hxxps://www[.]upload[.]ee/files/16588573/CAI21000-Patch-Kriggi[.]rar[.]html

Analysis

max time kernel
90s
max time network
92s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
25/05/2024, 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.upload.ee/files/16588573/CAI21000-Patch-Kriggi.rar.html

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000100000002aa26-162.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
3348	CAI.v21.0.0.0.Architect.exe

Loads dropped DLL 7 IoCs

pid	Process
3348	CAI.v21.0.0.0.Architect.exe
3348	CAI.v21.0.0.0.Architect.exe
3348	CAI.v21.0.0.0.Architect.exe
3348	CAI.v21.0.0.0.Architect.exe
3348	CAI.v21.0.0.0.Architect.exe
3348	CAI.v21.0.0.0.Architect.exe
3348	CAI.v21.0.0.0.Architect.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000200000002a99a-150.dat	upx
behavioral1/memory/3348-152-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/files/0x000100000002aa26-162.dat	upx
behavioral1/memory/3348-166-0x0000000010000000-0x000000001003B000-memory.dmp	upx
behavioral1/memory/3348-187-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/3348-188-0x0000000010000000-0x000000001003B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133611482980136374"	chrome.exe

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings	CAI.v21.0.0.0.Architect.exe
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	CAI.v21.0.0.0.Architect.exe
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	CAI.v21.0.0.0.Architect.exe
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2	CAI.v21.0.0.0.Architect.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\NodeSlot = "8"	CAI.v21.0.0.0.Architect.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	CAI.v21.0.0.0.Architect.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202	CAI.v21.0.0.0.Architect.exe
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8	CAI.v21.0.0.0.Architect.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	CAI.v21.0.0.0.Architect.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000789966c455a1da016c3648beefaeda015d9708c0efaeda0114000000	CAI.v21.0.0.0.Architect.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 020000000100000000000000ffffffff	CAI.v21.0.0.0.Architect.exe
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell	CAI.v21.0.0.0.Architect.exe
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	CAI.v21.0.0.0.Architect.exe
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	CAI.v21.0.0.0.Architect.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\MRUListEx = ffffffff	CAI.v21.0.0.0.Architect.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\SniffedFolderType = "Generic"	CAI.v21.0.0.0.Architect.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\CAI21000-Patch-Kriggi.rar:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1912	chrome.exe
1912	chrome.exe
3348	CAI.v21.0.0.0.Architect.exe
3348	CAI.v21.0.0.0.Architect.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3632	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
3632	7zFM.exe
3632	7zFM.exe
3632	7zFM.exe
3632	7zFM.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3348	CAI.v21.0.0.0.Architect.exe
3348	CAI.v21.0.0.0.Architect.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 4632	1912	chrome.exe	77
PID 1912 wrote to memory of 4632	1912	chrome.exe	77
PID 1912 wrote to memory of 3628	1912	chrome.exe	78
PID 1912 wrote to memory of 3628	1912	chrome.exe	78
PID 1912 wrote to memory of 3628	1912	chrome.exe	78
PID 1912 wrote to memory of 3628	1912	chrome.exe	78
PID 1912 wrote to memory of 3628	1912	chrome.exe	78
PID 1912 wrote to memory of 3628	1912	chrome.exe	78
PID 1912 wrote to memory of 3628	1912	chrome.exe	78
PID 1912 wrote to memory of 3628	1912	chrome.exe	78
PID 1912 wrote to memory of 3628	1912	chrome.exe	78
PID 1912 wrote to memory of 3628	1912	chrome.exe	78
PID 1912 wrote to memory of 3628	1912	chrome.exe	78
PID 1912 wrote to memory of 3628	1912	chrome.exe	78
PID 1912 wrote to memory of 3628	1912	chrome.exe	78
PID 1912 wrote to memory of 3628	1912	chrome.exe	78
PID 1912 wrote to memory of 3628	1912	chrome.exe	78
PID 1912 wrote to memory of 3628	1912	chrome.exe	78
PID 1912 wrote to memory of 3628	1912	chrome.exe	78
PID 1912 wrote to memory of 3628	1912	chrome.exe	78
PID 1912 wrote to memory of 3628	1912	chrome.exe	78
PID 1912 wrote to memory of 3628	1912	chrome.exe	78
PID 1912 wrote to memory of 3628	1912	chrome.exe	78
PID 1912 wrote to memory of 3628	1912	chrome.exe	78
PID 1912 wrote to memory of 3628	1912	chrome.exe	78
PID 1912 wrote to memory of 3628	1912	chrome.exe	78
PID 1912 wrote to memory of 3628	1912	chrome.exe	78
PID 1912 wrote to memory of 3628	1912	chrome.exe	78
PID 1912 wrote to memory of 3628	1912	chrome.exe	78
PID 1912 wrote to memory of 3628	1912	chrome.exe	78
PID 1912 wrote to memory of 3628	1912	chrome.exe	78
PID 1912 wrote to memory of 3628	1912	chrome.exe	78
PID 1912 wrote to memory of 3628	1912	chrome.exe	78
PID 1912 wrote to memory of 1416	1912	chrome.exe	79
PID 1912 wrote to memory of 1416	1912	chrome.exe	79
PID 1912 wrote to memory of 2224	1912	chrome.exe	80
PID 1912 wrote to memory of 2224	1912	chrome.exe	80
PID 1912 wrote to memory of 2224	1912	chrome.exe	80
PID 1912 wrote to memory of 2224	1912	chrome.exe	80
PID 1912 wrote to memory of 2224	1912	chrome.exe	80
PID 1912 wrote to memory of 2224	1912	chrome.exe	80
PID 1912 wrote to memory of 2224	1912	chrome.exe	80
PID 1912 wrote to memory of 2224	1912	chrome.exe	80
PID 1912 wrote to memory of 2224	1912	chrome.exe	80
PID 1912 wrote to memory of 2224	1912	chrome.exe	80
PID 1912 wrote to memory of 2224	1912	chrome.exe	80
PID 1912 wrote to memory of 2224	1912	chrome.exe	80
PID 1912 wrote to memory of 2224	1912	chrome.exe	80
PID 1912 wrote to memory of 2224	1912	chrome.exe	80
PID 1912 wrote to memory of 2224	1912	chrome.exe	80
PID 1912 wrote to memory of 2224	1912	chrome.exe	80
PID 1912 wrote to memory of 2224	1912	chrome.exe	80
PID 1912 wrote to memory of 2224	1912	chrome.exe	80
PID 1912 wrote to memory of 2224	1912	chrome.exe	80
PID 1912 wrote to memory of 2224	1912	chrome.exe	80
PID 1912 wrote to memory of 2224	1912	chrome.exe	80
PID 1912 wrote to memory of 2224	1912	chrome.exe	80
PID 1912 wrote to memory of 2224	1912	chrome.exe	80
PID 1912 wrote to memory of 2224	1912	chrome.exe	80
PID 1912 wrote to memory of 2224	1912	chrome.exe	80
PID 1912 wrote to memory of 2224	1912	chrome.exe	80
PID 1912 wrote to memory of 2224	1912	chrome.exe	80
PID 1912 wrote to memory of 2224	1912	chrome.exe	80
PID 1912 wrote to memory of 2224	1912	chrome.exe	80

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.upload.ee/files/16588573/CAI21000-Patch-Kriggi.rar.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaf6bbab58,0x7ffaf6bbab68,0x7ffaf6bbab78
  2⤵
  PID:4632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1512 --field-trial-handle=1716,i,7167124019520700351,16655251771949125820,131072 /prefetch:2
  2⤵
  PID:3628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=1716,i,7167124019520700351,16655251771949125820,131072 /prefetch:8
  2⤵
  PID:1416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2180 --field-trial-handle=1716,i,7167124019520700351,16655251771949125820,131072 /prefetch:8
  2⤵
  PID:2224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2976 --field-trial-handle=1716,i,7167124019520700351,16655251771949125820,131072 /prefetch:1
  2⤵
  PID:3632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2984 --field-trial-handle=1716,i,7167124019520700351,16655251771949125820,131072 /prefetch:1
  2⤵
  PID:1124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4180 --field-trial-handle=1716,i,7167124019520700351,16655251771949125820,131072 /prefetch:1
  2⤵
  PID:3248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4188 --field-trial-handle=1716,i,7167124019520700351,16655251771949125820,131072 /prefetch:1
  2⤵
  PID:2456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4492 --field-trial-handle=1716,i,7167124019520700351,16655251771949125820,131072 /prefetch:1
  2⤵
  PID:1540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4692 --field-trial-handle=1716,i,7167124019520700351,16655251771949125820,131072 /prefetch:1
  2⤵
  PID:4912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4816 --field-trial-handle=1716,i,7167124019520700351,16655251771949125820,131072 /prefetch:1
  2⤵
  PID:1484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 --field-trial-handle=1716,i,7167124019520700351,16655251771949125820,131072 /prefetch:8
  2⤵
  PID:952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4124 --field-trial-handle=1716,i,7167124019520700351,16655251771949125820,131072 /prefetch:8
  2⤵
  PID:2140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4512 --field-trial-handle=1716,i,7167124019520700351,16655251771949125820,131072 /prefetch:1
  2⤵
  PID:2292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3220 --field-trial-handle=1716,i,7167124019520700351,16655251771949125820,131072 /prefetch:8
  2⤵
  - NTFS ADS
  PID:3484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4248 --field-trial-handle=1716,i,7167124019520700351,16655251771949125820,131072 /prefetch:1
  2⤵
  PID:608

