Analysis
max time kernel: 150s
max time network: 150s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64 arch:x86 image:win11-20241007-en locale:en-us os:windows11-21h2-x64 system
submitted: 21-12-2024 14:10
Static task: static1
Behavioral task: behavioral1
Sample: adobe_illustrator_keygen_by_KeyGenGuru.exe
Resource: win11-20241007-en
General
Target: adobe_illustrator_keygen_by_KeyGenGuru.exe
Size: 7.4MB
MD5: 985a830153c1ffe009a634b0b041c919
SHA1: 6761313463d3f3174ddfbe2dc32e4596bea44594
SHA256: 2a12d2607a06e86780d8f8514c4dd122ad364f42a9fdde5378bd0da4708c3d3a
SHA512: 5c07df35119ff549713e3648ed9fbbb798db226544b9a616589ad7f0ce7be213884f72ac2999fa246c514a44726d2e36995ed2fdf39c47dcfaa8e5de76251ff5
SSDEEP: 196608:ehcoA1/WuwMmahoCsAlHhsoiLqu+dxytXom/GBuSPE1WKM:jo8VXhoCsArsoiyOXoT3
Malware Config
Extracted
azorult
http://upqx.ru/1210776429.php
Signatures
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
Azorult family
Pony family
Executes dropped EXE 3 IoCs
pid   Process
3572  keygen-pj.exe
776   keygen-step-1.exe
404   key.exe
Loads dropped DLL 1 IoCs
pid   Process
2040  rundll32.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description  ioc  Process
Key opened  \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  key.exe
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
description  ioc  Process
Key opened  \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  key.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Windows directory 1 IoCs
description  ioc  Process
File opened for modification  C:\Windows\SystemTemp  chrome.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  keygen-step-1.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  keygen-pj.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  key.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description  ioc  Process
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
Modifies data under HKEY_USERS 2 IoCs
description  ioc  Process
Key created  \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry  chrome.exe
Set value (int)  \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133792638779821821"  chrome.exe
Modifies registry class 1 IoCs
description  ioc  Process
Key created  \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings  cmd.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid   Process
360   chrome.exe  (2 entries)
5756  chrome.exe  (4 entries)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid   Process
360   chrome.exe  (7 entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description  pid  Process
Token: SeImpersonatePrivilege  404  key.exe
Token: SeTcbPrivilege  404  key.exe
Token: SeChangeNotifyPrivilege  404  key.exe
Token: SeCreateTokenPrivilege  404  key.exe
Token: SeBackupPrivilege  404  key.exe
Token: SeRestorePrivilege  404  key.exe
Token: SeIncreaseQuotaPrivilege  404  key.exe
Token: SeAssignPrimaryTokenPrivilege  404  key.exe
(the eight key.exe token entries above are each recorded 6 times: 48 entries)
Token: SeShutdownPrivilege  360  chrome.exe
Token: SeCreatePagefilePrivilege  360  chrome.exe
(the two chrome.exe token entries above are each recorded 8 times: 16 entries)
Suspicious use of FindShellTrayWindow 26 IoCs
pid   Process
360   chrome.exe  (26 entries)
Suspicious use of SendNotifyMessage 12 IoCs
pid   Process
360   chrome.exe  (12 entries)
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target
PID 1064 wrote to memory of 1312  1064  adobe_illustrator_keygen_by_KeyGenGuru.exe  77  (2 entries)
PID 1312 wrote to memory of 3572  1312  cmd.exe  81  (3 entries)
PID 1312 wrote to memory of 776  1312  cmd.exe  82  (3 entries)
PID 1312 wrote to memory of 2404  1312  cmd.exe  83  (2 entries)
PID 2404 wrote to memory of 860  2404  control.exe  84  (2 entries)
PID 860 wrote to memory of 2040  860  rundll32.exe  85  (3 entries)
PID 3572 wrote to memory of 404  3572  keygen-pj.exe  86  (3 entries)
PID 404 wrote to memory of 1820  404  key.exe  87  (3 entries)
PID 360 wrote to memory of 4620  360  chrome.exe  90  (2 entries)
PID 360 wrote to memory of 3352  360  chrome.exe  91  (30 entries)
PID 360 wrote to memory of 3132  360  chrome.exe  92  (2 entries)
PID 360 wrote to memory of 4828  360  chrome.exe  93  (9 entries)
outlook_win_path 1 IoCs
description  ioc  Process
Key opened  \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  key.exe
Processes
(tree depth in brackets; image path, then command line, PID and the signatures matched by that process)

