hxxp://vencord[.]com

Analysis

max time kernel
149s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
23/02/2024, 22:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://vencord.com

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133532020138288175"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4028	chrome.exe
4028	chrome.exe
6004	chrome.exe
6004	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4028	chrome.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
668	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe
Token: SeShutdownPrivilege	4028	chrome.exe
Token: SeCreatePagefilePrivilege	4028	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe
4028	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
568	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 4952	4028	chrome.exe	64
PID 4028 wrote to memory of 4952	4028	chrome.exe	64
PID 4028 wrote to memory of 2536	4028	chrome.exe	82
PID 4028 wrote to memory of 2536	4028	chrome.exe	82
PID 4028 wrote to memory of 2536	4028	chrome.exe	82
PID 4028 wrote to memory of 2536	4028	chrome.exe	82
PID 4028 wrote to memory of 2536	4028	chrome.exe	82
PID 4028 wrote to memory of 2536	4028	chrome.exe	82
PID 4028 wrote to memory of 2536	4028	chrome.exe	82
PID 4028 wrote to memory of 2536	4028	chrome.exe	82
PID 4028 wrote to memory of 2536	4028	chrome.exe	82
PID 4028 wrote to memory of 2536	4028	chrome.exe	82
PID 4028 wrote to memory of 2536	4028	chrome.exe	82
PID 4028 wrote to memory of 2536	4028	chrome.exe	82
PID 4028 wrote to memory of 2536	4028	chrome.exe	82
PID 4028 wrote to memory of 2536	4028	chrome.exe	82
PID 4028 wrote to memory of 2536	4028	chrome.exe	82
PID 4028 wrote to memory of 2536	4028	chrome.exe	82
PID 4028 wrote to memory of 2536	4028	chrome.exe	82
PID 4028 wrote to memory of 2536	4028	chrome.exe	82
PID 4028 wrote to memory of 2536	4028	chrome.exe	82
PID 4028 wrote to memory of 2536	4028	chrome.exe	82
PID 4028 wrote to memory of 2536	4028	chrome.exe	82
PID 4028 wrote to memory of 2536	4028	chrome.exe	82
PID 4028 wrote to memory of 2536	4028	chrome.exe	82
PID 4028 wrote to memory of 2536	4028	chrome.exe	82
PID 4028 wrote to memory of 2536	4028	chrome.exe	82
PID 4028 wrote to memory of 2536	4028	chrome.exe	82
PID 4028 wrote to memory of 2536	4028	chrome.exe	82
PID 4028 wrote to memory of 2536	4028	chrome.exe	82
PID 4028 wrote to memory of 2536	4028	chrome.exe	82
PID 4028 wrote to memory of 2536	4028	chrome.exe	82
PID 4028 wrote to memory of 2536	4028	chrome.exe	82
PID 4028 wrote to memory of 2536	4028	chrome.exe	82
PID 4028 wrote to memory of 2536	4028	chrome.exe	82
PID 4028 wrote to memory of 2536	4028	chrome.exe	82
PID 4028 wrote to memory of 2536	4028	chrome.exe	82
PID 4028 wrote to memory of 2536	4028	chrome.exe	82
PID 4028 wrote to memory of 2536	4028	chrome.exe	82
PID 4028 wrote to memory of 2536	4028	chrome.exe	82
PID 4028 wrote to memory of 4956	4028	chrome.exe	83
PID 4028 wrote to memory of 4956	4028	chrome.exe	83
PID 4028 wrote to memory of 236	4028	chrome.exe	84
PID 4028 wrote to memory of 236	4028	chrome.exe	84
PID 4028 wrote to memory of 236	4028	chrome.exe	84
PID 4028 wrote to memory of 236	4028	chrome.exe	84
PID 4028 wrote to memory of 236	4028	chrome.exe	84
PID 4028 wrote to memory of 236	4028	chrome.exe	84
PID 4028 wrote to memory of 236	4028	chrome.exe	84
PID 4028 wrote to memory of 236	4028	chrome.exe	84
PID 4028 wrote to memory of 236	4028	chrome.exe	84
PID 4028 wrote to memory of 236	4028	chrome.exe	84
PID 4028 wrote to memory of 236	4028	chrome.exe	84
PID 4028 wrote to memory of 236	4028	chrome.exe	84
PID 4028 wrote to memory of 236	4028	chrome.exe	84
PID 4028 wrote to memory of 236	4028	chrome.exe	84
PID 4028 wrote to memory of 236	4028	chrome.exe	84
PID 4028 wrote to memory of 236	4028	chrome.exe	84
PID 4028 wrote to memory of 236	4028	chrome.exe	84
PID 4028 wrote to memory of 236	4028	chrome.exe	84
PID 4028 wrote to memory of 236	4028	chrome.exe	84
PID 4028 wrote to memory of 236	4028	chrome.exe	84
PID 4028 wrote to memory of 236	4028	chrome.exe	84
PID 4028 wrote to memory of 236	4028	chrome.exe	84

