fb1aac41613b184907b5555fb6261e1f1266ca4626aa4da92ef10619d0d5fd3e

Resubmissions

11/10/2023, 09:34

231011-lj1z5sea31 4

11/10/2023, 09:29

231011-lfzmxafg75 3

Analysis

max time kernel
645s
max time network
622s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
11/10/2023, 09:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sublime_text_build_4152_x64.zip
Size

22.0MB
MD5

bb3ac74c8d7f4ea1a7a5a115dbbe3423
SHA1

65567ed8b5edf8939a717e7ec1d29fc20e8c2a3d
SHA256

fb1aac41613b184907b5555fb6261e1f1266ca4626aa4da92ef10619d0d5fd3e
SHA512

37e7a4973266bd30563ac707781d4e220e3b9fc8297ff7a394fe83cc2426a79159c545bdce4d14aaebe46578428b9771f410378ea83211738c9e7b7c77c6d88f
SSDEEP

393216:z47ICmxfHxDGBlZQYLMr2udiqk4xETp/BV9D0C37mcdBLsyVdLSU41jw29hR2nBq:z47ICY1alH02udXk4xEV/BV9D0+ScdJK

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\4183903823\810424605.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	taskmgr.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	msinfo32.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMajorRelease	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMinorRelease	msinfo32.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133414905981339838"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe

Modifies registry class 46 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	sublime_text.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	sublime_text.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	sublime_text.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	sublime_text.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg	sublime_text.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	sublime_text.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	sublime_text.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	sublime_text.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	sublime_text.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	sublime_text.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	sublime_text.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	sublime_text.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\SniffedFolderType = "Generic"	sublime_text.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	sublime_text.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	sublime_text.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	sublime_text.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	sublime_text.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\NodeSlot = "7"	sublime_text.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7	sublime_text.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	sublime_text.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	sublime_text.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	sublime_text.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	sublime_text.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg	sublime_text.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	sublime_text.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	sublime_text.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	sublime_text.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	sublime_text.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	sublime_text.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic"	sublime_text.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell	sublime_text.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	sublime_text.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	sublime_text.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	sublime_text.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	sublime_text.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	sublime_text.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	sublime_text.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	sublime_text.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	sublime_text.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	sublime_text.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	sublime_text.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	sublime_text.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2	sublime_text.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0	sublime_text.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	sublime_text.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	sublime_text.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
796	chrome.exe
796	chrome.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
3748	chrome.exe
3748	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3800	msinfo32.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
2816	Process not Found
3824	Process not Found
3852	Process not Found
4060	Process not Found
4844	Process not Found
824	Process not Found
4452	Process not Found
4112	Process not Found
1424	Process not Found
3396	Process not Found
4164	Process not Found
4788	Process not Found
3836	Process not Found
504	Process not Found
1864	Process not Found
4184	Process not Found
3552	Process not Found
964	Process not Found
164	Process not Found
3256	Process not Found
2764	Process not Found
5012	Process not Found
3524	Process not Found
4820	Process not Found
396	Process not Found
5112	Process not Found
2808	Process not Found
4764	Process not Found
304	Process not Found
5076	Process not Found
4388	Process not Found
2436	Process not Found
3456	Process not Found
4996	Process not Found
3788	Process not Found
200	Process not Found
3584	Process not Found
2252	Process not Found
2200	Process not Found
3232	Process not Found
316	Process not Found
3776	Process not Found
5100	Process not Found
3632	Process not Found
1248	Process not Found
1240	Process not Found
3228	Process not Found
4348	Process not Found
4396	Process not Found
1880	Process not Found
4312	Process not Found
308	Process not Found
2124	Process not Found
2552	Process not Found
4160	Process not Found
4864	Process not Found
3408	Process not Found
5032	Process not Found
5056	Process not Found
656	Process not Found
712	Process not Found
2968	Process not Found
1212	Process not Found
4380	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	796	chrome.exe
Token: SeCreatePagefilePrivilege	796	chrome.exe
Token: SeShutdownPrivilege	796	chrome.exe
Token: SeCreatePagefilePrivilege	796	chrome.exe
Token: SeShutdownPrivilege	796	chrome.exe
Token: SeCreatePagefilePrivilege	796	chrome.exe
Token: SeShutdownPrivilege	796	chrome.exe
Token: SeCreatePagefilePrivilege	796	chrome.exe
Token: SeShutdownPrivilege	796	chrome.exe
Token: SeCreatePagefilePrivilege	796	chrome.exe
Token: SeShutdownPrivilege	796	chrome.exe
Token: SeCreatePagefilePrivilege	796	chrome.exe
Token: SeShutdownPrivilege	796	chrome.exe
Token: SeCreatePagefilePrivilege	796	chrome.exe
Token: SeShutdownPrivilege	796	chrome.exe
Token: SeCreatePagefilePrivilege	796	chrome.exe
Token: SeShutdownPrivilege	796	chrome.exe
Token: SeCreatePagefilePrivilege	796	chrome.exe
Token: SeShutdownPrivilege	796	chrome.exe
Token: SeCreatePagefilePrivilege	796	chrome.exe
Token: SeShutdownPrivilege	796	chrome.exe
Token: SeCreatePagefilePrivilege	796	chrome.exe
Token: SeShutdownPrivilege	796	chrome.exe
Token: SeCreatePagefilePrivilege	796	chrome.exe
Token: SeShutdownPrivilege	796	chrome.exe
Token: SeCreatePagefilePrivilege	796	chrome.exe
Token: SeShutdownPrivilege	796	chrome.exe
Token: SeCreatePagefilePrivilege	796	chrome.exe
Token: SeShutdownPrivilege	796	chrome.exe
Token: SeCreatePagefilePrivilege	796	chrome.exe
Token: SeShutdownPrivilege	796	chrome.exe
Token: SeCreatePagefilePrivilege	796	chrome.exe
Token: SeShutdownPrivilege	796	chrome.exe
Token: SeCreatePagefilePrivilege	796	chrome.exe
Token: SeShutdownPrivilege	796	chrome.exe
Token: SeCreatePagefilePrivilege	796	chrome.exe
Token: SeShutdownPrivilege	796	chrome.exe
Token: SeCreatePagefilePrivilege	796	chrome.exe
Token: SeShutdownPrivilege	796	chrome.exe
Token: SeCreatePagefilePrivilege	796	chrome.exe
Token: SeShutdownPrivilege	796	chrome.exe
Token: SeCreatePagefilePrivilege	796	chrome.exe
Token: SeShutdownPrivilege	796	chrome.exe
Token: SeCreatePagefilePrivilege	796	chrome.exe
Token: SeShutdownPrivilege	796	chrome.exe
Token: SeCreatePagefilePrivilege	796	chrome.exe
Token: SeShutdownPrivilege	796	chrome.exe
Token: SeCreatePagefilePrivilege	796	chrome.exe
Token: SeShutdownPrivilege	796	chrome.exe
Token: SeCreatePagefilePrivilege	796	chrome.exe
Token: SeShutdownPrivilege	796	chrome.exe
Token: SeCreatePagefilePrivilege	796	chrome.exe
Token: SeShutdownPrivilege	796	chrome.exe
Token: SeCreatePagefilePrivilege	796	chrome.exe
Token: SeShutdownPrivilege	796	chrome.exe
Token: SeCreatePagefilePrivilege	796	chrome.exe
Token: SeShutdownPrivilege	796	chrome.exe
Token: SeCreatePagefilePrivilege	796	chrome.exe
Token: SeShutdownPrivilege	796	chrome.exe
Token: SeCreatePagefilePrivilege	796	chrome.exe
Token: SeShutdownPrivilege	796	chrome.exe
Token: SeCreatePagefilePrivilege	796	chrome.exe
Token: SeShutdownPrivilege	796	chrome.exe
Token: SeCreatePagefilePrivilege	796	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
4416	taskmgr.exe
796	chrome.exe
796	chrome.exe
4416	taskmgr.exe
796	chrome.exe
796	chrome.exe
4416	taskmgr.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
4416	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
796	chrome.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe
4416	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4744	sublime_text.exe
4744	sublime_text.exe
4744	sublime_text.exe
936	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 796 wrote to memory of 5016	796	chrome.exe	71
PID 796 wrote to memory of 5016	796	chrome.exe	71
PID 796 wrote to memory of 2548	796	chrome.exe	76
PID 796 wrote to memory of 2548	796	chrome.exe	76
PID 796 wrote to memory of 2548	796	chrome.exe	76
PID 796 wrote to memory of 2548	796	chrome.exe	76
PID 796 wrote to memory of 2548	796	chrome.exe	76
PID 796 wrote to memory of 2548	796	chrome.exe	76
PID 796 wrote to memory of 2548	796	chrome.exe	76
PID 796 wrote to memory of 2548	796	chrome.exe	76
PID 796 wrote to memory of 2548	796	chrome.exe	76
PID 796 wrote to memory of 2548	796	chrome.exe	76
PID 796 wrote to memory of 2548	796	chrome.exe	76
PID 796 wrote to memory of 2548	796	chrome.exe	76
PID 796 wrote to memory of 2548	796	chrome.exe	76
PID 796 wrote to memory of 2548	796	chrome.exe	76
PID 796 wrote to memory of 2548	796	chrome.exe	76
PID 796 wrote to memory of 2548	796	chrome.exe	76
PID 796 wrote to memory of 2548	796	chrome.exe	76
PID 796 wrote to memory of 2548	796	chrome.exe	76
PID 796 wrote to memory of 2548	796	chrome.exe	76
PID 796 wrote to memory of 2548	796	chrome.exe	76
PID 796 wrote to memory of 2548	796	chrome.exe	76
PID 796 wrote to memory of 2548	796	chrome.exe	76
PID 796 wrote to memory of 2548	796	chrome.exe	76
PID 796 wrote to memory of 2548	796	chrome.exe	76
PID 796 wrote to memory of 2548	796	chrome.exe	76
PID 796 wrote to memory of 2548	796	chrome.exe	76
PID 796 wrote to memory of 2548	796	chrome.exe	76
PID 796 wrote to memory of 2548	796	chrome.exe	76
PID 796 wrote to memory of 2548	796	chrome.exe	76
PID 796 wrote to memory of 2548	796	chrome.exe	76
PID 796 wrote to memory of 2548	796	chrome.exe	76
PID 796 wrote to memory of 2548	796	chrome.exe	76
PID 796 wrote to memory of 2548	796	chrome.exe	76
PID 796 wrote to memory of 2548	796	chrome.exe	76
PID 796 wrote to memory of 2548	796	chrome.exe	76
PID 796 wrote to memory of 2548	796	chrome.exe	76
PID 796 wrote to memory of 2548	796	chrome.exe	76
PID 796 wrote to memory of 2548	796	chrome.exe	76
PID 796 wrote to memory of 4560	796	chrome.exe	75
PID 796 wrote to memory of 4560	796	chrome.exe	75
PID 796 wrote to memory of 216	796	chrome.exe	74
PID 796 wrote to memory of 216	796	chrome.exe	74
PID 796 wrote to memory of 216	796	chrome.exe	74
PID 796 wrote to memory of 216	796	chrome.exe	74
PID 796 wrote to memory of 216	796	chrome.exe	74
PID 796 wrote to memory of 216	796	chrome.exe	74
PID 796 wrote to memory of 216	796	chrome.exe	74
PID 796 wrote to memory of 216	796	chrome.exe	74
PID 796 wrote to memory of 216	796	chrome.exe	74
PID 796 wrote to memory of 216	796	chrome.exe	74
PID 796 wrote to memory of 216	796	chrome.exe	74
PID 796 wrote to memory of 216	796	chrome.exe	74
PID 796 wrote to memory of 216	796	chrome.exe	74
PID 796 wrote to memory of 216	796	chrome.exe	74
PID 796 wrote to memory of 216	796	chrome.exe	74
PID 796 wrote to memory of 216	796	chrome.exe	74
PID 796 wrote to memory of 216	796	chrome.exe	74
PID 796 wrote to memory of 216	796	chrome.exe	74
PID 796 wrote to memory of 216	796	chrome.exe	74
PID 796 wrote to memory of 216	796	chrome.exe	74
PID 796 wrote to memory of 216	796	chrome.exe	74
PID 796 wrote to memory of 216	796	chrome.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\sublime_text_build_4152_x64.zip
1⤵
PID:592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7fffde869758,0x7fffde869768,0x7fffde869778
  2⤵
  PID:5016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2096 --field-trial-handle=1588,i,17959661010803639982,2474641259068032365,131072 /prefetch:8
  2⤵
  PID:216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1900 --field-trial-handle=1588,i,17959661010803639982,2474641259068032365,131072 /prefetch:8
  2⤵
  PID:4560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1588,i,17959661010803639982,2474641259068032365,131072 /prefetch:2
  2⤵
  PID:2548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2996 --field-trial-handle=1588,i,17959661010803639982,2474641259068032365,131072 /prefetch:1
  2⤵
  PID:2564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2972 --field-trial-handle=1588,i,17959661010803639982,2474641259068032365,131072 /prefetch:1
  2⤵
  PID:2084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4512 --field-trial-handle=1588,i,17959661010803639982,2474641259068032365,131072 /prefetch:1
  2⤵
  PID:5068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4360 --field-trial-handle=1588,i,17959661010803639982,2474641259068032365,131072 /prefetch:8
  2⤵
  PID:3548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4636 --field-trial-handle=1588,i,17959661010803639982,2474641259068032365,131072 /prefetch:8
  2⤵
  PID:4320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 --field-trial-handle=1588,i,17959661010803639982,2474641259068032365,131072 /prefetch:8
  2⤵
  PID:4840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4892 --field-trial-handle=1588,i,17959661010803639982,2474641259068032365,131072 /prefetch:8
  2⤵
  PID:2068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4768 --field-trial-handle=1588,i,17959661010803639982,2474641259068032365,131072 /prefetch:1
  2⤵
  PID:4620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3180 --field-trial-handle=1588,i,17959661010803639982,2474641259068032365,131072 /prefetch:1
  2⤵
  PID:3956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 --field-trial-handle=1588,i,17959661010803639982,2474641259068032365,131072 /prefetch:8
  2⤵
  PID:4160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4408 --field-trial-handle=1588,i,17959661010803639982,2474641259068032365,131072 /prefetch:1
  2⤵
  PID:2100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4424 --field-trial-handle=1588,i,17959661010803639982,2474641259068032365,131072 /prefetch:8
  2⤵
  PID:2084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5296 --field-trial-handle=1588,i,17959661010803639982,2474641259068032365,131072 /prefetch:8
  2⤵
  PID:3004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4764 --field-trial-handle=1588,i,17959661010803639982,2474641259068032365,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3748

