Analysis

max time kernel: 717s
max time network: 457s
platform: windows11-21h2_x64
resource: win11-20231128-en
resource tags: arch:x64, arch:x86, image:win11-20231128-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 02-12-2023 22:09

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
  Sample: http://chaosracer.io/assets/php-back/download.php
  Resource: win10v2004-20231130-en
Behavioral task: behavioral2
  Sample: http://chaosracer.io/assets/php-back/download.php
  Resource: win11-20231128-en

General

Target: http://chaosracer.io/assets/php-back/download.php
Malware Config
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

AgentTesla payload 5 IoCs
Processes (resource | yara_rule):
  C:\Users\Admin\Downloads\Unconfirmed 830799.crdownload | family_agenttesla
  C:\Users\Admin\Downloads\Chaos Racer.exe | family_agenttesla
  C:\Users\Admin\Downloads\Chaos Racer.exe | family_agenttesla
  behavioral2/memory/3560-265-0x00000000081D0000-0x00000000086A0000-memory.dmp | family_agenttesla
  behavioral2/memory/3560-268-0x00000000081D0000-0x00000000086A0000-memory.dmp | family_agenttesla

Downloads MZ/PE file

Executes dropped EXE 3 IoCs
Processes (pid | process):
  3560 | Chaos Racer.exe
  4352 | mservice32.exe
  2604 | mservice64.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes (description | ioc | process):
  File opened (read-only) | \??\F: | mservice32.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow | ioc):
  12 | api.db-ip.com
  32 | api.db-ip.com
  11 | myexternalip.com

Enumerates system info in registry 2 TTPs 6 IoCs
Processes (description | ioc | process):
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Chaos Racer.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | Chaos Racer.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | Chaos Racer.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe

Kills process with taskkill 9 IoCs
Processes (pid | process):
  2900 | taskkill.exe
  4832 | taskkill.exe
  1292 | taskkill.exe
  4856 | taskkill.exe
  3912 | taskkill.exe
  2076 | taskkill.exe
  3104 | taskkill.exe
  5108 | taskkill.exe
  3084 | taskkill.exe

Modifies registry class 2 IoCs
Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings | msedge.exe
  Key created | \REGISTRY\USER\S-1-5-21-3167230361-3851490586-2616496888-1000_Classes\Local Settings\MuiCache | MiniSearchHost.exe

NTFS ADS 1 IoCs
Processes (description | ioc | process):
  File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 830799.crdownload:SmartScreen | msedge.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs
Processes (pid | process, with the number of entries per process):
  4956 | msedge.exe (x2)
  2404 | msedge.exe (x2)
  492 | msedge.exe (x2)
  712 | identity_helper.exe (x2)
  3020 | msedge.exe (x2)
  3972 | msedge.exe (x4)
  4352 | mservice32.exe (x9)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
Processes (pid | process, with the number of entries per process):
  2404 | msedge.exe (x8)

Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes (description | pid | process):
  Token: SeDebugPrivilege | 3912 | taskkill.exe
  Token: SeDebugPrivilege | 2900 | taskkill.exe
  Token: SeDebugPrivilege | 2076 | taskkill.exe
  Token: SeDebugPrivilege | 4832 | taskkill.exe
  Token: SeDebugPrivilege | 3104 | taskkill.exe
  Token: SeDebugPrivilege | 1292 | taskkill.exe
  Token: SeDebugPrivilege | 4856 | taskkill.exe
  Token: SeDebugPrivilege | 5108 | taskkill.exe
  Token: SeDebugPrivilege | 3084 | taskkill.exe

Suspicious use of FindShellTrayWindow 63 IoCs
Processes (pid | process, with the number of entries per process):
  2404 | msedge.exe (x63)

Suspicious use of SendNotifyMessage 12 IoCs
Processes (pid | process, with the number of entries per process):
  2404 | msedge.exe (x12)

Suspicious use of SetWindowsHookEx 1 IoCs
Processes (pid | process):
  4360 | MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs
Processes (description | pid | process | target process; 64 entries in total, all from PID 2404):
  PID 2404 wrote to memory of 4780 | 2404 | msedge.exe | msedge.exe (x2)
  PID 2404 wrote to memory of 2808 | 2404 | msedge.exe | msedge.exe (repeated)
  PID 2404 wrote to memory of 4956 | 2404 | msedge.exe | msedge.exe (x2)
  PID 2404 wrote to memory of 3064 | 2404 | msedge.exe | msedge.exe (repeated)
  The 2808 and 3064 rows together account for the remaining 60 entries.
Processes (process tree; child processes are indented under their parent)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://chaosracer.io/assets/php-back/download.php
  - Enumerates system info in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 2404

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xe0,0xe4,0xe8,0xdc,0x10c,0x7ff9dacc3cb8,0x7ff9dacc3cc8,0x7ff9dacc3cd8
      PID: 4780

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,10986612034634113763,12532022991347661261,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
      PID: 2808

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,10986612034634113763,12532022991347661261,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
      PID: 4956

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,10986612034634113763,12532022991347661261,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
      PID: 3064

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10986612034634113763,12532022991347661261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
      PID: 4064

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10986612034634113763,12532022991347661261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
      PID: 676

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10986612034634113763,12532022991347661261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
      PID: 4352

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10986612034634113763,12532022991347661261,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
      PID: 3324

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10986612034634113763,12532022991347661261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
      PID: 4272

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1932,10986612034634113763,12532022991347661261,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5436 /prefetch:8
      PID: 3844

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10986612034634113763,12532022991347661261,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1
      PID: 4764

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10986612034634113763,12532022991347661261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
      PID: 2220

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1932,10986612034634113763,12532022991347661261,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5800 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID: 492

    C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1932,10986612034634113763,12532022991347661261,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6180 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID: 712

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10986612034634113763,12532022991347661261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
      PID: 2960

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1932,10986612034634113763,12532022991347661261,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3104 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID: 3020

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,10986612034634113763,12532022991347661261,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1264 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses
      PID: 3972

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,10986612034634113763,12532022991347661261,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2500 /prefetch:2
      PID: 3260

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4084

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2540

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 1908

C:\Users\Admin\Downloads\Chaos Racer.exe
  Command line: "C:\Users\Admin\Downloads\Chaos Racer.exe"
  - Executes dropped EXE
  - Enumerates system info in registry
  PID: 3560

    C:\Users\Admin\AppData\Local\Temp\mservice32.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\mservice32.exe"
      - Executes dropped EXE
      - Enumerates connected drives
      - Suspicious behavior: EnumeratesProcesses
      PID: 4352

        C:\Windows\system32\taskkill.exe
          Command line: "taskkill.exe" /PID 2808 /F
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 3912

        C:\Windows\system32\taskkill.exe
          Command line: "taskkill.exe" /PID 4956 /F
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 2900

        C:\Windows\system32\taskkill.exe
          Command line: "taskkill.exe" /PID 4764 /F
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 2076

        C:\Windows\system32\taskkill.exe
          Command line: "taskkill.exe" /PID 2404 /F
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 4832

        C:\Windows\system32\taskkill.exe
          Command line: "taskkill.exe" /PID 4780 /F
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 3104

        C:\Windows\system32\taskkill.exe
          Command line: "taskkill.exe" /PID 676 /F
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 1292

        C:\Windows\system32\taskkill.exe
          Command line: "taskkill.exe" /PID 3064 /F
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 4856

        C:\Windows\system32\taskkill.exe
          Command line: "taskkill.exe" /PID 2220 /F
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 5108

        C:\Windows\system32\taskkill.exe
          Command line: "taskkill.exe" /PID 2960 /F
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 3084

    C:\Users\Admin\AppData\Local\Temp\mservice64.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\mservice64.exe"
      - Executes dropped EXE
      PID: 2604

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 412

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 3348

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
  Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID: 4360
Network
MITRE ATT&CK Enterprise v15
Downloads