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://vencord.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa09469758,0x7ffa09469768,0x7ffa09469778
  2⤵
  PID:4952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1568 --field-trial-handle=1816,i,18433023676496491525,13692486370048560854,131072 /prefetch:2
  2⤵
  PID:2536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1816,i,18433023676496491525,13692486370048560854,131072 /prefetch:8
  2⤵
  PID:4956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2160 --field-trial-handle=1816,i,18433023676496491525,13692486370048560854,131072 /prefetch:8
  2⤵
  PID:236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3052 --field-trial-handle=1816,i,18433023676496491525,13692486370048560854,131072 /prefetch:1
  2⤵
  PID:4816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2792 --field-trial-handle=1816,i,18433023676496491525,13692486370048560854,131072 /prefetch:1
  2⤵
  PID:2616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3696 --field-trial-handle=1816,i,18433023676496491525,13692486370048560854,131072 /prefetch:1
  2⤵
  PID:728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3188 --field-trial-handle=1816,i,18433023676496491525,13692486370048560854,131072 /prefetch:1
  2⤵
  PID:3428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4780 --field-trial-handle=1816,i,18433023676496491525,13692486370048560854,131072 /prefetch:8
  2⤵
  PID:4908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4896 --field-trial-handle=1816,i,18433023676496491525,13692486370048560854,131072 /prefetch:8
  2⤵
  PID:2272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3612 --field-trial-handle=1816,i,18433023676496491525,13692486370048560854,131072 /prefetch:1
  2⤵
  PID:4348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3556 --field-trial-handle=1816,i,18433023676496491525,13692486370048560854,131072 /prefetch:1
  2⤵
  PID:2328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4924 --field-trial-handle=1816,i,18433023676496491525,13692486370048560854,131072 /prefetch:1
  2⤵
  PID:2844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3384 --field-trial-handle=1816,i,18433023676496491525,13692486370048560854,131072 /prefetch:1
  2⤵
  PID:3052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3056 --field-trial-handle=1816,i,18433023676496491525,13692486370048560854,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=2992 --field-trial-handle=1816,i,18433023676496491525,13692486370048560854,131072 /prefetch:1
  2⤵
  PID:6112

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2652

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3108

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:3396

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:3660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
195KB

MD5
873734b55d4c7d35a177c8318b0caec7

SHA1
469b913b09ea5b55e60098c95120cc9b935ddb28

SHA256
4ee3aa3dc43cb3ef3f6bfb91ed8214659e9c2600a45bee9728ebbcb6f33b088d

SHA512
24f05ed981e994475879ca2221b6948418c4412063b9c07f46b8de581047ddd5d73401562fa9ee54d4ce5f97a6288c54eac5de0ca29b1bb5797bdac5a1b30308

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
1aae6f4e7c226ef0a0f128048cbcc133

SHA1
2088f7c3e4da70fcee7f7d73ec25be56292f99fe

SHA256
e6d58f798ee977c1537771e947df507ec6f36f8eed149d7f10ef87fe1fe33dcc

SHA512
bb04593cec3126b9376f36171089963be698a75ad9fb2c29f77d56d0b57ab77033cd5264766bcafab2a77b8fe3f83c45f18a927d0c2dcee3ed58a30c6e79f179

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
7171161b05bb808bc44bd6668a02e128

