Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-05-2024 22:00
Static task: static1
General
Target: crypted.exe
Size: 519KB
MD5: 1b1c7e6e96667a6a758b22d444de57a7
SHA1: 3eafd122d0814ee5aeb35a9bce975805a8cf6744
SHA256: e03518acef8a2fecee311fac04e11943e8b219815f02224a4ae30d5ecccf0f90
SHA512: 2ed665526ec20b8c3d8a6854e25bcf44755e4bfd8f34b3770c3694e4b9cd8b2ad85d130830cb298aa18521f30038ef47e5d93225a5eb14039670f5ef626f91f7
SSDEEP: 12288:ar9mi27cWO4AEcI9cCHEAJtv9QXmuP16k:6mfemcCflO1
Malware Config
Extracted
Family: lumma
C2:
- https://employhabragaomlsp.shop/api
- https://museumtespaceorsp.shop/api
- https://buttockdecarderwiso.shop/api
- https://averageaattractiionsl.shop/api
- https://femininiespywageg.shop/api
- https://stalfbaclcalorieeis.shop/api
- https://civilianurinedtsraov.shop/api
- https://roomabolishsnifftwk.shop/api
Signatures
Downloads MZ/PE file
Executes dropped EXE (1 IoC)
Processes (pid, process):
  6024 MEMZ.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
Suspicious use of SetThreadContext (1 IoC)
Processes (description, pid, process, target process):
  PID 2748 set thread context of 3048 | 2748 crypted.exe -> RegAsm.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | taskmgr.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes (description, ioc, process):
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies data under HKEY_USERS (2 IoCs)
Processes (description, ioc, process):
  Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
  Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133612345300884853" | chrome.exe
Suspicious behavior: EnumeratesProcesses (21 IoCs)
Processes (pid, process):
  5696 taskmgr.exe
  5696 taskmgr.exe
  5696 taskmgr.exe
  5696 taskmgr.exe
  5696 taskmgr.exe
  5696 taskmgr.exe
  5696 taskmgr.exe
  5696 taskmgr.exe
  5696 taskmgr.exe
  5696 taskmgr.exe
  5696 taskmgr.exe
  5696 taskmgr.exe
  5696 taskmgr.exe
  5696 taskmgr.exe
  5696 taskmgr.exe
  5696 taskmgr.exe
  5696 taskmgr.exe
  5696 taskmgr.exe
  5696 taskmgr.exe
  5080 chrome.exe
  5080 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (14 IoCs)
Processes (pid, process):
  5080 chrome.exe
  5080 chrome.exe
  5080 chrome.exe
  5080 chrome.exe
  5080 chrome.exe
  5080 chrome.exe
  5080 chrome.exe
  5080 chrome.exe
  5080 chrome.exe
  5080 chrome.exe
  5080 chrome.exe
  5080 chrome.exe
  5080 chrome.exe
  5080 chrome.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
vssvc.exetaskmgr.exechrome.exedescription pid process Token: SeBackupPrivilege 5392 vssvc.exe Token: SeRestorePrivilege 5392 vssvc.exe Token: SeAuditPrivilege 5392 vssvc.exe Token: SeDebugPrivilege 5696 taskmgr.exe Token: SeSystemProfilePrivilege 5696 taskmgr.exe Token: SeCreateGlobalPrivilege 5696 taskmgr.exe Token: 33 5696 taskmgr.exe Token: SeIncBasePriorityPrivilege 5696 taskmgr.exe Token: SeShutdownPrivilege 5080 chrome.exe Token: SeCreatePagefilePrivilege 5080 chrome.exe Token: SeShutdownPrivilege 5080 chrome.exe Token: SeCreatePagefilePrivilege 5080 chrome.exe Token: SeShutdownPrivilege 5080 chrome.exe Token: SeCreatePagefilePrivilege 5080 chrome.exe Token: SeShutdownPrivilege 5080 chrome.exe Token: SeCreatePagefilePrivilege 5080 chrome.exe Token: SeShutdownPrivilege 5080 chrome.exe Token: SeCreatePagefilePrivilege 5080 chrome.exe Token: SeShutdownPrivilege 5080 chrome.exe Token: SeCreatePagefilePrivilege 5080 chrome.exe Token: SeShutdownPrivilege 5080 chrome.exe Token: SeCreatePagefilePrivilege 5080 chrome.exe Token: SeShutdownPrivilege 5080 chrome.exe Token: SeCreatePagefilePrivilege 5080 chrome.exe Token: SeShutdownPrivilege 5080 chrome.exe Token: SeCreatePagefilePrivilege 5080 chrome.exe Token: SeShutdownPrivilege 5080 chrome.exe Token: SeCreatePagefilePrivilege 5080 chrome.exe Token: SeShutdownPrivilege 5080 chrome.exe Token: SeCreatePagefilePrivilege 5080 chrome.exe Token: SeShutdownPrivilege 5080 chrome.exe Token: SeCreatePagefilePrivilege 5080 chrome.exe Token: SeShutdownPrivilege 5080 chrome.exe Token: SeCreatePagefilePrivilege 5080 chrome.exe Token: SeShutdownPrivilege 5080 chrome.exe Token: SeCreatePagefilePrivilege 5080 chrome.exe Token: SeShutdownPrivilege 5080 chrome.exe Token: SeCreatePagefilePrivilege 5080 chrome.exe Token: SeShutdownPrivilege 5080 chrome.exe Token: SeCreatePagefilePrivilege 5080 chrome.exe Token: SeShutdownPrivilege 5080 chrome.exe Token: SeCreatePagefilePrivilege 5080 chrome.exe Token: SeShutdownPrivilege 5080 chrome.exe 
