Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows11-21h2_x64
- resource: win11-20240709-en
- resource tags: arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 18-07-2024 10:00
Behavioral task
- behavioral1
- Sample: nursultan alpha.exe
- Resource: win11-20240709-en
General
- Target: nursultan alpha.exe
- Size: 2.1MB
- MD5: 5a7e4da699bce68005b413cdd318e9de
- SHA1: cee6614980f50810d19c3c18d242d97400078a75
- SHA256: b27372b955d8e6cf46a3d36826511468504f8d58b5f24720351bf85f123cfea5
- SHA512: 7dafdd1ba9941b2f332f596ceefb6e9e07768f63586a4a21b4a31bbe66b890e62935a38e82a7665b1154c66fe015b4ff68144885389fdc4318670f8c878cad3c
- SSDEEP: 49152:UbA30/p0cfOZx9yRLMjyDYfG0TssZGe4lbY:UbTbfO40r3TssTgY
Malware Config
Signatures
- DcRat
  DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Process spawned unexpected child process (12 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (description | pid | pid_target | process):
    Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4344 | 228 | schtasks.exe
    Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3132 | 228 | schtasks.exe
    Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 464 | 228 | schtasks.exe
    Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4880 | 228 | schtasks.exe
    Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4404 | 228 | schtasks.exe
    Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1836 | 228 | schtasks.exe
    Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4836 | 228 | schtasks.exe
    Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4912 | 228 | schtasks.exe
    Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2000 | 228 | schtasks.exe
    Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3636 | 228 | schtasks.exe
    Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2108 | 228 | schtasks.exe
    Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3300 | 228 | schtasks.exe
- YARA rule matches
  Processes (resource | yara_rule):
    C:\AgentDriversavesrefmonitor\browserFontdll.exe | dcrat
    behavioral1/memory/3824-17-0x0000000000400000-0x00000000005D8000-memory.dmp | dcrat
- Executes dropped EXE (2 IoCs)
  Processes (pid | process):
    3824 | browserFontdll.exe
    676 | sysmon.exe
- Drops file in Windows directory (1 IoCs)
  Processes (description | ioc | process):
    File opened for modification | C:\Windows\SystemTemp | chrome.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
- Modifies data under HKEY_USERS (2 IoCs)
  Processes (description | ioc | process):
    Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
    Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133657704779371208" | chrome.exe
- Modifies registry class (2 IoCs)
  Processes (description | ioc | process):
    Key created | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings | nursultan alpha.exe
    Key created | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings | browserFontdll.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 12 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes (pid | process):
    2108 | schtasks.exe
    3300 | schtasks.exe
    3132 | schtasks.exe
    4404 | schtasks.exe
    1836 | schtasks.exe
    3636 | schtasks.exe
    4912 | schtasks.exe
    2000 | schtasks.exe
    4344 | schtasks.exe
    464 | schtasks.exe
    4880 | schtasks.exe
    4836 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (24 IoCs)
  Processes (pid | process):
    3824 | browserFontdll.exe (9 entries)
    676 | sysmon.exe (9 entries)
    896 | chrome.exe (2 entries)
    1904 | chrome.exe (4 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes (pid | process):
    676 | sysmon.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
  Processes (pid | process):
    896 | chrome.exe (3 entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 3824 | browserFontdll.exe
    Token: SeDebugPrivilege | 676 | sysmon.exe
    Token: SeShutdownPrivilege | 896 | chrome.exe
    Token: SeCreatePagefilePrivilege | 896 | chrome.exe
    (the two chrome.exe rows alternate for the remaining 62 entries)
- Suspicious use of FindShellTrayWindow (34 IoCs)
  Processes (pid | process):
    896 | chrome.exe (34 entries)
- Suspicious use of SendNotifyMessage (16 IoCs)
  Processes (pid | process):
    896 | chrome.exe (16 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description | pid | process | target process):
    PID 1396 wrote to memory of 2888 | 1396 | nursultan alpha.exe | WScript.exe (3 entries)
    PID 1396 wrote to memory of 3852 | 1396 | nursultan alpha.exe | WScript.exe (3 entries)
    PID 2888 wrote to memory of 3004 | 2888 | WScript.exe | cmd.exe (3 entries)
    PID 3004 wrote to memory of 3824 | 3004 | cmd.exe | browserFontdll.exe (2 entries)
    PID 3824 wrote to memory of 4596 | 3824 | browserFontdll.exe | cmd.exe (2 entries)
    PID 4596 wrote to memory of 4284 | 4596 | cmd.exe | w32tm.exe (2 entries)
    PID 4596 wrote to memory of 676 | 4596 | cmd.exe | sysmon.exe (2 entries)
    PID 896 wrote to memory of 3268 | 896 | chrome.exe | chrome.exe (2 entries)
    PID 896 wrote to memory of 488 | 896 | chrome.exe | chrome.exe (30 entries)
    PID 896 wrote to memory of 3332 | 896 | chrome.exe | chrome.exe (2 entries)
    PID 896 wrote to memory of 2708 | 896 | chrome.exe | chrome.exe (13 entries)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(child processes are indented under their parent)
- C:\Users\Admin\AppData\Local\Temp\nursultan alpha.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\nursultan alpha.exe"
  PID: 1396
  Signatures: Modifies registry class; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\AgentDriversavesrefmonitor\cN02MCsoKlkD.vbe"
    PID: 2888
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\AgentDriversavesrefmonitor\KXGsF5yeLPYE.bat" "
      PID: 3004
      Signatures: Suspicious use of WriteProcessMemory
      - C:\AgentDriversavesrefmonitor\browserFontdll.exe
        Command line: "C:\AgentDriversavesrefmonitor\browserFontdll.exe"
        PID: 3824
        Signatures: Executes dropped EXE; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Windows\System32\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HtOmJBUb95.bat"
          PID: 4596
          Signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\system32\w32tm.exe
            Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            PID: 4284
          - C:\Users\Default User\sysmon.exe
            Command line: "C:\Users\Default User\sysmon.exe"
            PID: 676
            Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\AgentDriversavesrefmonitor\file.vbs"
    PID: 3852
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\sysmon.exe'" /f
  PID: 4344
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default User\sysmon.exe'" /rl HIGHEST /f
  PID: 3132
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\sysmon.exe'" /rl HIGHEST /f
  PID: 464
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\AgentDriversavesrefmonitor\spoolsv.exe'" /f
  PID: 4880
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\AgentDriversavesrefmonitor\spoolsv.exe'" /rl HIGHEST /f
  PID: 4404
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\AgentDriversavesrefmonitor\spoolsv.exe'" /rl HIGHEST /f
  PID: 1836
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
  PID: 4836
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
  PID: 4912
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
  PID: 2000
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\AgentDriversavesrefmonitor\fontdrvhost.exe'" /f
  PID: 3636
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\AgentDriversavesrefmonitor\fontdrvhost.exe'" /rl HIGHEST /f
  PID: 2108
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\AgentDriversavesrefmonitor\fontdrvhost.exe'" /rl HIGHEST /f
  PID: 3300
  Signatures: Process spawned unexpected child process; Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
  PID: 3048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  PID: 896
  Signatures: Drops file in Windows directory; Enumerates system info in registry; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8193fcc40,0x7ff8193fcc4c,0x7ff8193fcc58
    PID: 3268
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1952,i,6762704712696002863,998027752371499797,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=1948 /prefetch:2
    PID: 488
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1752,i,6762704712696002863,998027752371499797,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2080 /prefetch:3
    PID: 3332
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2216,i,6762704712696002863,998027752371499797,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2392 /prefetch:8
    PID: 2708
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,6762704712696002863,998027752371499797,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3092 /prefetch:1
    PID: 1804
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3112,i,6762704712696002863,998027752371499797,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3300 /prefetch:1
    PID: 4600
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3516,i,6762704712696002863,998027752371499797,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4432 /prefetch:1
    PID: 692
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4744,i,6762704712696002863,998027752371499797,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4784 /prefetch:8
    PID: 3460
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4824,i,6762704712696002863,998027752371499797,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4820 /prefetch:8
    PID: 4964
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5088,i,6762704712696002863,998027752371499797,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4268 /prefetch:8
    PID: 1904
    Signatures: Suspicious behavior: EnumeratesProcesses
- C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
  PID: 4736
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
  PID: 3956
- C:\Windows\System32\DataExchangeHost.exe
  Command line: C:\Windows\System32\DataExchangeHost.exe -Embedding
  PID: 2768
- C:\Windows\System32\DataExchangeHost.exe
  Command line: C:\Windows\System32\DataExchangeHost.exe -Embedding
  PID: 32
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 1332
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 50B
  MD5: fdee2979f8de0e9a4a11bfecb268b97a
  SHA1: 2cdf74132e975745894a81db47814ff38e43a71c
  SHA256: 9bf130c323cb7fee0ab32dfdd9e4065ede767babd5f763e96ebbe5f09f577028
  SHA512: 281be0377447c63debf6d35b52a21c9b193ada7b9c153685cf99963d31dcff89070f167477be99f5fd959be1894bd59725023c1b1c1f5078fadecade14ca7557
- Filesize: 1.8MB
  MD5: 692f6967406106fc784223f04ec69b8c
  SHA1: e6e174a86f9df6041a00d38f2b39506456f60602
  SHA256: 424468b014466c994112ec496e18fd5d7a693b28b411c0ca52229704cd2ef574
  SHA512: 14f14d50e76c2c179cb3c2b1ea1861fe0776b8eb7cb5798b277a1bf7fca2cd11e79a3355d28c36130deb4a916e462e314b38b346f7069ca86d765826ff14408f
- Filesize: 215B
  MD5: a732935b7511a789de0a7fe84b991d42
  SHA1: b99ae053d5df9684f12da7ad90e6e8a56c9d0b4e
  SHA256: b686a1c9ece16e8bf2e95a769128b30c047f14413dadddfc422f288dd6e8aa99
  SHA512: e9b249a2419e5dbdd0e9cfd238f1f6e1559bdd1efc0264d52b4f4bb5fa10b128138a54d2060cecab4f62f815fafc952329a1e8377b756fd8178e4f41d87273d1
- Filesize: 34B
  MD5: 677cc4360477c72cb0ce00406a949c61
  SHA1: b679e8c3427f6c5fc47c8ac46cd0e56c9424de05
  SHA256: f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b
  SHA512: 7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a
- Filesize: 649B
  MD5: 478d3edeb0c728356a3519a1afdf597a
  SHA1: 0b33447cd1b1bd1b6d4b5d1334558f448f7b62b2
  SHA256: 25123c8ab67616853daf1e06713e04c4d72fa44b90db6b3cf7efc52dc2fa4feb
  SHA512: 92bfb1ddbf903bdcc47db6dfaf92c49ab2c50f2fd09347e052bd80f5f22b26718fcd58d8149729d6cf46de72481dd6ad7764fd696f186c9f1e2370c8d8108fe8
- Filesize: 1KB
  MD5: 30a73516efb330f2db2803d8d068785e
  SHA1: 7e097cbd815ebee0e8eb93bb9ee1398060dd39c1
  SHA256: 7a86607cbc764505ceb637fd44782f57c4933422a25c85a453b1ab6d3f46ef73
  SHA512: 90ac92bec8e87bd17078d99bf2414466c1a641f50a0e90825e40c7737747eb32645a1e0bec7890fe63dbd4fb36bd653cd644abc471255b5d431e1d2ca181e61b
- Filesize: 2B
  MD5: d751713988987e9331980363e24189ce
  SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
  SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
  SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
- Filesize: 356B
  MD5: 0d07a10aa8b93566a430dac874131367
  SHA1: 7402ab93725ad41d29e7b5177994c205ec642aa5
  SHA256: 361d7d24937f674dfc37d57556aa98fef81c6f37c5b5eea97ca3d264cc006dc6
  SHA512: 36e1f8a174f17529d1e9f62f0f3a6c2ba07cadae15231b499fcbc7d4eb6b7ae9ae050d14249e304906d1405a345b6b9c4fe1362f8dcd49639cd440a77ce2e81f
- Filesize: 8KB
  MD5: 12d180afc4a16b740c31047c4c1d0fbe
  SHA1: a5017b458c370736d4a53cbb2a1557b1d80cbf9b
  SHA256: fd9ca022894150aad33a792aa7aae93c2caf36fbd052428950e6bdc6aa00e70f
  SHA512: 8c94bb9008b77630d5c1b55c58ecf751256cb46ad3f0a7b1cac7fd82beefc478f341f4c4ec86de1686d50c12c7ee45e0353eb29fafef00123dbb3ff4c1bfba64
- Filesize: 9KB
  MD5: 80433f6c2c311c6c3e8351337110c288
  SHA1: 51c8eabbca84802ba663873061a267f97a24e592
  SHA256: f07d519a8e158e94b3e23b8433f99a22b741f898ed28d239882f8f3a711d8b69
  SHA512: 754541d630e8193cf90f29a1e291253ce40f13ff57c32f3978523c87b69d6f047e3e051ba0c1fc2e3cadc9c30476b51a534c27954ae4fc83d68e3931292fda74
- Filesize: 9KB
  MD5: acb958483c98c9f281748550a00095a7
  SHA1: da4879a814a3697e6fdea1b094f781f3be42f46f
  SHA256: 385678eb7573b34b551900c4cfcbff0e73885403d64e3a634abac853c9b580ac
  SHA512: 1241afa7046ad094627ca6b55a676c5da87eeead57aff91c52dd02a2806af23fe0754955ca29bc0132738185732d29be3f5d1fc7b2dac08221838d3a42655469
- Filesize: 9KB
  MD5: 184d7eb1c4ea0009df5a57c40c90f91b
  SHA1: 8dc083b859ef8812e2fbb8599bfb7713b54b7484
  SHA256: 9733276f0ca8e1b06a03d9a802d9d35e61f637f2a215b344bea874549d77f051
  SHA512: e8d3eccde8e2f8deba88979e84bf9d2b9b1e7d720e8d3ac6034a754ca625fbcf2692fbb18377bd703f357ba090a0998bef032f3e0b91f4b03ba05ea270696dfe
- Filesize: 9KB
  MD5: 8347ff7b9de909d755d2adb261d30168
  SHA1: f83d720224c9da250d400c54142685de979fbe85
  SHA256: eefb332f34ffd8ded2eeb02e8a26784af578405d2e2462e034cd56417d38644a
  SHA512: 4100affa12942690f3a5d5ffae702b15dc75bdee7666063b8a54299168b4294110b1718f53188b67f90f134c9ffb14815a5f40a220972357324659afacafeb82
- Filesize: 9KB
  MD5: e1a8ffc7ab32ea1ac3161bca74481b8e
  SHA1: 32ab9b09a1b5cddcc177f5e1342d5fc86da05f82
  SHA256: c264e05d977a38dceec0f45b00463ab5f83c1cc92eb3cced5ddc8cdaee2960b1
  SHA512: 50f5600f0f01ceedf67639799e8b73f002e1cdadb4c865de15d6f4ad43fd26fada943b9527b8ec1b4ec2e4b8e3ab81b06b69eed11cc4770a0cb0f67722610198
- Filesize: 8KB
  MD5: e1dc8160fcefcfe270ff78ec6e17066d
  SHA1: d7d26b67bfd59438f2ec76c63f6702c207f38d84
  SHA256: a0db669b80e63fc5008b4a1f4424a74abf08ed2a46b53909771a8e2d472700d6
  SHA512: 222dd7c739e7cae853404ae0eb7157ff75de1c288be174b429d33ced30576e24c56be24aa72c85c82476c1d0eb6683b52fafbc8887f0507c98646e2a1d93b253
- Filesize: 9KB
  MD5: 85e36dcfe09bef3d25e1e8fc907dc59f
  SHA1: c8616521b3a5248b3cf22ef0a1897d2e1010ade9
  SHA256: bffaff64bb68f98dc1037ee841ce0ad1dad469ccbbc523092984a4ec257b6794
  SHA512: ca8da7489ef79ba23fbba2a3ac2fb4faaebeec7ae248ee37d9030c7ab0b74695dc48e54bdf95e8a03279569d9d6256dc14a83d3d427fb66ecda883901e7da24f
- Filesize: 15KB
  MD5: c83eb404483578b825ffd7bf9933d094
  SHA1: c2bc6973a24b2ce9d1741edfc23e8e2bb109f8e4
  SHA256: 7862dc2c0d4396e3b245eb634e910867be4bf1b3e56f7fbfffd8ea840d6d5256
  SHA512: a67397dc353e67780423f142d15298067f6c780a461b67613b20414a24079e91338554ef9b7d43c15d06924d1c14b9d12a57696993781bd05767693904884a09
- Filesize: 185KB
  MD5: dcd4e5e4d68385d61e23b60aaa86123d
  SHA1: a8dfb8f9ac80033fe4f3f7c392349a2d2f9795c9
  SHA256: c418294f78ddb7e6acdc36caeedf45a8c9086f7d8d4e9479778728dd985cc0f4
  SHA512: abea6ab6ce401489e342639f63e5ea97aa9677559fe5834d2d81e9a2492f3b97a56edf7faae0b755c633f3bc056c6d587f373fe079364f2f3db36ac76bdf76f2
- Filesize: 185KB
  MD5: 5d9d375cd7111972d077256a172cc524
  SHA1: 9274eaa1023ea825025348f8f73c0e8060455e60
  SHA256: baadd3ecdbabaade4517f39790d1581b8979148bf739954cbbea365974f2f6d0
  SHA512: bb533117f217d1200dc37c84230d15c68ab981f63f5af91d9981cbb9ec69702f0c81f3cbf4f14ac963e087a3174152f5c9f7730a421f1c7571a4b3d5e925587f
- Filesize: 197B
  MD5: 041b30b4252eadb4478a9e1be03ac798
  SHA1: 061e0006e110f887f80f0011a324b4b0f4cbb8c4
  SHA256: c3845cc7c15e8b29605f4a235ceada80688f45910bc2a0a11abad0dcd0c0f823
  SHA512: 1611b156c4d892bfbb7dac78ffab184e43d5c2f94f4ae04d013ae9bec9625175f5bdd49cf25377a1c11adfbcf69f6d495d6c3f04b31a061d572453a70b1d574e
- Filesize: 500B
  MD5: 2d1ca205014a5ea212e734350572f6fb
  SHA1: 07b126291faa1c56f71a33502e9e145ebd125595
  SHA256: a2206b97e99f69f6d8e6fc481559a329ae494f04e8041f913befd8f7969db123
  SHA512: 2dcadc410058ae970d5ef90d9a9f531ebc2d3c211aa7b6763ff6fabef4f470a3f71f2f705eeca2dc9b3764e5d0b917753fdf6de2f1c17feece92030eeda89695
- Filesize: 536B
  MD5: 0642fc7f42ce5b7d267326b9ba3318fb
  SHA1: 85b7350394efbed719c67caa4dfae89cb88a180b
  SHA256: 2a9ddb13a3548c8db11ada8d431f12128f517ad13a1e7491bbb355b251888f44
  SHA512: 3baecb7db511efbe9c129798c77a3dd37a55a6b6920198ac461ea322b280c3d42795dc2dc7c6e12a3aa159734b5175f977ec8453f6689bbd0689b409a771abe4
- Filesize: 2KB
  MD5: 39ff6f593a7be6233b7a48d46cbc41be
  SHA1: 642f16c5b1700c07d526a3f2939d44d430f7d802
  SHA256: 22d4e3b5538e4e1d533cef0c55cea91d5593f0e37b72187418eb66a540f059ab
  SHA512: f2d0cc77b68e50ee487434bda14383155fab6c01cab68ed5905cb93ce3d1fa4ca805dc4c0e65e41a68c849bb814074c911e71048f46157a9869662ca7a1e10bc
- Filesize: 208KB
  MD5: 7b1de804c7132b39f08f1bbe0ae1eaf5
  SHA1: f58c91ccacfe6f3bf025b6f173c416f08549c8db
  SHA256: d088af2953d80cf4816f6b9b37ebd0572afe326d79ae4d9195f4e6abc3ed1ed9
  SHA512: defd7e4149a526c46221da4d894440c00e897eb2c8d150343783968810d6f5fa6b5eabba77ae4bd55974dded504685454a5ece01d15c699943e7ee8d3ebe36eb
- Filesize: 170KB
  MD5: 3033e9e412e0d5395b59b98adc31c249
  SHA1: 6a7d15501fb54d58d12d4eb062c4ebc09d2ad0c9
  SHA256: 0af9026c257256c51b828f4cf91f083ef408d4d1d71b2043a3b4fade4b5f04ad
  SHA512: cbfba7f08ecb7a7fa7ed59d7701d8479d3fdbaa97223f470172d212816dffa68099801f1da039bed33caf936379a1de20e642b9d337d4b3dd9924e57c3f5205b
- Filesize: 190KB
  MD5: 8f76a4f0ac1e98b8198ac59e88b31f24
  SHA1: d9d5de2280290582c2b6931a246803e157f1f517
  SHA256: a4253a8c38e49368735495b2a805ca992f5b55caf7218c8538fc0bcf749a13a1
  SHA512: 7069223437912cae41df50193ea36bc65266b13b88f540558d56fb0b1b0c4ae9d271ab766b75c584fc040555512dee7622b3572977abbd9ba826fe94e2f5ee49
- Filesize: 170KB
  MD5: 9d870766fef062ab27718d84fa3975da
  SHA1: 8d17db7ceb69918837580691a51cc13127893a37
  SHA256: ab5716060c7c29ccf4de6db6d070ff494db84695263d3760f10eb8afa8baa46e
  SHA512: 03e4a961e45da10cfcced6671d0c9704efa487cf714bb273bab2bfaee490e5af9a920f8378ee0e3c2e30b4efe025761435f18f914b9f160e0f5fa4469e880e01
- Filesize: 198KB
  MD5: fafc85e330bddd3ceef2eb1dca2db6bd
  SHA1: 536dee0f08e15b6a39e4a2208be6ff79e66c5970
  SHA256: cb9ce75f2b519689318f93a8537d4d30f0c42df92e2d011fe6293724149116b2
  SHA512: 2f48ab32c16edcfefc4c82542a6f1938c4c8880f60be998cea7a90e863c138293ea02a6e2a54d423d026e7018b86abe2b8e329369a9ec01faf359c6dc20ff8c2
- Filesize: 123KB
  MD5: 115e615d661dbfbaec47c405c512f397
  SHA1: b8a33def674249e7df48b1b7275fe8c33d082318
  SHA256: 5cdbbaa978c68bee63a06ea5803208de06231af79df6d22bce7f94cad0e97eeb
  SHA512: 59c6fe44e5a5645193532f716dbfb2d53d7fcf877b604dfdb68c9a9e82542da396726e88ea1d3d8caa7a9de14a2c4ec73feacc620d7a3ed1a76d8c8e59513ede
- Filesize: 129KB
  MD5: 2691ec57dbddb53b43789d2fd71f8b50
  SHA1: df60dee93b99bd23c9d5fdacd8cbc746e2310259
  SHA256: 97d17c64586bc8c2b652dc21a322fdf66dfb532493cdf9146e81f127a5edb0f6
  SHA512: ea52d6e72ce23434a5f6a9472429a00d3c9a1d0c422cbde5b663b986f36a1131dc81a68009f94a45303bf0f9f976800615b1e9533108456a69cf10d6c2b336cb
- Filesize: 123KB
  MD5: 93401c4e17db0ae7315a802720e96044
  SHA1: 583e146105c281fc03d4ecb8a54a2950686cebd1
  SHA256: a744a7d52784681f07e1e6c78918c0aaadbd44ec4b0b811be38161091a52129b
  SHA512: a233b84107a36c153dad5806fb2b103fa1a4bba1f1ad603135415f7108c27a4678cf68b0a02d2768c176ce92444429ba2faf65fe08b33c957aabc345a8983799
- Filesize: 135KB
  MD5: 0d26a520e0ca208e847436dd3ea5d1cd
  SHA1: 5ed632a04559b978dcf150307eb424fb1ed36557
  SHA256: bbd59d604aeaa9ce880ef022ae8f3dc9c22269ea9ddb5cedbf2460d50979b2d1
  SHA512: f49ff6e36151dfbc793baca5fae8c2827aca2e61a720524d11522c7a50f2f638996f08db5bdd6984724788cb895fa8185e6e5da20f88897835f0b235324ed1d4
- MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e