hxxps://www[.]dropbox[.]com/s/dl/2lp810ujkbrwovn/ThunderBird[.]rar

Analysis

max time kernel
252s
max time network
1693s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
14/07/2023, 20:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.dropbox.com/s/dl/2lp810ujkbrwovn/ThunderBird.rar

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
1260	Process not Found
1260	Process not Found
1260	Process not Found

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1712	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeRestorePrivilege	1712	7zFM.exe
Token: 35	1712	7zFM.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe
Token: SeShutdownPrivilege	2648	chrome.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
1712	7zFM.exe
2648	chrome.exe
1712	7zFM.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe
2648	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2780	2648	chrome.exe	28
PID 2648 wrote to memory of 2780	2648	chrome.exe	28
PID 2648 wrote to memory of 2780	2648	chrome.exe	28
PID 2648 wrote to memory of 2512	2648	chrome.exe	30
PID 2648 wrote to memory of 2512	2648	chrome.exe	30
PID 2648 wrote to memory of 2512	2648	chrome.exe	30
PID 2648 wrote to memory of 2512	2648	chrome.exe	30
PID 2648 wrote to memory of 2512	2648	chrome.exe	30
PID 2648 wrote to memory of 2512	2648	chrome.exe	30
PID 2648 wrote to memory of 2512	2648	chrome.exe	30
PID 2648 wrote to memory of 2512	2648	chrome.exe	30
PID 2648 wrote to memory of 2512	2648	chrome.exe	30
PID 2648 wrote to memory of 2512	2648	chrome.exe	30
PID 2648 wrote to memory of 2512	2648	chrome.exe	30
PID 2648 wrote to memory of 2512	2648	chrome.exe	30
PID 2648 wrote to memory of 2512	2648	chrome.exe	30
PID 2648 wrote to memory of 2512	2648	chrome.exe	30
PID 2648 wrote to memory of 2512	2648	chrome.exe	30
PID 2648 wrote to memory of 2512	2648	chrome.exe	30
PID 2648 wrote to memory of 2512	2648	chrome.exe	30
PID 2648 wrote to memory of 2512	2648	chrome.exe	30
PID 2648 wrote to memory of 2512	2648	chrome.exe	30
PID 2648 wrote to memory of 2512	2648	chrome.exe	30
PID 2648 wrote to memory of 2512	2648	chrome.exe	30
PID 2648 wrote to memory of 2512	2648	chrome.exe	30
PID 2648 wrote to memory of 2512	2648	chrome.exe	30
PID 2648 wrote to memory of 2512	2648	chrome.exe	30
PID 2648 wrote to memory of 2512	2648	chrome.exe	30
PID 2648 wrote to memory of 2512	2648	chrome.exe	30
PID 2648 wrote to memory of 2512	2648	chrome.exe	30
PID 2648 wrote to memory of 2512	2648	chrome.exe	30
PID 2648 wrote to memory of 2512	2648	chrome.exe	30
PID 2648 wrote to memory of 2512	2648	chrome.exe	30
PID 2648 wrote to memory of 2512	2648	chrome.exe	30
PID 2648 wrote to memory of 2512	2648	chrome.exe	30
PID 2648 wrote to memory of 2512	2648	chrome.exe	30
PID 2648 wrote to memory of 2512	2648	chrome.exe	30
PID 2648 wrote to memory of 2512	2648	chrome.exe	30
PID 2648 wrote to memory of 2512	2648	chrome.exe	30
PID 2648 wrote to memory of 2512	2648	chrome.exe	30
PID 2648 wrote to memory of 2512	2648	chrome.exe	30
PID 2648 wrote to memory of 2512	2648	chrome.exe	30
PID 2648 wrote to memory of 2524	2648	chrome.exe	32
PID 2648 wrote to memory of 2524	2648	chrome.exe	32
PID 2648 wrote to memory of 2524	2648	chrome.exe	32
PID 2648 wrote to memory of 2984	2648	chrome.exe	31
PID 2648 wrote to memory of 2984	2648	chrome.exe	31
PID 2648 wrote to memory of 2984	2648	chrome.exe	31
PID 2648 wrote to memory of 2984	2648	chrome.exe	31
PID 2648 wrote to memory of 2984	2648	chrome.exe	31
PID 2648 wrote to memory of 2984	2648	chrome.exe	31
PID 2648 wrote to memory of 2984	2648	chrome.exe	31
PID 2648 wrote to memory of 2984	2648	chrome.exe	31
PID 2648 wrote to memory of 2984	2648	chrome.exe	31
PID 2648 wrote to memory of 2984	2648	chrome.exe	31
PID 2648 wrote to memory of 2984	2648	chrome.exe	31
PID 2648 wrote to memory of 2984	2648	chrome.exe	31
PID 2648 wrote to memory of 2984	2648	chrome.exe	31
PID 2648 wrote to memory of 2984	2648	chrome.exe	31
PID 2648 wrote to memory of 2984	2648	chrome.exe	31
PID 2648 wrote to memory of 2984	2648	chrome.exe	31
PID 2648 wrote to memory of 2984	2648	chrome.exe	31
PID 2648 wrote to memory of 2984	2648	chrome.exe	31
PID 2648 wrote to memory of 2984	2648	chrome.exe	31

