Analysis

max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/04/2024, 12:23

Static task: static1
Behavioral task: behavioral1
Sample: Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe
Resource: win7-20240221-en
General

Target: Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe
Note the double extension: with "hide extensions for known file types" on, Explorer shows this file as "Administrator-DELLXPS1456- 2024-04-03 13-52-24.html", which is the lure.
Size: 67KB
MD5: ceb9e6829d00ad6e8f25b30d77aba83f
SHA1: 865128c3a9baee65deeab14f1fdc9a68969df6f4
SHA256: 664582c7357c0ea9f0f6ab524867e1cce887251b11e917ba5c9d81247e57bcb1
SHA512: 18703d353319cbd049dfe3d19469eef2ef26615e44101eca43d1c7da515553d2c98e8098e5d2cfbf1c32984d77846dec320223ea4b8189ca9f64d570e7ea0ca2
SSDEEP: 1536:j+wPW51r8EHsL71ELMt/RYKiq4vo/1oHHbwr/Ye2WcMX6F8:j+wIiEH+u4/O1HHbwse2SXE8
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
  Key value queried: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation
  Process: Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials. The Firefox Bookmarks.txt listed under Downloads is one artefact this sample collected.

Drops desktop.ini file(s) (6 IoCs)
All six paths sit under the sample's staging directory and mirror the user's own folders (Grabber\DRIVE-C\Users\Admin\...): the sample copies Desktop, Documents, Downloads and Pictures into the staging tree, and the desktop.ini files come along with the rest. They are not new files planted on the host.
  File created: C:\Users\Admin\AppData\Local\340284e8ea064f5633697681546d3ee0\Admin@GAWKBMOT_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini
  File created: C:\Users\Admin\AppData\Local\340284e8ea064f5633697681546d3ee0\Admin@GAWKBMOT_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini
  File created: C:\Users\Admin\AppData\Local\340284e8ea064f5633697681546d3ee0\Admin@GAWKBMOT_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini
  File created: C:\Users\Admin\AppData\Local\340284e8ea064f5633697681546d3ee0\Admin@GAWKBMOT_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini
  File created: C:\Users\Admin\AppData\Local\340284e8ea064f5633697681546d3ee0\Admin@GAWKBMOT_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini
  File created: C:\Users\Admin\AppData\Local\340284e8ea064f5633697681546d3ee0\Admin@GAWKBMOT_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini
  Process (all six): Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 36: icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read to detect sandbox environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
  Process (both): Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 1604: schtasks.exe

Delays execution with timeout.exe (1 IoC)
  PID 1944: timeout.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
The process behind all three hits is msedge.exe, which the sample launched to display p.html. Reading the BIOS manufacturer and product name is ordinary browser behaviour, so this hit should not be attributed to the sample itself.
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
  Process (all three): msedge.exe

Kills process with taskkill (1 IoC)
  PID 208: taskkill.exe

Suspicious behavior: EnumeratesProcesses (36 IoCs)
  PID 4888 msedge.exe (2 entries)
  PID 4308 msedge.exe (2 entries)
  PID 852 identity_helper.exe (2 entries)
  PID 1580 Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe (26 entries)
  PID 2456 msedge.exe (4 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  PID 4308 msedge.exe (6 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token SeDebugPrivilege: PID 1580 Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe
  Token SeDebugPrivilege: PID 208 taskkill.exe

Suspicious use of FindShellTrayWindow (25 IoCs)
  PID 4308 msedge.exe (25 entries)

Suspicious use of SendNotifyMessage (24 IoCs)
  PID 4308 msedge.exe (24 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
Every entry is a parent writing into a child it has just created, which is expected for any process that spawns children and is not on its own evidence of injection. Columns: parent PID, parent process, child PID, procid_target, number of entries.
  1580 Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe -> 4376 (procid_target 88): 2
  1580 Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe -> 4308 (procid_target 90): 2
  4308 msedge.exe -> 2872 (procid_target 91): 2
  1580 Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe -> 860 (procid_target 92): 2
  1580 Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe -> 1604 (procid_target 94): 2
  4308 msedge.exe -> 1752 (procid_target 96): 40
  4308 msedge.exe -> 4888 (procid_target 97): 2
  4308 msedge.exe -> 1988 (procid_target 98): 12

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Reading the tree: the sample (PID 1580) first queries and then creates a scheduled task named WinTask that re-runs the dropper from %TEMP% every 5 minutes; it opens a decoy page (p.html) in Edge, which accounts for the many msedge.exe and identity_helper.exe children; it dumps the saved Wi-Fi profiles and the nearby access points (netsh wlan show profile, netsh wlan show networks mode=bssid); and it finishes by running a dropped batch file that the same cmd line deletes afterwards. Inside that batch, TaskKill /F /IM 1580 passes the parent's PID to /IM, which filters on image name (PID filtering is /PID), so the kill as written matches nothing; Timeout /T 2 /Nobreak then pauses for two seconds. PID 860 appears twice (an Edge renderer and a later schtasks query) because Windows reuses a PID once the process holding it has exited.
C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe"
  PID: 1580
  Signatures: Checks computer location settings; Drops desktop.ini file(s); Checks processor information in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    C:\Windows\SYSTEM32\schtasks.exe
      Command line: "schtasks.exe" /query /TN WinTask
      PID: 4376

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\p.html
      PID: 4308
      Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb299646f8,0x7ffb29964708,0x7ffb29964718
          PID: 2872

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,10391541749144824897,2177612364307313468,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2
          PID: 1752

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,10391541749144824897,2177612364307313468,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
          PID: 4888
          Signatures: Suspicious behavior: EnumeratesProcesses

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,10391541749144824897,2177612364307313468,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
          PID: 1988

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10391541749144824897,2177612364307313468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
          PID: 3268

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10391541749144824897,2177612364307313468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
          PID: 3744

        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,10391541749144824897,2177612364307313468,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4936 /prefetch:8
          PID: 4968

        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,10391541749144824897,2177612364307313468,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4936 /prefetch:8
          PID: 852
          Signatures: Suspicious behavior: EnumeratesProcesses

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10391541749144824897,2177612364307313468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
          PID: 3724

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10391541749144824897,2177612364307313468,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
          PID: 4944

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10391541749144824897,2177612364307313468,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
          PID: 3464

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10391541749144824897,2177612364307313468,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
          PID: 860

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,10391541749144824897,2177612364307313468,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3276 /prefetch:2
          PID: 2456
          Signatures: Suspicious behavior: EnumeratesProcesses

    C:\Windows\SYSTEM32\schtasks.exe
      Command line: "schtasks.exe" /query /TN WinTask
      PID: 860

    C:\Windows\System32\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /create /tn WinTask /tr C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe /sc minute /mo 5
      PID: 1604
      Signatures: Creates scheduled task(s)

    C:\Windows\SYSTEM32\cmd.exe
      Command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      PID: 1344

        C:\Windows\system32\chcp.com
          Command line: chcp 65001
          PID: 3344

        C:\Windows\system32\netsh.exe
          Command line: netsh wlan show profile
          PID: 1348

        C:\Windows\system32\findstr.exe
          Command line: findstr All
          PID: 4948

    C:\Windows\SYSTEM32\cmd.exe
      Command line: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      PID: 784

        C:\Windows\system32\chcp.com
          Command line: chcp 65001
          PID: 2352

        C:\Windows\system32\netsh.exe
          Command line: netsh wlan show networks mode=bssid
          PID: 4288

    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp7D79.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp7D79.tmp.bat
      PID: 60

        C:\Windows\system32\chcp.com
          Command line: chcp 65001
          PID: 2736

        C:\Windows\system32\taskkill.exe
          Command line: TaskKill /F /IM 1580
          PID: 208
          Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\timeout.exe
          Command line: Timeout /T 2 /Nobreak
          PID: 1944
          Signatures: Delays execution with timeout.exe

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4816

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2360
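As an added example (not part of this sandbox report or its tooling), the following Python applies a handful of detection rules to the command lines listed in the process tree above: a scheduled task whose action lives in a user-writable directory, netsh wlan profile and BSSID enumeration, the run-then-delete batch idiom, and taskkill given a PID where an image name belongs. The command lines are reproduced from the tree (constructed sample input, quoting normalised); the rule names, the Finding type and the USER_WRITABLE directory list are this example's own choices.

```python
import re
from typing import List, NamedTuple, Optional

# Command lines as listed in the process tree of this report. Constructed sample
# input for this example: quoting normalised, PIDs as reported.
SAMPLE_CMDLINES = [
    (1580, r"C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe"),
    (4376, r"schtasks.exe /query /TN WinTask"),
    (4308, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe --single-argument "
           r"C:\Users\Admin\AppData\Local\Temp\p.html"),
    (1604, r"C:\Windows\System32\schtasks.exe /create /tn WinTask /tr "
           r"C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe "
           r"/sc minute /mo 5"),
    (1344, r"cmd.exe /C chcp 65001 && netsh wlan show profile | findstr All"),
    (784,  r"cmd.exe /C chcp 65001 && netsh wlan show networks mode=bssid"),
    (60,   r"C:\Windows\System32\cmd.exe /C C:\Users\Admin\AppData\Local\Temp\tmp7D79.tmp.bat "
           r"& Del C:\Users\Admin\AppData\Local\Temp\tmp7D79.tmp.bat"),
    (208,  r"TaskKill /F /IM 1580"),
    (1944, r"Timeout /T 2 /Nobreak"),
]


class Finding(NamedTuple):
    pid: int
    rule: str
    detail: str


# Directories an unprivileged user can write to (example's own list). A task
# action living here is a much stronger persistence signal than one under
# Program Files or System32.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(?:AppData|Downloads|Desktop|Documents|Public)\\", re.I)


def scheduled_task_persistence(pid: int, cmd: str) -> Optional[Finding]:
    low = cmd.lower()
    if "schtasks" not in low or "/create" not in low:
        return None
    # The /tr value runs up to the next switch; the sample passes a path with
    # spaces unquoted, so splitting on whitespace would truncate it.
    m = re.search(r"/tr\s+(.+?)(?=\s+/\w+(?:\s|$)|$)", cmd, re.I)
    target = m.group(1).strip('"') if m else ""
    if not USER_WRITABLE.search(target):
        return None
    name = re.search(r'/tn\s+("[^"]+"|\S+)', cmd, re.I)
    sched = re.search(r"/sc\s+(\w+)(?:\s+/mo\s+(\d+))?", cmd, re.I)
    when = f"every {sched.group(2) or 1} {sched.group(1).lower()}(s)" if sched else "unknown schedule"
    return Finding(pid, "scheduled_task_persistence",
                   f"task {name.group(1) if name else '?'} runs {target} {when}")


def wifi_recon(pid: int, cmd: str) -> Optional[Finding]:
    m = re.search(r"netsh\s+wlan\s+show\s+(profiles?|networks)\b(.*)", cmd, re.I)
    if not m:
        return None
    what, rest = m.group(1).lower(), m.group(2).lower()
    if what.startswith("profile"):
        detail = "dumps saved Wi-Fi profiles" + (" with cleartext keys" if "key=clear" in rest else "")
    else:
        detail = "lists nearby access points" + (" with BSSIDs" if "mode=bssid" in rest else "")
    return Finding(pid, "wifi_recon", detail)


def self_delete_batch(pid: int, cmd: str) -> Optional[Finding]:
    # cmd /C <x>.bat & del <x>.bat: run a dropped batch, then remove the evidence.
    m = re.search(r"cmd(?:\.exe)?\s+/c\s+(?P<bat>\S+\.bat)\s*&+\s*del\s+(?P=bat)", cmd, re.I)
    if not m:
        return None
    return Finding(pid, "self_delete_batch", f"runs and deletes {m.group('bat')}")


def taskkill_pid_as_image(pid: int, cmd: str) -> Optional[Finding]:
    # /IM filters on image name; a bare number there is a PID that belongs to
    # /PID, so the kill matches nothing. It is still a clear "kill my dropper" tell.
    m = re.search(r"taskkill(?:\.exe)?\b.*?/im\s+(\d+)(?=\s|$)", cmd, re.I)
    if not m:
        return None
    return Finding(pid, "taskkill_pid_as_image",
                   f"/IM given numeric value {m.group(1)}; /PID was probably intended")


RULES = (scheduled_task_persistence, wifi_recon, self_delete_batch, taskkill_pid_as_image)


def scan(cmdlines) -> List[Finding]:
    """Apply every rule to each (pid, command line) pair and collect the findings."""
    findings = []
    for pid, cmd in cmdlines:
        for rule in RULES:
            hit = rule(pid, cmd)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print(f"PID {f.pid:>5}  {f.rule:<28} {f.detail}")
```

Run against the tree above this yields five findings: the WinTask creation (every 5 minutes, action under AppData\Local\Temp), both netsh wlan invocations, the self-deleting tmp7D79.tmp.bat, and the mis-targeted TaskKill. A schtasks /query, a task pointing into Program Files, or a taskkill that uses /PID produce nothing, which keeps the rules quiet on ordinary administration.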
Network
MITRE ATT&CK Enterprise v15
Downloads

Staging layout: C:\Users\Admin\AppData\Local\340284e8ea064f5633697681546d3ee0\Admin@GAWKBMOT_en-US\ with Browsers\, System\ and Grabber\ subtrees. The 32-hex-character directory name and the apparent <user>@<hostname>_<locale> string are host-specific, so hunt on the structure (a hex-named directory under AppData\Local containing Browsers, System and Grabber) rather than on these literal values. System\Process.txt is listed eight times with growing sizes; the report records each rewrite of the process listing as a separate file.

C:\Users\Admin\AppData\Local\340284e8ea064f5633697681546d3ee0\Admin@GAWKBMOT_en-US\Browsers\Firefox\Bookmarks.txt
  Filesize: 105B
  MD5: 2e9d094dda5cdc3ce6519f75943a4ff4
  SHA1: 5d989b4ac8b699781681fe75ed9ef98191a5096c
  SHA256: c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
  SHA512: d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Local\340284e8ea064f5633697681546d3ee0\Admin@GAWKBMOT_en-US\System\Process.txt
  Filesize: 929B
  MD5: b229d4c9a7e4ebc8f46df752aed13a40
  SHA1: 9702483d3abfe7ac2be562636c085dd38a79c519
  SHA256: 587e08fca87ac738cf1e56754f4af8e6a1ed61fe0f171f31660df062d3aab39b
  SHA512: 36b7152859ccfe7a0c88b7f7f9d13cd47fb5c2857faf1295860fc1b50b092834166b4a4b4d3d2b8c5333f94ecd0c2fc79bedc305483b6ec8d310828c87d39706

C:\Users\Admin\AppData\Local\340284e8ea064f5633697681546d3ee0\Admin@GAWKBMOT_en-US\System\Process.txt
  Filesize: 1KB
  MD5: e3b205ab3fc50fc281ec0e736bf9ef4a
  SHA1: e0e852a15b94d6767c75273607c1a66a334b848b
  SHA256: a4d78b8167d3cdf73c666dc72e1b410a221c2df127e1e0c3418d108a86eab2b9
  SHA512: f7a0848a4d9b56b38c6c1cab3a6aaf517bd00ebcaef46d9495c0245b08a2afdd334d6e71174b9aa4caab19c0ad8ce007c00fb9a282837bdb2b62fce160a1310c

C:\Users\Admin\AppData\Local\340284e8ea064f5633697681546d3ee0\Admin@GAWKBMOT_en-US\System\Process.txt
  Filesize: 2KB
  MD5: 6969521b65999f8ccba1490f72b0e38e
  SHA1: d513c0beb30eb56e013cc54c799a72a6274a3dbe
  SHA256: 771b56527440947270a03586f5918166cea77641dae4f84b2e8d40f6b3ef8c9d
  SHA512: cf8ad240933ac4f0d02ee09e74f812256d20e5ca928deee8ba6f47b0d79b9ff6e14b6a0e775439a27e5c21293fa328af61ba1af522789c73fafc78de521a4e79

C:\Users\Admin\AppData\Local\340284e8ea064f5633697681546d3ee0\Admin@GAWKBMOT_en-US\System\Process.txt
  Filesize: 2KB
  MD5: 994ab2913fc03bc82b207207e9c91919
  SHA1: 733b3a73fb54ad842b67fb36951857c0ee5c3939
  SHA256: 3ba97883d75d8bcfc2afda0b93ce5210e2fc6ec2e14f5e9b67e947b4db2b10dd
  SHA512: 99f56e1bd72c9068ae46355cd53da594bdea419d6760d4f33e86c09579e06ea0bd5a4062c4f3a9f4bfb56da384e815f76b192209eab9fe4fc56ddc64510256c8

C:\Users\Admin\AppData\Local\340284e8ea064f5633697681546d3ee0\Admin@GAWKBMOT_en-US\System\Process.txt
  Filesize: 2KB
  MD5: 6c9ce2b15da8187d0dbcffc8c3ce2d5a
  SHA1: 1b86b6689481e107f9fdda1c4b0c0630fcf92fb2
  SHA256: 21528e763355a3de9699fbefb2812b453d5ee3cd9b223b851dd12a4c477e3d17
  SHA512: 559dd7bff77dee630400351020f261ee8f4c99eea0d897a78682323233176521771e085ff07e7b78d09116ce0a39576156b8d222f4b9cf8e7c4d2372b56392b4

C:\Users\Admin\AppData\Local\340284e8ea064f5633697681546d3ee0\Admin@GAWKBMOT_en-US\System\Process.txt
  Filesize: 3KB
  MD5: 837cbed2b4be007ce95efe8e46a58805
  SHA1: 38133229c9312d04028cc7ed770e398159c28ecf
  SHA256: 0a161afc75c851be1323f54eada70ea0168fd07aee3784de904ae7714a1197d6
  SHA512: c47b21258da32424f5fbbcd8ad8ef7ddd883c431549c4454ea41cae793b64b80f9e547c6fcc17034ff4d0192892c76d1c86731b07316f31561dedaf79984419f

C:\Users\Admin\AppData\Local\340284e8ea064f5633697681546d3ee0\Admin@GAWKBMOT_en-US\System\Process.txt
  Filesize: 3KB
  MD5: 056095375095919a846b649e248cc09b
  SHA1: d30401f41b8785d02c9bf0d654f55ecd8a9c9632
  SHA256: eafe3a7736c73e57695f2006a46e484bb9a62b2e7564e70b48f7f76d4ce6d774
  SHA512: f68de326e532146e4ab2dc23cf3d6466ba2437e288e41328cccdcc5710f6a83ee4f0947866e1a59fbba038fe339f6fa96b01a7595a909f2686aaa7575c3b816b

C:\Users\Admin\AppData\Local\340284e8ea064f5633697681546d3ee0\Admin@GAWKBMOT_en-US\System\Process.txt
  Filesize: 4KB
  MD5: a3206f117c3471db2a954a3844d1e03f
  SHA1: 9521e2efee002e3248b64e4f4a7a1eb775a07872
  SHA256: e158755293d05c918c3784c708a89cf75de5cc6376d4b1dae9e235a3916a7e51
  SHA512: 43b961f260eb05ced5214ce7508fcf1d2598a318ac7d3768ab829c6b5bcab5a6636e6ac8eba7ebd787e3f573cbe1b690c7b00b29fc00e839da9e57dbb35ca29a

(path not recorded on this page)
  Filesize: 152B
  MD5: 4d6e17218d9a99976d1a14c6f6944c96
  SHA1: 9e54a19d6c61d99ac8759c5f07b2f0d5faab447f
  SHA256: 32e343d2794af8bc6f2f7c905b5df11d53db4ad8922b92ad5e7cc9c856509d93
  SHA512: 3fa166b3e2d1236298d8dda7071a6fcf2bde283f181b8b0a07c0bb8ba756d6f55fa8a847ca5286d4dbabc6dace67e842a118866320ac01bd5f93cccd3a032e47

(path not recorded on this page)
  Filesize: 111B
  MD5: 285252a2f6327d41eab203dc2f402c67
  SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
  SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
  SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

(path not recorded on this page)
  Filesize: 5KB
  MD5: e3b15cccbbf91972ea46c7b10748dc51
  SHA1: 75f69939140d5b059cefae3fba32a95fd33aa5af
  SHA256: 23050f4dd3a28ee78d9e44af1fbea23f900409aebebe4abd71a5658588dc1960
  SHA512: 9671399dc5b8a901f4277814f5a12c3d75b2f093ff06250734c4791a083b98056f6a06b5eaaa01187b61f941794488852697ac3c5108b1ec2a46b638d9ad8655

(path not recorded on this page)
  Filesize: 24KB
  MD5: c2ef1d773c3f6f230cedf469f7e34059
  SHA1: e410764405adcfead3338c8d0b29371fd1a3f292
  SHA256: 185450d538a894e4dcf55b428f506f3d7baa86664fbbc67afd6c255b65178521
  SHA512: 2ef93803da4d630916bed75d678382fd1c72bff1700a1a72e2612431c6d5e11410ced4eaf522b388028aeadb08e8a77513e16594e6ab081f6d6203e4caa7d549

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ca212de6-7d33-4f9a-9877-3a1021fd55c8.tmp
  Filesize: 5KB
  MD5: 55460361f6588dc4059d5f2eb85b8921
  SHA1: 1fbab74d5dace98a109a5f8bd1206af3dbaaa403
  SHA256: d926f86e3b2868e3dd08c0288189ed6abff117d65ec19a3a571f8af11941bae0
  SHA512: dba8689eed0629fc1267255f951218b2d630a5fb2a47bb6e0a5dfd11effb30e0667ca3ced8ec5183347ada39166d5708bc17b88c0742b2a5860aafd6ff71de55

(path not recorded on this page)
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

(path not recorded on this page)
  Filesize: 10KB
  MD5: 2fd9b2230fffa06d031cc26d1f58a27a
  SHA1: 72364c4ebed774ad61df8ffb934ee1bf4500de52
  SHA256: 142ceba8c9a6ba993e4da0b079f016cf89eb40f0bbf3c584114f8ae0a6f12793
  SHA512: 337d31d62c3414d35067b8dc82362dcab163392abecb1c4b093b420893d11fdd28c8d67418eef198a5de2d31a6ed2354dc0f1fcfd7890e6dcb2b2439353e595e

(path not recorded on this page)
  Filesize: 23KB
  MD5: 4e4349147d3cbbd440f7f3fac5866fa6
  SHA1: 563cf45b4395e64993a84665efcb49b3775505b1
  SHA256: 732efd30bfed7196474ada4a5ffabc01f116bb2b3c68c099991f291ab0c6e325
  SHA512: 7f2e285507d699b1362babcff71b56e1ddd56fb819a27007f492b2276a10648aef6e5880306a60e2d0265b57b999dfabfae0cb7909a64cf9eebc21f8fcb1a440

(path not recorded on this page)
  Filesize: 69B
  MD5: bc62b839f112ed1738746dde677c1c64
  SHA1: 8939e5cc1624e8c14938114e3adb6691558500c4
  SHA256: 343dd792d66683c6dfbcb44d4c6bddc46cacd556a6ec8279527202ba4ee69d82
  SHA512: 13ffe3abfa421bea484af0fbf2a7889c00b40dccb9c7fb71d362c35e955d4ca1b5e9ed669d372a9c3082ec744857243a4f5209957642521bf43b47632e3d2713