Analysis
max time kernel: 38s
max time network: 42s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 20/12/2022, 13:46
Static task: static1
Behavioral task: behavioral1
Sample: b511ecd47d22a84f307091da88c9a31f2c3bb763970b597a272936b4f2a6726c.exe
Resource: win7-20220812-en
General
Target: b511ecd47d22a84f307091da88c9a31f2c3bb763970b597a272936b4f2a6726c.exe
Size: 4.6MB
MD5: 1149579eb5df3bc7dcebb2e463b24417
SHA1: 0bf20cad723541dc19fbe24d930f6c801a5a99bb
SHA256: b511ecd47d22a84f307091da88c9a31f2c3bb763970b597a272936b4f2a6726c
SHA512: 8084de607d1e7566660dbcc68e271602f8013a8f8f3ee88f0c468dd5492be1ef3fb74b1f79456ba057772744c2dcfcb3f2373c2a5464ee76845e9f774c9e7b07
SSDEEP: 98304:gVxKTOLtxrGqnwEZr9zhYrTaUKnR8jTNDJAKRHpQZ1ubZXZ:qhxrGQN9qqNR8jTNtpJg1uVXZ
Malware Config
Extracted family: danabot
C2:
  49.0.50.0:57
  51.0.52.0:0
  53.0.54.0:1200
  55.0.56.0:65535
type: loader
Signatures

Executes dropped EXE (1 IoCs)
pid | Process
1432 | Tyiotphai.exe

Loads dropped DLL (2 IoCs)
pid | Process
2000 | b511ecd47d22a84f307091da88c9a31f2c3bb763970b597a272936b4f2a6726c.exe
2000 | b511ecd47d22a84f307091da88c9a31f2c3bb763970b597a272936b4f2a6726c.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
pid | Process
1224 | chrome.exe

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 2000 set thread context of 1288 | 2000 | b511ecd47d22a84f307091da88c9a31f2c3bb763970b597a272936b4f2a6726c.exe | 27
PID 1288 set thread context of 944 | 1288 | rundll32.exe | 33
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 45 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Signature | b511ecd47d22a84f307091da88c9a31f2c3bb763970b597a272936b4f2a6726c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | b511ecd47d22a84f307091da88c9a31f2c3bb763970b597a272936b4f2a6726c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Signature | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Signature | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | b511ecd47d22a84f307091da88c9a31f2c3bb763970b597a272936b4f2a6726c.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | b511ecd47d22a84f307091da88c9a31f2c3bb763970b597a272936b4f2a6726c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | b511ecd47d22a84f307091da88c9a31f2c3bb763970b597a272936b4f2a6726c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | b511ecd47d22a84f307091da88c9a31f2c3bb763970b597a272936b4f2a6726c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | b511ecd47d22a84f307091da88c9a31f2c3bb763970b597a272936b4f2a6726c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | b511ecd47d22a84f307091da88c9a31f2c3bb763970b597a272936b4f2a6726c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | rundll32.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | b511ecd47d22a84f307091da88c9a31f2c3bb763970b597a272936b4f2a6726c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform ID | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | b511ecd47d22a84f307091da88c9a31f2c3bb763970b597a272936b4f2a6726c.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | b511ecd47d22a84f307091da88c9a31f2c3bb763970b597a272936b4f2a6726c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | b511ecd47d22a84f307091da88c9a31f2c3bb763970b597a272936b4f2a6726c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform ID | b511ecd47d22a84f307091da88c9a31f2c3bb763970b597a272936b4f2a6726c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Signature | b511ecd47d22a84f307091da88c9a31f2c3bb763970b597a272936b4f2a6726c.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | b511ecd47d22a84f307091da88c9a31f2c3bb763970b597a272936b4f2a6726c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | b511ecd47d22a84f307091da88c9a31f2c3bb763970b597a272936b4f2a6726c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | b511ecd47d22a84f307091da88c9a31f2c3bb763970b597a272936b4f2a6726c.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | b511ecd47d22a84f307091da88c9a31f2c3bb763970b597a272936b4f2a6726c.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | b511ecd47d22a84f307091da88c9a31f2c3bb763970b597a272936b4f2a6726c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID | b511ecd47d22a84f307091da88c9a31f2c3bb763970b597a272936b4f2a6726c.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | b511ecd47d22a84f307091da88c9a31f2c3bb763970b597a272936b4f2a6726c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | b511ecd47d22a84f307091da88c9a31f2c3bb763970b597a272936b4f2a6726c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | b511ecd47d22a84f307091da88c9a31f2c3bb763970b597a272936b4f2a6726c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | rundll32.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Modifies registry class (24 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 7e0074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f3c0008000400efbe00000000000000002a000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000 | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_Classes\Local Settings | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = 00000000ffffffff | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = ffffffff | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f44471a0359723fa74489c55595fe6b30ee0000 | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 4c003100000000000000000010004c6f63616c00380008000400efbe00000000000000002a000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000 | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 = 4a0031000000000000000000102054656d700000360008000400efbe00000000000000002a00000000000000000000000000000000000000000000000000540065006d007000000014000000 | rundll32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\NodeSlot = "2" | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell | rundll32.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
1288 | rundll32.exe
992 | chrome.exe
1224 | chrome.exe
1224 | chrome.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1432 | Tyiotphai.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
pid | Process
1432 | Tyiotphai.exe
1288 | rundll32.exe
1224 | chrome.exe
944 | rundll32.exe