Token: SeCreatePagefilePrivilege 5080 chrome.exe Token: SeShutdownPrivilege 5080 chrome.exe Token: SeCreatePagefilePrivilege 5080 chrome.exe Token: SeShutdownPrivilege 5080 chrome.exe Token: SeCreatePagefilePrivilege 5080 chrome.exe Token: SeShutdownPrivilege 5080 chrome.exe Token: SeCreatePagefilePrivilege 5080 chrome.exe Token: SeShutdownPrivilege 5080 chrome.exe Token: SeCreatePagefilePrivilege 5080 chrome.exe Token: SeShutdownPrivilege 5080 chrome.exe Token: SeCreatePagefilePrivilege 5080 chrome.exe Token: SeShutdownPrivilege 5080 chrome.exe Token: SeCreatePagefilePrivilege 5080 chrome.exe Token: SeShutdownPrivilege 5080 chrome.exe Token: SeCreatePagefilePrivilege 5080 chrome.exe Token: SeShutdownPrivilege 5080 chrome.exe Token: SeCreatePagefilePrivilege 5080 chrome.exe Token: SeShutdownPrivilege 5080 chrome.exe Token: SeCreatePagefilePrivilege 5080 chrome.exe Token: SeShutdownPrivilege 5080 chrome.exe Token: SeCreatePagefilePrivilege 5080 chrome.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
taskmgr.exechrome.exepid process 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5080 chrome.exe 5080 chrome.exe 5080 chrome.exe 5080 chrome.exe 5080 chrome.exe 5080 chrome.exe 5080 chrome.exe 5080 chrome.exe 5080 chrome.exe 5080 chrome.exe 5080 chrome.exe 5080 chrome.exe 5080 chrome.exe 5080 chrome.exe 5080 chrome.exe 5080 chrome.exe 5080 chrome.exe 5080 chrome.exe 5080 chrome.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
taskmgr.exechrome.exepid process 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5696 taskmgr.exe 5080 chrome.exe 5080 chrome.exe 5080 chrome.exe 5080 chrome.exe 5080 chrome.exe 5080 chrome.exe 5080 chrome.exe 5080 chrome.exe 5080 chrome.exe 5080 chrome.exe 5080 chrome.exe 5080 chrome.exe 5080 chrome.exe 5080 chrome.exe 5080 chrome.exe 5080 chrome.exe 5080 chrome.exe 5080 chrome.exe 5080 chrome.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
crypted.exechrome.exedescription pid process target process PID 2748 wrote to memory of 3048 2748 crypted.exe RegAsm.exe PID 2748 wrote to memory of 3048 2748 crypted.exe RegAsm.exe PID 2748 wrote to memory of 3048 2748 crypted.exe RegAsm.exe PID 2748 wrote to memory of 3048 2748 crypted.exe RegAsm.exe PID 2748 wrote to memory of 3048 2748 crypted.exe RegAsm.exe PID 2748 wrote to memory of 3048 2748 crypted.exe RegAsm.exe PID 2748 wrote to memory of 3048 2748 crypted.exe RegAsm.exe PID 2748 wrote to memory of 3048 2748 crypted.exe RegAsm.exe PID 2748 wrote to memory of 3048 2748 crypted.exe RegAsm.exe PID 5080 wrote to memory of 6088 5080 chrome.exe chrome.exe PID 5080 wrote to memory of 6088 5080 chrome.exe chrome.exe PID 5080 wrote to memory of 5320 5080 chrome.exe chrome.exe PID 5080 wrote to memory of 5320 5080 chrome.exe chrome.exe PID 5080 wrote to memory of 5320 5080 chrome.exe chrome.exe PID 5080 wrote to memory of 5320 5080 chrome.exe chrome.exe PID 5080 wrote to memory of 5320 5080 chrome.exe chrome.exe PID 5080 wrote to memory of 5320 5080 chrome.exe chrome.exe PID 5080 wrote to memory of 5320 5080 chrome.exe chrome.exe PID 5080 wrote to memory of 5320 5080 chrome.exe chrome.exe PID 5080 wrote to memory of 5320 5080 chrome.exe chrome.exe PID 5080 wrote to memory of 5320 5080 chrome.exe chrome.exe PID 5080 wrote to memory of 5320 5080 chrome.exe chrome.exe PID 5080 wrote to memory of 5320 5080 chrome.exe chrome.exe PID 5080 wrote to memory of 5320 5080 chrome.exe chrome.exe PID 5080 wrote to memory of 5320 5080 chrome.exe chrome.exe PID 5080 wrote to memory of 5320 5080 chrome.exe chrome.exe PID 5080 wrote to memory of 5320 5080 chrome.exe chrome.exe PID 5080 wrote to memory of 5320 5080 chrome.exe chrome.exe PID 5080 wrote to memory of 5320 5080 chrome.exe chrome.exe PID 5080 wrote to memory of 5320 5080 chrome.exe chrome.exe PID 5080 wrote to memory of 5320 5080 chrome.exe chrome.exe PID 5080 wrote to memory of 5320 5080 chrome.exe chrome.exe PID 5080 
wrote to memory of 5320 5080 chrome.exe chrome.exe PID 5080 wrote to memory of 5320 5080 chrome.exe chrome.exe PID 5080 wrote to memory of 5320 5080 chrome.exe chrome.exe PID 5080 wrote to memory of 5320 5080 chrome.exe chrome.exe PID 5080 wrote to memory of 5320 5080 chrome.exe chrome.exe PID 5080 wrote to memory of 5320 5080 chrome.exe chrome.exe PID 5080 wrote to memory of 5320 5080 chrome.exe chrome.exe PID 5080 wrote to memory of 5320 5080 chrome.exe chrome.exe PID 5080 wrote to memory of 5320 5080 chrome.exe chrome.exe PID 5080 wrote to memory of 5320 5080 chrome.exe chrome.exe PID 5080 wrote to memory of 5352 5080 chrome.exe chrome.exe PID 5080 wrote to memory of 5352 5080 chrome.exe chrome.exe PID 5080 wrote to memory of 2820 5080 chrome.exe chrome.exe PID 5080 wrote to memory of 2820 5080 chrome.exe chrome.exe PID 5080 wrote