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.dropbox.com/s/dl/2lp810ujkbrwovn/ThunderBird.rar
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef70c9758,0x7fef70c9768,0x7fef70c9778
  2⤵
  PID:2780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1144 --field-trial-handle=1104,i,16339505942464628318,629470535685608882,131072 /prefetch:2
  2⤵
  PID:2512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1568 --field-trial-handle=1104,i,16339505942464628318,629470535685608882,131072 /prefetch:8
  2⤵
  PID:2984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1484 --field-trial-handle=1104,i,16339505942464628318,629470535685608882,131072 /prefetch:8
  2⤵
  PID:2524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2240 --field-trial-handle=1104,i,16339505942464628318,629470535685608882,131072 /prefetch:1
  2⤵
  PID:2720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2252 --field-trial-handle=1104,i,16339505942464628318,629470535685608882,131072 /prefetch:1
  2⤵
  PID:2420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1448 --field-trial-handle=1104,i,16339505942464628318,629470535685608882,131072 /prefetch:2
  2⤵
  PID:1504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3680 --field-trial-handle=1104,i,16339505942464628318,629470535685608882,131072 /prefetch:8
  2⤵
  PID:2084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3648 --field-trial-handle=1104,i,16339505942464628318,629470535685608882,131072 /prefetch:8
  2⤵
  PID:2168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3704 --field-trial-handle=1104,i,16339505942464628318,629470535685608882,131072 /prefetch:1
  2⤵
  PID:1428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3964 --field-trial-handle=1104,i,16339505942464628318,629470535685608882,131072 /prefetch:1
  2⤵
  PID:976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4128 --field-trial-handle=1104,i,16339505942464628318,629470535685608882,131072 /prefetch:8
  2⤵
  PID:1300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4108 --field-trial-handle=1104,i,16339505942464628318,629470535685608882,131072 /prefetch:8
  2⤵
  PID:1176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4068 --field-trial-handle=1104,i,16339505942464628318,629470535685608882,131072 /prefetch:1
  2⤵
  PID:2424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=1360 --field-trial-handle=1104,i,16339505942464628318,629470535685608882,131072 /prefetch:1
  2⤵
  PID:2060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4316 --field-trial-handle=1104,i,16339505942464628318,629470535685608882,131072 /prefetch:1
  2⤵
  PID:1176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4300 --field-trial-handle=1104,i,16339505942464628318,629470535685608882,131072 /prefetch:8
  2⤵
  PID:2976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4328 --field-trial-handle=1104,i,16339505942464628318,629470535685608882,131072 /prefetch:1
  2⤵
  PID:2860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4512 --field-trial-handle=1104,i,16339505942464628318,629470535685608882,131072 /prefetch:8
  2⤵
  PID:1372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=2316 --field-trial-handle=1104,i,16339505942464628318,629470535685608882,131072 /prefetch:1
  2⤵
  PID:2640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3804 --field-trial-handle=1104,i,16339505942464628318,629470535685608882,131072 /prefetch:8
  2⤵
  PID:2204

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1488

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\ThunderBird.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000026

Filesize
171KB

MD5
7a88e1edbba1ad7bd345eb14f1377a59

SHA1
b299cf2eacc2d17d1f2fbda9391079b6f05fb022

SHA256
3f6aa29738172f431b8e2af2e39cba0c2f91583d7bc23f988c7b7b35975bef2c

SHA512
48870540a5e7aedf4513610e23dad5d37ff48dde92909345771f7235d4526893e65d11915b46191e62dbe6e9bed4626215703fc90932bdebed356568c1557f95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
c29d5008b9366dec5cc828a44cb34fc6

SHA1
7ca377258b125cdb279b3e38f8033603ec4fc61f

SHA256
35677b873a505662f7429ae2f6069b2b8de8366deed39c5514870182694ac783

SHA512
6bd30347a63504644ac82d0201f20c5a8b8efa419ac641c113d055206e42640dbc885eb1748cb8eb00590f609816f6b0c23ea6f246ddbc94616b7b2599531c0e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index~RFf7bbf69.TMP

Filesize
600B

MD5
1776549a98027d3e7b4d5005a09d096b

SHA1
32177a1ef5de58aaedc804dd8c8f2539af71d48e

SHA256
9afce9e657164bb36817642788dc29bf74ce21837e882f4609bb0d1305964726

SHA512
71d8648abcfb778dc886732f3a01e75493591ae14609ab7694bd7b6d9fe16750712750f3979392ad3777de834c8a9a83e1077d1950bb5fc5bdef920dab21cc01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
a31e99a91531efb878b01ff851d61872

SHA1
422414569e15ebe9e2f306a95979ff2388846d42

SHA256
5661654015832eb260493abcd1b8b98a8a546b253723992feacedfd71944c89b

SHA512
d8a0ab5ec7ae8766efd7834ca020928bbb0a8f6b7991902732ce14cd005098640bd755f6f0716a83891c330c20ec5f1d15b373133135a76e8e6abc4379c58b6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
7c907a33ee49c69aa0bbdab92e3da46c

SHA1
321d89a1159811fb4deb2f1191fdf27e8b05c9ba

SHA256
56f9c66eadc83a29799ab3fbe6f7807ce6213a10023c372f4d4bda594bdf1a17

SHA512
0b730cf4244864845b7acbe5509425c7e678ff72cabff5f567c1fcd7e540aabfeae68cb4d38e2a74545dc27bc9bcb0d3c9db86b6f1c0fdc0f728fb62d32fe7c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
bfd16f1f9349f4d85eaff7f091108f24

SHA1
f1ee0ba4e05a080d87275eb550ffa4b48f234d02

SHA256
8a1038c9fa6a8008d068ac244fb73e8938e99691e80a147b5cf12a1dd6d09e27

SHA512
90c48cd11d7525bc41ef6e22b5a2378b5394f9074265e51f53132aa95e06b3e4b192b116f4f3d57f680bf741cb12ceacfe5447adbd971ceb35e8f28820008785

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
34ae9d6e4bd44d49f00fe49a8b8ebce1

SHA1
30d6127d1183857b4f9652303d4d917f740b70c6

SHA256
ed7a2a2d06bc1e796d42b082e6b33264288fdffdc37ad9bfe49bfa27394a5dea

SHA512
d37a22a5dbca6ac473dfcd9dd3547c4bd98d100974b95a638ac3341e09a67906ccb23b37799cec96211f3c6f8625d4e91c4ded1d2a31043a5d6c817664f8a8a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
fa8bda176530dc18d91181aa1d08de48

SHA1
6b08d59a2816c77798e7512408f638c542823681

SHA256
64f781ded4dbe56c1188c80e41a96231c21ab98a0b2a2a8202c6c38c0db9c158

SHA512
89955abd2d3249bb5a7d005c5ae4cfbf6d71f8ab5eb9212751f635398aa839490137ac027e70794f0e6f26445c7fcca671afea7d52061d49d37e025149546696

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
83f5cd41b84a257766df2bf7bbece0f1

SHA1
1fbfb42d8141b761c6c40bdd6e28bd8938411135

SHA256
190a2ea6c55e7bfd9428bc0629f64c4202184637488b0862b59fb29057de89c0

SHA512
50b43c93343882d6ae970ebe73cbbd1e473874893ca7bc5654cd163835a6c2ca30526e8ee977ab2456a7fe67b335f974ca0edeadce5f160dd93da35a480d4141

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
852B

MD5
286c87424d8edc66e7583ee77159bd69

SHA1
87c5fca1ddbc5015e011570722e391c5dbb8864f

SHA256
1afad9a839b43028ce7e167930183f9a37c29ef272b43a91a1173b6c6b508c3e

SHA512
d68c8da61f41c671e58f0986bfb019ffe957537e01f851f943e3ce299c6deccdcdcfde1d37441e555f6ec59d2d3ce5728e1aefb7528c91c30db8d12f00cf311f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
689B

MD5
79861b2350e03c5d8e5a4d7a600a2bf0

SHA1
5ab7f54ab537188609da37e1a44681bbc75ab015

SHA256
4c5b3ae83986fee3b7c4991be4014d1d0f897c5ec4fdd4b865739d9c4920fdfe

SHA512
056cbcc1e535ff07c0dd7b7e483539db263e9f9d4967bf5e108600d7edb03ea1982981ba9c1c6768520b1572959d24946dc79c8e1bdc6084ef4c4e150e177102

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
809e2ea2781a2f67b037020df5e752d3

SHA1
8131b48a6428179f2ff2407c59fbae12d9f7d64c

SHA256
b1871c8dc33cd4217dde835ebe21c4f7fe7a5d7e403cf8525fe2e3f7ae1cc62c

SHA512
4e54f5e6fdbf990bf9b8c8bb09dcc238db353a54df930eb184ee28404ca5dbf0af45a36b78efaf967a7995673d9c6a5af4868196bb1e8773a909ab66406fc385

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
af3c398eb2586d7267d70264d0f85f84

SHA1
a90b2b3b814d9339d538c56d3973dd1dcf289cfc

SHA256
db8a8b70c7cfceefa6ebb01dbcf9bb88936617454a100d9a2a14ff5dd01159a0

SHA512
6270b03fa3976e33a7577bfd827263c7c31f33247fd1e74586f67eb8347610895241428fcab784a55f020ccfaaf920848c7ada8f4afbc9ced31f9596ec512252

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ddf9ed47f92e29666121192d9c1c17f0

SHA1
684ee95c2ad493bb49370b858fc9675474016fa7

SHA256
dda278dccb1fb8c0045af196a2f7a3f7a1630712191f58ffe6e81d7ea6fcfbad

SHA512
51c14456b823144cdac37ac7e50cbdfb60ec7f9bcbba61cd2df795ec035ab3acaca930c30cbf4901beb351d32ab69d4aa03c7852b5503f50ca484b7ed7560e25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
b652497ac8e1167e7b891229815c00de

SHA1
6dc8d306c594e6ee74cfbf668ee2b5609d4ced34

SHA256
5a04b72cb685ae9b127c176fbf9cfeed862489f0d56fb2c95c2b611f21294c49

SHA512
08f582e57b163624b2964611452ddeaa9904038a3b7ed8c9e41fce8353800d441cdc98c8f4811535c7a0602c0d6cd6c028e863ab2aea0df464df08b6475f0254

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
51a136f6f72e50c057c7db10fb504f69

SHA1
4ed0333c16585b3625aecf83d9c1ead525c70eee

SHA256
b8aea122019a177c01cd5c08046bda7300f1afa599f37199afe139b9ed7dc550

SHA512
e73b849fbbf18bf4a833b34b331cd9e99453ce51700b4d8a82f2469a2ab3e7014d2ac2539ccb336b8f23754e4ed84a866fa11c44098214c05508f4db6ca1a088

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
6061145612bdacf2963f97e9bbcf7763

SHA1
79c73f06f78432c1e62c4b29cfce6d766355a8de

SHA256
376afceca8e1cdb1b69015910fe80b3497496038335b058e3b6cda64f8bcbd20

SHA512
92240b8471a4129a6d9719a52c9bd9d7e9ea8f1a07c2eba695339052202c739092849a32f8d240e65936b2e7767a721a74dfb379bcdc2835d584ee2ccc8feaac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT~RFf7777ee.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
89KB

MD5
355915cc18a933c3aa5ba2b4cd7ce726

SHA1
58d3725061e1b39a71ce271e2d963203065ea75b

SHA256
d343b276ec1dfadb33f4c11ecf13ca6d6b8fd160bc42d4b724e04ebc6b1357ff

SHA512
db9c8440317bd4f0734bbf31a92233253172358f30f3b2f08b04ad60346c01b8a447f6e6ff46fab5b0e2d79452973466319d08b3f300f30458b540e4f27cb884

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
89KB

MD5
c0ea9037efcabd26f509b8b1e1813348

SHA1
e669049ac3b1b695274ccd950393023f20f8edc4

SHA256
0c9c422b9fcbb2ee87c16e834d3542e17d9bc827f4a05106d3bcf143f54449bd

SHA512
b1e1c4c7ccd6f9281bac5a875dd9db16b951324b1acc81b06fcbb84db9e6c8be510b8246e9e28d13496d3479462f8bb131efe9990c24e8e25d3c21c9b648a52d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
89KB

MD5
ffdc2b6c37bdc2ac66937b5fca152391

SHA1
db3412d43185291024947ec62ae6de68ca2c7f06

SHA256
d870e4ca9f39cbfc7350154f0338c2359c1cd1c4f848ce531513bf8fd23eaeb6

SHA512
da9bf6d083d34dda893ccdf121706483acda5e71fa641ce9f2b53549f42461ab4abf16773943f772acf02e4a3d56be076d72846a058f164e2ec395d05702fcc0

Download Submit
C:\Users\Admin\Desktop\ThunderBird.exe

Filesize
47.0MB

MD5
794340f45de887fb5ff3ffe1c11a4e6d

SHA1
b8d7bba33a9763936f169249d7b71809233c52c5

SHA256
b4c3d5aef9813e7e1c14480b0090609a9665d86fafc5f8e2a0f4f432a400b32c

SHA512
c7eefb264eaa0adf77065a5c7a752325b025689ce6613e06875a3313e90dcfb4375bdf339b5601668fda97a3bb1598d964ac56b324a6315bf6994b125e2382be

Download Submit
C:\Users\Admin\Downloads\ThunderBird.rar

Filesize
16.0MB

MD5
4b4f0de594a228dc3af6daf1cefbe34e

SHA1
1668a457a86ef4cb5d6893f401ca94d0914ea522

SHA256
8edb7700c5546aa3eab8234a6015d719ba912d198dd70335fbc5cb1e58ac814b

SHA512
355bb9f4fe044aed94d1ebdcbf230a7d5823d673a477054d2086e66e3a76ffe6dbd858eb5b82d99a1a998bdcf2946f24e67ad64757fb05926e484517e6295664

Download Submit
C:\Users\Admin\Downloads\ThunderBird.rar.crdownload

Filesize
16.0MB

MD5
4b4f0de594a228dc3af6daf1cefbe34e

SHA1
1668a457a86ef4cb5d6893f401ca94d0914ea522

SHA256
8edb7700c5546aa3eab8234a6015d719ba912d198dd70335fbc5cb1e58ac814b

SHA512
355bb9f4fe044aed94d1ebdcbf230a7d5823d673a477054d2086e66e3a76ffe6dbd858eb5b82d99a1a998bdcf2946f24e67ad64757fb05926e484517e6295664

Download Submit
\Users\Admin\Desktop\ThunderBird.exe

Filesize
47.0MB

MD5
794340f45de887fb5ff3ffe1c11a4e6d

SHA1
b8d7bba33a9763936f169249d7b71809233c52c5

SHA256
b4c3d5aef9813e7e1c14480b0090609a9665d86fafc5f8e2a0f4f432a400b32c

SHA512
c7eefb264eaa0adf77065a5c7a752325b025689ce6613e06875a3313e90dcfb4375bdf339b5601668fda97a3bb1598d964ac56b324a6315bf6994b125e2382be

Download Submit
\Users\Admin\Desktop\ThunderBird.exe

Filesize
47.0MB

MD5
794340f45de887fb5ff3ffe1c11a4e6d

SHA1
b8d7bba33a9763936f169249d7b71809233c52c5

SHA256
b4c3d5aef9813e7e1c14480b0090609a9665d86fafc5f8e2a0f4f432a400b32c

SHA512
c7eefb264eaa0adf77065a5c7a752325b025689ce6613e06875a3313e90dcfb4375bdf339b5601668fda97a3bb1598d964ac56b324a6315bf6994b125e2382be

Download Submit
\Users\Admin\Desktop\ThunderBird.exe

Filesize
47.0MB

MD5
794340f45de887fb5ff3ffe1c11a4e6d

SHA1
b8d7bba33a9763936f169249d7b71809233c52c5

SHA256
b4c3d5aef9813e7e1c14480b0090609a9665d86fafc5f8e2a0f4f432a400b32c

SHA512
c7eefb264eaa0adf77065a5c7a752325b025689ce6613e06875a3313e90dcfb4375bdf339b5601668fda97a3bb1598d964ac56b324a6315bf6994b125e2382be

Download Submit