Analysis
- Max time kernel: 592s
- Max time network: 562s
- Platform: windows10-2004_x64
- Resource: win10v2004-20240508-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 18-06-2024 06:52
- Static task: static1
- URLScan task: urlscan1
- Behavioral task: behavioral1
  - Sample: https://cdn.discordapp.com/attachments/1232825231312420997/1252503669698728087/PO-_RFL059210.zip?ex=66727471&is=667122f1&hm=5e1872bc711cb3f4269d51a83c5656aebd9a7168ce54a54e950f88b01d30196f&
  - Resource: win10v2004-20240508-en
General
Malware Config

Extracted
- Protocol: ftp
- Host: ftp.skitz.com.ng
- Port: 21
- Username: [email protected]
- Password: Kosyano1@

Extracted (agenttesla)
- Protocol: ftp
- Host: ftp://ftp.skitz.com.ng
- Port: 21
- Username: [email protected]
- Password: Kosyano1@
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes:

| PID | Process |
|---|---|
| 5516 | powershell.exe |
| 2744 | powershell.exe |
| 744 | powershell.exe |
| 5636 | powershell.exe |
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
Processes:

| Description | IoC | Process |
|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | PO- RFL059210.exe |

Executes dropped EXE (4 IoCs)
Processes:

| PID | Process |
|---|---|
| 3068 | PO- RFL059210.exe |
| 868 | PO- RFL059210.exe |
| 5928 | PO- RFL059210.exe |
| 2976 | PO- RFL059210.exe |
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:

| Flow | IoC |
|---|---|
| 130 | api.ipify.org |
| 131 | ip-api.com |
| 148 | api.ipify.org |
| 129 | api.ipify.org |
Suspicious use of SetThreadContext (2 IoCs)
Processes:

| Description | PID | Process | Target process |
|---|---|---|---|
| PID 3464 set thread context of 5680 | 3464 | PO- RFL059210.exe | PO- RFL059210.exe |
| PID 3068 set thread context of 2976 | 3068 | PO- RFL059210.exe | PO- RFL059210.exe |

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:

| PID | Process |
|---|---|
| 4808 | schtasks.exe |
| 5180 | schtasks.exe |
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:

| Description | IoC | Process |
|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe |

Modifies data under HKEY_USERS (2 IoCs)
Processes:

| Description | IoC | Process |
|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133631671481969614" | chrome.exe |

Modifies registry class (1 IoC)
Processes:

| Description | IoC | Process |
|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | chrome.exe |
Suspicious behavior: EnumeratesProcesses (26 IoCs)
Processes:

| PID | Process |
|---|---|
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 2092 | chrome.exe |
| 2092 | chrome.exe |
| 5516 | powershell.exe |
| 5516 | powershell.exe |
| 5680 | PO- RFL059210.exe |
| 5680 | PO- RFL059210.exe |
| 5680 | PO- RFL059210.exe |
| 5636 | powershell.exe |
| 5636 | powershell.exe |
| 5636 | powershell.exe |
| 5516 | powershell.exe |
| 3068 | PO- RFL059210.exe |
| 3068 | PO- RFL059210.exe |
| 744 | powershell.exe |
| 744 | powershell.exe |
| 2744 | powershell.exe |
| 2744 | powershell.exe |
| 3068 | PO- RFL059210.exe |
| 3068 | PO- RFL059210.exe |
| 2744 | powershell.exe |
| 744 | powershell.exe |
| 2976 | PO- RFL059210.exe |
| 2976 | PO- RFL059210.exe |
| 2976 | PO- RFL059210.exe |

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
Processes:

| PID | Process |
|---|---|
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:

| Description | PID | Process |
|---|---|---|
| Token: SeShutdownPrivilege | 4548 | chrome.exe |
| Token: SeCreatePagefilePrivilege | 4548 | chrome.exe |
| Token: SeShutdownPrivilege | 4548 | chrome.exe |
| Token: SeCreatePagefilePrivilege | 4548 | chrome.exe |
| Token: SeShutdownPrivilege | 4548 | chrome.exe |
| Token: SeCreatePagefilePrivilege | 4548 | chrome.exe |
| Token: SeShutdownPrivilege | 4548 | chrome.exe |
| Token: SeCreatePagefilePrivilege | 4548 | chrome.exe |
| Token: SeShutdownPrivilege | 4548 | chrome.exe |
| Token: SeCreatePagefilePrivilege | 4548 | chrome.exe |
| Token: SeShutdownPrivilege | 4548 | chrome.exe |
| Token: SeCreatePagefilePrivilege | 4548 | chrome.exe |
| Token: SeShutdownPrivilege | 4548 | chrome.exe |
| Token: SeCreatePagefilePrivilege | 4548 | chrome.exe |
| Token: SeShutdownPrivilege | 4548 | chrome.exe |
| Token: SeCreatePagefilePrivilege | 4548 | chrome.exe |
| Token: SeShutdownPrivilege | 4548 | chrome.exe |
| Token: SeCreatePagefilePrivilege | 4548 | chrome.exe |
| Token: SeShutdownPrivilege | 4548 | chrome.exe |
| Token: SeCreatePagefilePrivilege | 4548 | chrome.exe |
| Token: SeShutdownPrivilege | 4548 | chrome.exe |
| Token: SeCreatePagefilePrivilege | 4548 | chrome.exe |
| Token: SeShutdownPrivilege | 4548 | chrome.exe |
| Token: SeCreatePagefilePrivilege | 4548 | chrome.exe |
| Token: SeShutdownPrivilege | 4548 | chrome.exe |
| Token: SeCreatePagefilePrivilege | 4548 | chrome.exe |
| Token: SeShutdownPrivilege | 4548 | chrome.exe |
| Token: SeCreatePagefilePrivilege | 4548 | chrome.exe |
| Token: SeShutdownPrivilege | 4548 | chrome.exe |
| Token: SeCreatePagefilePrivilege | 4548 | chrome.exe |
| Token: SeShutdownPrivilege | 4548 | chrome.exe |
| Token: SeCreatePagefilePrivilege | 4548 | chrome.exe |
| Token: SeShutdownPrivilege | 4548 | chrome.exe |
| Token: SeCreatePagefilePrivilege | 4548 | chrome.exe |
| Token: SeShutdownPrivilege | 4548 | chrome.exe |
| Token: SeCreatePagefilePrivilege | 4548 | chrome.exe |
| Token: SeShutdownPrivilege | 4548 | chrome.exe |
| Token: SeCreatePagefilePrivilege | 4548 | chrome.exe |
| Token: SeShutdownPrivilege | 4548 | chrome.exe |
| Token: SeCreatePagefilePrivilege | 4548 | chrome.exe |
| Token: SeShutdownPrivilege | 4548 | chrome.exe |
| Token: SeCreatePagefilePrivilege | 4548 | chrome.exe |
| Token: SeShutdownPrivilege | 4548 | chrome.exe |
| Token: SeCreatePagefilePrivilege | 4548 | chrome.exe |
| Token: SeShutdownPrivilege | 4548 | chrome.exe |
| Token: SeCreatePagefilePrivilege | 4548 | chrome.exe |
| Token: SeShutdownPrivilege | 4548 | chrome.exe |
| Token: SeCreatePagefilePrivilege | 4548 | chrome.exe |
| Token: SeShutdownPrivilege | 4548 | chrome.exe |
| Token: SeCreatePagefilePrivilege | 4548 | chrome.exe |
| Token: SeShutdownPrivilege | 4548 | chrome.exe |
| Token: SeCreatePagefilePrivilege | 4548 | chrome.exe |
| Token: SeShutdownPrivilege | 4548 | chrome.exe |
| Token: SeCreatePagefilePrivilege | 4548 | chrome.exe |
| Token: SeShutdownPrivilege | 4548 | chrome.exe |
| Token: SeCreatePagefilePrivilege | 4548 | chrome.exe |
| Token: SeShutdownPrivilege | 4548 | chrome.exe |
| Token: SeCreatePagefilePrivilege | 4548 | chrome.exe |
| Token: SeShutdownPrivilege | 4548 | chrome.exe |
| Token: SeCreatePagefilePrivilege | 4548 | chrome.exe |
| Token: SeShutdownPrivilege | 4548 | chrome.exe |
| Token: SeCreatePagefilePrivilege | 4548 | chrome.exe |
| Token: SeShutdownPrivilege | 4548 | chrome.exe |
| Token: SeCreatePagefilePrivilege | 4548 | chrome.exe |
Suspicious use of FindShellTrayWindow (36 IoCs)
Processes:

| PID | Process |
|---|---|
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 2300 | 7zG.exe |

Suspicious use of SendNotifyMessage (26 IoCs)
Processes:

| PID | Process |
|---|---|
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |
| 4548 | chrome.exe |

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:

| PID | Process |
|---|---|
| 5680 | PO- RFL059210.exe |
| 2976 | PO- RFL059210.exe |
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:

| Description | PID | Process | Target process |
|---|---|---|---|
| PID 4548 wrote to memory of 1784 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 1784 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4156 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4156 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4156 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4156 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4156 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4156 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4156 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4156 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4156 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4156 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4156 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4156 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4156 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4156 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4156 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4156 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4156 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4156 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4156 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4156 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4156 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4156 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4156 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4156 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4156 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4156 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4156 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4156 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4156 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4156 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4156 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 2208 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 2208 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4684 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4684 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4684 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4684 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4684 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4684 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4684 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4684 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4684 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4684 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4684 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4684 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4684 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4684 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4684 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4684 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4684 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4684 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4684 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4684 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4684 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4684 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4684 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4684 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4684 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4684 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4684 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4684 | 4548 | chrome.exe | chrome.exe |
| PID 4548 wrote to memory of 4684 | 4548 | chrome.exe | chrome.exe |
Processes
- C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4548)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.discordapp.com/attachments/1232825231312420997/1252503669698728087/PO-_RFL059210.zip?ex=66727471&is=667122f1&hm=5e1872bc711cb3f4269d51a83c5656aebd9a7168ce54a54e950f88b01d30196f&
  Signatures: Enumerates system info in registry; Modifies data under HKEY_USERS; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1784)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcd330ab58,0x7ffcd330ab68,0x7ffcd330ab78
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4156)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1604 --field-trial-handle=1824,i,13763062389787673213,12723734151104595574,131072 /prefetch:2
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2208)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1824,i,13763062389787673213,12723734151104595574,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4684)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2184 --field-trial-handle=1824,i,13763062389787673213,12723734151104595574,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3828)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1824,i,13763062389787673213,12723734151104595574,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4956)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3068 --field-trial-handle=1824,i,13763062389787673213,12723734151104595574,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1608)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4580 --field-trial-handle=1824,i,13763062389787673213,12723734151104595574,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4060)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4824 --field-trial-handle=1824,i,13763062389787673213,12723734151104595574,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4960)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4932 --field-trial-handle=1824,i,13763062389787673213,12723734151104595574,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4888)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5032 --field-trial-handle=1824,i,13763062389787673213,12723734151104595574,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3736)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4684 --field-trial-handle=1824,i,13763062389787673213,12723734151104595574,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4532)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5164 --field-trial-handle=1824,i,13763062389787673213,12723734151104595574,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1076)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5292 --field-trial-handle=1824,i,13763062389787673213,12723734151104595574,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1040)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5448 --field-trial-handle=1824,i,13763062389787673213,12723734151104595574,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5336)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4852 --field-trial-handle=1824,i,13763062389787673213,12723734151104595574,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5832)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=2760 --field-trial-handle=1824,i,13763062389787673213,12723734151104595574,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 6028)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3232 --field-trial-handle=1824,i,13763062389787673213,12723734151104595574,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5312)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3888 --field-trial-handle=1824,i,13763062389787673213,12723734151104595574,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1068)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4412 --field-trial-handle=1824,i,13763062389787673213,12723734151104595574,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2092)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3176 --field-trial-handle=1824,i,13763062389787673213,12723734151104595574,131072 /prefetch:2
    Signatures: Suspicious behavior: EnumeratesProcesses

- C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe (PID 3964)
  Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4428)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4256,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=1304 /prefetch:8

- C:\Windows\System32\rundll32.exe (PID 3412)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

- C:\Users\Admin\AppData\Local\Temp\Temp1_PO-_RFL059210.zip\PO- RFL059210.exe (PID 3464)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Temp1_PO-_RFL059210.zip\PO- RFL059210.exe"
  Signatures: Suspicious use of SetThreadContext
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 5636)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Temp1_PO-_RFL059210.zip\PO- RFL059210.exe"
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 5516)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\boGqOzICn.exe"
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\schtasks.exe (PID 4808)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\boGqOzICn" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4EC8.tmp"
    Signatures: Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Temp1_PO-_RFL059210.zip\PO- RFL059210.exe (PID 5680)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Temp1_PO-_RFL059210.zip\PO- RFL059210.exe"
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx

- C:\Program Files\7-Zip\7zG.exe (PID 2300)
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\PO-_RFL059210\" -spe -an -ai#7zMap24235:88:7zEvent4481
  Signatures: Suspicious use of FindShellTrayWindow

- C:\Users\Admin\Downloads\PO-_RFL059210\PO- RFL059210.exe (PID 3068)
  Command line: "C:\Users\Admin\Downloads\PO-_RFL059210\PO- RFL059210.exe"
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2744)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads\PO-_RFL059210\PO- RFL059210.exe"
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 744)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\boGqOzICn.exe"
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\schtasks.exe (PID 5180)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\boGqOzICn" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB17A.tmp"
    Signatures: Creates scheduled task(s)
  - C:\Users\Admin\Downloads\PO-_RFL059210\PO- RFL059210.exe (PID 868)
    Command line: "C:\Users\Admin\Downloads\PO-_RFL059210\PO- RFL059210.exe"
    Signatures: Executes dropped EXE
  - C:\Users\Admin\Downloads\PO-_RFL059210\PO- RFL059210.exe (PID 5928)
    Command line: "C:\Users\Admin\Downloads\PO-_RFL059210\PO- RFL059210.exe"
    Signatures: Executes dropped EXE
  - C:\Users\Admin\Downloads\PO-_RFL059210\PO- RFL059210.exe (PID 2976)
    Command line: "C:\Users\Admin\Downloads\PO-_RFL059210\PO- RFL059210.exe"
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx

- C:\Windows\system32\svchost.exe (PID 5432)
  Command line: C:\Windows\system32\svchost.exe -k SDRSVC

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2724)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1392,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=3992 /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads