hxxps://shop[.]awesomatix[.]com/auth

max time kernel
22s
max time network
25s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2023, 22:41

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://shop.awesomatix.com/auth

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "245"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133361809282768326"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3880	chrome.exe
3880	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3880	chrome.exe
3880	chrome.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe
Token: SeShutdownPrivilege	3880	chrome.exe
Token: SeCreatePagefilePrivilege	3880	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe
3880	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4776	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3880 wrote to memory of 860	3880	chrome.exe	81
PID 3880 wrote to memory of 860	3880	chrome.exe	81
PID 3880 wrote to memory of 1280	3880	chrome.exe	83
PID 3880 wrote to memory of 1280	3880	chrome.exe	83
PID 3880 wrote to memory of 1280	3880	chrome.exe	83
PID 3880 wrote to memory of 1280	3880	chrome.exe	83
PID 3880 wrote to memory of 1280	3880	chrome.exe	83
PID 3880 wrote to memory of 1280	3880	chrome.exe	83
PID 3880 wrote to memory of 1280	3880	chrome.exe	83
PID 3880 wrote to memory of 1280	3880	chrome.exe	83
PID 3880 wrote to memory of 1280	3880	chrome.exe	83
PID 3880 wrote to memory of 1280	3880	chrome.exe	83
PID 3880 wrote to memory of 1280	3880	chrome.exe	83
PID 3880 wrote to memory of 1280	3880	chrome.exe	83
PID 3880 wrote to memory of 1280	3880	chrome.exe	83
PID 3880 wrote to memory of 1280	3880	chrome.exe	83
PID 3880 wrote to memory of 1280	3880	chrome.exe	83
PID 3880 wrote to memory of 1280	3880	chrome.exe	83
PID 3880 wrote to memory of 1280	3880	chrome.exe	83
PID 3880 wrote to memory of 1280	3880	chrome.exe	83
PID 3880 wrote to memory of 1280	3880	chrome.exe	83
PID 3880 wrote to memory of 1280	3880	chrome.exe	83
PID 3880 wrote to memory of 1280	3880	chrome.exe	83
PID 3880 wrote to memory of 1280	3880	chrome.exe	83
PID 3880 wrote to memory of 1280	3880	chrome.exe	83
PID 3880 wrote to memory of 1280	3880	chrome.exe	83
PID 3880 wrote to memory of 1280	3880	chrome.exe	83
PID 3880 wrote to memory of 1280	3880	chrome.exe	83
PID 3880 wrote to memory of 1280	3880	chrome.exe	83
PID 3880 wrote to memory of 1280	3880	chrome.exe	83
PID 3880 wrote to memory of 1280	3880	chrome.exe	83
PID 3880 wrote to memory of 1280	3880	chrome.exe	83
PID 3880 wrote to memory of 1280	3880	chrome.exe	83
PID 3880 wrote to memory of 1280	3880	chrome.exe	83
PID 3880 wrote to memory of 1280	3880	chrome.exe	83
PID 3880 wrote to memory of 1280	3880	chrome.exe	83
PID 3880 wrote to memory of 1280	3880	chrome.exe	83
PID 3880 wrote to memory of 1280	3880	chrome.exe	83
PID 3880 wrote to memory of 1280	3880	chrome.exe	83
PID 3880 wrote to memory of 1280	3880	chrome.exe	83
PID 3880 wrote to memory of 4424	3880	chrome.exe	84
PID 3880 wrote to memory of 4424	3880	chrome.exe	84
PID 3880 wrote to memory of 1960	3880	chrome.exe	85
PID 3880 wrote to memory of 1960	3880	chrome.exe	85
PID 3880 wrote to memory of 1960	3880	chrome.exe	85
PID 3880 wrote to memory of 1960	3880	chrome.exe	85
PID 3880 wrote to memory of 1960	3880	chrome.exe	85
PID 3880 wrote to memory of 1960	3880	chrome.exe	85
PID 3880 wrote to memory of 1960	3880	chrome.exe	85
PID 3880 wrote to memory of 1960	3880	chrome.exe	85
PID 3880 wrote to memory of 1960	3880	chrome.exe	85
PID 3880 wrote to memory of 1960	3880	chrome.exe	85
PID 3880 wrote to memory of 1960	3880	chrome.exe	85
PID 3880 wrote to memory of 1960	3880	chrome.exe	85
PID 3880 wrote to memory of 1960	3880	chrome.exe	85
PID 3880 wrote to memory of 1960	3880	chrome.exe	85
PID 3880 wrote to memory of 1960	3880	chrome.exe	85
PID 3880 wrote to memory of 1960	3880	chrome.exe	85
PID 3880 wrote to memory of 1960	3880	chrome.exe	85
PID 3880 wrote to memory of 1960	3880	chrome.exe	85
PID 3880 wrote to memory of 1960	3880	chrome.exe	85
PID 3880 wrote to memory of 1960	3880	chrome.exe	85
PID 3880 wrote to memory of 1960	3880	chrome.exe	85
PID 3880 wrote to memory of 1960	3880	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://shop.awesomatix.com/auth
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd1d429758,0x7ffd1d429768,0x7ffd1d429778
  2⤵
  PID:860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1744 --field-trial-handle=1880,i,526881489033743775,6985469782860048691,131072 /prefetch:2
  2⤵
  PID:1280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1880,i,526881489033743775,6985469782860048691,131072 /prefetch:8
  2⤵
  PID:4424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2204 --field-trial-handle=1880,i,526881489033743775,6985469782860048691,131072 /prefetch:8
  2⤵
  PID:1960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2976 --field-trial-handle=1880,i,526881489033743775,6985469782860048691,131072 /prefetch:1
  2⤵
  PID:1608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2968 --field-trial-handle=1880,i,526881489033743775,6985469782860048691,131072 /prefetch:1
  2⤵
  PID:1804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4668 --field-trial-handle=1880,i,526881489033743775,6985469782860048691,131072 /prefetch:8
  2⤵
  PID:2636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4676 --field-trial-handle=1880,i,526881489033743775,6985469782860048691,131072 /prefetch:8
  2⤵
  PID:3456

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3588

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3991855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4776

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
17a7006ee88673f0f2e54864fbd2c4dc

SHA1
dbce2e9036d3e7fbd6518ae0de320fe95863c4ac

SHA256
a23d8ac8955c3633d12f36d21279ec3fbf4422e4359b617a7ec66b546ed923ba

SHA512
5dac715ebce49af1b74369e391077129ccdc4a2a0e22289d09bd77b1ca35cda25452f97a68ce39e5249a6df1fc5ed979663732536c5c2e51ca126263f0532e85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
669250f2521de1a32415612247ed1df9

SHA1
81cda1ab9f3e4b6a3866fdbe8e817672ad7d551e

SHA256
0cbd5161e837d3b673c4c59761a18dc8ba4b741c1baaad9454a11a610e5800e1

SHA512
dc9755f7dd08a6bf36fe302c9d50a43dc44c33a2bdafbc6b993355b55903235a4a2b0e778cdcb67c51250a06d59d68fd2a2ea1f1ce2c7d3c13ba1feaa670e72a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
87KB

MD5
f50fc5d4cdbc232f1cbb21d39ec28c36

SHA1
07d28b563dcd468debc425ef83eca8a0a8673397

SHA256
28c280d4289871f42ef86c66347f0f388879d3cb0a54c9dfc633b15855440403

SHA512
7a5c8f8048237106575f8ef172c77a74e31bfb06a1a2ae9e7d33bb522facc3017239529a31243c87b737f76d2b3d7b60d3c78c889638f8b966d88b47ea857b20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit

Resubmissions

Analysis