Analysis
max time kernel: 146s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/01/2025, 09:28
Behavioral task
behavioral1
Sample
Stupid Monkey.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Stupid Monkey.exe
Resource
win10v2004-20241007-en
General
Target: Stupid Monkey.exe
Size: 70KB
MD5: 4c785ba0487bfec51faf4788d564ee9f
SHA1: 786fdc994a71d7e02a556e3f720b41a096a789f5
SHA256: c81ae973db641e3c60912166be8979a60b95253ae290c145b9a2133ad7a2ebb8
SHA512: b6b7fbd58e1c3657a81d17a974fc609c1af29dab6489685d2eea5e1397e12853c17086a537f7607aef6833f358965788adc961b44eeff21530ff89f9776eee06
SSDEEP: 1536:X7eLuJn1XH70d76kbDD0k2jF16K7HmTzOt5YP:X79hpb0YkbDLE57HmTzOts
Malware Config
Extracted: xworm
- C2: wood-matches.gl.at.ply.gg:23086
- Install_directory: %ProgramData%
- install_file: USB.exe
Extracted: discordrat
- discord_token: MTMzMDMyNzc3MjM3NTAyNzgxMg.GWNm0N.hjhDXtec3jd5n3sEjWHGfGyOO28kBaPWiS-HPA
- server_id: 1330267614202560512
Two things to keep in mind when turning this config into IoCs. The xworm install_file in the config (USB.exe) is not the name the sample actually wrote under %ProgramData% during this run ("Client Server Runtime Process", see the process tree), so hunts should cover both. The C2 hostname is under ply.gg, the playit.gg tunnel relay domain, so the IP it resolves to belongs to the relay rather than to the operator's server. The Discord token is a live credential for the operator's bot; treat it as an indicator, not something to authenticate with.
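The following Python is an added example, not part of the tria.ge report and not code from either malware family. It pulls what a hunter needs out of the two extracted configs above without touching the network: the XWorm C2 host and port, whether the host is a playit.gg relay (ply.gg suffix), and the bot account ID and creation time that Discord encodes in the first segment of every bot token (base64url of the decimal snowflake; bits 22 and up of a snowflake are milliseconds since Discord's 2015-01-01 epoch). The constants are copied from the report; the function names are the example's own.

```python
import base64
import datetime

# Values copied from the "Malware Config" section of this report.
XWORM_C2 = "wood-matches.gl.at.ply.gg:23086"
DISCORD_TOKEN = "MTMzMDMyNzc3MjM3NTAyNzgxMg.GWNm0N.hjhDXtec3jd5n3sEjWHGfGyOO28kBaPWiS-HPA"
DISCORD_SERVER_ID = 1330267614202560512

# Discord snowflake epoch: 2015-01-01T00:00:00Z, in milliseconds.
DISCORD_EPOCH_MS = 1420070400000


def parse_c2(c2: str) -> tuple[str, int]:
    """Split an XWorm host:port string; the port is the last colon-separated field."""
    host, _, port = c2.rpartition(":")
    return host, int(port)


def is_playit_tunnel(host: str) -> bool:
    """playit.gg relays hand out hostnames under ply.gg, so the resolved IP is
    the relay, not the operator's own machine."""
    return host.lower().endswith(".ply.gg")


def discord_token_id(token: str) -> int:
    """The first dot-separated segment of a Discord bot token is the decimal
    snowflake ID of the bot account, base64url-encoded without padding.
    The token is only parsed here; nothing is sent to Discord."""
    first = token.split(".")[0]
    padded = first + "=" * (-len(first) % 4)
    return int(base64.urlsafe_b64decode(padded).decode("ascii"))


def snowflake_created(snowflake: int) -> datetime.datetime:
    """Bits 22 and up of a snowflake are milliseconds since the Discord epoch."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.datetime.fromtimestamp(ms / 1000, tz=datetime.timezone.utc)


def triage() -> dict:
    """Everything worth carrying into a hunt from this config, in one place."""
    host, port = parse_c2(XWORM_C2)
    bot_id = discord_token_id(DISCORD_TOKEN)
    return {
        "xworm_host": host,
        "xworm_port": port,
        "xworm_via_playit_tunnel": is_playit_tunnel(host),
        "discord_bot_id": bot_id,
        "discord_bot_created_utc": snowflake_created(bot_id).isoformat(),
        "discord_server_created_utc": snowflake_created(DISCORD_SERVER_ID).isoformat(),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

The bot and server creation timestamps are useful for clustering: a bot account created a few days before the sample was submitted, on a server of similar age, points at a freshly set-up operator rather than reuse of established infrastructure.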
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
resource: behavioral2/memory/428-282-0x0000000002610000-0x000000000261E000-memory.dmp, yara_rule: disable_win_def
Detect Xworm Payload 2 IoCs
resource: behavioral2/memory/428-1-0x0000000000480000-0x0000000000498000-memory.dmp, yara_rule: family_xworm
resource: behavioral2/files/0x000300000001e75d-278.dat, yara_rule: family_xworm
Discord RAT
A RAT written in C# using Discord as a C2.
-
Discordrat family
-
Xworm family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid/process: 1132 powershell.exe, 4128 powershell.exe, 5104 powershell.exe, 5020 powershell.exe
Disables Task Manager via registry modification
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 5756 netsh.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation (process: Stupid Monkey.exe)
Drops startup file 2 IoCs
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client Server Runtime Process.lnk (process: Stupid Monkey.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client Server Runtime Process.lnk (process: Stupid Monkey.exe)
Executes dropped EXE 3 IoCs
pid/process: 872 tawcrm.exe, 5488 Client Server Runtime Process, 5660 Client Server Runtime Process
Adds Run key to start application 2 TTPs 1 IoCs
Set value (str): \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Process = "C:\\ProgramData\\Client Server Runtime Process" (process: Stupid Monkey.exe)
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow/ioc: 41 discord.com, 36 discord.com, 37 discord.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow/ioc: 16 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Key opened: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (process: netsh.exe)
Key queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (process: netsh.exe)
Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (process: netsh.exe)
Caveat: all three IoCs are reads, and netsh.exe enumerates this key on every launch to load its registered helper DLLs. The only netsh command in this run is the firewall disable listed under Modifies Windows Firewall; nothing in the report shows a new helper DLL being written to the key, so this mapping is a side effect of running netsh, not a separate persistence mechanism.
Enumerates system info in registry 2 TTPs 6 IoCs
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (process: msedge.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (process: msedge.exe)
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (process: chrome.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (process: chrome.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (process: chrome.exe)
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (process: msedge.exe)
All six hits come from msedge.exe and chrome.exe, which run as top-level processes in this environment rather than as children of the sample (see the process tree); they are browser noise, not sample behaviour.
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid/process: 2768 schtasks.exe
Suspicious behavior: EnumeratesProcesses 15 IoCs
pid/process (event count): 4128 powershell.exe (2), 5104 powershell.exe (2), 5020 powershell.exe (2), 1132 powershell.exe (2), 428 Stupid Monkey.exe (1), 4012 msedge.exe (2), 2128 msedge.exe (2), 1368 chrome.exe (2)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid/process (event count): 2128 msedge.exe (4), 1368 chrome.exe (3)
Suspicious use of AdjustPrivilegeToken 12 IoCs
SeDebugPrivilege: 428 Stupid Monkey.exe, 4128 powershell.exe, 5104 powershell.exe, 5020 powershell.exe, 1132 powershell.exe, 872 tawcrm.exe, 5488 Client Server Runtime Process, 5660 Client Server Runtime Process
SeShutdownPrivilege: 1368 chrome.exe (2)
SeCreatePagefilePrivilege: 1368 chrome.exe (2)
Suspicious use of FindShellTrayWindow 53 IoCs
pid/process: 2128 msedge.exe and 1368 chrome.exe only (53 events between them; browser activity, not the sample)
Suspicious use of SendNotifyMessage 48 IoCs
pid/process: 2128 msedge.exe and 1368 chrome.exe only (48 events between them; browser activity, not the sample)
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 428 Stupid Monkey.exe -
Suspicious use of WriteProcessMemory 64 IoCs
PID 428 (Stupid Monkey.exe) wrote to memory of: 4128 powershell.exe (2 events), 5104 powershell.exe (2), 5020 powershell.exe (2), 1132 powershell.exe (2), 2768 schtasks.exe (2), 872 tawcrm.exe (2)
PID 2128 (msedge.exe) wrote to memory of: 3324 (2), 1568 (40), 4012 (2), 1072 (8)
The PID 428 entries line up exactly with the sample's children in the process tree, i.e. writes made while launching them; the msedge.exe entries are the browser bootstrapping its own child processes.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Top-level entries were started by the analysis environment or by a persistence mechanism; indented "child:" entries were spawned by the process above them.

C:\Users\Admin\AppData\Local\Temp\Stupid Monkey.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Stupid Monkey.exe"
  PID: 428
  signatures: Checks computer location settings; Drops startup file; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Stupid Monkey.exe'
    PID: 4128
    signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Stupid Monkey.exe'
    PID: 5104
    signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Client Server Runtime Process'
    PID: 5020
    signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Client Server Runtime Process'
    PID: 1132
    signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  child: C:\Windows\System32\schtasks.exe
    command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Client Server Runtime Process" /tr "C:\ProgramData\Client Server Runtime Process"
    PID: 2768
    signatures: Scheduled Task/Job: Scheduled Task
  child: C:\Users\Admin\AppData\Local\Temp\tawcrm.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tawcrm.exe"
    PID: 872
    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  child: C:\Windows\System32\netsh.exe
    command line: "C:\Windows\System32\netsh.exe" advfirewall set allprofiles state off
    PID: 5756
    signatures: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL

Note the persistence shape: the same extensionless file under C:\ProgramData is referenced by the Run key, the Startup-folder .lnk and a scheduled task that re-runs it every minute at highest privilege, and its name copies the description string of csrss.exe ("Client Server Runtime Process"). The Defender exclusions are added for both the original path and the ProgramData copy before the task is created, so remediation has to remove the exclusions as well as the three launch points.

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  PID: 2128
  signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  child: msedge.exe (PID 3324)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0x11c,0x12c,0x7ff839bf46f8,0x7ff839bf4708,0x7ff839bf4718
  child: msedge.exe (PID 1568)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,3392352006061037081,11436793902182466980,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
  child: msedge.exe (PID 4012)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,3392352006061037081,11436793902182466980,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
    signatures: Suspicious behavior: EnumeratesProcesses
  child: msedge.exe (PID 1072)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,3392352006061037081,11436793902182466980,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
  child: msedge.exe (PID 2732)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,3392352006061037081,11436793902182466980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  child: msedge.exe (PID 4416)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,3392352006061037081,11436793902182466980,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  child: msedge.exe (PID 5228)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,3392352006061037081,11436793902182466980,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
  child: msedge.exe (PID 5284)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,3392352006061037081,11436793902182466980,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4196

C:\Windows\System32\CompPkgSrv.exe
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2116

C:\Program Files\Google\Chrome\Application\chrome.exe
  command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  PID: 1368
  signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
  child: chrome.exe (PID 4200)
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff83616cc40,0x7ff83616cc4c,0x7ff83616cc58
  child: chrome.exe (PID 2352)
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1864,i,7014491555198819610,5039004368188151697,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1856 /prefetch:2
  child: chrome.exe (PID 2960)
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2188,i,7014491555198819610,5039004368188151697,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2196 /prefetch:3
  child: chrome.exe (PID 3136)
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,7014491555198819610,5039004368188151697,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2236 /prefetch:8
  child: chrome.exe (PID 4120)
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,7014491555198819610,5039004368188151697,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3168 /prefetch:1
  child: chrome.exe (PID 4696)
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3360,i,7014491555198819610,5039004368188151697,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3428 /prefetch:1
  child: chrome.exe (PID 5204)
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4412,i,7014491555198819610,5039004368188151697,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4572 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
  command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
  PID: 5196

C:\ProgramData\Client Server Runtime Process
  command line: "C:\ProgramData\Client Server Runtime Process"
  PID: 5488
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken

C:\ProgramData\Client Server Runtime Process
  command line: "C:\ProgramData\Client Server Runtime Process"
  PID: 5660
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken

The two top-level runs of the dropped file are consistent with the every-minute scheduled task (or the Run key) firing, not with a direct spawn from PID 428; the report does not record which launcher started them. The msedge.exe, chrome.exe, CompPkgSrv.exe and elevation_service.exe entries are environment activity and carry no sample-specific signatures.
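As an added example, and not code from the report or from either malware family, here is detection logic for the three evasion and persistence commands shown in the tree above, run over constructed Sysmon-style process-creation events. PIDs, images and command lines are copied from the tree; the parent PID 1000 for the top-level entries and the two benign control events (an admin running Get-MpPreference, an Edge crash handler) are invented for the test. Arguments are matched independently of their order, the parent image is recorded so the sample -> powershell lineage survives into the alert, and an extensionless binary under ProgramData is flagged on its own since every launch point in this run targets one.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """A process-creation event in the shape Sysmon event ID 1 provides."""
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


# Command-line rules: the image basename the rule applies to, plus regexes that
# must all match the command line. Matching each token separately keeps the rule
# order-independent, so reordering arguments does not dodge it.
RULES = {
    "defender_exclusion_added": ("powershell.exe", [
        r"Add-MpPreference\b", r"-Exclusion(?:Path|Process|Extension)\b"]),
    "schtasks_every_minute_highest": ("schtasks.exe", [
        r"/create\b", r"/sc\s+minute\b", r"/mo\s+1\b", r"/RL\s+HIGHEST\b"]),
    "firewall_all_profiles_off": ("netsh.exe", [
        r"advfirewall\s+set\s+allprofiles\s+state\s+off\b"]),
}


def is_extensionless_programdata_image(image: str) -> bool:
    """True for a binary under ProgramData whose file name has no extension,
    the shape of the dropped 'Client Server Runtime Process' in this report."""
    name = ntpath.basename(image)
    return "\\programdata\\" in image.lower() and ntpath.splitext(name)[1] == ""


def detect(events: list[ProcEvent]) -> list[Finding]:
    """Run every rule over every event; return one Finding per rule hit."""
    by_pid = {e.pid: e for e in events}
    findings: list[Finding] = []
    for e in events:
        base = ntpath.basename(e.image).lower()
        parent = by_pid.get(e.ppid)
        parent_name = ntpath.basename(parent.image) if parent else f"pid {e.ppid} (not in log)"
        for rule, (target, patterns) in RULES.items():
            if base == target and all(re.search(p, e.cmdline, re.IGNORECASE) for p in patterns):
                findings.append(Finding(rule, e.pid, f"parent={parent_name}"))
        if is_extensionless_programdata_image(e.image):
            findings.append(Finding("programdata_extensionless_image", e.pid, f"image={e.image}"))
    return findings


def findings_by_rule(events: list[ProcEvent]) -> dict[str, set[int]]:
    """Group hit PIDs by rule name, the view a triage queue wants."""
    out: dict[str, set[int]] = {}
    for f in detect(events):
        out.setdefault(f.rule, set()).add(f.pid)
    return out


def cmd(image: str, args: str = "") -> str:
    """Build a command line the way Windows logs it: quoted image, then arguments."""
    return f'"{image}"' + (f" {args}" if args else "")


# Constructed events modelled on the process tree in this report.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Stupid Monkey.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"
NETSH = r"C:\Windows\System32\netsh.exe"
DROPPED = r"C:\ProgramData\Client Server Runtime Process"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

EVENTS = [
    ProcEvent(428, 1000, SAMPLE, cmd(SAMPLE)),
    ProcEvent(4128, 428, PS, cmd(PS, r"-ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Stupid Monkey.exe'")),
    ProcEvent(5104, 428, PS, cmd(PS, r"-ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Stupid Monkey.exe'")),
    ProcEvent(2768, 428, SCHTASKS, cmd(SCHTASKS, r'/create /f /RL HIGHEST /sc minute /mo 1 /tn "Client Server Runtime Process" /tr "C:\ProgramData\Client Server Runtime Process"')),
    ProcEvent(5756, 428, NETSH, cmd(NETSH, "advfirewall set allprofiles state off")),
    ProcEvent(5488, 1000, DROPPED, cmd(DROPPED)),
    # Benign controls (invented): an admin reading Defender settings, Edge's crash handler.
    ProcEvent(9001, 9000, PS, cmd(PS, "Get-MpPreference")),
    ProcEvent(3324, 2128, EDGE, cmd(EDGE, "--type=crashpad-handler")),
]


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(f"{finding.rule:32} pid={finding.pid:<5} {finding.detail}")
```

The parent lineage is what separates this from noise: Add-MpPreference run by an administrator's console session is routine, while the same cmdlet spawned by a freshly downloaded executable in %TEMP% is not, and the detail field carries exactly that distinction.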
Network
MITRE ATT&CK Enterprise v15
Counts in parentheses are the number of matching signatures.
Execution
- Command and Scripting Interpreter: PowerShell (1)
- Scheduled Task/Job: Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Create or Modify System Process: Windows Service (1)
- Event Triggered Execution: Netsh Helper DLL (1)
- Scheduled Task/Job: Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Create or Modify System Process: Windows Service (1)
- Event Triggered Execution: Netsh Helper DLL (1)
- Scheduled Task/Job: Scheduled Task (1)
Defense Evasion
- Impair Defenses: Disable or Modify System Firewall (1)
- Modify Registry (1)
Two of these mappings are weaker than they look: no signature in the report shows a service being created or modified, and the Netsh Helper DLL hits are netsh.exe's own reads of its helper key while disabling the firewall. Verify both against the raw events before carrying them into an incident report.
Downloads
The entries are unnamed in the report. The first is the submitted sample itself (hashes match General); the third is the two-byte string "[]" (an empty JSON array). The report does not tie the remaining entries to the dropped files (tawcrm.exe, Client Server Runtime Process), so they cannot be attributed from this page alone.

Filesize: 70KB (submitted sample)
MD5: 4c785ba0487bfec51faf4788d564ee9f
SHA1: 786fdc994a71d7e02a556e3f720b41a096a789f5
SHA256: c81ae973db641e3c60912166be8979a60b95253ae290c145b9a2133ad7a2ebb8
SHA512: b6b7fbd58e1c3657a81d17a974fc609c1af29dab6489685d2eea5e1397e12853c17086a537f7607aef6833f358965788adc961b44eeff21530ff89f9776eee06

Filesize: 1KB
MD5: e5780873d90a28d16c06feb2786e1989
SHA1: 1267dc713a042cd4514ad19420d9cdba133163b1
SHA256: 5192532541430ffc922aa5f4624f96c875ab214c025b8156bcf1e7b2b425a9ca
SHA512: fa23f1fc43282bc81e90846a30fee4c1bb5cca0b026471663de12235a55508a740d87a9014f264c7c08becdd147ef1db4b030d0ab81eecacd97da77e88de69c0

Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Filesize: 356B
MD5: 013a2f30646c75a2526263e18561abe2
SHA1: d4dba92dc1a367608c25ccf422d247bfc5a8487a
SHA256: 99c87c40188f895c2b40e24569ac6303f7cc2e4f7fb7a10623572d9bc593003b
SHA512: 68835fe96a785fc2d7101c29e7c78ee2bb027f7a1dd8ccf4fe3ffd47fc3ec14596dca82020d3d736f8ada0c8d9ffe2c8fe06d162eae2b25ea53cde83279edf23

Filesize: 8KB
MD5: 0edd9f232bb6a7bb2194842e9033c7c4
SHA1: cabb5524b48c170e44649504b180afbaef65ea85
SHA256: 85ef75ff4f62968c535d2ecdc17db835f715a748be4b32d6de6eca0e0263003b
SHA512: 8b844833ceef44b7648c57f5a8216d4dc7252288d82756fc8c61291207782694efa9073775f724de324559957140b98216f833b9d9ce32319b33b785e2ed3a5c

Filesize: 116KB
MD5: f61740adc569ea7440eaf029e2d42342
SHA1: 9f9831a912efbfbd4fde109abeaca88a6b32ae53
SHA256: 106d246ead393a2a6f83bfa310c06ebd720c34b42e599833428215c982c1632c
SHA512: f92a0adb5627c50ee5d712850a5521c52d1ed568f2d0729e954652cee67a99cd247053a38bf7b38f8c6befed8f91db71b764e0bf6c57577c8d25f144a4b94fb7

Filesize: 654B
MD5: 2ff39f6c7249774be85fd60a8f9a245e
SHA1: 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256: e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512: 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Filesize: 2KB
MD5: d85ba6ff808d9e5444a4b369f5bc2730
SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Filesize: 152B
MD5: 8749e21d9d0a17dac32d5aa2027f7a75
SHA1: a5d555f8b035c7938a4a864e89218c0402ab7cde
SHA256: 915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304
SHA512: c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

Filesize: 152B
MD5: 34d2c4f40f47672ecdf6f66fea242f4a
SHA1: 4bcad62542aeb44cae38a907d8b5a8604115ada2
SHA256: b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33
SHA512: 50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

Filesize: 264KB
MD5: f50f89a0a91564d0b8a211f8921aa7de
SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Filesize: 5KB
MD5: caa6ce991074ee8eb90e15c01c4105c6
SHA1: f2ca635a174bbdc856d7864c1ca2e8f9bf2362f3
SHA256: 290baf606a334aa015178af09d3f44e2dd030d8f58c706eb47f6a7b080888365
SHA512: 1ad72e72d2c31198ea189ab4654c4ca91157671405a47f388b493ea678bb33fd735f3ee74796adb06d5316139862b6903dd710cd58fd19e789cc537d10c83826

Filesize: 6KB
MD5: dbe953029b008c1c725d50830017b1d5
SHA1: 7079769522c270ae27ace783a1a94b825e6a80b1
SHA256: 70eedc4505ecbd4473a49374464a151f2a49e505c8bd91346b1cd1d2a56dc4dd
SHA512: 0b49f649632d793d8b245ad4c6a0f0ea43f76e8174152e37780c85eb116d782d8d4e27fe4284e065fd317e993ea0ab7ec3774e2d10dc5ccefd2d59056e633c20

Filesize: 10KB
MD5: f1cfadf47deb9b7a2413dc4e12bdcfbb
SHA1: c01beefc181eb30798bd06a43aa634f85156b9ce
SHA256: c0884dc77cd72280638a65efb75451dbcd06118acff6040e0c5a35ebee97a02b
SHA512: 7b304ce441001d5084c06243fed8338c3d7cf766ec53fbad56bfcbcb14f34bf0e0ef67d9707d95b9a8d7e24daee9c1249ce96e03675c9b68e8b24a2086d79ccf

Filesize: 944B
MD5: 2979eabc783eaca50de7be23dd4eafcf
SHA1: d709ce5f3a06b7958a67e20870bfd95b83cad2ea
SHA256: 006cca90e78fbb571532a83082ac6712721a34ea4b21f490058ffb3f521f4903
SHA512: 92bc433990572d9427d0c93eef9bd1cc23fa00ed60dd0c9c983d87d3421e02ce3f156c6f88fe916ef6782dbf185cbce083bc0094f8c527f302be6a37d1c53aba

Filesize: 944B
MD5: 15dde0683cd1ca19785d7262f554ba93
SHA1: d039c577e438546d10ac64837b05da480d06bf69
SHA256: d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961
SHA512: 57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

Filesize: 944B
MD5: 22310ad6749d8cc38284aa616efcd100
SHA1: 440ef4a0a53bfa7c83fe84326a1dff4326dcb515
SHA256: 55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf
SHA512: 2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 78KB
MD5: 24b361200a5fc61a62657c8ef7886d1f
SHA1: a6e4602b47f50e943603c5164bd6750e3b58a5ef
SHA256: 7f4b62dd5a02a17056e390f59bca7a314d40bc3e8928307a56b558033dd58bb7
SHA512: a1081da6c801dbe649b25c7bc7fce26a20d22b574df0b9b0050ec8089acc29f86f28f77bdbd3610210452255162939832c7a7e35344a9335981e0fef4cd4542a