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4880

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4416

C:\Windows\system32\msinfo32.exe
"C:\Windows\system32\msinfo32.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious behavior: GetForegroundWindowSpam
PID:3800

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3796

C:\Users\Admin\Desktop\sublime_text_build_4152_x64\sublime_text.exe
"C:\Users\Admin\Desktop\sublime_text_build_4152_x64\sublime_text.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4744
- C:\Users\Admin\Desktop\sublime_text_build_4152_x64\plugin_host-3.3.exe
  /C/Users/Admin/Desktop/sublime_text_build_4152_x64/plugin_host-3.3.exe 4744 /C/Users/Admin/Desktop/sublime_text_build_4152_x64/sublime_text.exe /C/Users/Admin/Desktop/sublime_text_build_4152_x64/Data /C/Users/Admin/Desktop/sublime_text_build_4152_x64/Data /C/Users/Admin/Desktop/sublime_text_build_4152_x64/Packages
  2⤵
  PID:2036
- C:\Users\Admin\Desktop\sublime_text_build_4152_x64\plugin_host-3.8.exe
  /C/Users/Admin/Desktop/sublime_text_build_4152_x64/plugin_host-3.8.exe 4744 /C/Users/Admin/Desktop/sublime_text_build_4152_x64/sublime_text.exe /C/Users/Admin/Desktop/sublime_text_build_4152_x64/Data /C/Users/Admin/Desktop/sublime_text_build_4152_x64/Data /C/Users/Admin/Desktop/sublime_text_build_4152_x64/Packages
  2⤵
  PID:672

C:\Users\Admin\Desktop\sublime_text_build_4152_x64\update_installer.exe
"C:\Users\Admin\Desktop\sublime_text_build_4152_x64\update_installer.exe"
1⤵
PID:2452

C:\Users\Admin\Desktop\sublime_text_build_4152_x64\sublime_text.exe
"C:\Users\Admin\Desktop\sublime_text_build_4152_x64\sublime_text.exe"
1⤵
PID:2564
- C:\Users\Admin\Desktop\sublime_text_build_4152_x64\plugin_host-3.8.exe
  /C/Users/Admin/Desktop/sublime_text_build_4152_x64/plugin_host-3.8.exe 2564 /C/Users/Admin/Desktop/sublime_text_build_4152_x64/sublime_text.exe /C/Users/Admin/Desktop/sublime_text_build_4152_x64/Data /C/Users/Admin/Desktop/sublime_text_build_4152_x64/Data /C/Users/Admin/Desktop/sublime_text_build_4152_x64/Packages
  2⤵
  PID:220
- C:\Users\Admin\Desktop\sublime_text_build_4152_x64\plugin_host-3.3.exe
  /C/Users/Admin/Desktop/sublime_text_build_4152_x64/plugin_host-3.3.exe 2564 /C/Users/Admin/Desktop/sublime_text_build_4152_x64/sublime_text.exe /C/Users/Admin/Desktop/sublime_text_build_4152_x64/Data /C/Users/Admin/Desktop/sublime_text_build_4152_x64/Data /C/Users/Admin/Desktop/sublime_text_build_4152_x64/Packages
  2⤵
  PID:1112

C:\Users\Admin\Desktop\sublime_text_build_4152_x64\sublime_text.exe
"C:\Users\Admin\Desktop\sublime_text_build_4152_x64\sublime_text.exe" C:\Users\Admin\Desktop\n.py
1⤵
PID:5092
- C:\Users\Admin\Desktop\sublime_text_build_4152_x64\plugin_host-3.3.exe
  /C/Users/Admin/Desktop/sublime_text_build_4152_x64/plugin_host-3.3.exe 5092 /C/Users/Admin/Desktop/sublime_text_build_4152_x64/sublime_text.exe /C/Users/Admin/Desktop/sublime_text_build_4152_x64/Data /C/Users/Admin/Desktop/sublime_text_build_4152_x64/Data /C/Users/Admin/Desktop/sublime_text_build_4152_x64/Packages
  2⤵
  PID:960
- C:\Users\Admin\Desktop\sublime_text_build_4152_x64\plugin_host-3.8.exe
  /C/Users/Admin/Desktop/sublime_text_build_4152_x64/plugin_host-3.8.exe 5092 /C/Users/Admin/Desktop/sublime_text_build_4152_x64/sublime_text.exe /C/Users/Admin/Desktop/sublime_text_build_4152_x64/Data /C/Users/Admin/Desktop/sublime_text_build_4152_x64/Data /C/Users/Admin/Desktop/sublime_text_build_4152_x64/Packages
  2⤵
  PID:4240

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a99055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
a5cdb7b188dc168614d9e61d9a647c88

SHA1
23aa3c09d92b84cdbc6a3b34134f2efc2028d1da

SHA256
15e9accbea97ef829635fefe1c9731c5213020c5fef2a3a37b1a51d3ac77c570

SHA512
b922c0b06b02624e79e80b42828bb1a944c40c1d90c017c757254d6f0008b1ba0363d5e0fa6b2fcb58c519641a5b0e5cf1b9cf452dbc2c567329d1c54e7f343f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
21a2939f77ca739e222b45566e872e54

SHA1
4da4e9ecd78ef246709ec097041bc553185dc76d

SHA256
43d60ff00b8722044834eadeff3429110cdb8f27d93976be48fbecc3528dbc7f

SHA512
0c3920817eb110ac5411d31469841819904b54730088641dcd1f6960c186f9ba4270b4e076cae93c3746b89ef2e59d7d738c1059dfbeaaa988e5b084115fde9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
56d7d1183825756fa1129ef9e22187aa

SHA1
92f6985229487c50a2002dd3e93255a2e4435553

SHA256
fe00be100772271301009030358fe36e292809fa816162ab1ed97182dc347714

SHA512
dd9baf86ace10c2302e17d3261782071a7d34b6e7242fefcc6d584a2643da56cfd5d4b7e94d3ffd693d182b7c425a5333d75135bce74a8fdedba1e11aad3ec11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
d979da6134e0f0f5baeedf5bf04ad7f9

SHA1
5c243c5a15acc16da690681f0d044d18b365940b

SHA256
14cab608ae6ee6275f9c94a7acf1e1e4f8fbe666c6749fdb3e24df19775f6c24

SHA512
4602765daec6a54e8ecfd4067d0b1d4088f76a666e2abc5447170bd4e9f3ed901c2061ef1369f6493c8bc36dec693950f542f021883410447a049276a230b265

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
d1fbc7d3ce0cbf6f3f21107b723064a5

SHA1
1d10579b3a6f881dd18e82cc0cbc7f3fffb49412

SHA256
1a19ff5b0a84605e7de45372eee723baa0ac7b089af7d8b479a7dfaa637bec36

SHA512
4e89614a3e12bc258cb028e0c1a5f6e5be3a2bbd405c4ae2a2fbac38b8f61e2c9ae28a25f1f0d1bbca43279f1b4bb4a3d06a59bb4cf25fc6ca94fe95714b3ce9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
21c3a5fe0d8ae6b61d0ca987f761dae7

SHA1
8e49ad86e470769e73769d54140cd7f0d33f0df0

SHA256
4d281407cdee7d09e4658861591f76ebcea6fa5c680268f45841c7e7ba2ac329

SHA512
b063e1242e09aedeba67d39b34349f1266b8a0f54ba27c213a591e1521de17ade44faaef3cd752c9c707576ad22e8aceeb4dd21e34c79d5726880234f90b7439

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0cd552d26f24f01a0a0bb3c0f8bd824c

SHA1
6c33e8df8bcf85b520a117fa5501cb7afc1a06df

SHA256
8bad360ea0cdbb435a75cec46b29ccc2bd5afaa624d300c7c7421e66ef2a4d98

SHA512
b37c678382fb4b2ecdee7f7ecaf4757d6314630e83c5b061d89d547fc5231911bfc86ea6607f04022042ec3c6775dab27ea974a0e527cebe05fa4a2a4289e13e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f5431fb39880423750fb25d1d1d71fb5

