matiex | abfc5a0bbf24e3dbc1c76c0734ea0b1ed6a0d5ff6f44f2a5a3e4e2f9317118c3

Resubmissions

27-07-2024 05:11

240727-fvc5kaygpl 10

25-07-2024 01:26

240725-btj49szbrl 10

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
27-07-2024 05:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d991f93327f70488011bf06ba799930_JaffaCakes118.exe
Size

730KB
MD5

6d991f93327f70488011bf06ba799930
SHA1

1b630a8c337cc48f9ec41cccc4352f51e7d51e71
SHA256

abfc5a0bbf24e3dbc1c76c0734ea0b1ed6a0d5ff6f44f2a5a3e4e2f9317118c3
SHA512

181be4ad5a549d51461fd8c9a470abac2895f51b5ec1cdba6927644ca0e8fb91663d8635ed5c98f4a90ae2752eb98b3235f106ee2d009cc885bdf6d0faadfe70
SSDEEP

12288:tFda+FdahcQS8zfwkD/j1UGmy7eaqwVlXN8eR5dKFLtnoAf:8cn8zfwa1Dmyxrd8eqLt

Score

10^/10

matiex collection credential_access discovery execution keylogger spyware stealer

Malware Config

Extracted

Family

matiex

Credentials

Protocol: smtp
Host:
smtp.privateemail.com
Port:
587
Username:
[email protected]
Password:
MARYolanmauluogwo@ever

Signatures

Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main payload 5 IoCs

resource	yara_rule
behavioral1/memory/2784-15-0x0000000000400000-0x0000000000476000-memory.dmp	family_matiex
behavioral1/memory/2784-21-0x0000000000400000-0x0000000000476000-memory.dmp	family_matiex
behavioral1/memory/2784-25-0x0000000000400000-0x0000000000476000-memory.dmp	family_matiex
behavioral1/memory/2784-23-0x0000000000400000-0x0000000000476000-memory.dmp	family_matiex
behavioral1/memory/2784-17-0x0000000000400000-0x0000000000476000-memory.dmp	family_matiex

Beds Protector Packer 1 IoCs

Detects Beds Protector packer used to load .NET malware.

resource	yara_rule
behavioral1/memory/2632-3-0x0000000004A10000-0x0000000004AB6000-memory.dmp	beds_protector

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe	Powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe	Powershell.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	6d991f93327f70488011bf06ba799930_JaffaCakes118.exe
Key opened	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	6d991f93327f70488011bf06ba799930_JaffaCakes118.exe
Key opened	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	6d991f93327f70488011bf06ba799930_JaffaCakes118.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2632 set thread context of 2784	2632	6d991f93327f70488011bf06ba799930_JaffaCakes118.exe	32

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2800	Powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2736	2784	WerFault.exe	32

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6d991f93327f70488011bf06ba799930_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6d991f93327f70488011bf06ba799930_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2800	Powershell.exe
2232	chrome.exe
2232	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2800	Powershell.exe
Token: SeDebugPrivilege	2784	6d991f93327f70488011bf06ba799930_JaffaCakes118.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 2800	2632	6d991f93327f70488011bf06ba799930_JaffaCakes118.exe	30
PID 2632 wrote to memory of 2800	2632	6d991f93327f70488011bf06ba799930_JaffaCakes118.exe	30
PID 2632 wrote to memory of 2800	2632	6d991f93327f70488011bf06ba799930_JaffaCakes118.exe	30
PID 2632 wrote to memory of 2800	2632	6d991f93327f70488011bf06ba799930_JaffaCakes118.exe	30
PID 2632 wrote to memory of 2784	2632	6d991f93327f70488011bf06ba799930_JaffaCakes118.exe	32
PID 2632 wrote to memory of 2784	2632	6d991f93327f70488011bf06ba799930_JaffaCakes118.exe	32
PID 2632 wrote to memory of 2784	2632	6d991f93327f70488011bf06ba799930_JaffaCakes118.exe	32
PID 2632 wrote to memory of 2784	2632	6d991f93327f70488011bf06ba799930_JaffaCakes118.exe	32
PID 2632 wrote to memory of 2784	2632	6d991f93327f70488011bf06ba799930_JaffaCakes118.exe	32
PID 2632 wrote to memory of 2784	2632	6d991f93327f70488011bf06ba799930_JaffaCakes118.exe	32
PID 2632 wrote to memory of 2784	2632	6d991f93327f70488011bf06ba799930_JaffaCakes118.exe	32
PID 2632 wrote to memory of 2784	2632	6d991f93327f70488011bf06ba799930_JaffaCakes118.exe	32
PID 2632 wrote to memory of 2784	2632	6d991f93327f70488011bf06ba799930_JaffaCakes118.exe	32
PID 2784 wrote to memory of 2736	2784	6d991f93327f70488011bf06ba799930_JaffaCakes118.exe	35
PID 2784 wrote to memory of 2736	2784	6d991f93327f70488011bf06ba799930_JaffaCakes118.exe	35
PID 2784 wrote to memory of 2736	2784	6d991f93327f70488011bf06ba799930_JaffaCakes118.exe	35
PID 2784 wrote to memory of 2736	2784	6d991f93327f70488011bf06ba799930_JaffaCakes118.exe	35
PID 2232 wrote to memory of 1940	2232	chrome.exe	42
PID 2232 wrote to memory of 1940	2232	chrome.exe	42
PID 2232 wrote to memory of 1940	2232	chrome.exe	42
PID 2232 wrote to memory of 2496	2232	chrome.exe	43
PID 2232 wrote to memory of 2496	2232	chrome.exe	43
PID 2232 wrote to memory of 2496	2232	chrome.exe	43
PID 2232 wrote to memory of 2496	2232	chrome.exe	43
PID 2232 wrote to memory of 2496	2232	chrome.exe	43
PID 2232 wrote to memory of 2496	2232	chrome.exe	43
PID 2232 wrote to memory of 2496	2232	chrome.exe	43
PID 2232 wrote to memory of 2496	2232	chrome.exe	43
PID 2232 wrote to memory of 2496	2232	chrome.exe	43
PID 2232 wrote to memory of 2496	2232	chrome.exe	43
PID 2232 wrote to memory of 2496	2232	chrome.exe	43
PID 2232 wrote to memory of 2496	2232	chrome.exe	43
PID 2232 wrote to memory of 2496	2232	chrome.exe	43
PID 2232 wrote to memory of 2496	2232	chrome.exe	43
PID 2232 wrote to memory of 2496	2232	chrome.exe	43
PID 2232 wrote to memory of 2496	2232	chrome.exe	43
PID 2232 wrote to memory of 2496	2232	chrome.exe	43
PID 2232 wrote to memory of 2496	2232	chrome.exe	43
PID 2232 wrote to memory of 2496	2232	chrome.exe	43
PID 2232 wrote to memory of 2496	2232	chrome.exe	43
PID 2232 wrote to memory of 2496	2232	chrome.exe	43
PID 2232 wrote to memory of 2496	2232	chrome.exe	43
PID 2232 wrote to memory of 2496	2232	chrome.exe	43
PID 2232 wrote to memory of 2496	2232	chrome.exe	43
PID 2232 wrote to memory of 2496	2232	chrome.exe	43
PID 2232 wrote to memory of 2496	2232	chrome.exe	43
PID 2232 wrote to memory of 2496	2232	chrome.exe	43
PID 2232 wrote to memory of 2496	2232	chrome.exe	43
PID 2232 wrote to memory of 2496	2232	chrome.exe	43
PID 2232 wrote to memory of 2496	2232	chrome.exe	43
PID 2232 wrote to memory of 2496	2232	chrome.exe	43
PID 2232 wrote to memory of 2496	2232	chrome.exe	43
PID 2232 wrote to memory of 2496	2232	chrome.exe	43
PID 2232 wrote to memory of 2496	2232	chrome.exe	43
PID 2232 wrote to memory of 2496	2232	chrome.exe	43
PID 2232 wrote to memory of 2496	2232	chrome.exe	43
PID 2232 wrote to memory of 2496	2232	chrome.exe	43
PID 2232 wrote to memory of 2496	2232	chrome.exe	43
PID 2232 wrote to memory of 2496	2232	chrome.exe	43
PID 2232 wrote to memory of 1788	2232	chrome.exe	44
PID 2232 wrote to memory of 1788	2232	chrome.exe	44
PID 2232 wrote to memory of 1788	2232	chrome.exe	44
PID 2232 wrote to memory of 1988	2232	chrome.exe	45
PID 2232 wrote to memory of 1988	2232	chrome.exe	45

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	6d991f93327f70488011bf06ba799930_JaffaCakes118.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	6d991f93327f70488011bf06ba799930_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\6d991f93327f70488011bf06ba799930_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6d991f93327f70488011bf06ba799930_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
  "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\6d991f93327f70488011bf06ba799930_JaffaCakes118.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'
  2⤵
  - Drops startup file
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2800
- C:\Users\Admin\AppData\Local\Temp\6d991f93327f70488011bf06ba799930_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\6d991f93327f70488011bf06ba799930_JaffaCakes118.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:2784
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 1188
    3⤵
    - Program crash
    PID:2736

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\ResumeSync.ex_
1⤵
- Modifies registry class
PID:1896

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2956

C:\Windows\System32\control.exe
"C:\Windows\System32\control.exe" SYSTEM
1⤵
PID:1868

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:1856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6fe9758,0x7fef6fe9768,0x7fef6fe9778
  2⤵
  PID:1940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1148 --field-trial-handle=1344,i,2307384860485556086,2742205472486890236,131072 /prefetch:2
  2⤵
  PID:2496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1544 --field-trial-handle=1344,i,2307384860485556086,2742205472486890236,131072 /prefetch:8
  2⤵
  PID:1788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1648 --field-trial-handle=1344,i,2307384860485556086,2742205472486890236,131072 /prefetch:8
  2⤵
  PID:1988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2324 --field-trial-handle=1344,i,2307384860485556086,2742205472486890236,131072 /prefetch:1
  2⤵
  PID:1068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2344 --field-trial-handle=1344,i,2307384860485556086,2742205472486890236,131072 /prefetch:1
  2⤵
  PID:2480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=3228 --field-trial-handle=1344,i,2307384860485556086,2742205472486890236,131072 /prefetch:2
  2⤵
  PID:2692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1436 --field-trial-handle=1344,i,2307384860485556086,2742205472486890236,131072 /prefetch:1
  2⤵
  PID:2684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3656 --field-trial-handle=1344,i,2307384860485556086,2742205472486890236,131072 /prefetch:8
  2⤵
  PID:1560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3748 --field-trial-handle=1344,i,2307384860485556086,2742205472486890236,131072 /prefetch:1
  2⤵
  PID:1876

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\82297f3c-c477-4282-aafa-faf36b0b078b.tmp

Filesize
312KB

MD5
8a13104581977cd74a520bc4be2fde3e

SHA1
b0df73a562d1018d7aab998a2ea98e63a6802037

SHA256
799e9cbb98999ae43c509ca8f2d86e7b9ba34c5aa2b921e471266b0b19393c8a

SHA512
33c0a7d8692474c2fa67ef1560f034127e9e36248457f41a1becc203636501facffbae76d11a53c8c76d97003ce7c9b129f9944f68f65df993be2a91d7bd5f6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.xvideos.com_0.indexeddb.leveldb\CURRENT~RFf781075.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5e54ab4786e4ea77a4897cd8a75c3a7d

SHA1
5594970629c3d411cb5f4b9f2a0c7d4d3dd04946

SHA256
0497940e027a2ee0a7ce4a86eff462a0d3f9508b8326301dd3eeb6b3556a81f7

SHA512
a2b7658921fe3f5a9e998ed8e0deb5d95807dffa58fa567d9f53f15803bc52318e4fc12303c26f2be8e481e52df4a2c967215b51f1ee80030338f46f2b1cc56f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
d13a4e2a7d0eb7e846b2246761de67e3

SHA1
699346d53be14d49f46a0caedd79701c5b01355d

SHA256
2bbdc866817704bd6ff0ee7fe6689f9107b071dc17eca3654c2fa37fb1bcc9f2

SHA512
88aa3a2fac136af08e5a2a9ebdf1a8fb6968d96cbb3c9466269fc464ba1363edaf1f35eee0a3bc8e3e1079e2843c341932897c57a813098038d1e75f8139c5d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
312KB

MD5
4793e0755c1987c839de7d6f0276559e

SHA1
920d80e9d6716ba804645f44008aa35ab4126a98

SHA256
6dc306893c7345f93c78b235bff7e18824ca295b6ac692cd5a7bb307857743ce

SHA512
0bcf91b5cf3c8691e0c0f60c4f1d4f28fce36dd68667c882f253c96dd191e0404bf1b618e43f16e9621c9eabaf21ce8bf0e2e7d0dabd60b3d213e5ad0e536c36

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC52.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
memory/2632-3-0x0000000004A10000-0x0000000004AB6000-memory.dmp

Filesize
664KB

Download
memory/2632-10-0x00000000005D0000-0x00000000005E6000-memory.dmp

Filesize
88KB

Download
memory/2632-2-0x0000000074480000-0x0000000074B6E000-memory.dmp

Filesize
6.9MB

Download
memory/2632-1-0x0000000001270000-0x000000000132C000-memory.dmp

Filesize
752KB

Download
memory/2632-26-0x0000000074480000-0x0000000074B6E000-memory.dmp

Filesize
6.9MB

Download
memory/2632-0-0x000000007448E000-0x000000007448F000-memory.dmp

Filesize
4KB

Download
memory/2784-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2784-17-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2784-13-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2784-23-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2784-25-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2784-21-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2784-15-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2784-11-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2800-28-0x000000006F300000-0x000000006F8AB000-memory.dmp

Filesize
5.7MB

Download
memory/2800-9-0x000000006F300000-0x000000006F8AB000-memory.dmp

Filesize
5.7MB

Download
memory/2800-8-0x000000006F300000-0x000000006F8AB000-memory.dmp

Filesize
5.7MB

Download
memory/2800-7-0x000000006F300000-0x000000006F8AB000-memory.dmp

Filesize
5.7MB

Download
memory/2800-6-0x000000006F301000-0x000000006F302000-memory.dmp

Filesize
4KB

Download