[1] C:\Users\Admin\AppData\Local\Temp\adobe_illustrator_keygen_by_KeyGenGuru.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\adobe_illustrator_keygen_by_KeyGenGuru.exe"
    PID: 1064
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\system32\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
        PID: 1312
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pj.exe
            command line: keygen-pj.exe -pAevKviq48c
            PID: 3572
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            [4] C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
                command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
                PID: 404
                - Executes dropped EXE
                - Accesses Microsoft Outlook accounts
                - Accesses Microsoft Outlook profiles
                - System Location Discovery: System Language Discovery
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - outlook_win_path
                [5] C:\Windows\SysWOW64\cmd.exe
                    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240623843.bat" "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe" "
                    PID: 1820
                    - System Location Discovery: System Language Discovery
        [3] C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
            command line: keygen-step-1.exe
            PID: 776
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
        [3] C:\Windows\System32\control.exe
            command line: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.cpl",
            PID: 2404
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\system32\rundll32.exe
                command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.cpl",
                PID: 860
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\SysWOW64\rundll32.exe
                    command line: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.cpl",
                    PID: 2040
                    - Loads dropped DLL
                    - System Location Discovery: System Language Discovery

[1] C:\Program Files\Google\Chrome\Application\chrome.exe
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
    PID: 360
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffb5fddcc40,0x7ffb5fddcc4c,0x7ffb5fddcc58
        PID: 4620
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1952,i,6745704848700812068,15101266975897738295,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1948 /prefetch:2
        PID: 3352
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1784,i,6745704848700812068,15101266975897738295,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1984 /prefetch:3
        PID: 3132
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2212,i,6745704848700812068,15101266975897738295,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2224 /prefetch:8
        PID: 4828
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,6745704848700812068,15101266975897738295,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3256 /prefetch:1
        PID: 4824
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,6745704848700812068,15101266975897738295,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3304 /prefetch:1
        PID: 1816
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3572,i,6745704848700812068,15101266975897738295,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4444 /prefetch:1
        PID: 3556
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4716,i,6745704848700812068,15101266975897738295,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4724 /prefetch:8
        PID: 3552
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4788,i,6745704848700812068,15101266975897738295,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4800 /prefetch:8
        PID: 1608
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4948,i,6745704848700812068,15101266975897738295,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4740 /prefetch:8
        PID: 2264
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5012,i,6745704848700812068,15101266975897738295,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5092 /prefetch:8
        PID: 4768
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5096,i,6745704848700812068,15101266975897738295,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5212 /prefetch:8
        PID: 2792
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4280,i,6745704848700812068,15101266975897738295,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5196 /prefetch:8
        PID: 2536
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5236,i,6745704848700812068,15101266975897738295,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5308 /prefetch:2
        PID: 3828
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5108,i,6745704848700812068,15101266975897738295,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5440 /prefetch:1
        PID: 5524
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4400,i,6745704848700812068,15101266975897738295,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4896 /prefetch:1
        PID: 4368
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=3112,i,6745704848700812068,15101266975897738295,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5420 /prefetch:1
        PID: 4276
    [2] C:\Program Files\Google\Chrome\Application\chrome.exe
        command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5464,i,6745704848700812068,15101266975897738295,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5468 /prefetch:8
        PID: 5756
        - Suspicious behavior: EnumeratesProcesses

[1] C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
    command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
    PID: 2824

[1] C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
    PID: 1976

[1] C:\Windows\System32\rundll32.exe
    command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID: 424

[1] C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
    PID: 3280
Network
MITRE ATT&CK Enterprise v15
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (4)
    Credentials In Files (4)
Downloads

