Analysis
- max time kernel: 218s
- max time network: 221s
- platform: windows10-1703_x64
- resource: win10-20240221-en
- resource tags: arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 09-03-2024 08:58
- Static task: static1
General
- Target: a049569e05f2779c0a7ee5878a1fc018f18d2a64cc3c218c3d4466f22cbf42c8.exe
- Size: 332KB
- MD5: 35f4dfda6011343654098c1cd97e05e7
- SHA1: 5a7c146826d6f17df66e5098ca73c9facea0a14c
- SHA256: a049569e05f2779c0a7ee5878a1fc018f18d2a64cc3c218c3d4466f22cbf42c8
- SHA512: 9b1af4510984408b7b131e923899bb4b0dab3c6306f7f77b895f456b045cc235a1cc12813af4c94197959481631d02de0e3589cac9086ab35a0a26ff067100fb
- SSDEEP: 6144:l6TfhhKRMEKtfmA34rx+9IS/nZnwDk2Io9Io6fF3R/QDFpDm1JawWUSUWukeHPpf:qhhKQF/qvIo9Io6fFhupAJaj41Kepx
Malware Config
- Extracted: gozi (the family also tracked as Ursnif/ISFB)
- build: 216890
Signatures

Only PID 4128 (the submitted sample) and the svchost.exe it spawned (PID 3908) belong to the sample's process tree. chrome.exe (PID 3040 and its children), taskmgr.exe (PID 5116), elevation_service.exe, rundll32.exe and 7682b842ed75b69e23c5deecf05a45ee79c723d98cfb6746380d748145bfc1af.exe (PID 2900, run from C:\Users\Admin\Desktop\virus) are separate top-level processes in this run (see Processes), so signatures attributed to them describe that activity, not the sample. "procid_target" is the report's own process index, not a Windows PID.

Suspicious use of SetThreadContext (1 IoC)
- PID 4128 a049569e05f2779c0a7ee5878a1fc018f18d2a64cc3c218c3d4466f22cbf42c8.exe set thread context of PID 3908 (procid_target 73)
  Combined with the five WriteProcessMemory calls and the MapViewOfSection hit from the same process against the same target, and with the target being a svchost.exe that the sample itself launched with no -k service-group argument (a legitimate svchost.exe is started by services.exe with one), this is the footprint of writing a payload into a freshly created system process and pointing one of its threads at it.

Drops file in Windows directory (2 IoCs)
- File created: C:\Windows\rescache\_merged\4183903823\810424605.pri (taskmgr.exe)
- File created: C:\Windows\rescache\_merged\1601268389\3877292338.pri (taskmgr.exe)

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (taskmgr.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
  All three reads come from Task Manager, which shows the disk's friendly name in its Performance view; they are not evidence of environment checks by the sample.

Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)

Modifies data under HKEY_USERS (2 IoCs)
- Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry (chrome.exe)
- Set value (int): \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133544484694314486" (chrome.exe)

Modifies registry class (1 IoC)
- Key created: \REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings (chrome.exe)

Suspicious behavior: EnumeratesProcesses (45 IoCs)
- PID 3040 chrome.exe (2), PID 2900 7682b842ed75b69e23c5deecf05a45ee79c723d98cfb6746380d748145bfc1af.exe (2), PID 2772 chrome.exe (2), PID 5116 taskmgr.exe (the remaining 39)

Suspicious behavior: MapViewOfSection (1 IoC)
- PID 4128 a049569e05f2779c0a7ee5878a1fc018f18d2a64cc3c218c3d4466f22cbf42c8.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
- PID 3040 chrome.exe (7). Chrome applies the block-non-Microsoft-binaries mitigation to its own child processes, so this is expected browser behaviour.

Suspicious use of AdjustPrivilegeToken (64 IoCs)
- PID 3040 chrome.exe, alternating Token: SeShutdownPrivilege and Token: SeCreatePagefilePrivilege (64 entries)

Suspicious use of FindShellTrayWindow (64 IoCs)
- PID 3040 chrome.exe, then PID 5116 taskmgr.exe (64 entries)

Suspicious use of SendNotifyMessage (64 IoCs)
- PID 3040 chrome.exe, then PID 5116 taskmgr.exe (64 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
- PID 4128 a049569e05f2779c0a7ee5878a1fc018f18d2a64cc3c218c3d4466f22cbf42c8.exe wrote to memory of PID 3908 (procid_target 73), 5 times
- PID 3040 chrome.exe wrote to memory of PID 364 (procid_target 76), 2 times
- PID 3040 chrome.exe wrote to memory of PID 2968 (procid_target 78), repeated
- PID 3040 chrome.exe wrote to memory of PID 3588 (procid_target 79), 2 times
- PID 3040 chrome.exe wrote to memory of PID 3324 (procid_target 80), repeated
  The chrome.exe entries are the browser passing startup data to its own crashpad, GPU, network and storage children (PIDs 364, 2968, 3588 and 3324 under Processes); only the PID 4128 entries concern the sample.
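The signature records above are flattened one-line tables, and the one finding that matters (the same source process both writing into a target and replacing a thread context there) is easy to miss among the chrome.exe noise. The following script is an added example for this page, not tooling from the sandbox vendor: it parses records in the shapes visible in this Signatures section (the `PID A <verb> B A <image> N` memory records and the `Key ... <path> <image>` registry records, and nothing more general), correlates write-plus-SetThreadContext pairs per (source, target), and tags registry reads that hit the SCSI and BIOS fingerprinting keys by the process that made them. The embedded input is copied from the report; the `triage` function and its output keys are this example's own.

```python
"""Correlate flattened sandbox signature records into triage findings.

Added example for this page; not the sandbox's own export parser.  The
regexes assume the record shapes visible in the report's Signatures section.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Sample input copied from the report above: the one SetThreadContext hit,
# the five WriteProcessMemory hits against the same target, two of the
# chrome.exe writes (kept so the correlation has noise to ignore) and three
# of the registry reads.
REPORT = r"""
PID 4128 set thread context of 3908 4128 a049569e05f2779c0a7ee5878a1fc018f18d2a64cc3c218c3d4466f22cbf42c8.exe 73
PID 4128 wrote to memory of 3908 4128 a049569e05f2779c0a7ee5878a1fc018f18d2a64cc3c218c3d4466f22cbf42c8.exe 73
PID 4128 wrote to memory of 3908 4128 a049569e05f2779c0a7ee5878a1fc018f18d2a64cc3c218c3d4466f22cbf42c8.exe 73
PID 4128 wrote to memory of 3908 4128 a049569e05f2779c0a7ee5878a1fc018f18d2a64cc3c218c3d4466f22cbf42c8.exe 73
PID 4128 wrote to memory of 3908 4128 a049569e05f2779c0a7ee5878a1fc018f18d2a64cc3c218c3d4466f22cbf42c8.exe 73
PID 4128 wrote to memory of 3908 4128 a049569e05f2779c0a7ee5878a1fc018f18d2a64cc3c218c3d4466f22cbf42c8.exe 73
PID 3040 wrote to memory of 364 3040 chrome.exe 76
PID 3040 wrote to memory of 2968 3040 chrome.exe 78
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe
"""

MEM_RE = re.compile(
    r"PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<target>\d+) \d+ (?P<proc>\S+) (?P<procid>\d+)$"
)
REG_RE = re.compile(
    r"(?P<op>Key opened|Key value queried|Key created) (?P<path>\\REGISTRY\\\S+) (?P<proc>\S+)$"
)


@dataclass(frozen=True)
class MemEvent:
    src_pid: int
    verb: str           # "set thread context of" | "wrote to memory of"
    target_pid: int
    process: str        # image name of the source process
    procid_target: int  # the report's internal process index, not a PID


@dataclass(frozen=True)
class RegEvent:
    op: str
    path: str
    process: str


def parse_report(text):
    """Split the flattened records into memory-access and registry events."""
    mem, reg = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := MEM_RE.match(line):
            mem.append(MemEvent(int(m["src"]), m["verb"], int(m["target"]),
                                m["proc"], int(m["procid"])))
        elif r := REG_RE.match(line):
            reg.append(RegEvent(r["op"], r["path"], r["proc"]))
    return mem, reg


def injection_pairs(mem):
    """(source, target) -> number of cross-process writes, for every pair where
    the source also replaced a thread context in the target.  Either API alone
    is common in benign software (chrome.exe writes to its own children here);
    the combination against one target is the hollowing / hijack tell."""
    writes = Counter((e.src_pid, e.target_pid)
                     for e in mem if e.verb == "wrote to memory of")
    hijacked = {(e.src_pid, e.target_pid)
                for e in mem if e.verb == "set thread context of"}
    return {pair: writes[pair] for pair in hijacked}


# Registry locations that VM / sandbox checks read.  Matching is by path only,
# so the caller still has to look at *which* process read them.
ANTI_ANALYSIS_KEYS = (
    ("\\Enum\\SCSI\\", "disk vendor / model strings"),
    ("\\HARDWARE\\DESCRIPTION\\System\\BIOS", "BIOS manufacturer / product"),
)


def anti_analysis_reads(reg):
    """(process, reason, path) for registry reads hitting a fingerprinting key."""
    hits = []
    for e in reg:
        for needle, reason in ANTI_ANALYSIS_KEYS:
            if needle.lower() in e.path.lower():
                hits.append((e.process, reason, e.path))
                break
    return hits


def triage(text, sample_pid):
    """Separate what is attributable to the sample from other processes' noise."""
    mem, reg = parse_report(text)
    pairs = injection_pairs(mem)
    fingerprinting = anti_analysis_reads(reg)
    return {
        "injection_by_sample": {t: n for (s, t), n in pairs.items() if s == sample_pid},
        "injection_by_others": {(s, t): n for (s, t), n in pairs.items() if s != sample_pid},
        "fingerprinting_processes": sorted({p for p, _, _ in fingerprinting}),
    }


if __name__ == "__main__":
    print(triage(REPORT, sample_pid=4128))
```

On this report the result attributes the injection to PID 4128 against PID 3908 only, and shows that every fingerprinting read came from chrome.exe or taskmgr.exe, which is the attribution question an analyst has to answer before calling the SCSI signature an anti-analysis finding.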
Processes

- C:\Users\Admin\AppData\Local\Temp\a049569e05f2779c0a7ee5878a1fc018f18d2a64cc3c218c3d4466f22cbf42c8.exe
  PID: 4128
  command line: "C:\Users\Admin\AppData\Local\Temp\a049569e05f2779c0a7ee5878a1fc018f18d2a64cc3c218c3d4466f22cbf42c8.exe"
  signatures: Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
  children:
  - C:\Windows\system32\svchost.exe
    PID: 3908
    command line: C:\Windows\system32\svchost.exe

- C:\Program Files\Google\Chrome\Application\chrome.exe
  PID: 3040
  command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  signatures: Enumerates system info in registry; Modifies data under HKEY_USERS; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  children:
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    PID: 364
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff8d47a9758,0x7ff8d47a9768,0x7ff8d47a9778
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    PID: 2968
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1572 --field-trial-handle=1740,i,6287164183074699016,10035274841118650521,131072 /prefetch:2
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    PID: 3588
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 --field-trial-handle=1740,i,6287164183074699016,10035274841118650521,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    PID: 3324
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2052 --field-trial-handle=1740,i,6287164183074699016,10035274841118650521,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    PID: 4800
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3012 --field-trial-handle=1740,i,6287164183074699016,10035274841118650521,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    PID: 1856
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3024 --field-trial-handle=1740,i,6287164183074699016,10035274841118650521,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    PID: 996
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4420 --field-trial-handle=1740,i,6287164183074699016,10035274841118650521,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    PID: 4280
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4784 --field-trial-handle=1740,i,6287164183074699016,10035274841118650521,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    PID: 3936
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4784 --field-trial-handle=1740,i,6287164183074699016,10035274841118650521,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    PID: 2344
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4524 --field-trial-handle=1740,i,6287164183074699016,10035274841118650521,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    PID: 436
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3664 --field-trial-handle=1740,i,6287164183074699016,10035274841118650521,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    PID: 4888
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5296 --field-trial-handle=1740,i,6287164183074699016,10035274841118650521,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    PID: 2924
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 --field-trial-handle=1740,i,6287164183074699016,10035274841118650521,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    PID: 4388
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3156 --field-trial-handle=1740,i,6287164183074699016,10035274841118650521,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    PID: 4916
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3220 --field-trial-handle=1740,i,6287164183074699016,10035274841118650521,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    PID: 4468
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5784 --field-trial-handle=1740,i,6287164183074699016,10035274841118650521,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    PID: 2772
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5616 --field-trial-handle=1740,i,6287164183074699016,10035274841118650521,131072 /prefetch:2
    signatures: Suspicious behavior: EnumeratesProcesses

- C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  PID: 4420
  command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

- C:\Windows\System32\rundll32.exe
  PID: 1796
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

- C:\Users\Admin\Desktop\virus\7682b842ed75b69e23c5deecf05a45ee79c723d98cfb6746380d748145bfc1af.exe
  PID: 2900
  command line: "C:\Users\Admin\Desktop\virus\7682b842ed75b69e23c5deecf05a45ee79c723d98cfb6746380d748145bfc1af.exe"
  signatures: Suspicious behavior: EnumeratesProcesses

- C:\Windows\system32\taskmgr.exe
  PID: 5116
  command line: "C:\Windows\system32\taskmgr.exe" /7
  signatures: Drops file in Windows directory; Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads

Only the last entry carries a path. That file, a partial Chrome download under the analyst's Downloads folder, and the 7682b842ed75b69e23c5deecf05a45ee79c723d98cfb6746380d748145bfc1af.exe run from C:\Users\Admin\Desktop\virus belong to the browser activity in this run, not to the sample's own behaviour.

- Filesize: 120B
  MD5: 1e273f17ee69787b07da1f0916fdf6b4
  SHA1: e691206b56d252a4143ca78d1fef547f3303d6ed
  SHA256: e93b4a0ce3ceaae7ed56235c11eb07ce199cab4d8ebbfe3bfd651d0548350daf
  SHA512: b4df1f76c443fe06f8f4448d4b6b2c26d3b0c62e39dcb189550b57c8b4064c0921256deafcd846a00c3079be92fb282ab82279a8a237e754e19f293a004e94f4
- Filesize: 1KB
  MD5: 9e96caf0672cec37f325a0908427f746
  SHA1: 51b786a6561cf691ff3351b2914928c3a437bfcc
  SHA256: e7936f1eb8adec181897500ae1b815c4277a19c7d994b8de51e1f39cbe09eb3e
  SHA512: 28117727f2609297030e4e2ab591b3e5ea1e23f688b6102e45fe152ab8d556ef69c05c2aae6a1f5b36bbda1774429812f78d395cc281d2ff45df400f7373214e
- Filesize: 2KB
  MD5: 706a1ef251e577832b1e02cb8f2bc2a2
  SHA1: f53f3a5529118b906cb080da64bce416387d7b43
  SHA256: 053ce920f5ede4b76f4cfa5c965a55e06c910a4435e727e8a7d0a257d845db63
  SHA512: 07e9e87e5a4601b8ff7464a230ee6f47d333d59e2c02d1d5d0408cd5ea900088a331a8907f7b9ffa1533d5c650009c88ea5e920a616567de93e2d17b2b81c0ce
- Filesize: 1KB
  MD5: 90453c24ffcf5f913ba3cbc0119b6624
  SHA1: 4e875db7fd1520aab9bc3213ab7fe03641483b66
  SHA256: 909b954d109edbd02a538413fc5c6f152694749b2320cf03225c2b5485d47fc8
  SHA512: 7cbc8632d9d21d76ab63a162b1ffb8c85b444f0a2ff621bb7e0e4037d7c19b9e6572f5dc1ffdada962f3cfd69b9741fe389e867f40f37cf7531d37fa06fa95b1
- Filesize: 1KB
  MD5: bbf9dcdb0e1186f70650134e29bf6205
  SHA1: acec37731ca3455dbeceffce3d6825ea8601853c
  SHA256: 6fffdf8ae6bcd31499938b372773e0cc12e253e768e3d69e2d6f6bf5009ac83c
  SHA512: 30423cdfee3f54f1052d0b724164392d4a5a7a0f29401dbfaae53b7ed29d7c874c68f6c8192a34d3f15085ae36eb1915131097699df83f1ad3091921cd885c91
- Filesize: 371B
  MD5: 5fcb15161d58544120be287fb0140dd7
  SHA1: 1670cce869f0a76bd0c6d3d8bc570524d258cf20
  SHA256: 9c8c96ab7554e7d1335f6c3cc220e08c3a094d59cd42476ac589a09bfda45634
  SHA512: c15fbae0fdb54d0f02954b4bd5be50a57cde4778bfd549f0bf7de0085ffe9951b372fcf278744d2a029b155b525c399e531fca2174d6186a506da879ec555e50
- Filesize: 371B
  MD5: e1932f93b087327e2983866fa11fe658
  SHA1: 283393b4dc344de1955aefe006ba2d8b84536fed
  SHA256: c91adab6d87f17dacfb04d725aeeba169febead03e0f83188d105f897c9d2e07
  SHA512: a4aa7db33c9873747da3ae7e1a513f44389abc9918c5b076279b3c0f347a84eb40059a9bf994377c66e2cb91069780fe01fe6a1ebb6210cfa53cdaaf50dc482c
- Filesize: 8KB
  MD5: e084a87beff499c88740ca3583e6fe24
  SHA1: 6ab98bd3c45978e1092ac23ef175a09b391f00a6
  SHA256: 33249d8326373e80a60412be54eb660c9e7e288c594701066945318ac79eaf40
  SHA512: f1b2b8d932a87154f669ee43e4d202a0b2245c61a59119a0a5bf7272e08dc4a751a82c1eb8b0acc2d3616fe814e1beb973351930ed631907d075b9ece230b302
- Filesize: 8KB
  MD5: a0343acdccdf0340bd295025027c871f
  SHA1: c1fc146486c094d21fe76fa7451f7723bbb820b9
  SHA256: 64194280b316a87e0e5c2b8176653cfc147916d3f44136778a504b070255f30b
  SHA512: 74ca825d756a3583acf95be7d22338aefe7a710bba42587da717be540b37b10769fbcd67657042a582250fc87a691607fca2f42a8ebdeffb3d80f2cb191a2729
- Filesize: 7KB
  MD5: bd324042a16aca4b0afbd05783c42e0a
  SHA1: 6d1f16096ba313cd89b95d06d0f26b0372de69e5
  SHA256: ef1780916f177c6e335ef87638de7d8fcdeee96ddebc44f88f454314deadecbd
  SHA512: c7045e73e81de9444f60e63777bcd035505e35655f750fd3aec5c166613167516b031b160508ecd93406d0e3d45f05aa1f6adfeef034e98c34429974952b4e94
- Filesize: 258KB
  MD5: b86b16fbd1818cbb638c6baa97c64868
  SHA1: 13ddd3f4e319083013486fe5d69abf9128b8bdee
  SHA256: 3e11b6d5e770e42d1d95544e0555ecbbdf6cfd957b41bb41f20f164111b479ef
  SHA512: 2046bfbaec0c5c7884c978372a59533ffed1e215de42448963427d9f46e03022002956e3dcf88f28cc816f2c0c2257cd91d1a1d9389d51b2a3414ef9d80a7c8e
- Filesize: 109KB
  MD5: 0e8aa4666b24a21512a7cc6fb2b42fa3
  SHA1: 1cf0c781f1f26f49d217160d45077f93f9d9b469
  SHA256: b4f4942d1f930f13c4d76287fb572e80398f5610987325ce7009b35300dd6615
  SHA512: fba802dfd9cfb50a6102f8631bb552c5507f011e107cd947474f8ed7b8b40c98077aa84fce8f67f032b42e7c2b5e0d4a6c2770115b645a161a3a60ddad66ef7e
- Filesize: 93KB
  MD5: d423b11fcde56fe8675226298a9cf863
  SHA1: 2ac6735506364ff363d1f504cb612ae9f85fe0ce
  SHA256: 3fe6e05b32e753ab2b46bca4fd65aa2e4a0281ecc9e36dab25b0e336985e6c34
  SHA512: 8dd12c1ed633f245285f88f6524456f70ba41c385b6d5dd37ebe23bdaced46e214129b7ea0219510e0927e7d1052c8ce2cc04f6eb82b8b418ed42e5ae061750f
- Filesize: 2B
  MD5: 99914b932bd37a50b983c5e7c90ae93b
  SHA1: bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
  SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
  SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
- C:\Users\Admin\Downloads\7682b842ed75b69e23c5deecf05a45ee79c723d98cfb6746380d748145bfc1af.zip.crdownload
  Filesize: 256KB
  MD5: cfc331cbcb0d62f6b3dd31c4032109bd
  SHA1: 09d915a6e9cbfe02869cb035b9762eb0ee15b822
  SHA256: b56601c1bfa1c8327c0d2573c9424aed6a67e74ea890e558f6c0b80d1c78410b
  SHA512: 5e9640a6e40a2b754d5d9c42630bc2363be8a4f84bee18a8f743e6017e57e739f28dde191ee333473af97ef47c322c8c721f28d40e218d5b5532364f8d465d7e
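When an artifact from this list is pulled out of the sandbox for further work, the first check is that its bytes are the ones the sandbox hashed, and with most entries carrying no path the only way to tell which entry a retrieved file is, is by its digests. The script below is an added example for this page, not sandbox tooling: it parses the Downloads layout the export uses (a lone `-` between entries, the algorithm label fused to the hex, an optional path line, and the `Filesize` value either on the same line or the next one; it also accepts the `MD5: ...` spelling), hashes a byte string or a file all four ways, and matches the result against the list. The embedded input is two entries copied from this section; running it also confirms that the 2-byte artifact is the literal JSON `{}`, since all four of its listed digests are the digests of that string.

```python
"""Identify a retrieved artifact against a sandbox report's Downloads list.

Added example for this page, not the sandbox's own tooling.  Parses the
"Filesize / MD5<hex> / SHA1<hex> / ..." layout shown on the page (and the
"MD5: <hex>" variant) and compares it with freshly computed digests.
"""
import hashlib
import re

# Two entries copied from the report's Downloads section: the 2-byte artifact
# and the .crdownload that carries a path.
DOWNLOADS = r"""
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
C:\Users\Admin\Downloads\7682b842ed75b69e23c5deecf05a45ee79c723d98cfb6746380d748145bfc1af.zip.crdownload
Filesize256KB
MD5cfc331cbcb0d62f6b3dd31c4032109bd
SHA109d915a6e9cbfe02869cb035b9762eb0ee15b822
SHA256b56601c1bfa1c8327c0d2573c9424aed6a67e74ea890e558f6c0b80d1c78410b
SHA5125e9640a6e40a2b754d5d9c42630bc2363be8a4f84bee18a8f743e6017e57e739f28dde191ee333473af97ef47c322c8c721f28d40e218d5b5532364f8d465d7e
"""

ALGOS = ("md5", "sha1", "sha256", "sha512")
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
# Longest label first so "SHA256..." is never read as "SHA1" + "256...".
LABEL_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5):?\s*([0-9a-f]+)$", re.I)
PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_downloads(text):
    """Return one dict per entry: filesize, optional path, and the digests."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-" or line.startswith("- "):
            if cur:
                entries.append(cur)
            cur = {}
            line = line[1:].strip()          # a bullet may carry the first field
            if not line:
                continue
        if cur is None or not line:
            continue
        m = LABEL_RE.match(line)
        if m:
            algo, hexdigest = m.group(1).lower(), m.group(2).lower()
            if len(hexdigest) != HEX_LEN[algo]:
                raise ValueError(f"{algo} digest has the wrong length: {line}")
            cur[algo] = hexdigest
        elif line.lower().startswith("filesize"):
            value = line[len("Filesize"):].lstrip(": ").strip()
            cur["filesize"] = value or None  # value may sit on the next line
        elif cur.get("filesize", "") is None:
            cur["filesize"] = line
        elif PATH_RE.match(line):
            cur["path"] = line
    if cur:
        entries.append(cur)
    return entries


def digests(data: bytes):
    """All four digests of an in-memory artifact, keyed by algorithm."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def digests_of_file(path, chunk=1 << 20):
    """Same four digests, streamed, for artifacts too large to slurp."""
    hashes = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashes.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashes.items()}


def mismatches(computed, entry):
    """Algorithms on which the computed digests disagree with a report entry.
    Empty means the bytes are the ones the sandbox saw; a partial disagreement
    means a transcription error in the report or in the copy being checked."""
    return [a for a in ALGOS if a in entry and entry[a] != computed[a]]


def identify(data, entries):
    """The report entry that matches `data` on every digest it lists, or None."""
    computed = digests(data)
    for entry in entries:
        if not mismatches(computed, entry):
            return entry
    return None


if __name__ == "__main__":
    found = identify(b"{}", parse_downloads(DOWNLOADS))
    print("2B artifact is '{}':", found is not None and found["filesize"] == "2B")
```

Matching on every listed digest rather than only SHA256 is deliberate: a single disagreeing algorithm points at a copy or transcription problem, which is worth knowing before the artifact goes into a ticket under the report's hashes.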