4c10d3ddeba414775ebb5af4da5b7bb17ae52a92831fe09244f63c36b2c77f34

Resubmissions

15-04-2023 15:00

230415-sdk53aed76 7

15-04-2023 14:56

230415-sazt2sga3s 10

15-04-2023 14:44

230415-r39z2sfh9v 10

Analysis

max time kernel
65s
max time network
69s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
15-04-2023 15:00

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

PowerPoint[1].zip
Size

66KB
MD5

196611c89b3b180d8a638d11d50926ed
SHA1

aa98b312dc0e9d7e59bef85b704ad87dc6c582d5
SHA256

4c10d3ddeba414775ebb5af4da5b7bb17ae52a92831fe09244f63c36b2c77f34
SHA512

19d60abf83b4a4fe5701e38e0c84f9492232ceb95b267ae5859c049cea12fee2328a5d26ffd850e38307fb10cb3955b7e5e49d916856c929442d45b87071d724
SSDEEP

1536:bnTpZDj+PE7ixJWt6/RXHNrqCRRSc5si4YJ5lyf1FDwTqV:npt2E7ix9Fp1qcCZI7yfa2

Score

7^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

sys3.exe

pid process

4124 sys3.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

[email protected]sys3.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 [email protected]
File opened for modification \??\PHYSICALDRIVE0 sys3.exe

pid	process
4124	sys3.exe

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	[email protected]
File opened for modification	\??\PHYSICALDRIVE0	sys3.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

Processes:

LogonUI.exechrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133260444679823615"	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings chrome.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

chrome.exe

pid process

2968 chrome.exe
2968 chrome.exe
2968 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

chrome.exe

pid process

2968 chrome.exe
2968 chrome.exe
2968 chrome.exe
2968 chrome.exe
2968 chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeCreatePagefilePrivilege	2968	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

Processes:

chrome.exe

pid	process
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

3384 LogonUI.exe

pid	process
3384	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2968 wrote to memory of 4896	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 4896	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3984	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3984	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3984	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3984	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3984	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3984	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3984	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3984	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3984	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3984	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3984	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3984	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3984	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3984	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3984	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3984	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3984	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3984	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3984	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3984	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3984	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3984	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3984	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3984	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3984	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3984	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3984	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3984	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3984	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3984	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3984	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3984	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3984	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3984	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3984	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3984	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3984	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3984	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3920	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3920	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3804	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3804	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3804	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3804	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3804	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3804	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3804	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3804	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3804	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3804	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3804	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3804	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3804	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3804	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3804	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3804	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3804	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3804	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3804	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3804	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3804	2968	chrome.exe	chrome.exe
PID 2968 wrote to memory of 3804	2968	chrome.exe	chrome.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\PowerPoint[1].zip
1⤵
PID:2496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xd0,0xd4,0xd8,0xac,0xdc,0x7ffd70419758,0x7ffd70419768,0x7ffd70419778
2⤵
PID:4896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1828 --field-trial-handle=1868,i,6210938664979353383,9201645314042864229,131072 /prefetch:8
2⤵
PID:3920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1660 --field-trial-handle=1868,i,6210938664979353383,9201645314042864229,131072 /prefetch:2
2⤵
PID:3984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2100 --field-trial-handle=1868,i,6210938664979353383,9201645314042864229,131072 /prefetch:8
2⤵
PID:3804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3012 --field-trial-handle=1868,i,6210938664979353383,9201645314042864229,131072 /prefetch:1
2⤵
PID:3568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2528 --field-trial-handle=1868,i,6210938664979353383,9201645314042864229,131072 /prefetch:1
2⤵
PID:2680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4396 --field-trial-handle=1868,i,6210938664979353383,9201645314042864229,131072 /prefetch:1
2⤵
PID:4040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4524 --field-trial-handle=1868,i,6210938664979353383,9201645314042864229,131072 /prefetch:8
2⤵
PID:3080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4672 --field-trial-handle=1868,i,6210938664979353383,9201645314042864229,131072 /prefetch:8
2⤵
PID:3428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4836 --field-trial-handle=1868,i,6210938664979353383,9201645314042864229,131072 /prefetch:8
2⤵
PID:4460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4572 --field-trial-handle=1868,i,6210938664979353383,9201645314042864229,131072 /prefetch:8
2⤵
PID:4172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 --field-trial-handle=1868,i,6210938664979353383,9201645314042864229,131072 /prefetch:8
2⤵
PID:5012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4956 --field-trial-handle=1868,i,6210938664979353383,9201645314042864229,131072 /prefetch:1
2⤵
PID:5064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3092 --field-trial-handle=1868,i,6210938664979353383,9201645314042864229,131072 /prefetch:1
2⤵
PID:232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4656 --field-trial-handle=1868,i,6210938664979353383,9201645314042864229,131072 /prefetch:8
2⤵
PID:4408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 --field-trial-handle=1868,i,6210938664979353383,9201645314042864229,131072 /prefetch:8
2⤵
PID:4428

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3208

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3968

C:\Users\Admin\AppData\Local\Temp\Temp1_PowerPoint.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_PowerPoint.zip\[email protected]"
1⤵
- Writes to the Master Boot Record (MBR)
PID:5060

C:\Users\Admin\AppData\Local\Temp\sys3.exe
C:\Users\Admin\AppData\Local\Temp\\sys3.exe
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:4124

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ad2055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3384

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
371B

MD5
a3e5945052d5b3bdb0275387b0596d37

SHA1
d10e20086c7b52b57eabcf892544151fb0f8c479

SHA256
c18d4e771f4dc4e6be15f6a8d8c91c9a938c0154ed43960f7914edce502650ad

SHA512
fdcc98528b4d809bc48a11a36d5530e858fcbc1c13a5bc0702c1d0fb323a412eec9de6c50a6e9170be57eefb081fe412ba6f25956424b7493cbb708723822a8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
5df07c64774fd010c1bde5683cf2321a

SHA1
c175b1b046a8dd9294b11ab7ff0fa2afcae1509c

SHA256
b0d6dde425896abadfe38cc6b8368ce1b69a1e191ee69e72451c4d33c8fa70cb

SHA512
ce10884272f07614c0bc941d6cd2a3b2676e1ef3c268090a648c3c41a69545b8b2156ec373bfa7ca5a0406b8211df5d96193d6f68e1450bb23c022cac07aabf4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
fa60031c1a9c5d4e4b79ca1479e03f82

SHA1
2df67e6e469092ccf63728e29ee36c29787c9e24

SHA256
22f534455edc51767a23acb0c35ef1bdeaae03a6c615788889252258f4fd0ea8

SHA512
6c901a40a82f29c6ccf18a6546bc828381e87e320c4e2202c49c47a789674f84e95ad71f97bd09614e72b578e6011c4cf164c4c7a4d72d967b41b2730d792b1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
38a74e510360a2e3466d0eca69ed18f9

SHA1
048705c57c335319c87dbfdf84f35e1af1a783b3

SHA256
a58b5e97a5bb59e672146a3e1087e381c2a6b82b488261b7e78d70406fbd7651

SHA512
3860b563772f5e8ba0f78d6414602f371c4a7950f687017306a725fb03fde308da3acce843e259cd5ab42e71b78991b7e1b72a1667336e524154507b58fbc929

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
af54c383af8d65184ab3461c5d91fffe

SHA1
c657a2e24593dc932606ab3db92133b4a38cf515

SHA256
22cf76079f11c19e7cbd04e4577d776f51776258f8f997ff20cd31578b8d34ad

SHA512
10a3045b241f039fd0bdb6078cf79ba863b61eeec2d1a52b70b5c25dd40ee20f7e6a5fd199ddfcb4f7a1327b03cf44fbe5090a95bfe0d049bcad3b6d68332777

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
a64eaa9f0cbf8a9693c50f95c4968b9a

SHA1
a3f9b5b1df3043cde47134aef8b1401ed3c022bf

SHA256
1f55fb851013bf3c2d87152673e90817ddec9eb35e4cd909d0a48a6071c4ab86

SHA512
c74b4f0008aca63a4d52a2bbb24a39199cde6874efd279d19ecff20bc5313f4e2b3d5152a512ecf2d0b885b226fc3f74b7f4c232898603c62b9e1fe54b0e539a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
199KB

