Analysis
- max time kernel: 86s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 14/06/2024, 17:27
Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Win32.Evo-gen.23207.8804.exe
Resource: win7-20240221-en
General
- Target: SecuriteInfo.com.Win32.Evo-gen.23207.8804.exe
- Size: 1.8MB
- MD5: fc8b4ad76d2b7b814f6fcaeed5d0af75
- SHA1: b14cd344e70a5fec100925d32d08399671e4f434
- SHA256: 022c76f26770e2686b68a68ee6ed32d35d336308de995473d70c04f1ac6f83d2
- SHA512: 51743bf2bd10a993c9e097e19cb7f325483503b309a699be1b9e6686aeea77e987dcbedfee58ca3abf8b61b4410b71c0d9f73ae89d2603edd125f85465257347
- SSDEEP: 49152:z32SkrBRq+zNtYu3/UOXTqPsVNEYlv4jWBHSsY5B5AyZ:wrXtzL9vtqPuNEYliws
Malware Config
Extracted: amadey
- 4.21
- 0e6740
- http://147.45.47.155
- install_dir: 9217037dc9
- install_file: explortu.exe
- strings_key: 8e894a8a4a3d0da8924003a561cfb244
- url_paths: /ku4Nor9/index.php
Extracted: amadey
- 8254624243
- e76b71
- http://77.91.77.81
- install_dir: 8254624243
- install_file: axplong.exe
- strings_key: 90049e51fabf09df0d6748e0b271922e
- url_paths: /Kiru9gu/index.php
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 4 IoCs)
  description / ioc / process:
  - Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (SecuriteInfo.com.Win32.Evo-gen.23207.8804.exe)
  - Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (explortu.exe)
  - Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (f7bbf675c2.exe)
  - Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (axplong.exe)
- Downloads MZ/PE file
- Checks BIOS information in registry (2 TTPs, 8 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description / ioc / process:
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (SecuriteInfo.com.Win32.Evo-gen.23207.8804.exe)
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explortu.exe)
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (explortu.exe)
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (f7bbf675c2.exe)
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (f7bbf675c2.exe)
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (axplong.exe)
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (axplong.exe)
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (SecuriteInfo.com.Win32.Evo-gen.23207.8804.exe)
- Executes dropped EXE (6 IoCs)
  pid / process:
  - 2444 explortu.exe
  - 2676 explortu.exe
  - 1796 f7bbf675c2.exe
  - 2100 axplong.exe
  - 452 c364feecc2.exe
  - 1320 9c7dc8aef7.exe
- Identifies Wine through registry keys (2 TTPs, 4 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description / ioc / process:
  - Key opened \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Wine (SecuriteInfo.com.Win32.Evo-gen.23207.8804.exe)
  - Key opened \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Wine (explortu.exe)
  - Key opened \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Wine (f7bbf675c2.exe)
  - Key opened \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Wine (axplong.exe)
- Loads dropped DLL (6 IoCs)
  pid / process:
  - 2992 SecuriteInfo.com.Win32.Evo-gen.23207.8804.exe
  - 2444 explortu.exe
  - 2444 explortu.exe
  - 1796 f7bbf675c2.exe
  - 2444 explortu.exe
  - 2444 explortu.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description / ioc / process:
  - Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\c364feecc2.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\c364feecc2.exe" (explortu.exe)
- AutoIT Executable (1 IoC)
  AutoIT scripts compiled to PE executables.
  resource / yara_rule:
  - behavioral1/files/0x0006000000016c2e-106.dat autoit_exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (18 IoCs)
  pid / process:
  - 2992 SecuriteInfo.com.Win32.Evo-gen.23207.8804.exe
  - 2444 explortu.exe
  - 1796 f7bbf675c2.exe
  - 2100 axplong.exe
  - 2676 explortu.exe and 452 c364feecc2.exe (alternating, 7 entries each)
- Suspicious use of SetThreadContext (1 IoC)
  description / pid / process / procid_target:
  - PID 2444 set thread context of 2676 (2444 explortu.exe, target 29)
- Drops file in Windows directory (2 IoCs)
  description / ioc / process:
  - File created C:\Windows\Tasks\explortu.job (SecuriteInfo.com.Win32.Evo-gen.23207.8804.exe)
  - File created C:\Windows\Tasks\axplong.job (f7bbf675c2.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description / ioc / process:
  - Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid / process:
  - 2992 SecuriteInfo.com.Win32.Evo-gen.23207.8804.exe
  - 2444 explortu.exe
  - 1796 f7bbf675c2.exe
  - 2100 axplong.exe
  - 2860 chrome.exe
  - 2860 chrome.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description / pid / process:
  - Token: SeShutdownPrivilege, 2860 chrome.exe (all 64 entries are identical)
- Suspicious use of FindShellTrayWindow (64 IoCs)
  pid / process (64 entries in total; 1320 and 2860 recur many times):
  - 2992 SecuriteInfo.com.Win32.Evo-gen.23207.8804.exe
  - 1796 f7bbf675c2.exe
  - 1320 9c7dc8aef7.exe
  - 2860 chrome.exe
- Suspicious use of SendNotifyMessage (64 IoCs)
  pid / process (64 entries in total, both PIDs recurring):
  - 1320 9c7dc8aef7.exe
  - 2860 chrome.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid / process:
  - 2676 explortu.exe
  - 452 c364feecc2.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description / pid / process / procid_target (repeated entries grouped with their count):
  - PID 2992 wrote to memory of 2444 (2992 SecuriteInfo.com.Win32.Evo-gen.23207.8804.exe, target 28) x4
  - PID 2444 wrote to memory of 2676 (2444 explortu.exe, target 29) x12
  - PID 2444 wrote to memory of 1796 (2444 explortu.exe, target 31) x4
  - PID 1796 wrote to memory of 2100 (1796 f7bbf675c2.exe, target 32) x4
  - PID 2444 wrote to memory of 452 (2444 explortu.exe, target 34) x4
  - PID 2444 wrote to memory of 1320 (2444 explortu.exe, target 35) x4
  - PID 1320 wrote to memory of 2860 (1320 9c7dc8aef7.exe, target 36) x4
  - PID 2860 wrote to memory of 320 (2860 chrome.exe, target 37) x3
  - PID 2860 wrote to memory of 1444 (2860 chrome.exe, target 39) x25
Processes
- "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Evo-gen.23207.8804.exe" (depth 1, PID 2992)
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe" (depth 2, PID 2444)
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe" (depth 3, PID 2676)
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetWindowsHookEx
    - "C:\Users\Admin\1000015002\f7bbf675c2.exe" (depth 3, PID 1796)
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      - "C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe" (depth 4, PID 2100)
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses
    - "C:\Users\Admin\AppData\Local\Temp\1000016001\c364feecc2.exe" (depth 3, PID 452)
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetWindowsHookEx
    - "C:\Users\Admin\AppData\Local\Temp\1000017001\9c7dc8aef7.exe" (depth 3, PID 1320)
      - Executes dropped EXE
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      - "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account (depth 4, PID 2860)
        - Enumerates system info in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7849758,0x7fef7849768,0x7fef7849778 (depth 5, PID 320)
        - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1116 --field-trial-handle=1380,i,7551658881780452889,14736804658120396563,131072 /prefetch:2 (depth 5, PID 1444)
        - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1524 --field-trial-handle=1380,i,7551658881780452889,14736804658120396563,131072 /prefetch:8 (depth 5, PID 1564)
        - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1596 --field-trial-handle=1380,i,7551658881780452889,14736804658120396563,131072 /prefetch:8 (depth 5, PID 2300)
        - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1300 --field-trial-handle=1380,i,7551658881780452889,14736804658120396563,131072 /prefetch:1 (depth 5, PID 1956)
        - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2276 --field-trial-handle=1380,i,7551658881780452889,14736804658120396563,131072 /prefetch:1 (depth 5, PID 2528)
        - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1600 --field-trial-handle=1380,i,7551658881780452889,14736804658120396563,131072 /prefetch:2 (depth 5, PID 2480)
        - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2256 --field-trial-handle=1380,i,7551658881780452889,14736804658120396563,131072 /prefetch:1 (depth 5, PID 1332)
        - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=2612 --field-trial-handle=1380,i,7551658881780452889,14736804658120396563,131072 /prefetch:1 (depth 5, PID 2008)
        - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2684 --field-trial-handle=1380,i,7551658881780452889,14736804658120396563,131072 /prefetch:8 (depth 5, PID 380)
        - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4024 --field-trial-handle=1380,i,7551658881780452889,14736804658120396563,131072 /prefetch:8 (depth 5, PID 1972)
- "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe" (depth 1, PID 2764)
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize 1.8MB
  MD5 968738b2e2195b1832c22111707056c9
  SHA1 5eaf65e358cbd03037a013d66d0d5cd9a5b4a814
  SHA256 1d3c0765dcb4126631f69596b257a2348f069b4ed94e4236c0b7eeb7ad036e88
  SHA512 be5f86b39316ff6b5ddfdb4cb4ad7793b1f47db3af314c2d28fe1f9245adf67da6905b4d8367b8b3cafc06a843a0925477800bb0bafa7fd1b2c9b97c53aadc23
- Filesize 264KB
  MD5 f50f89a0a91564d0b8a211f8921aa7de
  SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
  SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
  SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
- Filesize 16B
  MD5 aefd77f47fb84fae5ea194496b44c67a
  SHA1 dcfbb6a5b8d05662c4858664f81693bb7f803b82
  SHA256 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
  SHA512 b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3
- Filesize 523B
  MD5 58686704a5a959a7b482e8677954605a
  SHA1 8666360840a74dce10424d31ecfd6b5e4d9f529e
  SHA256 7b11e2886256553d8999651fd8321b452641a12cb541eaea64af6bf592ecba47
  SHA512 31a9ca5fe898a274df47fc6a2dcf0b2ccca127a457c29b7aa698f0bd1e390413e942c9c565588d5b50c247f97ae1822a81938981850f93f0c6a7549bdb7a9cb6
- Filesize 6KB
  MD5 f8cd21b4b1209ef5271ac78602885f02
  SHA1 d297ccc21b0e252c2436c599abcaab37c83e7273
  SHA256 f9d1e4c054be2a1476c1fde5641c47769442bd1cf63e08a15142a6bca62eac2a
  SHA512 cbe6a1c91085803c5e6660a0b19a90f267d892c83cf6d71d1fbae6ac74207b818f3364cfa2ada9e5bd1f4e1baa3d2e1490567eb55badeb2e794c6bf289046bd7
- Filesize 6KB
  MD5 2fd819f920d619fb5b627436a9583b50
  SHA1 69ae89d23b40cd4fd2f5117a244b5e814c723da3
  SHA256 aad38b9413e11336376f9885936214129586b175010f1f642b5cc772da5080a8
  SHA512 f00851ebeac1c85f3fe05df774e2bde8df8b9bb476ccf4bca788f6688d4b93b18cd2af93248e5dcfb31ddf7cfc75022bb6b072b867ce9dd0763b2eea39ed00c2
- Filesize 16B
  MD5 18e723571b00fb1694a3bad6c78e4054
  SHA1 afcc0ef32d46fe59e0483f9a3c891d3034d12f32
  SHA256 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
  SHA512 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2
- Filesize 1.3MB
  MD5 4df1cfc527e6d3c41e55d9cd3875da91
  SHA1 4fbf821677e89092fc9fca187156567400eb58ef
  SHA256 9ef03efe91ce1703bc8ac3e00e66b1df1fe7c2c3b16a749c4b368880a497716d
  SHA512 5d097db08305c218b9479aa75980d97d08adf9bd80f45cf9048d3e3e1ac8aa07e0083c649c033546cf462351628ac6ae16338b316c3a9a14c9c59d1f132c5851
- Filesize 1.1MB
  MD5 7bfabd6b6e6aa0215774178186b74bff
  SHA1 47a69bda96fbda42a396a5dfbd3faf4d8d4e5a42
  SHA256 b21d08aadf56a468e46a9885d7f2eced32779342c2eaa431cef72c0fd72284ab
  SHA512 c2fbe8241dbf05c13b739744ea94af7583ee2fbd945dd8b860745b0da21fe8480bb815f2d67ae07fbe85b4a2f8bff319bc48b6ad9c628b4e4675a892029efc9b
- Filesize 14B
  MD5 d16e380c392f995d9bef5c264f468a7b
  SHA1 840a457c43a7c92110cb533b3e404087c8256fef
  SHA256 9df91c0bef23625cbb6a6f5989b2db45c7129b86c51a4837e4403c28b3e0c86d
  SHA512 9e74a5e3e7c0793093db9e3b64b6d0e14de37a62dc1b09673dbab3346ee737c7b6313d2749e4508b26a4d7851de860fb4a81083b4cdce5be785d42b93f0aae70
- Filesize 1.8MB
  MD5 fc8b4ad76d2b7b814f6fcaeed5d0af75
  SHA1 b14cd344e70a5fec100925d32d08399671e4f434
  SHA256 022c76f26770e2686b68a68ee6ed32d35d336308de995473d70c04f1ac6f83d2
  SHA512 51743bf2bd10a993c9e097e19cb7f325483503b309a699be1b9e6686aeea77e987dcbedfee58ca3abf8b61b4410b71c0d9f73ae89d2603edd125f85465257347