SHA1
53972639a2b795394eaa0b944dd6cfa53d5f448e

SHA256
a04b2901e5424de14882b08a4a7dbec6bb07720a988b7e287879f4f0b4df0e97

SHA512
1677b1a97156513b2becc85b9680ef69d86863a34c0060b228704dfda02fec2f86929e5b2b03e54cfa39b398078172eab2f8e1d913a8ebc0f90d1a808a660f76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
cecbb19b6c6fe41ea05a4ce1f2fc49c5

SHA1
59fcdc17f985db27afe51dafbc2e488926b2ecb4

SHA256
f5fc6fef75e8012166150e326250f275f0cf0c8be6a3e6e5032e65ff6adc32be

SHA512
d2bea2934ea2adc2845f05162cabed5722d21eba337ebe7c99cab83c094a2e8f06a7be647ea0078d133e41d9475bd7b4996d6fe12c3a78720dbbad4ca0ac8f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5a9930134e1eb2a2974b54d4fd361a14

SHA1
ec994d4f0de731c9dd689e5da4426d164b39e539

SHA256
b4b8efb36c03c51cc1a971af528e606b0bbed5105e57d1fff5b7414346556f3e

SHA512
a814ec00c8c4a9139e341f9867d1bdf3c7792454617bcbd8beb83422ca04a80dac295df1808a440ca5aef4594a122c8d48d033b237d241741e061d94af04f245

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c63f9b5f2fc74c52862e93417dd5c9d9

SHA1
3f0042cf4e91de7b5c71861576ce24986e730317

SHA256
60f74b04192279cda1d7db252f17e5b8c01a691424f0010f019724860dc9b859

SHA512
34f981a1d06d01b976600a3fe8ae582610076703a0c7e1c58917ff9dafdac6e907979a8a57a79c7c46c46a3c48bdf2a83e458cd57d1c709f74d100a4373d65bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
20f4a7a8c911998e9b268d93feddf3e5

SHA1
a680668f24cbcf4f13f1f752354e1a40b030c080

SHA256
9de3c117eb514e2c3210cc8532d5e924fd022068108a198d3b4d8e492062bc59

SHA512
e1815444ec6248b4a9a5fbb6e5efb787d3f401f988e230303dbf27b584c3fa5c12a133b945ae5f295bf4193d553c664165b848d371979f2f9819b0b907d027dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
204KB

MD5
2254ee044580f137f56b3e8088b6e3c8

SHA1
7cec5665183c740a8cbb5db5709ea3ed974e3a3c

SHA256
3e905b1ff3694d7e26d6037d38dc8c86d43e3da04ce1b2600b3f2931a92cea26

SHA512
6df57e19d27582020f6f5d04c6fce868e74d79da7ecf874b0f02d281f04260cdc4a9aa354e34c8ac17902c3c0348c2f3074a0bc912e867244dc5c0310f8ac2cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
204KB

MD5
d71f6f0ae74fe310d3d9f91674d5ee9c

SHA1
64d421471b016d6a5df4b8914e30ed13461839f0

SHA256
dd8c7a8e7bbff833d85bccef51506bba9359c16c65806a66fb215b32cc4b05f7

SHA512
e87cf09467a5facf3838489c400f72c6ce4684ed6d0e1180aa3814efb9ad73aaaa6863a64aad067b730f0e245e7d90182d3bbd516ed638f04a31923ff1f59234

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
204KB

MD5
24bddb25253671623ac2f2684bd445da

SHA1
8b3cfada3fe819f474a67b2bd93649f181ca72a7

SHA256
58ca03ff26a925f75eb21544b7524306e1168d4df2a43df10492aa89a5476a83

SHA512
eae01b4f1050cb59984892f2bda3abdfee54c6f3b215a484d5095c5b433c003f2f6b1dda4d1811385ddb705f1d23309a029c5be8bd8225bdaf91f443b6d4a9f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
106KB

MD5
6d26574cc0953cca19ef403f17aa743e

SHA1
f530307b037a91481da5861e62856714d57ffa40

SHA256
6fa78ce22f77dcae2ac6d7b0369f576b46298b0c45fbdbaa5867ba68e3d82425

SHA512
2fbeb95414376abb7d2e6aee90d551f802ae55235f4992c64b6e76b4736b59f3f502bc1d6375a7f0cd750c3a2bb317aa933a9f955bbfa90ac9fbf23b70004ac7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
99KB

MD5
e89109c79b09542bb0bebdcc91536bf8

SHA1
1574af988797d133fb034d4a238321a62118fb17

SHA256
9d9676750bbca220287368b260c13c125025ed97a00d1c6bd253913674832605

SHA512
5b4349df4280958fe643194d120b5395918c5ee40d7f941efd4eace7c9ced80e1a8474a691b0ed7d55f67f5b65f36c6358717fb1ab248bd574a56445fccc5a1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58ca6f.TMP

Filesize
93KB

MD5
64ee8c99429f0d5df01a4af6ac784bbd

SHA1
fa3c9f2b6ab9e1fdde604daaf727cc7f64857fce

SHA256
4b908d71665b26a9b63bf717a227452581fb1ca09b00450f3b62cfd694f4314a

SHA512
433bb98ca333e135870915b3dcdc588ba5263cdb6d267726c3cbefdc74957b68ce94aea29dbc0470b4b3ce6dc24abd2479f3806feffdf4b7c76d4b4065c5745f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
7a0f988b461e6e2c730c1a976d53a006

SHA1
2389b725425c48bbacfd96028952e5ed4ee7b2d7

SHA256
07326f620389ac1ebeb8d33266e5fe23a4e63ff1fcad0ff92a6e37d85d26c63f

SHA512
246643daff0485c7acb0242c9151d61e50c4e9f217289ab09b458253c9282ab1b75e454b731688c953a9cdaf539c107a4fcff0e594d85496f1072555b842495f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Desktop\sublime_text_build_4152_x64\Data\Cache\Default\Startup.cache

Filesize
399KB

MD5
812d6cbcf7d7193df2f22170e3016182

SHA1
443b52d231d93d599bf456b14006ce0ede8c431e

SHA256
1b79ccf9f18cb738dfb3e7010fd5e35fd3ab7a5e499a8248cbf438292dd40be1

SHA512
85e871867c2d4c0778d5b16e7f9d9cf5848227afc69c3200ee1e33052d959ee4f471b4fe7f2829a459d9947f4c8816885ede78378270cd0fff4892a4348c75f7

Download Submit
C:\Users\Admin\Desktop\sublime_text_build_4152_x64\Data\Cache\Default\Startup.cache

Filesize
399KB

MD5
645963a2fc31368d6764cfce7311cfa7

SHA1
a48abafa77577997f603a4709e6a1b8d263b4cce

SHA256
595ff9653d796142e258694855b5a09dbd031727bbc3f67ff2ecf9e0f27336b4

SHA512
9c3a9ecd74838b530578becf496f4db07be0aab4ed1d52d68a4582a194e0d52163abea19786f9f9542832af3ba79c0c6c03dd46ee407ea947f8f0265e000d4eb

Download Submit
C:\Users\Admin\Desktop\sublime_text_build_4152_x64\Data\Cache\Python\Python.sublime-syntax.rcache

Filesize
463KB

MD5
3b64efb9c704c6108db5bf6e10785160

SHA1
37eed9da6ae27c624d5de3c4cdbd639c13d9532e

SHA256
702a798ded53646d4574b72139df7457ce04d733a040dc3ecfa1fdc4c9cccb33

SHA512
051247edf28d8a8063b7d451abbfd1b87e27ed7acb42d46c0c9f46f5b002e4c8b47a0da17897156d864bc7db789bc5381a86c4f1cfb8d38ffcfdba8dd26e037c

Download Submit
C:\Users\Admin\Desktop\sublime_text_build_4152_x64\Data\Cache\Text\Plain text.tmLanguage.rcache

Filesize
172B

MD5
fad0a39c7272b48206c073c3d2adacc2

SHA1
9367263532d0824af320c8d4de93c2c7a73cc074

SHA256
74ab5580fc8c4c35d439ef3f819aeb2bbd9be3039015b2dd3eac789afcda05c1

SHA512
71dfd30858234744da63b54bf0bbe112c51f7a93dca426f78495e42fc33ecad0283d2cbad239c4ba8600e9f6d1704c63544aa05041ea30a0f0f39a4924aaecdb

Download Submit
C:\Users\Admin\Desktop\sublime_text_build_4152_x64\Data\Cache\__pycache__\install\Lib\python38\sublime.cpython-38.opt-1.pyc

Filesize
140KB

MD5
1c54e461dff87d3c67caa4e8702b7984

SHA1
942f38acf3a9e381f07cbab80a3623999c8835b5

SHA256
9325ba1c9c3505f0788015970a4f4e10f7a6493e45b4459b5b49115ff19d95b7

SHA512
b8c85245759f27911686a3e613be482471845d531aac6274e1a810746355545726892224c62ae12b31c7b4c7cb2fc459ce94befe7caa8db1edb0774fb5d7d181

Download Submit
C:\Users\Admin\Desktop\sublime_text_build_4152_x64\Data\Cache\__pycache__\install\Lib\python38\sublime_plugin.cpython-38.opt-1.pyc

Filesize
72KB

MD5
0c016bf6120a5ab05cef08d67dc19f97

SHA1
dc759573aead993158f91c9445e84f69f0c58e69

SHA256
dd2e3310b615e84223062fa09685b041c8450674ce63d0daaefd217d5f0ce85a

SHA512
53ec1a2170369de739e3dc7b73f30389f6f6b798426bc7fde58da97c73e76d1b8cb7b8d52fe396b81ee15f3588369c5a081633a74b5bd8d9ee62730f8e0fb0e0

Download Submit
C:\Users\Admin\Desktop\sublime_text_build_4152_x64\Data\Cache\__pycache__\install\Lib\python3\certifi\__init__.cpython-38.opt-1.pyc

Filesize
286B

MD5
9da62f43e960ea8ca0dabb2dd95afa12

SHA1
01a8f7d70e8eac294e6e735f9160c407f925c209

SHA256
cb5d8a368f6f3c4ab5de60caffe07d943c0805e5ca76b5a0645580bfad718784

SHA512
a5a52e1b7780cee92e812e5237b45225db94ae56ffb99eebdef9e016991100d1f748621fbe232c32c30dc8b50be7ea04e5de309dee21bcf414c907c0ea6d44bc

Download Submit
C:\Users\Admin\Desktop\sublime_text_build_4152_x64\Data\Cache\__pycache__\install\Lib\python3\certifi\core.cpython-38.opt-1.pyc

Filesize
1KB

MD5
a8d7ef6676f191f5a3571d1d78769197

SHA1
ed69a14eb15c7349beb69ed949d67fae31e5cdcd

SHA256
76e8c50cfcaae695d5eba8a394869e9722863c29a6cac2c223e0580643ad44e6

SHA512
63e98c16ac51b1f4a33cb7fe4bd606d9911a479bd51cbc1f1e8d69c5920559b907ceb049c64da7bbef02b8a2268306cf0ebb14a1a61036b50fefcf6d53821acf

Download Submit
C:\Users\Admin\Desktop\sublime_text_build_4152_x64\Data\Local\Auto Save Temp Session.sublime_session

Filesize
17KB

MD5
a43fc125516fbbc998d7f636eb959912

SHA1
8c4a5bc8ddf5ededf751bdd127748b0794be013b

SHA256
51f855010d6f56172069b2719f0f64ee66e8c099094270be6bf6fd0765f6c564

SHA512
a78328402885c16fa3883fc759b5bfeb43a4557574df1bce60a62f3689d445cba6ed4ab0a7de90262a4d942782e07a4a75c7b1806d5161b98899bd6ffdbdd793

Download Submit
C:\Users\Admin\Desktop\sublime_text_build_4152_x64\Data\Local\Session.sublime_session

Filesize
11KB

MD5
6b4586cf5e46619e04ae1364878ac75b

SHA1
54434e1c7a8ff0d8b398f6563b8b737ac088d8c3

SHA256
305120b98ed27384f98953ef0d2f718020b3a15f6535c3189608c772a1467b2b

SHA512
4466ec2dceb4e17842a5e0423cb9fa97b46850f3d99ce1c1ef9096f3048ede48cf5be7e4436ec73e385792a0cff59842855882576995475b14b3b9e325d49877

Download Submit
C:\Users\Admin\Desktop\sublime_text_build_4152_x64\Data\Local\Session.sublime_session

Filesize
12KB

MD5
b93c7374c4a4277cd90f73e60ecb3bb1

SHA1
0dbf2c700ac5429695ad5187f6402563cf3a563c

SHA256
30afbbfcf6a2886c536407daf8e5dbb2f55a8f8b4c1a6beeeeab0082dc2c85fb

SHA512
9375fa889521bb76611ccb78745b00c4ae19faf6b9bbdff3c83e5b06ce07f78556fc96522faeab3ca0d9ef72572708deadff97f981ed7a684cb3799735953972

Download Submit
C:\Users\Admin\Downloads\sublime_text_build_4152_x64.zip.crdownload

Filesize
22.0MB

MD5
bb3ac74c8d7f4ea1a7a5a115dbbe3423

SHA1
65567ed8b5edf8939a717e7ec1d29fc20e8c2a3d

SHA256
fb1aac41613b184907b5555fb6261e1f1266ca4626aa4da92ef10619d0d5fd3e

SHA512
37e7a4973266bd30563ac707781d4e220e3b9fc8297ff7a394fe83cc2426a79159c545bdce4d14aaebe46578428b9771f410378ea83211738c9e7b7c77c6d88f

Download Submit