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:412

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2720

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:3632

C:\Users\Admin\Desktop\CAI.v21.0.0.0.Architect.exe
"C:\Users\Admin\Desktop\CAI.v21.0.0.0.Architect.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\7a22c601-c690-4c8a-aa16-8322055654ee.tmp

Filesize
7KB

MD5
06a3f2adf6ee56202cdab722dedbf590

SHA1
69a127eb12fe5c408bd18237be22dea4a13e94a8

SHA256
03aad2a3d043e897250b488c6c4c34d3f31fc7246257efdfa8a22a21ed6bda23

SHA512
acc0364bf830c15dacfc93d54e9f2568f751b5871d289c90232300465ed14d638e32bbac57d67608a89d5f743e513f3c574b58e8dbfa2fc88bdbc422841ffb7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
bb527d10a0bd7467af78097bb831ec19

SHA1
0ee4813370e15013b1e4642422202a82dea43095

SHA256
f9650190c33d8db304c709aef53bd576a84ea78fbcbd8756a4e5a1a4df550026

SHA512
ee2d3b1b7dcf0079fe017ba392e7bcf086a4689b330115f350ec86e3f7b4749f44922c93622cc6687ccfee0c773947914fceb241b889467aa202e2f2ad3dc0db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
bad00bacf396b45069afff3635c8978b

SHA1
93c08bd02852859aea0bd607db439f7e19ef33a5

SHA256
0a4ef74889e4d7c71831bce9862dacf19caa7c4506f72f5e6a882e8634806e76

SHA512
2a17f5317bd2091391e9efdf90a73261a33061aba18e0709e5c69a4efe80b2058d1de054efd7e97bae1101069765370ff033991d2bd764830d511c95c297bcad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
411c843e77a734a054e31c64f7f4a176

SHA1
a0b8d966504d6bd905127266b32806adf05e7975

SHA256
232061737cb030fc0a3085765a1e0820b9b3adca03eb11efbcb75b39c4925f5d

SHA512
308348ae6c810828cdbc14de678769b54d6e65d9790bf8e4e5a19a5de26c94ba00fcf133daa87d7e237c13705302629e91af7b0d57cb9f8fb67a238c4ba3461d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
c98fdb76e5275842e0b916529ab43fd7

SHA1
37467cbd1deddfd7d4928fee5aaa6c40afafad9e

SHA256
23df062ead1f17bca13cba20c850bc0164f4a072fc13518afb34217878d98f15

SHA512
78282ffb0adec6f718195ebc01aada229ad0a0b820e1e0701c60bc141451a1e702d4b5d75e4c59fcffc5998e95b581e510f4b9332f2b7c0852c435ad8903226d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
59438769ffe9eaaf875f7dfa5beab741

SHA1
991e1e9812f7749b7124b5bca3cdef5dea8ae12d

SHA256
01e78743a5e080368714e5f5170c89bb7fb8a483a915592611f605326c1d991f

SHA512
3290186feb10aabcf22b547f99f22b754a130934c4d6fd52d6408b88415dfacf897a988b59f664cc72379ec6123c31b29b03d3a9b84af0955b7fccd0f8aac6d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57f145.TMP

Filesize
48B

MD5
5ab1d5289d93944fe0405f4e401d885b

SHA1
0f85c4caeb42fe3fb4b56d4e82817b1fddd2a5e5

SHA256
1999114e25759cf4b4ad1d9680d34ec584784f45786dc59a5cc360b7cc90c239

SHA512
fc54bb356d5351be4f0e92b9fe72f5624a505f8b45bfc13cacc9c202afb5f28c114928268b76d8fe9bffd2864900fc2cca8116cfaf5ee65ee926bd613dd08fa4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
129KB

MD5
b368539ae6d05d74d67648c46aaf3104

SHA1
24bf00f78a937732acf4fe202e5b5c0b901f451a

SHA256
d5165d02affe9a5abcb22f5f51ffe37d2dbad5ed57d4fda2647ac9ad0baf1f0c

SHA512
aaf1495b04b8c2959f6cfe8cabf7c574de59123fc894435e03d05b0da9bc05c628b14be2b3b38e7c6d4259ecd26d20f482c222cb32d27f365611f98257a5ba60

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfABCD.tmp\SkinH.dll

Filesize
89KB

MD5
205e3693cb24b95018eaee62af86ae03

SHA1
038749709bb472031c000557e57857222619dcd5

SHA256
4954323e4532552e5b3691986d579fdce8ebe60b6ec1eb049658103e05c9d52d

SHA512
4115d76eb964e8c84810ca1cb7758c74ef80d99168f38fb9ce036cea58f69b6579eabc16527b529a7f390f220d71952cbbcda84d20a05ef881714cf2c9a645cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfABCD.tmp\System.dll

Filesize
11KB

MD5
5e5cb3de0b7b4e55b07653a46a79c5a9

SHA1
b710ef3fba5f5fc96c360fa1ac2bda3b6fd594e5

SHA256
2a0b423585ec60c5a2d32a900da7c159417fa2ca6354fc0292496e8d87deaa96

SHA512
840657e36304df53b1101df841560f24fd3d9fc4157385b82c803bff65940c6972636728bbe9d5f6492f63791cc18305c1fa27fd9085f6f3df08e9dabf16f80c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfABCD.tmp\ToolTips.dll

Filesize
4KB

MD5
9a0da2692764bb842411a8b9687ebbb7

SHA1
5c3a459faa08a704bdf162476897ad4580ae39bd

SHA256
28aeaa48c929188a0d169887cc3f16370741467ae49e1db59763f030710a6bbb

SHA512
814d686617df4fe9f50a93dac9428babff3a14836aa27b4666976379ec3fafcab65fd82d8886998fa65e7b59dc192ca067cf8b4cdeb8ef551812912d80dab8ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfABCD.tmp\nsDialogs.dll

Filesize
9KB

MD5
0fd7365afe65ef31ba259cd98bd5a87c

SHA1
70e2a7e908ffd52db9e3757f6059c97a1793dc9c

SHA256
d839df3133331b68d7f7ca50b2636d25d80d7be9547f292a036c01122c9480d9

SHA512
bfc71e2d576785a393bc71a4769b3adb672f3373658d429cbb5b15750ba22fa54eba59357991f4b6933e4cf550d0e6ec8b2c49164781c0a506050be1fbf428e0

Download Submit
C:\Users\Admin\Desktop\CAI.v21.0.0.0.Architect.exe

Filesize
167KB

MD5
d6e494990878a9f321cd3ee879fa30d6

SHA1
954bdf462ab5fa5dbbfc9837800b8c6cc02c79e9

SHA256
14437864f6a610d39837717a91520591fca8cd0f493f9f2751ee80bc01e00e01

SHA512
b4893a3936cdd35999817006c846ee3d1f1d6566630d0d021ec895ac848098907f5216603067381978b2f6aa9f4941370d8aef5c29d4471046cf76baa0a5cc7a

Download Submit
C:\Users\Admin\Downloads\CAI21000-Patch-Kriggi.rar

Filesize
168KB

MD5
e180dfab6563bd1fdc9835842281bb32

SHA1
bbd3c36058ce9707ce6b08d8605825e52a2b8795

SHA256
cdc3c5e502ec2cf3fdc249183b82ad96c6a28ab0df47e7cf295308d2afdb8601

SHA512
3b19bccc86ac0c620201df4cc4bd139cfa1eb7d1e4c512157e801ecb018390827c7b6a256e40b6f994dce3acd54f22e1072687d35562ebc14cbc46bcad2ccf05

Download Submit
C:\Users\Admin\Downloads\CAI21000-Patch-Kriggi.rar:Zone.Identifier

Filesize
107B

MD5
03de64c3c4d735360600252f14f06e44

SHA1
ef18f9577be2e571d5873f1619d2df204a0084e7

SHA256
8abd67f9617ed72a87d77653f81c43e5a7d099412c45104dd9f95f5d745937fe

SHA512
8109b986b712e0d58c765e1a43b112d61d83adc745976cb09231ac1dec11809f17bf6cc0011f1e17ca5e4bc8d848372412308d9bcf29303e3704524d23d291d7

Download Submit
memory/3348-152-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/3348-166-0x0000000010000000-0x000000001003B000-memory.dmp

Filesize
236KB

Download
memory/3348-187-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/3348-188-0x0000000010000000-0x000000001003B000-memory.dmp

Filesize
236KB

Download