Filesize: 64KB
MD5: b5ad5caaaee00cb8cf445427975ae66c
SHA1: dcde6527290a326e048f9c3a85280d3fa71e1e22
SHA256: b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8
SHA512: 92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Filesize: 4B
MD5: f49655f856acb8884cc0ace29216f511
SHA1: cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA256: 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512: 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Filesize: 1008B
MD5: d222b77a61527f2c177b0869e7babc24
SHA1: 3f23acb984307a4aeba41ebbb70439c97ad1f268
SHA256: 80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747
SHA512: d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Filesize: 649B
MD5: 1ab7ba31e4250baaa4e9b526ce191229
SHA1: b241cb5bb966256e676b78d24185efa30a069901
SHA256: 83aaef75868a5ad4d8b7964aeb20f7d5fcc6b77ea0f7bd8735a99c3330db6e48
SHA512: ca80fcacc4b6d76f9d65af23e3edbcf482fee0a60f193ae3743fafae6cac5e701dcd5c348b44f9277b59197490f8e7dea5d23e84a9a64dadf1475beb00bb6b9c

Filesize: 215KB
MD5: d79b35ccf8e6af6714eb612714349097
SHA1: eb3ccc9ed29830df42f3fd129951cb8b791aaf98
SHA256: c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365
SHA512: f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Filesize: 216B
MD5: 0c8b7fd13cdfde4453f8a45a411f478b
SHA1: d36e96d54f1f0d3264ad09be21227c88180a4882
SHA256: 82a5e5c0dcd9c74ee2f20730263bd4a7237d4bba67b967fb9c9a35db98efe097
SHA512: 11bd05ab6eb08c4a3d3ba7e3ab6184e1bf0f552be58addfed67bb8fa637339ea2c85cf54212c734660322c44f018cb875327932eb2ec72801278613bb824e791

Filesize: 2KB
MD5: ef50aae9fbe2fbcb40524aa31f935e06
SHA1: c2984169a31e7e93f4b8c4df8fd0385f2c904df0
SHA256: e961cba0a53555d1640235f335d9070f5905e4923e570e62f7ea44e1773eda58
SHA512: d6a868ea0fc7223e93e602b814a6ed1c810fb70678821f04b915d84eaeaba1d6f40ca462109925cf225ab8893fb11748a03a9956bb7f93424876b4a5809e171c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json
Filesize: 851B
MD5: 07ffbe5f24ca348723ff8c6c488abfb8
SHA1: 6dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA256: 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA512: 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json
Filesize: 854B
MD5: 4ec1df2da46182103d2ffc3b92d20ca5
SHA1: fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA256: 6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512: 939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Filesize: 2KB
MD5: d1a6c7a649e341a188626da1fec75d7f
SHA1: 02a85173880517987aa00fd13d07dea05fc8a06f
SHA256: 03208eec614cf6dcc0aa3f3a05554726ad20cab3ff54c34667a79835889ad33f
SHA512: d6718d2285efa3e199e6a71fafc7274408c510664cf4eb0383d6df5caf464fd0f6c5c29a8c55bf0d1d3989501e3c05c0ab8cc9a3d0be10c07f89e855b457e536

Filesize: 6KB
MD5: 6b2e795e2064d78cb7d8162c07d5981a
SHA1: 1005057657cfb82eea4920b379a7241ce033dee2
SHA256: c6cb27e6dc8d313e5156dfdf9facfcdb2715a04810dcc174a6d4137e5f490d41
SHA512: 8b90fe840aeba31c297c16e076867594c70d7819eb01b8858b0e674b9612a1a7af34d0c3a55fe40c6d57bd58cf0d051ae5629d3c6844f297490cfa2f65317797

Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Filesize: 356B
MD5: 7b433ba3603631b9955f91e19aea440b
SHA1: 03f33add3f30e170648ee41fc5e8dc257e55017d
SHA256: 2d4a5c1ca11dfe43d8671234d4818469caee35b859a4661d84305265ce277aa1
SHA512: 94649035d264a616198e66613371d8b0c14a2873382de40ed28bccce6760e136a3efd2baea000e8291ef706a75892f831e86c01a528d368ac3b0d168d7cb9382