to memory of 2820 5080 chrome.exe chrome.exe PID 5080 wrote to memory of 2820 5080 chrome.exe chrome.exe PID 5080 wrote to memory of 2820 5080 chrome.exe chrome.exe PID 5080 wrote to memory of 2820 5080 chrome.exe chrome.exe PID 5080 wrote to memory of 2820 5080 chrome.exe chrome.exe PID 5080 wrote to memory of 2820 5080 chrome.exe chrome.exe PID 5080 wrote to memory of 2820 5080 chrome.exe chrome.exe PID 5080 wrote to memory of 2820 5080 chrome.exe chrome.exe PID 5080 wrote to memory of 2820 5080 chrome.exe chrome.exe PID 5080 wrote to memory of 2820 5080 chrome.exe chrome.exe PID 5080 wrote to memory of 2820 5080 chrome.exe chrome.exe PID 5080 wrote to memory of 2820 5080 chrome.exe chrome.exe PID 5080 wrote to memory of 2820 5080 chrome.exe chrome.exe PID 5080 wrote to memory of 2820 5080 chrome.exe chrome.exe PID 5080 wrote to memory of 2820 5080 chrome.exe chrome.exe PID 5080 wrote to memory of 2820 5080 chrome.exe chrome.exe PID 5080 wrote to memory of 2820 5080 chrome.exe chrome.exe PID 5080 wrote to memory of 2820 5080 chrome.exe chrome.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (tree; children are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\crypted.exe  [PID 2748]
  cmd: "C:\Users\Admin\AppData\Local\Temp\crypted.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  [PID 3048]
      cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 1008]
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4180,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4080 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 1228]
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault0d2f48f8h6470h433ch9544h2ac67a40edf1

C:\Windows\system32\svchost.exe  [PID 5232]
  cmd: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService

C:\Windows\system32\vssvc.exe  [PID 5392]
  cmd: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\taskmgr.exe  [PID 5696]
  cmd: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 5856]
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault27b73f3dhc136h49edhbd26ha39ab218f48a

C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 5080]
  cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
    C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 6088]
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fffe3c9ab58,0x7fffe3c9ab68,0x7fffe3c9ab78
    C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 5320]
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1780 --field-trial-handle=1964,i,17983366771422628456,8056230956171068421,131072 /prefetch:2
    C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 5352]
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 --field-trial-handle=1964,i,17983366771422628456,8056230956171068421,131072 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 2820]
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1436 --field-trial-handle=1964,i,17983366771422628456,8056230956171068421,131072 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 1704]
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3136 --field-trial-handle=1964,i,17983366771422628456,8056230956171068421,131072 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 5704]
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3168 --field-trial-handle=1964,i,17983366771422628456,8056230956171068421,131072 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 5992]
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3656 --field-trial-handle=1964,i,17983366771422628456,8056230956171068421,131072 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 732]
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4488 --field-trial-handle=1964,i,17983366771422628456,8056230956171068421,131072 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 5676]
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4644 --field-trial-handle=1964,i,17983366771422628456,8056230956171068421,131072 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 4392]
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4660 --field-trial-handle=1964,i,17983366771422628456,8056230956171068421,131072 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 5596]
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4512 --field-trial-handle=1964,i,17983366771422628456,8056230956171068421,131072 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 6600]
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4508 --field-trial-handle=1964,i,17983366771422628456,8056230956171068421,131072 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 6916]
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3432 --field-trial-handle=1964,i,17983366771422628456,8056230956171068421,131072 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 6956]
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3476 --field-trial-handle=1964,i,17983366771422628456,8056230956171068421,131072 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 7048]
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5044 --field-trial-handle=1964,i,17983366771422628456,8056230956171068421,131072 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 7056]
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5112 --field-trial-handle=1964,i,17983366771422628456,8056230956171068421,131072 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 6416]
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4580 --field-trial-handle=1964,i,17983366771422628456,8056230956171068421,131072 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 6456]
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4604 --field-trial-handle=1964,i,17983366771422628456,8056230956171068421,131072 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 6536]
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5036 --field-trial-handle=1964,i,17983366771422628456,8056230956171068421,131072 /prefetch:8
    C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe  [PID 404]
      cmd: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
        C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe  [PID 4996]
          cmd: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff6712cae48,0x7ff6712cae58,0x7ff6712cae68
    C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 7116]
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=4628 --field-trial-handle=1964,i,17983366771422628456,8056230956171068421,131072 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 6320]
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=3464 --field-trial-handle=1964,i,17983366771422628456,8056230956171068421,131072 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 6356]
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=3420 --field-trial-handle=1964,i,17983366771422628456,8056230956171068421,131072 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 6280]
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4720 --field-trial-handle=1964,i,17983366771422628456,8056230956171068421,131072 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 6244]
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4596 --field-trial-handle=1964,i,17983366771422628456,8056230956171068421,131072 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 4568]
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=4676 --field-trial-handle=1964,i,17983366771422628456,8056230956171068421,131072 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 6576]
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=4092 --field-trial-handle=1964,i,17983366771422628456,8056230956171068421,131072 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 1540]
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=3404 --field-trial-handle=1964,i,17983366771422628456,8056230956171068421,131072 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 6368]
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3368 --field-trial-handle=1964,i,17983366771422628456,8056230956171068421,131072 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 5920]
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3152 --field-trial-handle=1964,i,17983366771422628456,8056230956171068421,131072 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 5932]
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5356 --field-trial-handle=1964,i,17983366771422628456,8056230956171068421,131072 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 1008]
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4688 --field-trial-handle=1964,i,17983366771422628456,8056230956171068421,131072 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 6792]
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5372 --field-trial-handle=1964,i,17983366771422628456,8056230956171068421,131072 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe  [PID 3008]
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4960 --field-trial-handle=1964,i,17983366771422628456,8056230956171068421,131072 /prefetch:8
    C:\Users\Admin\Downloads\MEMZ.exe  [PID 6024]
      cmd: "C:\Users\Admin\Downloads\MEMZ.exe"
      - Executes dropped EXE

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe  [PID 4108]
  cmd: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads