Analysis
max time kernel: 130s
max time network: 150s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 04-07-2024 01:49
Static task: static1
Behavioral task: behavioral1
Sample: 9a501e3c19a488ab6672598e26af59a019c471aaf67adcd1dba4734d7a2b9e48.exe
Resource: win7-20240508-en
General
Target: 9a501e3c19a488ab6672598e26af59a019c471aaf67adcd1dba4734d7a2b9e48.exe
Size: 2.4MB
MD5: 05dda1c444fe4feda4771f75598d55d7
SHA1: 3369deefd76ea12c621aad635547be857720d7d8
SHA256: 9a501e3c19a488ab6672598e26af59a019c471aaf67adcd1dba4734d7a2b9e48
SHA512: 01c7897fa5995332c466035f62e45faf12ff0cead90655df53c0b493833656c177b53594a0d8300c792fc43d2f6daa577e3f949f6e9118c950472d1a85ac6160
SSDEEP: 49152:rLZkC1yr3UfAdY31fHI7/IBIf0qHKSrynh7ncz9g+rVbKE6psgHC3:HZkC1OUS2ZowBWpBrIcCpsoC
Malware Config
Extracted
Family: stealc
Botnet: jony
C2: http://85.28.47.4
url_path: /920475a59bac849d.php

Extracted
Family: amadey
Version: 4.30
Botnet: 4dd39d
C2: http://77.91.77.82
install_dir: ad40971b6b
install_file: explorti.exe
strings_key: a434973ad22def7137dbb5e059b7081e
url_paths: /Hun4Ko/index.php
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes: CAAKKFHCFI.exe, explorti.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | CAAKKFHCFI.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorti.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: CAAKKFHCFI.exe, explorti.exe
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | CAAKKFHCFI.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | CAAKKFHCFI.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorti.exe

Executes dropped EXE 3 IoCs
Processes: CAAKKFHCFI.exe, explorti.exe, cb02199efa.exe
pid | Process
2896 | CAAKKFHCFI.exe
1548 | explorti.exe
1096 | cb02199efa.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: CAAKKFHCFI.exe, explorti.exe
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Wine | CAAKKFHCFI.exe
Key opened | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Wine | explorti.exe

Loads dropped DLL 5 IoCs
Processes: 9a501e3c19a488ab6672598e26af59a019c471aaf67adcd1dba4734d7a2b9e48.exe, cmd.exe, CAAKKFHCFI.exe, explorti.exe
pid | Process
2984 | 9a501e3c19a488ab6672598e26af59a019c471aaf67adcd1dba4734d7a2b9e48.exe
2984 | 9a501e3c19a488ab6672598e26af59a019c471aaf67adcd1dba4734d7a2b9e48.exe
2592 | cmd.exe
2896 | CAAKKFHCFI.exe
1548 | explorti.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/files/0x0006000000016d45-124.dat | autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes: 9a501e3c19a488ab6672598e26af59a019c471aaf67adcd1dba4734d7a2b9e48.exe, CAAKKFHCFI.exe, explorti.exe
pid | Process
2984 | 9a501e3c19a488ab6672598e26af59a019c471aaf67adcd1dba4734d7a2b9e48.exe
2896 | CAAKKFHCFI.exe
1548 | explorti.exe

Drops file in Windows directory 1 IoCs
Processes: CAAKKFHCFI.exe
description | ioc | Process
File created | C:\Windows\Tasks\explorti.job | CAAKKFHCFI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: 9a501e3c19a488ab6672598e26af59a019c471aaf67adcd1dba4734d7a2b9e48.exe
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 9a501e3c19a488ab6672598e26af59a019c471aaf67adcd1dba4734d7a2b9e48.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 9a501e3c19a488ab6672598e26af59a019c471aaf67adcd1dba4734d7a2b9e48.exe

Enumerates system info in registry 2 TTPs 3 IoCs
Processes: chrome.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes: 9a501e3c19a488ab6672598e26af59a019c471aaf67adcd1dba4734d7a2b9e48.exe, CAAKKFHCFI.exe, explorti.exe, chrome.exe
pid | Process
2984 | 9a501e3c19a488ab6672598e26af59a019c471aaf67adcd1dba4734d7a2b9e48.exe
2984 | 9a501e3c19a488ab6672598e26af59a019c471aaf67adcd1dba4734d7a2b9e48.exe
2896 | CAAKKFHCFI.exe
1548 | explorti.exe
800 | chrome.exe
800 | chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: chrome.exe
description | pid | Process
Token: SeShutdownPrivilege | 800 | chrome.exe (all 64 listed entries are identical)

Suspicious use of FindShellTrayWindow 64 IoCs
Processes: CAAKKFHCFI.exe, cb02199efa.exe, chrome.exe
pid | Process (64 listed entries; the distinct rows, each repeated many times except the first)
2896 | CAAKKFHCFI.exe
1096 | cb02199efa.exe
800 | chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs
Processes: cb02199efa.exe, chrome.exe
pid | Process (64 listed entries; the distinct rows, each repeated many times)
1096 | cb02199efa.exe
800 | chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs
Processes: 9a501e3c19a488ab6672598e26af59a019c471aaf67adcd1dba4734d7a2b9e48.exe
pid | Process
2984 | 9a501e3c19a488ab6672598e26af59a019c471aaf67adcd1dba4734d7a2b9e48.exe

Suspicious use of WriteProcessMemory 64 IoCs
Processes: 9a501e3c19a488ab6672598e26af59a019c471aaf67adcd1dba4734d7a2b9e48.exe, cmd.exe, CAAKKFHCFI.exe, explorti.exe, cb02199efa.exe, chrome.exe
description | pid | Process | procid_target (64 listed entries; the distinct rows below each repeat several times, the last one most often)
PID 2984 wrote to memory of 2592 | 2984 | 9a501e3c19a488ab6672598e26af59a019c471aaf67adcd1dba4734d7a2b9e48.exe | 29
PID 2984 wrote to memory of 2484 | 2984 | 9a501e3c19a488ab6672598e26af59a019c471aaf67adcd1dba4734d7a2b9e48.exe | 31
PID 2592 wrote to memory of 2896 | 2592 | cmd.exe | 33
PID 2896 wrote to memory of 1548 | 2896 | CAAKKFHCFI.exe | 34
PID 1548 wrote to memory of 1096 | 1548 | explorti.exe | 35
PID 1096 wrote to memory of 800 | 1096 | cb02199efa.exe | 36
PID 800 wrote to memory of 1420 | 800 | chrome.exe | 37
PID 800 wrote to memory of 1616 | 800 | chrome.exe | 39

Processes
C:\Users\Admin\AppData\Local\Temp\9a501e3c19a488ab6672598e26af59a019c471aaf67adcd1dba4734d7a2b9e48.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9a501e3c19a488ab6672598e26af59a019c471aaf67adcd1dba4734d7a2b9e48.exe"
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2984
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CAAKKFHCFI.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2592
    C:\Users\Admin\AppData\Local\Temp\CAAKKFHCFI.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\CAAKKFHCFI.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      PID: 2896
      C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Loads dropped DLL
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID: 1548
        C:\Users\Admin\AppData\Local\Temp\1000007001\cb02199efa.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\1000007001\cb02199efa.exe"
          - Executes dropped EXE
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory
          PID: 1096
          C:\Program Files\Google\Chrome\Application\chrome.exe
            Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
            - Enumerates system info in registry
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of WriteProcessMemory
            PID: 800
            C:\Program Files\Google\Chrome\Application\chrome.exe
              Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6f69758,0x7fef6f69768,0x7fef6f69778
              PID: 1420
            C:\Program Files\Google\Chrome\Application\chrome.exe
              Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1184 --field-trial-handle=1312,i,10208785073653443035,17958248920947140870,131072 /prefetch:2
              PID: 1616
            C:\Program Files\Google\Chrome\Application\chrome.exe
              Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1496 --field-trial-handle=1312,i,10208785073653443035,17958248920947140870,131072 /prefetch:8
              PID: 1664
            C:\Program Files\Google\Chrome\Application\chrome.exe
              Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1620 --field-trial-handle=1312,i,10208785073653443035,17958248920947140870,131072 /prefetch:8
              PID: 348
            C:\Program Files\Google\Chrome\Application\chrome.exe
              Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2276 --field-trial-handle=1312,i,10208785073653443035,17958248920947140870,131072 /prefetch:1
              PID: 2212
            C:\Program Files\Google\Chrome\Application\chrome.exe
              Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2280 --field-trial-handle=1312,i,10208785073653443035,17958248920947140870,131072 /prefetch:1
              PID: 2420
            C:\Program Files\Google\Chrome\Application\chrome.exe
              Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2644 --field-trial-handle=1312,i,10208785073653443035,17958248920947140870,131072 /prefetch:1
              PID: 3012
            C:\Program Files\Google\Chrome\Application\chrome.exe
              Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1576 --field-trial-handle=1312,i,10208785073653443035,17958248920947140870,131072 /prefetch:2
              PID: 760
            C:\Program Files\Google\Chrome\Application\chrome.exe
              Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3460 --field-trial-handle=1312,i,10208785073653443035,17958248920947140870,131072 /prefetch:8
              PID: 1968
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\KKJDGDHIDB.exe"
    PID: 2484
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  PID: 2696
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 264KB
MD5: f50f89a0a91564d0b8a211f8921aa7de
SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Filesize: 1KB
MD5: 54db59b55986b0943e6901f08a194425
SHA1: 7b03bbc396dd4632b8ac1b6db3ae98863c81df00
SHA256: ebfd4fb0d397c7671c29e3c36d15bddfe5abb59985a2506ddde524d1e8b37aa8
SHA512: 328ba28012b67d4a6acf5af01a718a56efa1aede4d0d3f3ce80d749e24b77f1f8c4375fe6045e14476a2a9cc1265869be5748fba868c44f74c929ecfeec15cef

Filesize: 6KB
MD5: 3f22e78ddd2b00531582f7d132f4578b
SHA1: a6482dc38f29851e466a4664ff2d38b43d335ae2
SHA256: eb38d2412ac9479fdb5a61f653ef6cf4de8836da93c419e231322c7a72909eaf
SHA512: c7cf3536c4701dd93170914213da36db73db28571486727d9b97aa9742264564d09d1f4af2ed17ad02462352ffe9dd2aa87aefabf69afa86b8d15394c3eefcee

Filesize: 6KB
MD5: 574199df84723c095c202fd7f587ba68
SHA1: f57d335d33a01fbffef5c90f2384d78e53874c6e
SHA256: 08eaa1416cffa9353fd24fdab30e0097f22db7a6e6548f468255511f8102340f
SHA512: 152239c76714dd05a45c2ee0f0deec803a1c7b6e7597a5239121de9254bda00aee4b7ce680f996a49af3b594fb6cfcf863b67c77a99e78ed10b80983171e05cc

Filesize: 16B
MD5: 18e723571b00fb1694a3bad6c78e4054
SHA1: afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA256: 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA512: 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Filesize: 1.1MB
MD5: 08adf93a86b983edaee843e01f85fddb
SHA1: 1647634a1bdf17e3944046992f03e52ccbbc9f7c
SHA256: 1ef265a69a824b0ad8781771c35265868c58e56264461d74e825ef473c57161e
SHA512: 60d37930bf6845cea06eaa3d7a48b97d17ff2b24cc8725814b4aae9ce2de2fd5964e690489b8e9f9126bb57b685191bb922640a4d6c123d9749845075224ae0e

Filesize: 1.8MB
MD5: d7695d73a7f4b98447dbebff21720788
SHA1: 38d17f524b7e0e4e15c03ab808ee79dff618e088
SHA256: a2af4191c71b061b4869588d8e64911f1934b784675fc40018ff40333fbd8540
SHA512: f7b5d31cbb5ef533392afc19e0364185bd14f8e1c1536f55d9a04e79ea8226b053e9c1529f4ebc22ccd6ea015efd793aa2fe6885c94716704b965d8a25a8bc5c

MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Filesize: 593KB
MD5: c8fd9be83bc728cc04beffafc2907fe9
SHA1: 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256: ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512: fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Filesize: 2.0MB
MD5: 1cc453cdf74f31e4d913ff9c10acdde2
SHA1: 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256: ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512: dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571