Filesize: 1KB
MD5: 8f341eb21e4e0d1e55a22abe440c5fe6
SHA1: c65b3ef4099537f50d471e6736ff25f8b83526de
SHA256: aef6b3b817abb9de8610be9402c666c1dcfb9ba3fa3926112809494182275a98
SHA512: d333c7dd6698a191cedec4b2af16bede41a9e6b297849e4fd88181be139bd42395ae31e7cc1e3ca31e0de9f79f1b84ee505e408a4958d906349f92e29a2dd674

Filesize: 356B
MD5: 87e6e9ba1b3fa24eb39679df8fe1542a
SHA1: 2c8c1c3118416f7afd726292c787d37d762897ce
SHA256: ccd80de0be2ef308f44e39d0796987996ecc11a8e2e5c4d49749617b8348bd8a
SHA512: 1ff1ea06f62ab66327efc564945cc259dbd6ea8da11e578252837470b5f82bf1ceda3879b6250bd4df2b969e8bcf8e393eb1f758fe94f5b0523d41d05d99f019

Filesize: 1KB
MD5: dfcb19bff99988db7821d4cc76ed272f
SHA1: ee76ea6c35e6fd4099170f873ceb9219d8b2798e
SHA256: 2d1dbcec5eb2be9e2a339b9053d5ddccc711d1437970477841bbb311466b1dfc
SHA512: 7cedc5ff7376dafa3b3d20d3fe790956ce15f7dffae7300ec9dab48483d1d77c1bd00d2e1ff77eff2fbb5cb04f76384481106d461239bc5acc51930ae3d46e9c

Filesize: 1KB
MD5: 9f7571d15d086b5e4c50668f0fdba800
SHA1: 0f29b0d124042af9f518ddc2a07f3e5968ba2c0d
SHA256: d06c35ce22b54ad7606fe0f05a22e70aa28a413291023ad77bcc0384bf042d85
SHA512: de8a135db685414e3ac5d7c75ac175d9646c863c9e463404aff5262e043c1c318a8bfcb6f3e43fb7ed8281ac682730d6733d1042d7e4090516b583af81f4faa1

Filesize: 9KB
MD5: 7c4edc40ece217cee1853ba01d8e8ef5
SHA1: 28052965dd9826a19374b26594f1cb61db220d6f
SHA256: 8ec76f9b71ce2a0f71b2e98393a2ea1a54f1bdf2603a7e988066bca1d92e5519
SHA512: 487517e1b60fbd55c9116a082cc8f9c7e22dd82e1f0450ef936250ae967e693823803a066316a5d62528e7c4ee809b5f35a7ff462e68b5e9efcec4fdf3063d6f

Filesize: 9KB
MD5: 27e27443bedaf9b541e9d4b886e4f5a6
SHA1: 11eb997fa4e3e4e7d3eb1cdb2d6a0e26674dd9f7
SHA256: 3d85ce6c101d08dd27ebf027a69203d70e049da812f02f3d9f1a2f156fb10086
SHA512: 6ccbca961ae01319d3447faaf3c954e9b443f6389865ad57bc890ab7a6c44f9ad492f0cbed3e6419540f93546166ac12694b4ef22c9a8b27a6087ca375400704

Filesize: 9KB
MD5: fd51e3ef5a28731287d96e2897281a9b
SHA1: 40eac1471be587cbdb0a0e8ab44c9573c01a0213
SHA256: 4f5c3ffbd00f372c7efb1d8fb1495513442dd6f4ba329f94a5fe657c9147c322
SHA512: 540d97b5f97d09e210ab108eb2eda276a2e78d43d11ea8ec6acf0bb284178d838a23ebb4aafd6dd36ae6b1da4d0c7ca1c68e537cd438de24586328989b0835c0

Filesize: 9KB
MD5: ff079e2e3829acc0ed8ae684feae2816
SHA1: 91675eb7ca199d9ab4137b9dbe5eed2b1a93b79b
SHA256: f6ea7552a939387dfd7e0b33532721ef159f61221ac6eb59ef8cb4997843c49f
SHA512: 14592b237f9ddaffbc0707bc0399d87658be86f288d36a3e6762a93ee645debe6aad9d39fdb619317ae44962213d789723551e829283641301aa79bdb40273e7

Filesize: 9KB
MD5: fb5574d047bb1ff4d560fea51ebd9259
SHA1: 9444a62c1839ae98dce87a3f4e7607b1ed662ac5
SHA256: 7333001dbcdd006e85e0c3f2476169122b1c9207ce5eb3a0c6a52b9017736513
SHA512: 7a2f136a7007542c3c75900df6fdd8b2caaf1b02e54ce6be22af512d415a75d1144300ad7d78edf14285cb1168d6b756b2dd0b1a24dfe91ea877f7b31baa9b37

Filesize: 9KB
MD5: f6c794bf377543c18ab22b7e1873d5a2
SHA1: a5feeb7c20a2d2c1325d5c0319eb865c8172680d
SHA256: bb2e227aa003c755ccad8977bbf6aa4c0aeb25a1bb129c55da436f7f2febe888
SHA512: 67bd5da0030cd728b877970bbe923f07c739fbc1b8013e41e31e96f6d3e0a07962af785a08c565d34b41d753d10ed7b914559ebf8ef1992cb3f26345f839cf1a

Filesize: 10KB
MD5: 6ef70c6e9391a4e6029860d946741a02
SHA1: 8141d3d708401bbbc815670e2d2adb74d8926ad1
SHA256: dd606f28c5430a132f7b21089b1174fd4ee45e173ace265bcc9e6d2d56d84f32
SHA512: b841c224c75912d12a089bdda73c02901ffa41d65c8b25adc25665ad817d68ef676f4deaa592b9a361ac2d806914815a7eb23f51ff010438d5e1fcbab54f84ab

Filesize: 10KB
MD5: b3e4efd9fdd8f63d4c05574f2cb5672d
SHA1: 54196058a018a5130c8c31099f98ebe8d1f29613
SHA256: 98a634018e0b9a2011ec63e9cec0a28b1b78e6d9347e2fc274f5d07dc42f1ab0
SHA512: 61e1320f290671dbfd1014db441ab9b8a4664cababf0bbd4f94051b3364330bc8dddba4189968402379d33278ac0ca585ffb4abc956a7af9f07913fba36f6bab

Filesize: 9KB
MD5: 73d4c83e2aaa4b149f6eb52ca05df507
SHA1: 3b764057a7904106424a64344fa8af824fa3c852
SHA256: 845c71e197917096a2406c221bc20a17b110ba3ff28337ca001b4c864f5df0a9
SHA512: 92cf8cefdae73ed03dce57293af87fd86ef20fe22690da0aa1b20f1acd4892023bbebd03c656448b753d1889c4770c5ce72b88bc240e4eb1f9aa47c00231669f

Filesize: 15KB
MD5: 7cc036e3b2cd213ec0a3f29347f995cc
SHA1: a6c005bc79491c028069b63b5e3a9bf3e66ed209
SHA256: 4645c80b13c188518cc9057ae6bfb1be6f7fb4ea29f57d69176c7a285c9fdffe
SHA512: 0ed920b2fbd843b4576ec6ed603bfb54b5d609d53f7ab8a61cad325aec2bb57a659b7c66f660e2f922f29171a8be8d58054c609994cd044dac516fa94b71dcd7

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize: 72B
MD5: a0bdd57be83c2a324e12a6f15f1c9494
SHA1: cf52110c2e17458623946c0c57ef373e6e55d8cb
SHA256: 08353a683a01f22e897936d47309c164aa3cc6f4e812b50f4f70758a645c894c
SHA512: 53913e63086fc336f83ba768b9ccf69435b79eb83fe8eeb3387ea589dadedde12674196fe9de8924e7bbdc02225f66c8033bf55345c6396a3f829296003332a5

Filesize: 231KB
MD5: cb6200cd3f2e3343fa82a546258dd3ba
SHA1: e6c2388ecbfe263f9d9f4c4277ff33ac0b77f911
SHA256: eb60b062eb81c1c313a1e8dbccb4dfb2d0332930a72b3544eba3c32cde93e187
SHA512: 1e7dd91fe91490a1ebd55e40c9ceb861d218833cb3deeae7964e73bbe6d25dbe5db8f207c82f4b70e958a31c14df074d4022cd04607366e8cb53b9101b6f9c5e

