PID 1436 wrote to memory of 4040	1436	chrome.exe	47
PID 1436 wrote to memory of 3632	1436	chrome.exe	85
PID 1436 wrote to memory of 3632	1436	chrome.exe	85
PID 1436 wrote to memory of 3632	1436	chrome.exe	85
PID 1436 wrote to memory of 3632	1436	chrome.exe	85
PID 1436 wrote to memory of 3632	1436	chrome.exe	85
PID 1436 wrote to memory of 3632	1436	chrome.exe	85
PID 1436 wrote to memory of 3632	1436	chrome.exe	85
PID 1436 wrote to memory of 3632	1436	chrome.exe	85
PID 1436 wrote to memory of 3632	1436	chrome.exe	85
PID 1436 wrote to memory of 3632	1436	chrome.exe	85
PID 1436 wrote to memory of 3632	1436	chrome.exe	85
PID 1436 wrote to memory of 3632	1436	chrome.exe	85
PID 1436 wrote to memory of 3632	1436	chrome.exe	85
PID 1436 wrote to memory of 3632	1436	chrome.exe	85
PID 1436 wrote to memory of 3632	1436	chrome.exe	85
PID 1436 wrote to memory of 3632	1436	chrome.exe	85
PID 1436 wrote to memory of 3632	1436	chrome.exe	85
PID 1436 wrote to memory of 3632	1436	chrome.exe	85
PID 1436 wrote to memory of 3632	1436	chrome.exe	85
PID 1436 wrote to memory of 3632	1436	chrome.exe	85
PID 1436 wrote to memory of 3632	1436	chrome.exe	85
PID 1436 wrote to memory of 3632	1436	chrome.exe	85
PID 1436 wrote to memory of 3632	1436	chrome.exe	85
PID 1436 wrote to memory of 3632	1436	chrome.exe	85
PID 1436 wrote to memory of 3632	1436	chrome.exe	85
PID 1436 wrote to memory of 3632	1436	chrome.exe	85
PID 1436 wrote to memory of 3632	1436	chrome.exe	85
PID 1436 wrote to memory of 3632	1436	chrome.exe	85
PID 1436 wrote to memory of 3632	1436	chrome.exe	85
PID 1436 wrote to memory of 3632	1436	chrome.exe	85
PID 1436 wrote to memory of 3632	1436	chrome.exe	85
PID 1436 wrote to memory of 3632	1436	chrome.exe	85
PID 1436 wrote to memory of 3632	1436	chrome.exe	85
PID 1436 wrote to memory of 3632	1436	chrome.exe	85
PID 1436 wrote to memory of 3632	1436	chrome.exe	85
PID 1436 wrote to memory of 3632	1436	chrome.exe	85
PID 1436 wrote to memory of 3632	1436	chrome.exe	85
PID 1436 wrote to memory of 3632	1436	chrome.exe	85
PID 1436 wrote to memory of 4544	1436	chrome.exe	86
PID 1436 wrote to memory of 4544	1436	chrome.exe	86
PID 1436 wrote to memory of 4972	1436	chrome.exe	87
PID 1436 wrote to memory of 4972	1436	chrome.exe	87
PID 1436 wrote to memory of 4972	1436	chrome.exe	87
PID 1436 wrote to memory of 4972	1436	chrome.exe	87
PID 1436 wrote to memory of 4972	1436	chrome.exe	87
PID 1436 wrote to memory of 4972	1436	chrome.exe	87
PID 1436 wrote to memory of 4972	1436	chrome.exe	87
PID 1436 wrote to memory of 4972	1436	chrome.exe	87
PID 1436 wrote to memory of 4972	1436	chrome.exe	87
PID 1436 wrote to memory of 4972	1436	chrome.exe	87
PID 1436 wrote to memory of 4972	1436	chrome.exe	87
PID 1436 wrote to memory of 4972	1436	chrome.exe	87
PID 1436 wrote to memory of 4972	1436	chrome.exe	87
PID 1436 wrote to memory of 4972	1436	chrome.exe	87
PID 1436 wrote to memory of 4972	1436	chrome.exe	87
PID 1436 wrote to memory of 4972	1436	chrome.exe	87
PID 1436 wrote to memory of 4972	1436	chrome.exe	87
PID 1436 wrote to memory of 4972	1436	chrome.exe	87
PID 1436 wrote to memory of 4972	1436	chrome.exe	87
PID 1436 wrote to memory of 4972	1436	chrome.exe	87
PID 1436 wrote to memory of 4972	1436	chrome.exe	87
PID 1436 wrote to memory of 4972	1436	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://185.74.222.145:64
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd82de9758,0x7ffd82de9768,0x7ffd82de9778
  2⤵
  PID:4040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1864,i,16320659248365117974,17806668513353231674,131072 /prefetch:2
  2⤵
  PID:3632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1864,i,16320659248365117974,17806668513353231674,131072 /prefetch:8