SHA1
758a4d5971f44c3e190790bea6c7bec18adcde4a

SHA256
489183a76a42b76c486856abb35f534382e932e381d3937c7483268fe7412898

SHA512
16c02b511705582adb37a4e7b631ac5f747826a09daa96cee8a2c42c2a21af4b8bdbc4f2a798297ce8d51e5d51de3aa928215a09b633dc886d9ddae3a9a4a536

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
d354c26c7a24c8f357b965b90e8ef686

SHA1
32700c3222d3d50de230cd6e4ccb942d8f31a3b3

SHA256
1f7b4db5318d3b48dbbfafe47063409e31abdf49ae70a9b5a9bdf9852c748369

SHA512
5ddc18f064cf595e980a5f09e06702bbcc583ed8d2be37ef47ffa35f95763346a3fbdc77adc6d0303ca80fe556eb2d901465a0d3dcb79d38ea0a22eb2db8f382

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
569cf8a9d1034acf06fe7008806298ab

SHA1
568c9c0d4412adb25a0484e9abf638ffcf5f9b5b

SHA256
602acb0ebe936e0a6707fa475aa15d2501173fc6eb0fa10c31beb9f5a7d13eac

SHA512
11dc815887b6600b1d3e9993931ea32966cf9a9048980cb8175ff135560e77d6b0f5120586b1ebc62f61d0061ce1fac16dc68b93c1a9044943032e26a715548d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b9ecbe9f88e70ff6d4a01cfc668a266c

SHA1
856457cd895c17bb452a2d27261029f6bc080057

SHA256
703d4bcd39f52101eea86569628b2cc9800d2b2fefe559cadf78379aab0d5501

SHA512
3e389233cb4a7ff9036943218fba1f580643366f98b35bea6e7badff53251154c4022ddf2a885ac6fb08dea5ec752af1a42c7cd86cbbef98a4cbc7d9540394f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
24a714321b4a447db86b9081245f2821

SHA1
f8ee45655f88fef02eb256d8b635e2c360479383

SHA256
34667318a008b8a3d96155e9e81e800379cee454c042dca0c60a55f590b07536

SHA512
277b851c6b62c8f0d84a94d4c673b4021871f34c013859893dc4265b2c338d5ea3758954f4e096d9162c75dbef2a3bbea562ecdb5983bef6f20c7c56d4021cdb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
43a20f908ddbbbe161bc453cb62bd2ae

SHA1
20349b47bc2fcbfbd106103b65da7e0c35e6cfae

SHA256
2faf4b333daed24046096c9926176e203abae3b6464dd88d90b9732dda99256d

SHA512
65a622079704185b8533ecca59779ebd8ffe14acacfba105dc65077885ca5e1a3a82ece857e6663b7f38aedb522e0a4742ebbefe0bdee2d5c9e1c2094983542d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
87c79fadfca7b666b3eb3f3392d164e8

SHA1
9ad6f292634ea449e5dd306631d49499944c2406

SHA256
2950cf0b7b50963d8ea737800758a6ea501d561563efb2c865548d051e523520

SHA512
1d724a952f5c2e82692e25d0dc8a9ea8a1fd52cfb4bef9e0430c252db61cc55df4f0cfd06519a3fa8edc4f6d990f585e2e2904327a6e61f9631755bc9f068640

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
0f7a748495b6fcca44c21cdd62bdabe7

SHA1
a2e490ee6eec08ff1af74838437e778dfcee9c97

SHA256
961b859b7f6ee343ef27040d08f8f899df8a329cb0ae7bf43663c7af537e6e78

SHA512
f95887b9287bd4297c19bbc7a929df58feb3547dd1ade7a1b687cfc700f2ddc41702e8fd3b99a128b327aa534bbb613861e45198e88090e33d7af368bf6e8cb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
6ae3a440f7daf1f311ad03be4fd881c5

SHA1
1776bb4c28e25d94ae3d7494104c86c1b427ca50

SHA256
fb0fbafb4e97ccd40453f177c6d80b573ce34621fdb978aed351780e75a91944

SHA512
364cd1a4b1e30c2216e53a2fefedbba959e8941ac38bf9cc6c6ae1c8f5709b3c6fc37ef8d71a1f47ad63637854fa249f051c591efa79ec99f9becd7c1858f7a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit