Analysis
- max time kernel: 150s
- max time network: 137s
- platform: windows10-1703_x64
- resource: win10-20240611-en
- resource tags: arch:x64, arch:x86, image:win10-20240611-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 04-10-2024 07:56

Static task: static1
Behavioral task: behavioral1
- Sample: WIpGif4IRrFfamQ.exe
- Resource: win10-20240611-en
General
- Target: WIpGif4IRrFfamQ.exe
- Size: 751KB
- MD5: 102c9ce1c659517c4ea924c2044305b7
- SHA1: 942b0a7e2077eca38b9b6ff16d89722cbbbf7002
- SHA256: b31cbc6ec2eb2b790c422f0f960bb1436106d92958703cb005ccdef38887e310
- SHA512: eca6ed6a871e9fbee67feb73534bff544f052d6b3e1058a68b4602f159f089193f0f576384e6cd49373d50200d71bb4aeadd151c0fb81a77a6246849af2f39f6
- SSDEEP: 12288:L3TmP4kyFSnIZgc1D7COp2JwlmsxS4kZHtfi390V+KA7rC7LOmDZ:2gBOI9D7CO0JqTSRNfiQsG7LOmD
Malware Config

Extracted
- Protocol: smtp
- Host: mail.pymetal.net
- Port: 587
- Username: [email protected]
- Password: 21hnosgomezrecambios2021

Extracted (vipkeylogger)
- Protocol: smtp
- Host: mail.pymetal.net
- Port: 587
- Username: [email protected]
- Password: 21hnosgomezrecambios2021
- Email To: [email protected]
Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# that resembles SnakeKeylogger, which was found in 2020.

Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes (pid, process):
- 1288 powershell.exe
- 2112 powershell.exe
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes (description, ioc, process):
- Key opened: \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (WIpGif4IRrFfamQ.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (WIpGif4IRrFfamQ.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (WIpGif4IRrFfamQ.exe)
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow, ioc):
- flow 4: checkip.dyndns.org

Suspicious use of SetThreadContext (1 IoCs)
Processes (description, pid, process, target process):
- PID 1756 set thread context of 236 (1756 WIpGif4IRrFfamQ.exe -> WIpGif4IRrFfamQ.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description, ioc, process):
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (schtasks.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (WIpGif4IRrFfamQ.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (WIpGif4IRrFfamQ.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes (description, ioc, process):
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)

Modifies data under HKEY_USERS (2 IoCs)
Processes (description, ioc, process):
- Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry (chrome.exe)
- Set value (int): \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133725022994891107" (chrome.exe)

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes (pid, process; repeated rows collapsed):
- 1756 WIpGif4IRrFfamQ.exe (2 entries)
- 236 WIpGif4IRrFfamQ.exe (2 entries)
- 2112 powershell.exe (3 entries)
- 1288 powershell.exe (3 entries)
- 1180 chrome.exe (2 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
Processes (pid, process):
- 1180 chrome.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (description, pid, process; repeated rows collapsed):
- Token: SeDebugPrivilege, 1756 WIpGif4IRrFfamQ.exe
- Token: SeDebugPrivilege, 1288 powershell.exe
- Token: SeDebugPrivilege, 2112 powershell.exe
- Token: SeDebugPrivilege, 236 WIpGif4IRrFfamQ.exe
- Token: SeShutdownPrivilege, 1180 chrome.exe (30 entries, alternating with the next row)
- Token: SeCreatePagefilePrivilege, 1180 chrome.exe (30 entries)

Suspicious use of FindShellTrayWindow (26 IoCs)
Processes (pid, process):
- 1180 chrome.exe (26 entries)

Suspicious use of SendNotifyMessage (24 IoCs)
Processes (pid, process):
- 1180 chrome.exe (24 entries)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description, pid, process, target process; repeated rows collapsed):
- PID 1756 (WIpGif4IRrFfamQ.exe) wrote to memory of 1288 (powershell.exe), 3 entries
- PID 1756 (WIpGif4IRrFfamQ.exe) wrote to memory of 2112 (powershell.exe), 3 entries
- PID 1756 (WIpGif4IRrFfamQ.exe) wrote to memory of 1680 (schtasks.exe), 3 entries
- PID 1756 (WIpGif4IRrFfamQ.exe) wrote to memory of 236 (WIpGif4IRrFfamQ.exe), 8 entries
- PID 1180 (chrome.exe) wrote to memory of 2464 (chrome.exe), 2 entries
- PID 1180 (chrome.exe) wrote to memory of 2060 (chrome.exe), 38 entries
- PID 1180 (chrome.exe) wrote to memory of 4340 (chrome.exe), 2 entries
- PID 1180 (chrome.exe) wrote to memory of 4272 (chrome.exe), 5 entries

outlook_office_path (1 IoCs)
Processes (description, ioc, process):
- Key opened: \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (WIpGif4IRrFfamQ.exe)

outlook_win_path (1 IoCs)
Processes (description, ioc, process):
- Key opened: \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (WIpGif4IRrFfamQ.exe)
Processes
(process tree; child processes are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\WIpGif4IRrFfamQ.exe (PID 1756)
  Command line: "C:\Users\Admin\AppData\Local\Temp\WIpGif4IRrFfamQ.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1288)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\WIpGif4IRrFfamQ.exe"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2112)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AcEnrS.exe"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\schtasks.exe (PID 1680)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AcEnrS" /XML "C:\Users\Admin\AppData\Local\Temp\tmp654.tmp"
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task

    C:\Users\Admin\AppData\Local\Temp\WIpGif4IRrFfamQ.exe (PID 236)
      Command line: "C:\Users\Admin\AppData\Local\Temp\WIpGif4IRrFfamQ.exe"
      - Accesses Microsoft Outlook profiles
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path

C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1180)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --single-argument C:\Users\Admin\Desktop\SelectCompress.shtml
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2464)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff8fe089758,0x7ff8fe089768,0x7ff8fe089778

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2060)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1588 --field-trial-handle=1800,i,13089231003617226886,16222101569483445054,131072 /prefetch:2

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4340)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1888 --field-trial-handle=1800,i,13089231003617226886,16222101569483445054,131072 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4272)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2124 --field-trial-handle=1800,i,13089231003617226886,16222101569483445054,131072 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2868)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1800,i,13089231003617226886,16222101569483445054,131072 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1564)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3200 --field-trial-handle=1800,i,13089231003617226886,16222101569483445054,131072 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1292)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4508 --field-trial-handle=1800,i,13089231003617226886,16222101569483445054,131072 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1624)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4752 --field-trial-handle=1800,i,13089231003617226886,16222101569483445054,131072 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 244)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4804 --field-trial-handle=1800,i,13089231003617226886,16222101569483445054,131072 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5020)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3732 --field-trial-handle=1800,i,13089231003617226886,16222101569483445054,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (PID 3924)
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
Network
MITRE ATT&CK Enterprise v15

Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (2)
  - Credentials In Files (2)
Downloads