  2⤵
  PID:4544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2192 --field-trial-handle=1864,i,16320659248365117974,17806668513353231674,131072 /prefetch:8
  2⤵
  PID:4972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2840 --field-trial-handle=1864,i,16320659248365117974,17806668513353231674,131072 /prefetch:1
  2⤵
  PID:3580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2832 --field-trial-handle=1864,i,16320659248365117974,17806668513353231674,131072 /prefetch:1
  2⤵
  PID:4412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4652 --field-trial-handle=1864,i,16320659248365117974,17806668513353231674,131072 /prefetch:8
  2⤵
  PID:1388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 --field-trial-handle=1864,i,16320659248365117974,17806668513353231674,131072 /prefetch:8
  2⤵
  PID:1092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1600 --field-trial-handle=1864,i,16320659248365117974,17806668513353231674,131072 /prefetch:8
  2⤵
  PID:3724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5224 --field-trial-handle=1864,i,16320659248365117974,17806668513353231674,131072 /prefetch:8
  2⤵
  PID:3016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5116 --field-trial-handle=1864,i,16320659248365117974,17806668513353231674,131072 /prefetch:8
  2⤵
  PID:3288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4744 --field-trial-handle=1864,i,16320659248365117974,17806668513353231674,131072 /prefetch:8
  2⤵
  PID:4444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5356 --field-trial-handle=1864,i,16320659248365117974,17806668513353231674,131072 /prefetch:8
  2⤵
  PID:1444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1600 --field-trial-handle=1864,i,16320659248365117974,17806668513353231674,131072 /prefetch:8
  2⤵
  PID:3448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1600 --field-trial-handle=1864,i,16320659248365117974,17806668513353231674,131072 /prefetch:8
  2⤵
  PID:3192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5320 --field-trial-handle=1864,i,16320659248365117974,17806668513353231674,131072 /prefetch:8
  2⤵
  PID:4476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5356 --field-trial-handle=1864,i,16320659248365117974,17806668513353231674,131072 /prefetch:8
  2⤵
  PID:1808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4984 --field-trial-handle=1864,i,16320659248365117974,17806668513353231674,131072 /prefetch:8
  2⤵
  PID:2436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5332 --field-trial-handle=1864,i,16320659248365117974,17806668513353231674,131072 /prefetch:8
  2⤵
  PID:2744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3984 --field-trial-handle=1864,i,16320659248365117974,17806668513353231674,131072 /prefetch:8
  2⤵
  PID:1340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 --field-trial-handle=1864,i,16320659248365117974,17806668513353231674,131072 /prefetch:8
  2⤵
  PID:2864
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" "C:\Users\Admin\Downloads\ak12sd3.ps1"
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 --field-trial-handle=1864,i,16320659248365117974,17806668513353231674,131072 /prefetch:8
  2⤵
  PID:5096
- C:\Users\Admin\Downloads\sjdsn.exe
  "C:\Users\Admin\Downloads\sjdsn.exe"
  2⤵
  - Executes dropped EXE
  PID:3232
- C:\Users\Admin\Downloads\sjhduieo.exe
  "C:\Users\Admin\Downloads\sjhduieo.exe"
  2⤵
  - Executes dropped EXE
  PID:4980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1104 --field-trial-handle=1864,i,16320659248365117974,17806668513353231674,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1016

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4356

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Users\Admin\Downloads\ak12sd3.ps1'"
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:3900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
1f653db2cf0b06a5e620c64ce1b592a4

SHA1
896409241f9abc28739bb3c11f8cbee19e549a21

SHA256
256e8d2b9df997b6940abb08efd5ac1421e45ff2f337f837a74b12ab9a4c0ec3

SHA512
b3a2d2978002519abd51ffb0e217fa59d5c6a01982854e80785e36424a3060e3e813e023bacccc5eb09375093317db84090ffcc34040a0c37a502601e515d5b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2327b25eac846609a87c0850de9d2b9b

SHA1
e3bcde8f4c8ffba39f5dc417e2bce616b1337fef

SHA256
217c653be16f73bd7ee4009a1d8dd2886db267e81877cbab3fcfd43b67bfed53

SHA512
744c5059a3d4dba505d84eba148fff018b46d38adc1497a22f094b88a2829d01021a95f97edaba9be228bba14d578520512153dc573c69073da69f9e39e99c41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5d9f2e906cb294c2ca95e51a3b8afc59

SHA1
346631780335cc2b1674a8171d7add9ebbed76f5

SHA256
8cee82cac910f44901c1fec14c7587c2543e002d819395fb988aa69f9a231dd5

SHA512
5811c1ff99295a214ef13b1bdf6ac8b84227d94c1623e00f9026cd93404b16479dd39be5025de27ebbdd979314003743bae4838fc20e44bcea7a83748c611ee6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
176f81a270d32b71de1ff86ed0136cf1

SHA1
f4ccf84f830e2f51ba53206dcefbe39872bf9651

SHA256
a870b234514ee10a12f91955d749974e40a67cea9bba6c08c47376601feae4ce

SHA512
0d26a0b12809b95acbca018dccfab2ca43babe65da06d04c27d3ce072e9af19a1cbf9816253e151c248710ae31eaa0c4bdef476c40c04f2e1cc358c918ee41fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
317b4377067c63662f67ac5725d84122

SHA1
0860e8325ca6e90ad60441e07500310dd5fd793b

SHA256
40a7f36c69e9ac66fdaf2ed723a543d0e4ba81e65dee9716a814d2b0fee6ea4e

SHA512
1344fed8590f7e25ad377e0c0972db895a04b2831060976d00a888aa882d0eaa6ebdec094ceb95fa2a2e7e0642b41d3fc8060ade9f5b9863d57d69e6dee3ba47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
9a24c1c143c41544cf06addec345e6d8

SHA1
387f09cdf4593082cf256977a9a9255218074334

SHA256
fa4dc1e81189efbdd51767341a2de1b6d6659712758c38cf7984376f43ae2ff8

SHA512
e2a35838fbe9970579082ce87c415d575be530b132bbd177484e306c41d6046e8dc3798124ff300c118a32ea8c3c058ebcd04df681fc0722de8a55dd5a9fabb9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
103KB

MD5
a403a91f3445706e75ad2944d0c7f16b

SHA1
6273e5cc9ffa1b00979da78212c505a5d6552747

SHA256
6c20359d4ace4e60c04544786f1802d16a9afe82f58f8923adf32d334f4cf422

SHA512
8127acc4db12f669c046b159270ac46738c2b4aff7b94873bdbfb0e2d27209551c9403ec9fc705a85922dd487d1f825daa5d1c9dc99675e0a934f93860d77aec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
111KB

MD5
c0ccd5c2bfc91f96bfa16fe982b14b0b

SHA1
7969f47bd225067145e524a20f3a092244578a1f

SHA256
a298c864c7b5eeeb71216f9ef641f381dc1b882ef5106102fa9a50c947f58bc7

SHA512
b160ce3e3853a1eb60295dfa2f825674432e567f2d71e9ee49f2407359b2f48f1c606722eabc02afd98a435c3c582c437269b22cc6ac69cf980cf617b066c1f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58b1b7.TMP

Filesize
97KB

MD5
575447bcdde0b8ed1b7d56405524099e

SHA1
3666d921fb1173379fc7b448a71df6a9d5f7c399

SHA256
0cfc7cdbd15674d3aba0ea852a3670d2e9f0ab8a5cc49a213819d15dfc7bd9dc

SHA512
d974b30ece49302e6caaab18e022890cdd85dc063e548cdad68e5d4b9d8671c4d9f148399dca14533c3b503528d7a500d942c6a30b3d999182967c591b570e42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_flgasppv.2si.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 652830.crdownload

Filesize
1.9MB

MD5
84ac5bc8923c9efac313cefb83028d66

SHA1
55242518eba4aa39c6221a72885b4b195a468c38

SHA256
33cb66c84213932b37696653edb0a8522c30d57b9614ed7dcf7d8d0765aa904b

SHA512
4689072a7bd62e2297dbd9070eccb68163297ba1fec6fc9416bebd7598cd4d59719b677e2d187f3c25bece70d164210c48e4d5510b267eba00b0de1f0c64e375

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 749083.crdownload

Filesize
19KB

MD5
52c68d1f2b5e9809323785ba02188315

SHA1
4e54237e8cb5e261b97df01520e18e4b605d19ca

SHA256
2f9c3e25906dfede820b081f130f77b6cadc270f63e7f385e9ed8f3a7ac9d574

SHA512
35b9b037dcec740e302bbd4e79895423f0c2c340ffd9037350b081fca44dce79bcebb1a219471a1bcba7fa4eb383a7f5c86bd8804767c84dc4897f637e0dd0ec

Download Submit
C:\Users\Admin\Downloads\ak12sd3.ps1

Filesize
3KB

MD5
d0993087feee9d132bf5291e67ce7a4c

SHA1
34e29e2284ce70e02b935a1d6eaf775bd9d8916d

SHA256
593e19e58bd2fecad92114a6aed1b5049066990bc62f2c6d5df8cce3a6cf9ce6

SHA512
57e5bbd01bb46d6992c50dfc17a7ddb3c638a3f0d37b2b0fa1c43e4fb5ab5fdda7f564f57444bc683bcae37822665af2a1d06ccbe93071bfd57ca6d228abe90a

Download Submit
C:\Users\Admin\Downloads\sjdsn.exe

Filesize
871KB

MD5
759d9c7aadec371ec32028df0d9819d0

SHA1
a62d2af0a926425dff824cc3d7c59d38337b1cfd

SHA256
945b7015f0467e7dc5851344f81871728a0a3fe84c36c22c032e88c32324854d

SHA512
12df27a3a7ed8ceeda237a4e91b3e52f9b5f8b1597ce19dbd889de4062e9fa0c38201e7259a6bddc4ca3c9e0b63333a76a95998a046ff651c2105b678efcbf5d

Download Submit
C:\Users\Admin\Downloads\sjdsn.exe

Filesize
786KB

MD5
6ece1da4dbbd7fd1917accb793df3988

SHA1
f83a0c9d6f457bce3fb38294f5c3b36f61b875f4

SHA256
f7df6bc8c171b58e3ab53ca2092fa0386b7860e2504e667c7ea4de38bed98876

SHA512
722241f27ca57677096e8342f21f851fcb72e59f4159be2da06fcb7e8877ffafba667dd14e56f653c0fd5a4ecdcff25a67b019c9583b59b811327b18fb27754b

Download Submit
memory/3900-166-0x0000028BDBAF0000-0x0000028BDBB00000-memory.dmp

Filesize
64KB

Download
memory/3900-163-0x00007FFD70360000-0x00007FFD70E21000-memory.dmp

Filesize
10.8MB

Download
memory/3900-167-0x0000028BDBBA0000-0x0000028BDBBA1000-memory.dmp

Filesize
4KB

Download
memory/3900-164-0x0000028BDBAF0000-0x0000028BDBB00000-memory.dmp

Filesize
64KB

Download
memory/3900-165-0x0000028BDBAF0000-0x0000028BDBB00000-memory.dmp

Filesize
64KB

Download
memory/3900-190-0x00007FFD70360000-0x00007FFD70E21000-memory.dmp

Filesize
10.8MB

Download
memory/3900-191-0x0000028BDBAF0000-0x0000028BDBB00000-memory.dmp

Filesize
64KB

Download
memory/3900-192-0x0000028BDBAF0000-0x0000028BDBB00000-memory.dmp

Filesize
64KB

Download
memory/3900-193-0x0000028BDBAF0000-0x0000028BDBB00000-memory.dmp

Filesize
64KB

Download
memory/3900-162-0x0000028BDBC30000-0x0000028BDBC52000-memory.dmp

Filesize
136KB

Download
memory/3900-205-0x00007FFD70360000-0x00007FFD70E21000-memory.dmp

Filesize
10.8MB

Download
memory/4980-184-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/4980-194-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download