Filesize: 231KB
MD5: 9655f8cc6a9b11d33962ec6502990489
SHA1: 222a707c7ecf85ae8e18722efab9b79b3cad3062
SHA256: 1d33cffdc204e680404330d7be176325a84e80e3c9b36bf9fa0c9ffb76e44b94
SHA512: 49e036860ba667f4accdb9b7f0fc57044906e3716e9f7a9901f7d79a676332690407ed3880283101ea63da362100dc3f05ffc72b3eeeb460cee375f99cbe1e8c

Filesize: 231KB
MD5: 0fba22d76ae70ab05320b6c438952f34
SHA1: 062539bfc10465f2f27c8bc31b0ee1d0136f41dc
SHA256: 2a3f7c90cf4cd7ee9741b53e4d85870d6394e9214d33aa4a7dde923a68c5c98b
SHA512: faae8dde10734051ec22b43a29583cbf494db28a85dff801d92fcca1ffb15dcb59bf51e32a64e3c4c3d34f0d3c1858d13318acb4a91a84e7434abbb4ceb7e77f

Filesize: 94B
MD5: 3880eeb1c736d853eb13b44898b718ab
SHA1: 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
SHA256: 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
SHA512: 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Filesize: 363KB
MD5: c0f34f38475aa244c9c8696aeed709a5
SHA1: 0194b56c80c4b5192873400fdc96ce7d8df682a2
SHA256: 831c985a5c9cc76c7c3de456f2eafeeba65a8930ef5e2aecc69fc7bd739f1046
SHA512: 15defe7601a9d49325719b746422ddc60492935d3e34db058ed7f726cfeff0b3dac6faf2bcb9113ce14bdf9e8d295bef33931fd23e58c995cc6a4f42fa310ced

Filesize: 112KB
MD5: 43eb47b71c9f1003adc2d0f108d2679c
SHA1: 5965eb51d289dc79ab56cb995d47f371472d4846
SHA256: 913ee402508d3b9e7e55e1051f16a358ce78c19b4e07c6f234f4b73602802fa1
SHA512: 7713cfcf2e1aae2ddc4dab14f4f7f1a4f5a414f87f75a2371fe261edceb9882b935a6044dd0fd1b88fc11cc9b044672fb14a91987806e3afff9df74fd6f5eee0

Filesize: 13.4MB
MD5: aa79dca9f3deb13d500bf6cee06cf668
SHA1: dc757b8184d2814476215e43baf3d19d9b30e2ed
SHA256: 0b33526690650b18acbfa8f4cfd0674081f2d817ff7ef79db1b3cf458896740e
SHA512: c7fd915a9fbb68b626ce82cb88d737983e85fa294b4e514d2c4f53467baa197e031463fdb62101c2e5395d0c9a386f8e7ae5d019bd5f0544c0c77c0f439aeded

Filesize: 97B
MD5: b7da5b5251bfd8f57cbac943155601a9
SHA1: 133751b2b7a68a92ad1e21417dd4d2b1d44cc2da
SHA256: 023d11aa3cbc04bc1591c0bb608f35da7c124f8a30c57accaf6be067b889c2ee
SHA512: 7e71857c603dee06fc7a63a8a0e7cfb7f18d24b676c0a3df45f5b011f638a84faf4bb5d69ebc2c5a998482c4bbad1b726c43aa6e5669d3762f263a56d4e47368

Filesize: 103KB
MD5: 2fbf80a7ba32f036bb97a2d0d909283c
SHA1: ed00a832320f3806ef3ecacfb54356e55b8e713f
SHA256: aaa583789b2a7d918ab2654f48b2f401588f43f8b835ea176ea4276c59bed4ee
SHA512: a74ec6ffc270d3800f673aa83a76d6dc59857a71791470a4e09653bbfc18ec192b8949566ab15adaf923a3f9b54d568f6de93ad36df70357450d3effb09160ef

Filesize: 150KB
MD5: 14937b985303ecce4196154a24fc369a
SHA1: ecfe89e11a8d08ce0c8745ff5735d5edad683730
SHA256: 71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff
SHA512: 1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Filesize: 711B
MD5: 558659936250e03cc14b60ebf648aa09
SHA1: 32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA256: 2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA512: 1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Filesize: 2B
MD5: f3b25701fe362ec84616a93a45ce9998
SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84