Analysis
max time kernel: 147s
max time network: 150s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 26-05-2024 16:23
Behavioral task: behavioral1
Sample: Expensive 3.1.exe
Resource: win11-20240508-en
General
Target: Expensive 3.1.exe
Size: 73KB
MD5: 6fb5db1fb4f6db383d3ec9635bafcc8f
SHA1: a2cc6012448bacc9d0cb0f5c5cfc88c2ced1c29e
SHA256: 1c4c132a522839dcd922c7495f381c08c9a142fac9ba23da02b017599c0d2f56
SHA512: c0c87534b5f0e26631ea169c5540d5893d52b0dce1d0482cfc7916014af9e3d3101840d1e9e5e2b9b8ee2717e2f1976b3b7d2f7832e3e17197e8372292b32604
SSDEEP: 1536:cZwa23E9lZVp7PmzogbZMuUW+b1pHjFGlqiyJ6SDOKJxENaM:cR2AlZrWog2uUW+b1pjBfOKJCR
Malware Config
Extracted
Family: xworm
C2: loss-winners.gl.at.ply.gg:61007
Install_directory: %AppData%
install_file: Expensive 3.1.exe
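The extracted config predicts what the sample will leave on a host, and the report lets us check that prediction: the Run key recorded under "Adds Run key to start application" is exactly Install_directory plus install_file, with the value named after the file minus its extension. The Python below is an added example, not the sandbox vendor's code and not part of XWorm. It assumes the sandbox user name "Admin" from the process tree, a standard mapping of %AppData% and a few other folder tokens to per-user paths (only %AppData% is confirmed by this report), and that *.ply.gg hostnames belong to the playit.gg tunnelling service; treat that last mapping, and the Run-value naming rule, as assumptions to re-verify on each new build rather than as XWorm invariants.

```python
"""Turn the extracted XWorm config into concrete host artifacts and check them
against the report. Added example, not the sandbox vendor's code and not XWorm's:
it encodes what this report shows (the sample copies itself to
Install_directory + install_file and names its HKCU Run value after the file
without extension). Assuming every XWorm build does the same is an assumption
to re-verify per sample."""
from __future__ import annotations
import ntpath
import re
from typing import Optional

# Copied from the "Malware Config / Extracted" block above.
EXTRACTED_CONFIG = {
    "family": "xworm",
    "c2": "loss-winners.gl.at.ply.gg:61007",
    "Install_directory": "%AppData%",
    "install_file": "Expensive 3.1.exe",
}

# Known-folder tokens seen in XWorm configs, expanded for a given user.
# Only %AppData% is confirmed by this report; the others are standard Windows
# locations added for completeness.
ENV_FOLDERS = {
    "%AppData%": r"C:\Users\{user}\AppData\Roaming",
    "%LocalAppData%": r"C:\Users\{user}\AppData\Local",
    "%Temp%": r"C:\Users\{user}\AppData\Local\Temp",
    "%UserProfile%": r"C:\Users\{user}",
}

# Reverse-tunnel services hand out throwaway hostnames under a fixed parent
# domain, so the parent domain is the durable indicator and the resolved IP
# belongs to the provider, not the operator. Assumption: *.ply.gg is playit.gg.
TUNNEL_PARENT_DOMAINS = {"ply.gg": "playit.gg"}

C2_RE = re.compile(r"^\[?(?P<host>[^\]\s]+?)\]?:(?P<port>\d{1,5})$")
SET_VALUE_RE = re.compile(
    r'^\\REGISTRY\\(?P<hive>USER|MACHINE)\\(?P<rest>.+)\\(?P<name>[^\\]+) = "(?P<data>.*)"$')
USER_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")  # per-user SIDs only


def parse_c2(value: str) -> tuple[str, int]:
    m = C2_RE.match(value.strip())
    if not m or not 0 < int(m["port"]) < 65536:
        raise ValueError(f"unrecognised C2 endpoint: {value!r}")
    return m["host"].lower(), int(m["port"])


def tunnel_provider(host: str) -> Optional[str]:
    labels = host.lower().split(".")
    for i in range(len(labels)):
        provider = TUNNEL_PARENT_DOMAINS.get(".".join(labels[i:]))
        if provider:
            return provider
    return None


def expected_artifacts(config: dict, user: str) -> dict:
    folder = ENV_FOLDERS[config["Install_directory"]].format(user=user)
    install_path = ntpath.join(folder, config["install_file"])
    host, port = parse_c2(config["c2"])
    return {
        "install_path": install_path,
        "run_key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
        "run_value_name": ntpath.splitext(config["install_file"])[0],
        "run_value_data": install_path,
        "c2_host": host,
        "c2_port": port,
        "c2_tunnel": tunnel_provider(host),
    }


def parse_set_value(line: str) -> tuple[str, str, str]:
    """Normalise a sandbox 'Set value' IoC (native \\REGISTRY\\... path, doubled
    backslashes in the data) to (HKCU | HKLM | HKU\\<sid> key, value name, data)."""
    m = SET_VALUE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Set value IoC: {line!r}")
    if m["hive"] == "MACHINE":
        key = "HKLM\\" + m["rest"]
    else:
        sid, _, subkey = m["rest"].partition("\\")
        root = "HKCU" if USER_SID_RE.match(sid) else "HKU\\" + sid
        key = root + "\\" + subkey
    return key, m["name"], m["data"].replace("\\\\", "\\")


def matches_observed(expected: dict, set_value_line: str) -> bool:
    key, name, data = parse_set_value(set_value_line)
    return (key.lower() == expected["run_key"].lower()
            and name == expected["run_value_name"]
            and data.lower() == expected["run_value_data"].lower())


# The Run-key IoC exactly as the report prints it.
OBSERVED_RUN_KEY = (r'\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000'
                    r'\Software\Microsoft\Windows\CurrentVersion\Run\Expensive 3.1'
                    r' = "C:\\Users\\Admin\\AppData\\Roaming\\Expensive 3.1.exe"')

if __name__ == "__main__":
    art = expected_artifacts(EXTRACTED_CONFIG, user="Admin")
    for k, v in art.items():
        print(f"{k:15} {v}")
    print("matches report:", matches_observed(art, OBSERVED_RUN_KEY))
```

Two details are worth noticing when hunting from this config. The sandbox prints registry IoCs as native object-manager paths (\REGISTRY\USER\<SID>\...), which is HKCU for a per-user S-1-5-21 SID but HKU\S-1-5-19 style for service accounts, so the normalisation step matters before comparing against EDR telemetry. And because the C2 lives under a tunnel provider, the hostname label and the resolved IP are both disposable; block or alert on the (parent domain, port) pair and on the process making the connection rather than pinning an address.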
Signatures
Note: only Expensive 3.1.exe (PID 4692), its four powershell.exe children and wjwwsk.exe belong to the sample's execution chain. chrome.exe (PID 4376), AUDIODG.EXE and the other top-level processes in the tree below are not children of the sample, so signatures attributed to them describe the analysis environment, not the malware.
Detect Xworm Payload (1 IoC)
yara_rule: family_xworm
resource: behavioral1/memory/4692-1-0x0000000000630000-0x0000000000648000-memory.dmp
The match is in the sample's own process (PID 4692), in a 0x18000-byte (96KB) region, larger than the 73KB file on disk.
Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths or processes. In this run: two -ExclusionPath and two -ExclusionProcess invocations (command lines in the process tree below).
Processes: powershell.exe (PID 2508), powershell.exe (PID 1020), powershell.exe (PID 1116), powershell.exe (PID 3440)
Executes dropped EXE (1 IoC)
Processes: wjwwsk.exe (PID 1240)
Adds Run key to start application (2 TTPs, 1 IoC)
Process: Expensive 3.1.exe
Set value (str): \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\Expensive 3.1 = "C:\\Users\\Admin\\AppData\\Roaming\\Expensive 3.1.exe"
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry (2 TTPs, 3 IoCs)
Process: chrome.exe
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
Modifies data under HKEY_USERS (2 IoCs)
Process: chrome.exe
Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry
Set value (int): \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133612143021701395"
Suspicious behavior: EnumeratesProcesses (24 IoCs)
- powershell.exe (PIDs 2508, 1020, 1116, 3440): 2 each
- Expensive 3.1.exe (PID 4692): 14
- chrome.exe (PID 4376): 2
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (4 IoCs)
- chrome.exe (PID 4376): 4
Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Expensive 3.1.exe (PID 4692): SeDebugPrivilege (2)
- powershell.exe (PIDs 2508, 1020, 1116, 3440): SeDebugPrivilege (1 each)
- AUDIODG.EXE (PID 3996): privilege LUID 33 (SeIncreaseWorkingSetPrivilege), SeIncBasePriorityPrivilege
- chrome.exe (PID 4376): SeShutdownPrivilege and SeCreatePagefilePrivilege, alternating, 56 entries
Only the SeDebugPrivilege entries belong to the sample's chain; AUDIODG.EXE and chrome.exe are not its descendants.
Suspicious use of FindShellTrayWindow (27 IoCs)
- chrome.exe (PID 4376): 27
Suspicious use of SendNotifyMessage (12 IoCs)
- chrome.exe (PID 4376): 12
Suspicious use of SetWindowsHookEx (1 IoC)
- Expensive 3.1.exe (PID 4692)
Suspicious use of WriteProcessMemory (64 IoCs)
- Expensive 3.1.exe (PID 4692) wrote to: powershell.exe 2508 (2), powershell.exe 1020 (2), powershell.exe 1116 (2), powershell.exe 3440 (2), wjwwsk.exe 1240 (2)
- chrome.exe (PID 4376) wrote to its own helper processes: chrome.exe 4712 (2), chrome.exe 2364 (repeated), chrome.exe 2900 (2), chrome.exe 3344 (repeated)
Every target listed is a direct child of the writer, so this signature here records process launches rather than injection into unrelated processes; the set of targets (four PowerShell instances and the dropped wjwwsk.exe) is the useful part.
Processes
C:\Users\Admin\AppData\Local\Temp\Expensive 3.1.exe (PID 4692)
Command line: "C:\Users\Admin\AppData\Local\Temp\Expensive 3.1.exe"
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2508, child of 4692)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Expensive 3.1.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1020, child of 4692)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Expensive 3.1.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1116, child of 4692)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Expensive 3.1.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3440, child of 4692)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Expensive 3.1.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\wjwwsk.exe (PID 1240, child of 4692)
    Command line: "C:\Users\Admin\AppData\Local\Temp\wjwwsk.exe"
    - Executes dropped EXE

The four PowerShell children exclude both copies of the sample by path (the original in %Temp% and the installed copy in %AppData%\Roaming that the Run key points to) and exclude the process name 'Expensive 3.1.exe' twice. Add-MpPreference requires administrative rights, so the exclusions only take effect if the sample was started elevated; the report does not record whether they succeeded.
Other top-level processes (not descendants of PID 4692):

C:\Windows\system32\svchost.exe (PID 4660)
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc

C:\Windows\system32\AUDIODG.EXE (PID 3996)
Command line: C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004F0
- Suspicious use of AdjustPrivilegeToken

C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4376)
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

    chrome.exe (PID 4712, child of 4376), crashpad handler
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc1602ab58,0x7ffc1602ab68,0x7ffc1602ab78

    chrome.exe (PID 2364, child of 4376), GPU process
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1924,i,18264764220460334713,10934933561604197874,131072 /prefetch:2

    chrome.exe (PID 2900, child of 4376), network service
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1852 --field-trial-handle=1924,i,18264764220460334713,10934933561604197874,131072 /prefetch:8

    chrome.exe (PID 3344, child of 4376), storage service
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2216 --field-trial-handle=1924,i,18264764220460334713,10934933561604197874,131072 /prefetch:8

    chrome.exe (PID 2508, child of 4376), renderer
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1924,i,18264764220460334713,10934933561604197874,131072 /prefetch:1

    chrome.exe (PID 3908, child of 4376), renderer
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3088 --field-trial-handle=1924,i,18264764220460334713,10934933561604197874,131072 /prefetch:1

    chrome.exe (PID 1572, child of 4376), renderer
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4224 --field-trial-handle=1924,i,18264764220460334713,10934933561604197874,131072 /prefetch:1

    chrome.exe (PID 916, child of 4376), data decoder
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3812 --field-trial-handle=1924,i,18264764220460334713,10934933561604197874,131072 /prefetch:8

    chrome.exe (PID 3216, child of 4376), data decoder
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4460 --field-trial-handle=1924,i,18264764220460334713,10934933561604197874,131072 /prefetch:8

    chrome.exe (PID 3604, child of 4376), processor metrics
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4680 --field-trial-handle=1924,i,18264764220460334713,10934933561604197874,131072 /prefetch:8

    chrome.exe (PID 4336, child of 4376), data decoder
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4520 --field-trial-handle=1924,i,18264764220460334713,10934933561604197874,131072 /prefetch:8

    chrome.exe (PID 1208, child of 4376), UtilWin
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4532 --field-trial-handle=1924,i,18264764220460334713,10934933561604197874,131072 /prefetch:8

    chrome.exe (PID 2228, child of 4376), UtilWin
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4684 --field-trial-handle=1924,i,18264764220460334713,10934933561604197874,131072 /prefetch:8

    chrome.exe (PID 1600, child of 4376), UtilWin
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4760 --field-trial-handle=1924,i,18264764220460334713,10934933561604197874,131072 /prefetch:8

    chrome.exe (PID 2824, child of 4376), UtilWin
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4476 --field-trial-handle=1924,i,18264764220460334713,10934933561604197874,131072 /prefetch:8

    chrome.exe (PID 4864, child of 4376), renderer
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4728 --field-trial-handle=1924,i,18264764220460334713,10934933561604197874,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe (PID 3452)
Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Windows\System32\rundll32.exe (PID 2872)
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\cmd.exe (PID 3960)
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\ExitPop.bat" "

Note on PIDs: 2508 appears twice in this tree, first as the powershell.exe child of the sample and later as a chrome.exe renderer, so the PID was reused after the PowerShell process exited. When correlating these events, key on process start time or a process GUID rather than on the PID alone.
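The chain above is what a detection engineer wants to catch without waiting for a YARA hit in memory: a binary in a user-writable folder spawns PowerShell to add Defender exclusions, launches a second dropped executable from %Temp%, and writes a Run value pointing into %AppData%\Roaming. The Python below is an added example, not the sandbox vendor's signatures and not XWorm code. It runs three rules over constructed Sysmon-style events (Event ID 1 process creation, Event ID 13 registry value set) built from the PIDs, images and command lines in this tree; the explorer.exe parent of the sample and the two benign control events are assumptions, as is the event schema itself. It then correlates the alerts back to a single actor process to show why the report's four PowerShell IoCs and one Run-key IoC should be read as one install chain.

```python
"""Detection logic for the chain in the process tree above, run over
constructed Sysmon-style events (Event ID 1 = process create, 13 = registry
value set). Added example: not the sandbox vendor's signatures and not XWorm
code. PIDs, images and command lines are taken from the report; the event
shape, the explorer.exe parent of the sample and the two benign events are
constructed for the demonstration."""
from __future__ import annotations
import re

# Paths an unprivileged user can write to; self-installing malware lands
# here, signed admin tooling almost never does.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.I)
# Add-MpPreference with any of the exclusion parameters (T1562.001).
MP_EXCLUSION = re.compile(
    r"\badd-mppreference\b.*-exclusion(path|process|extension|ipaddress)\b", re.I)
# Run and RunOnce values (T1547.001); Sysmon reports per-user hives as HKU\<sid>\...
RUN_KEY = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\[^\\]+$", re.I)
SHELLS = {"powershell.exe", "pwsh.exe"}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Expensive 3.1.exe"
SID = "S-1-5-21-1672260578-815027929-964132517-1000"


def exe_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def alert(technique, title, ev, severity, actor_pid):
    # actor_pid is the process held responsible: the Run-key writer itself,
    # or the parent that launched the exclusion-adding PowerShell.
    return {"technique": technique, "title": title, "severity": severity,
            "pid": ev["ProcessId"], "image": ev["Image"], "actor_pid": actor_pid}


def process_rules(ev):
    out = []
    image, parent, cmd = ev["Image"], ev["ParentImage"], ev["CommandLine"]
    if exe_name(image) in SHELLS and MP_EXCLUSION.search(cmd):
        # Exclusions added on behalf of a parent living in a user-writable
        # folder are the malware carving itself out of Defender.
        sev = "high" if USER_WRITABLE.match(parent) else "medium"
        out.append(alert("T1562.001", "Defender exclusion added via PowerShell",
                         ev, sev, ev["ParentProcessId"]))
    if USER_WRITABLE.match(image) and USER_WRITABLE.match(parent):
        out.append(alert(None, "Dropped executable launched by a user-writable parent",
                         ev, "medium", ev["ParentProcessId"]))
    return out


def registry_rules(ev):
    if RUN_KEY.search(ev["TargetObject"]) and USER_WRITABLE.match(ev["Details"]):
        return [alert("T1547.001", "Run key points into a user-writable path",
                      ev, "high", ev["ProcessId"])]
    return []


def detect(events):
    alerts = []
    for ev in events:
        if ev["EventID"] == 1:
            alerts += process_rules(ev)
        elif ev["EventID"] == 13:
            alerts += registry_rules(ev)
    return alerts


def correlate(alerts):
    """Actors that both carved out a Defender exclusion and installed a Run
    key: the install chain seen in this report. Keyed on PID for the example;
    in production key on ProcessGuid, since the tree above shows PID 2508
    reused by a chrome.exe renderer after the PowerShell child exited."""
    by_actor = {}
    for a in alerts:
        by_actor.setdefault(a["actor_pid"], set()).add(a["technique"])
    return {pid: sorted(t for t in techs if t) for pid, techs in by_actor.items()
            if {"T1562.001", "T1547.001"} <= techs}


def ps_event(pid, args):
    return {"EventID": 1, "Image": PS, "ProcessId": pid, "ParentImage": SAMPLE,
            "ParentProcessId": 4692,
            "CommandLine": f'"{PS}" -ExecutionPolicy Bypass {args}'}


EVENTS = [
    {"EventID": 1, "Image": SAMPLE, "ProcessId": 4692, "CommandLine": f'"{SAMPLE}"',
     "ParentImage": r"C:\Windows\explorer.exe", "ParentProcessId": 1234},  # parent assumed
    ps_event(2508, r"Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Expensive 3.1.exe'"),
    ps_event(1020, "Add-MpPreference -ExclusionProcess 'Expensive 3.1.exe'"),
    ps_event(1116, r"Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Expensive 3.1.exe'"),
    ps_event(3440, "Add-MpPreference -ExclusionProcess 'Expensive 3.1.exe'"),
    {"EventID": 1, "Image": r"C:\Users\Admin\AppData\Local\Temp\wjwwsk.exe", "ProcessId": 1240,
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\wjwwsk.exe"',
     "ParentImage": SAMPLE, "ParentProcessId": 4692},
    {"EventID": 13, "Image": SAMPLE, "ProcessId": 4692,
     "TargetObject": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\Expensive 3.1",
     "Details": r"C:\Users\Admin\AppData\Roaming\Expensive 3.1.exe"},
    # Constructed benign controls: an admin reading Defender settings, and the
    # chrome.exe TPM telemetry write the report lists under HKEY_USERS.
    {"EventID": 1, "Image": PS, "ProcessId": 5000, "CommandLine": f'"{PS}" Get-MpPreference',
     "ParentImage": r"C:\Windows\explorer.exe", "ParentProcessId": 1234},
    {"EventID": 13, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ProcessId": 4376, "Details": "133612143021701395",
     "TargetObject": r"HKU\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast"},
]

if __name__ == "__main__":
    found = detect(EVENTS)
    for a in found:
        print(f"[{a['severity']:6}] {a['technique'] or '-':9} pid={a['pid']:<5} {a['title']}")
    print("install chains by actor pid:", correlate(found))
```

On these events the rules raise six alerts (four exclusion additions, the wjwwsk.exe launch, the Run key) and none for the two controls, and the correlation attributes the exclusion and persistence techniques to PID 4692, the sample. The exclusion rule deliberately scores on the parent's location rather than on -ExecutionPolicy Bypass, which plenty of legitimate scripts use; the Run-key rule fires only when the value data points into a user-writable path, which keeps installer-written Run values under Program Files quiet.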
MITRE ATT&CK Enterprise v15
Downloads
This export lists dropped and downloaded files by hash only, without names, so the dropped wjwwsk.exe cannot be matched to an entry from this page alone; none of the entries matches the 73KB sample itself.

Filesize: 144B
MD5: 8549965e79860b9a4d1d0f5b1d2e4eb8
SHA1: 306900330f5718a718c244344b68577b1243b3b3
SHA256: 19674ba87f51b7a9200e0ee2f9153ad4c324e1a500e3db3fcf5ad636142603e8
SHA512: 4d192ee9c277c0aeae3a937cd75276ccd36fbff8307274d5ee6f3bc6b8bc3dab89bad027dd8a8f8119fad7c026933e3789aa54a94eb95243e0e621439b0414ef

Filesize: 264KB
MD5: b0a7c19900467c6dbbf3516a78abf27c
SHA1: 52aa0e03422798956a0fb95f0c0c8807d2df9f64
SHA256: 18635ecf8e41fd1bd21629d7c360e7da1f7b99cd3f83f2fede6dddf587437d4c
SHA512: 67e99223bceca79fe3bdb952d4abe77fb28e929597b9f0bfa4f6b211dd9829a214a61b0bc60b7a5b0a3d7837f47453e651b4c8d48503d7b4cb199f1031c09375

Filesize: 2KB
MD5: fadf323bb0c6bcb39fba186728461cc0
SHA1: 650d35a00a6726701fdd8456db25cbfb860b8084
SHA256: 83aeb67d29731b3572ef171ae4b149626ce22440ce9354f60723c6f4df69fdb5
SHA512: c2c1995544cc2adccbb72ebab46cbdafc4318bad6cbbfeb40993b6fac0e8677f513ab435eb248fc7f2c68fc6e653f80d269fc6e57df5db3298eb94591d2ffe35

Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Filesize: 356B
MD5: 59fe9b8cac331803d2551015089c6c57
SHA1: f6711e0585f898d9b38e4b98cde242bb1ed1ec62
SHA256: 42ced1708b62924241dad1973999b401f9c082e9da8d0d7d06282ae9ed1a3031
SHA512: ca4a9ecf8fa8d48ccf65b272788fba203d46d541b63aca70e82b15c3693b3c05b447ab28ac241ee9b2fa68531f39305f7e5b810764b8fb9011746f6324873ed0

Filesize: 524B
MD5: f0f8425aca81f5b941af0da0e3ec7cb3
SHA1: deb0f87a224117386b8ab0cb2b390ddba2e2d388
SHA256: c7f02222a1d21213df2ec3542a729206d1affec1465d545926d98f4ab52f1e4e
SHA512: 8d2ca442807976d815f77a8ffe0a5fdf79eb470979a892878344a69ce6ea6db4febb7ca053bf078809b7dcd12f04ad8da3fedacf325d00b6cdffed75844031b1

Filesize: 6KB
MD5: 12da1485b90428f63f89773072d9fc08
SHA1: 165be9bd02b340d3e49136b5fd12beafc09d9d56
SHA256: 1b18af35dfb8e48d6a081d5286efe1134da84acecc86d610be24fde8195c3155
SHA512: 3f0ef806eba7542ce2f56216a11aa78b4e722e2035482e6a8b15a3a5b3dfa301d49470f7f88e352014fa21e30121397cf55d0923772f084c318ac573fd236394

Filesize: 16KB
MD5: 6fcbd1856adf797bf146b8b57932523c
SHA1: 6cbff00f6a4279f01937cbed5985b74c06bade6e
SHA256: 620e25085318170046dc69e412a31315a45f25e513678d50ae9289a5a15b24fc
SHA512: 6e51f42015b6dfd9fd575c2619ff3136daad84cdab8e085c3c70afb6c4d5aedabe4304d5304657ee17f162eef55d7c64293a4dc216f3559993d35f5bb9370f0a

Filesize: 257KB
MD5: 41fd5bfa79bc7cec425bc99225347057
SHA1: 9a2919b474aff4d6f827d8509b655f14577db733
SHA256: 214a82e15e703fcfec88e6a0b5bbf410a9adec04cc7d1b3864697cba2a060d6a
SHA512: fde049bc08462907660005fca697c78653fd96c7318e296bbcb547205282c3812cc2dc6057a4c8cb1e0e94669c3acecc7f2a75bd790860d4706c95b02129946a

Filesize: 263KB
MD5: ed8f3a1a8695881fc4a7f3559049b82d
SHA1: 67079b73f445a82d7ff384b041884a938e96087c
SHA256: 6741fd5d8eadf23b8bb300f91b5157a4d5cc638c148b9154810e0cbf7e7e5c69
SHA512: 60e0156ca43d44557d36cd7938e22696fc168290d01880487e797ccc8d3baaf29b3aa4b926a462b8d07df9828a335f50ebc210d44203f4c3f897b36659cafa15

Filesize: 262KB
MD5: 1640eec85369a2c588a33e35b8dd3287
SHA1: 2e0eadc2ce52790a26b0a5bc400ca5e1e983d1cc
SHA256: 305a1cf9987da904e8be0a44f93b5ba039f008fd2e7839e8826c8be49a85b813
SHA512: 2c31714fc3ebbe6299f64618db10217f63e80e8df9523a3949148f4c5e609f843f1214e7f693376428e5bc5745876349d8baf09d8e6690049c5a66099eedafb2

Filesize: 86KB
MD5: 98ca1f3aacb786b24cfd27fd3dc8242a
SHA1: eea22ce036496ed23120ae07e8bf776a385b0400
SHA256: 0e68b7e1ef20b1794ba67f483947565c204c021106d0d4c1eade80447200c142
SHA512: 3b8e90ff7955efdc373f10487a0e71f369026c9e2df90053efa412b201deeddc047c5df12f101257c1008d5cc7815c58331c9513802955f5556717affe6bdce2

Filesize: 83KB
MD5: c53db6bcf44bc1ed853f420aaf5e8b4e
SHA1: 387f9deb6fbfb1b0937bffe9eef750dc918431a5
SHA256: 7b2e1c0e600b9a849426c8e5d300abe72ac2795b3a1d0ff9050c34623e85c382
SHA512: 730db9ccfa356c0eb6c359c0d5aefdee7a99c22c69600f825c494fd4e6bf3935a86d3d4ae8c6d6fd29569f688c4863c3daed8ea6ad6f56c862dfcd984e33a0f2

Filesize: 2KB
MD5: 627073ee3ca9676911bee35548eff2b8
SHA1: 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256: 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512: 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Filesize: 944B
MD5: 2e8eb51096d6f6781456fef7df731d97
SHA1: ec2aaf851a618fb43c3d040a13a71997c25bda43
SHA256: 96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864
SHA512: 0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Filesize: 944B
MD5: 050567a067ffea4eb40fe2eefebdc1ee
SHA1: 6e1fb2c7a7976e0724c532449e97722787a00fec
SHA256: 3952d5b543e5cb0cb84014f4ad9f5f1b7166f592d28640cbc3d914d0e6f41d2e
SHA512: 341ad71ef7e850b10e229666312e4bca87a0ed9fe25ba4b0ab65661d5a0efa855db0592153106da07134d8fc2c6c0e44709bf38183c9a574a1fa543189971259

Filesize: 944B
MD5: 80707036df540b6657f9d443b449e3c3
SHA1: b3e7d5d97274942164bf93c8c4b8a9b68713f46f
SHA256: 6651e5f976619cef991deef61776cf43d4c4b3d7c551dd2192b647df71586ab0
SHA512: 65e41e9e730fed4f7a7d3f6f35875a16948b897f87c8c70b371fd0ac7f0951814f6a75e7698665194bbc65a3665a684e7be229e7e24193b50483ae7e55eebf4f

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 5.6MB
MD5: 8235f398b63cb2b0926edf528a56ad35
SHA1: 668ff71112d6bf289b70659d063d524481c19b0f
SHA256: 0091be76fcfaadfb4d45f22ce3cb5189fd919ee89cfb901c9eed7f6a6aa61c6a
SHA512: 51cf7794ea120ebaad6d53b2722f35e57b1d28b5365e53a74d945f45d180d6a5bfe3b27f963485c53079103947e552c88631485ba49a160a4b09c9afd4a66674
Filesize: 0B (these are the well-known digests of an empty file)
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e