Suspicious use of SendNotifyMessage (1 IoCs)
pid | Process
1432 | Tyiotphai.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
1224 | chrome.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2000 wrote to memory of 1432 | 2000 | b511ecd47d22a84f307091da88c9a31f2c3bb763970b597a272936b4f2a6726c.exe | 26
PID 2000 wrote to memory of 1432 | 2000 | b511ecd47d22a84f307091da88c9a31f2c3bb763970b597a272936b4f2a6726c.exe | 26
PID 2000 wrote to memory of 1432 | 2000 | b511ecd47d22a84f307091da88c9a31f2c3bb763970b597a272936b4f2a6726c.exe | 26
PID 2000 wrote to memory of 1432 | 2000 | b511ecd47d22a84f307091da88c9a31f2c3bb763970b597a272936b4f2a6726c.exe | 26
PID 2000 wrote to memory of 1288 | 2000 | b511ecd47d22a84f307091da88c9a31f2c3bb763970b597a272936b4f2a6726c.exe | 27
PID 2000 wrote to memory of 1288 | 2000 | b511ecd47d22a84f307091da88c9a31f2c3bb763970b597a272936b4f2a6726c.exe | 27
PID 2000 wrote to memory of 1288 | 2000 | b511ecd47d22a84f307091da88c9a31f2c3bb763970b597a272936b4f2a6726c.exe | 27
PID 2000 wrote to memory of 1288 | 2000 | b511ecd47d22a84f307091da88c9a31f2c3bb763970b597a272936b4f2a6726c.exe | 27
PID 2000 wrote to memory of 1288 | 2000 | b511ecd47d22a84f307091da88c9a31f2c3bb763970b597a272936b4f2a6726c.exe | 27
PID 2000 wrote to memory of 1288 | 2000 | b511ecd47d22a84f307091da88c9a31f2c3bb763970b597a272936b4f2a6726c.exe | 27
PID 2000 wrote to memory of 1288 | 2000 | b511ecd47d22a84f307091da88c9a31f2c3bb763970b597a272936b4f2a6726c.exe | 27
PID 2000 wrote to memory of 1288 | 2000 | b511ecd47d22a84f307091da88c9a31f2c3bb763970b597a272936b4f2a6726c.exe | 27
PID 1224 wrote to memory of 760 | 1224 | chrome.exe | 29
PID 1224 wrote to memory of 760 | 1224 | chrome.exe | 29
PID 1224 wrote to memory of 760 | 1224 | chrome.exe | 29
PID 1224 wrote to memory of 2008 | 1224 | chrome.exe | 30
PID 1224 wrote to memory of 2008 | 1224 | chrome.exe | 30
PID 1224 wrote to memory of 2008 | 1224 | chrome.exe | 30
PID 1224 wrote to memory of 2008 | 1224 | chrome.exe | 30
PID 1224 wrote to memory of 2008 | 1224 | chrome.exe | 30
PID 1224 wrote to memory of 2008 | 1224 | chrome.exe | 30
PID 1224 wrote to memory of 2008 | 1224 | chrome.exe | 30
PID 1224 wrote to memory of 2008 | 1224 | chrome.exe | 30
PID 1224 wrote to memory of 2008 | 1224 | chrome.exe | 30
PID 1224 wrote to memory of 2008 | 1224 | chrome.exe | 30
PID 1224 wrote to memory of 2008 | 1224 | chrome.exe | 30
PID 1224 wrote to memory of 2008 | 1224 | chrome.exe | 30
PID 1224 wrote to memory of 2008 | 1224 | chrome.exe | 30
PID 1224 wrote to memory of 2008 | 1224 | chrome.exe | 30
PID 1224 wrote to memory of 2008 | 1224 | chrome.exe | 30
PID 1224 wrote to memory of 2008 | 1224 | chrome.exe | 30
PID 1224 wrote to memory of 2008 | 1224 | chrome.exe | 30
PID 1224 wrote to memory of 2008 | 1224 | chrome.exe | 30
PID 1224 wrote to memory of 2008 | 1224 | chrome.exe | 30
PID 1224 wrote to memory of 2008 | 1224 | chrome.exe | 30
PID 1224 wrote to memory of 2008 | 1224 | chrome.exe | 30
PID 1224 wrote to memory of 2008 | 1224 | chrome.exe | 30
PID 1224 wrote to memory of 2008 | 1224 | chrome.exe | 30
PID 1224 wrote to memory of 2008 | 1224 | chrome.exe | 30
PID 1224 wrote to memory of 2008 | 1224 | chrome.exe | 30
PID 1224 wrote to memory of 2008 | 1224 | chrome.exe | 30
PID 1224 wrote to memory of 2008 | 1224 | chrome.exe | 30
PID 1224 wrote to memory of 2008 | 1224 | chrome.exe | 30
PID 1224 wrote to memory of 2008 | 1224 | chrome.exe | 30
PID 1224 wrote to memory of 2008 | 1224 | chrome.exe | 30
PID 1224 wrote to memory of 2008 | 1224 | chrome.exe | 30
PID 1224 wrote to memory of 2008 | 1224 | chrome.exe | 30
PID 1224 wrote to memory of 2008 | 1224 | chrome.exe | 30
PID 1224 wrote to memory of 2008 | 1224 | chrome.exe | 30
PID 1224 wrote to memory of 2008 | 1224 | chrome.exe | 30
PID 1224 wrote to memory of 2008 | 1224 | chrome.exe | 30
PID 1224 wrote to memory of 2008 | 1224 | chrome.exe | 30
PID 1224 wrote to memory of 2008 | 1224 | chrome.exe | 30
PID 1224 wrote to memory of 2008 | 1224 | chrome.exe | 30
PID 1224 wrote to memory of 2008 | 1224 | chrome.exe | 30
PID 1224 wrote to memory of 2008 | 1224 | chrome.exe | 30
PID 1224 wrote to memory of 992 | 1224 | chrome.exe | 31
PID 1224 wrote to memory of 992 | 1224 | chrome.exe | 31
PID 1224 wrote to memory of 992 | 1224 | chrome.exe | 31
PID 1224 wrote to memory of 1436 | 1224 | chrome.exe | 32
PID 1224 wrote to memory of 1436 | 1224 | chrome.exe | 32
PID 1224 wrote to memory of 1436 | 1224 | chrome.exe | 32
PID 1224 wrote to memory of 1436 | 1224 | chrome.exe | 32
PID 1224 wrote to memory of 1436 | 1224 | chrome.exe | 32
Processes

C:\Users\Admin\AppData\Local\Temp\b511ecd47d22a84f307091da88c9a31f2c3bb763970b597a272936b4f2a6726c.exe (PID: 2000)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b511ecd47d22a84f307091da88c9a31f2c3bb763970b597a272936b4f2a6726c.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Tyiotphai.exe (PID: 1432)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Tyiotphai.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\syswow64\rundll32.exe (PID: 1288)
    Command line: "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
    - Suspicious use of SetThreadContext
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow

    C:\Windows\system32\rundll32.exe (PID: 944)
      Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 30772
      - Modifies registry class
      - Suspicious use of FindShellTrayWindow

C:\Program Files\Google\Chrome\Application\chrome.exe (PID: 1224)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-first-run --no-default-browser-check --silent-launch --disable-backgrounding-occluded-windows --disable-background-timer-throttling --ran-launcher --profile-directory="Default"
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID: 760)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fefab64f50,0x7fefab64f60,0x7fefab64f70

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID: 2008)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1140,10297704846824431950,14056046502614918070,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1148 /prefetch:2

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID: 992)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1140,10297704846824431950,14056046502614918070,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1388 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID: 1436)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1140,10297704846824431950,14056046502614918070,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1696 /prefetch:8
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 1.4MB
MD5: dfa7517406bc186cbc7e7e72491f34e2
SHA1: e98c6f327a66a9ecd4c0746e8ef19ae53b2bb8b7
SHA256: 5b6ea9afdebfce6aafda78bbc6f9a9d81494436e4b159122bbc3122355d7a44b
SHA512: 2644fb9a879e65aaf99fadb3664772b072cd3ced1f4b8a6b89e149b28588bc0e0a6b5d5d72f0decf31b83875ae87a009c298b3cc036a442c725142297dc8ecda

Filesize: 1.4MB
MD5: dfa7517406bc186cbc7e7e72491f34e2
SHA1: e98c6f327a66a9ecd4c0746e8ef19ae53b2bb8b7
SHA256: 5b6ea9afdebfce6aafda78bbc6f9a9d81494436e4b159122bbc3122355d7a44b
SHA512: 2644fb9a879e65aaf99fadb3664772b072cd3ced1f4b8a6b89e149b28588bc0e0a6b5d5d72f0decf31b83875ae87a009c298b3cc036a442c725142297dc8ecda

Filesize: 1.4MB
MD5: dfa7517406bc186cbc7e7e72491f34e2
SHA1: e98c6f327a66a9ecd4c0746e8ef19ae53b2bb8b7
SHA256: 5b6ea9afdebfce6aafda78bbc6f9a9d81494436e4b159122bbc3122355d7a44b
SHA512: 2644fb9a879e65aaf99fadb3664772b072cd3ced1f4b8a6b89e149b28588bc0e0a6b5d5d72f0decf31b83875ae87a009c298b3cc036a442c725142297dc8ecda