MD5
132c014379a05e8d63da649b1bda07ba

SHA1
75e6d51f6e334f1267b2c694907fea1871d38219

SHA256
3f6cf0176a76f8875fee0274ff2b0142f09e042ed77291dfe26d256e37101d8c

SHA512
be704be53f97ed202d50d94d9efd5fa4025919c1c03609618168a2a807a7cdb43dae9d5dd3d9c2940f21bfc12c55b75787844d534360304bbbb16f3709cb9b4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
199KB

MD5
2fe6b9af7d58d4a0d341c4f8240a2a4b

SHA1
c29b68acc83ce9d0ab89d02e0b9f7e4de3b059b7

SHA256
03d1caa2051bcf1622336c791c3da0e7d54ba3632d30cd6f6c9e570e519eb636

SHA512
59aa7928fb817fd546fcdeba124bef0bfa2ffa0f86743f85db45a6d0f878462dad16a6350c9167ab5e119abf36a10faa227ab8e792585e219555f365d0f88ee9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
103KB

MD5
6f83ec198df2ff441416bb64288142b0

SHA1
be019d87015e7dd8562d7b4da5a89002bd29d884

SHA256
be130c1419024f1821b8028f4b4ba519d7e69f15c632cf90e051b32798da61ee

SHA512
4155938964101f26741a959052de139da4ad989b0e6abd05771c33012fff3be5dedf4294a854d9bf8145f31c87212d02896f9859c9a0d2f1bb6b2178ab3ba19e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe579635.TMP
Filesize
92KB

MD5
79fed7624e260ac693bf7701fdcd9538

SHA1
7e1e95a293828e68e18fa87d7be142c97ca4c0db

SHA256
ef4dada9e2904802ec06b8fd017c7b39cc5a64a79fb462ce5a3928d911d6183e

SHA512
a143d8009e2b608d02d42368047befed62bc5f4b6cce309588dbd8dc4b0f7b146ea3bea2c30c30a4cf8c400671016a3fadf8381c648b00510afdc8dff3bbe103

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys3.exe
Filesize
136KB

MD5
70108103a53123201ceb2e921fcfe83c

SHA1
c71799a6a6d09ee758b04cdf90a4ab76fbd2a7e3

SHA256
9c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d

SHA512
996701c65eee7f781c2d22dce63f4a95900f36b97a99dcf833045bce239a08b3c2f6326b3a808431cdab92d59161dd80763e44126578e160d79b7095175d276b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys3.exe
Filesize
136KB

MD5
70108103a53123201ceb2e921fcfe83c

SHA1
c71799a6a6d09ee758b04cdf90a4ab76fbd2a7e3

SHA256
9c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d

SHA512
996701c65eee7f781c2d22dce63f4a95900f36b97a99dcf833045bce239a08b3c2f6326b3a808431cdab92d59161dd80763e44126578e160d79b7095175d276b

Download Submit
C:\Users\Admin\AppData\Local\Temp\systm.txt
Filesize
80B

MD5
34e19002be90417747f58e44cc1700ea

SHA1
6833d1e76b4e78f5a25cc9e74df2505b8c2956d2

SHA256
18cba779ba620fc897cc5adf01a88582f240765119e1e459da76709454355b06

SHA512
1ed2cec9f6c56d5d6cdd16a89b23fcabe0f3906a8924ad7f005f3fa1904b26d412fe76b12eb846ff8eb1ce092c22dad173741d43daa54160ef3620acb9df8133

Download Submit
C:\Users\Admin\Downloads\PowerPoint.zip
Filesize
66KB

MD5
196611c89b3b180d8a638d11d50926ed

SHA1
aa98b312dc0e9d7e59bef85b704ad87dc6c582d5

SHA256
4c10d3ddeba414775ebb5af4da5b7bb17ae52a92831fe09244f63c36b2c77f34

SHA512
19d60abf83b4a4fe5701e38e0c84f9492232ceb95b267ae5859c049cea12fee2328a5d26ffd850e38307fb10cb3955b7e5e49d916856c929442d45b87071d724

Download Submit
\??\pipe\crashpad_2968_VEEUIHMFSKGQFQXX
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/5060-324-0x000000002AA00000-0x000000002AA24000-memory.dmp

Filesize
144KB

Download
memory/5060-330-0x000000002AA00000-0x000000002AA24000-memory.dmp

Filesize
144KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads