Analysis
-
max time kernel
149s -
max time network
134s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
03/04/2024, 12:27
Static task
static1
Behavioral task
behavioral1
Sample
Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe
Resource
win7-20231129-en
General
-
Target
Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe
-
Size
67KB
-
MD5
ceb9e6829d00ad6e8f25b30d77aba83f
-
SHA1
865128c3a9baee65deeab14f1fdc9a68969df6f4
-
SHA256
664582c7357c0ea9f0f6ab524867e1cce887251b11e917ba5c9d81247e57bcb1
-
SHA512
18703d353319cbd049dfe3d19469eef2ef26615e44101eca43d1c7da515553d2c98e8098e5d2cfbf1c32984d77846dec320223ea4b8189ca9f64d570e7ea0ca2
-
SSDEEP
1536:j+wPW51r8EHsL71ELMt/RYKiq4vo/1oHHbwr/Ye2WcMX6F8:j+wIiEH+u4/O1HHbwse2SXE8
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 6 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\8a3d5dfa8806795b2b19dfa565855e69\Admin@QMWIRSIY_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe File created C:\Users\Admin\AppData\Local\8a3d5dfa8806795b2b19dfa565855e69\Admin@QMWIRSIY_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe File created C:\Users\Admin\AppData\Local\8a3d5dfa8806795b2b19dfa565855e69\Admin@QMWIRSIY_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe File created C:\Users\Admin\AppData\Local\8a3d5dfa8806795b2b19dfa565855e69\Admin@QMWIRSIY_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe File created C:\Users\Admin\AppData\Local\8a3d5dfa8806795b2b19dfa565855e69\Admin@QMWIRSIY_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe File created C:\Users\Admin\AppData\Local\8a3d5dfa8806795b2b19dfa565855e69\Admin@QMWIRSIY_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 30 icanhazip.com -
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4672 schtasks.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 3960 timeout.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Kills process with taskkill 1 IoCs
pid Process 3576 taskkill.exe -
Suspicious behavior: EnumeratesProcesses 36 IoCs
pid Process 1488 msedge.exe 1488 msedge.exe 3040 msedge.exe 3040 msedge.exe 956 identity_helper.exe 956 identity_helper.exe 4472 Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe 4472 Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe 4472 Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe 4472 Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe 4472 Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe 4472 Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe 4472 Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe 4472 Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe 4472 Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe 4472 Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe 4472 Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe 4472 Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe 4472 Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe 4472 Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe 4472 Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe 4472 Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe 4472 Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe 4472 Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe 4472 Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe 4472 Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe 4472 Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe 4472 Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe 4472 Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe 4472 Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe 4472 Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe 4472 Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe 620 msedge.exe 620 msedge.exe 620 msedge.exe 620 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
pid Process 3040 msedge.exe 3040 msedge.exe 3040 msedge.exe 3040 msedge.exe 3040 msedge.exe 3040 msedge.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4472 Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe Token: SeDebugPrivilege 3576 taskkill.exe -
Suspicious use of FindShellTrayWindow 25 IoCs
pid Process 3040 msedge.exe 3040 msedge.exe 3040 msedge.exe 3040 msedge.exe 3040 msedge.exe 3040 msedge.exe 3040 msedge.exe 3040 msedge.exe 3040 msedge.exe 3040 msedge.exe 3040 msedge.exe 3040 msedge.exe 3040 msedge.exe 3040 msedge.exe 3040 msedge.exe 3040 msedge.exe 3040 msedge.exe 3040 msedge.exe 3040 msedge.exe 3040 msedge.exe 3040 msedge.exe 3040 msedge.exe 3040 msedge.exe 3040 msedge.exe 3040 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 3040 msedge.exe 3040 msedge.exe 3040 msedge.exe 3040 msedge.exe 3040 msedge.exe 3040 msedge.exe 3040 msedge.exe 3040 msedge.exe 3040 msedge.exe 3040 msedge.exe 3040 msedge.exe 3040 msedge.exe 3040 msedge.exe 3040 msedge.exe 3040 msedge.exe 3040 msedge.exe 3040 msedge.exe 3040 msedge.exe 3040 msedge.exe 3040 msedge.exe 3040 msedge.exe 3040 msedge.exe 3040 msedge.exe 3040 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4472 wrote to memory of 1176 4472 Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe 92 PID 4472 wrote to memory of 1176 4472 Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe 92 PID 4472 wrote to memory of 3040 4472 Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe 94 PID 4472 wrote to memory of 3040 4472 Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe 94 PID 4472 wrote to memory of 4736 4472 Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe 95 PID 4472 wrote to memory of 4736 4472 Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe 95 PID 3040 wrote to memory of 1188 3040 msedge.exe 97 PID 3040 wrote to memory of 1188 3040 msedge.exe 97 PID 4472 wrote to memory of 4672 4472 Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe 99 PID 4472 wrote to memory of 4672 4472 Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe 99 PID 3040 wrote to memory of 4928 3040 msedge.exe 101 PID 3040 wrote to memory of 4928 3040 msedge.exe 101 PID 3040 wrote to memory of 4928 3040 msedge.exe 101 PID 3040 wrote to memory of 4928 3040 msedge.exe 101 PID 3040 wrote to memory of 4928 3040 msedge.exe 101 PID 3040 wrote to memory of 4928 3040 msedge.exe 101 PID 3040 wrote to memory of 4928 3040 msedge.exe 101 PID 3040 wrote to memory of 4928 3040 msedge.exe 101 PID 3040 wrote to memory of 4928 3040 msedge.exe 101 PID 3040 wrote to memory of 4928 3040 msedge.exe 101 PID 3040 wrote to memory of 4928 3040 msedge.exe 101 PID 3040 wrote to memory of 4928 3040 msedge.exe 101 PID 3040 wrote to memory of 4928 3040 msedge.exe 101 PID 3040 wrote to memory of 4928 3040 msedge.exe 101 PID 3040 wrote to memory of 4928 3040 msedge.exe 101 PID 3040 wrote to memory of 4928 3040 msedge.exe 101 PID 3040 wrote to memory of 4928 3040 msedge.exe 101 PID 3040 wrote to memory of 4928 3040 msedge.exe 101 PID 3040 wrote to memory of 4928 3040 msedge.exe 101 PID 3040 wrote to memory of 4928 3040 msedge.exe 101 PID 3040 wrote to memory of 4928 3040 msedge.exe 101 PID 3040 wrote to memory of 4928 3040 msedge.exe 101 PID 3040 wrote to memory of 4928 3040 msedge.exe 101 PID 3040 wrote to memory of 4928 3040 msedge.exe 101 PID 3040 wrote to memory of 4928 3040 msedge.exe 101 PID 3040 wrote to memory of 4928 3040 msedge.exe 101 PID 3040 wrote to memory of 4928 3040 msedge.exe 101 PID 3040 wrote to memory of 4928 3040 msedge.exe 101 PID 3040 wrote to memory of 4928 3040 msedge.exe 101 PID 3040 wrote to memory of 4928 3040 msedge.exe 101 PID 3040 wrote to memory of 4928 3040 msedge.exe 101 PID 3040 wrote to memory of 4928 3040 msedge.exe 101 PID 3040 wrote to memory of 4928 3040 msedge.exe 101 PID 3040 wrote to memory of 4928 3040 msedge.exe 101 PID 3040 wrote to memory of 4928 3040 msedge.exe 101 PID 3040 wrote to memory of 4928 3040 msedge.exe 101 PID 3040 wrote to memory of 4928 3040 msedge.exe 101 PID 3040 wrote to memory of 4928 3040 msedge.exe 101 PID 3040 wrote to memory of 4928 3040 msedge.exe 101 PID 3040 wrote to memory of 4928 3040 msedge.exe 101 PID 3040 wrote to memory of 1488 3040 msedge.exe 102 PID 3040 wrote to memory of 1488 3040 msedge.exe 102 PID 3040 wrote to memory of 3100 3040 msedge.exe 103 PID 3040 wrote to memory of 3100 3040 msedge.exe 103 PID 3040 wrote to memory of 3100 3040 msedge.exe 103 PID 3040 wrote to memory of 3100 3040 msedge.exe 103 PID 3040 wrote to memory of 3100 3040 msedge.exe 103 PID 3040 wrote to memory of 3100 3040 msedge.exe 103 PID 3040 wrote to memory of 3100 3040 msedge.exe 103 PID 3040 wrote to memory of 3100 3040 msedge.exe 103 PID 3040 wrote to memory of 3100 3040 msedge.exe 103 PID 3040 wrote to memory of 3100 3040 msedge.exe 103 PID 3040 wrote to memory of 3100 3040 msedge.exe 103 PID 3040 wrote to memory of 3100 3040 msedge.exe 103 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe"C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe"1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4472 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks.exe" /query /TN WinTask2⤵PID:1176
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\p.html2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9c94446f8,0x7ff9c9444708,0x7ff9c94447183⤵PID:1188
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,15984487128788013720,824418072290361178,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:23⤵PID:4928
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,15984487128788013720,824418072290361178,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
PID:1488
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,15984487128788013720,824418072290361178,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:83⤵PID:3100
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15984487128788013720,824418072290361178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:13⤵PID:3056
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15984487128788013720,824418072290361178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:13⤵PID:5064
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,15984487128788013720,824418072290361178,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:83⤵PID:2820
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,15984487128788013720,824418072290361178,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
PID:956
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15984487128788013720,824418072290361178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:13⤵PID:3576
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15984487128788013720,824418072290361178,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:13⤵PID:2544
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15984487128788013720,824418072290361178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:13⤵PID:4672
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15984487128788013720,824418072290361178,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:13⤵PID:4268
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,15984487128788013720,824418072290361178,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4832 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
PID:620
-
-
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks.exe" /query /TN WinTask2⤵PID:4736
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn WinTask /tr C:\Users\Admin\AppData\Local\Temp\Administrator-DELLXPS1456- 2024-04-03 13-52-24.html.exe /sc minute /mo 52⤵
- Creates scheduled task(s)
PID:4672
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All2⤵PID:720
-
C:\Windows\system32\chcp.comchcp 650013⤵PID:2992
-
-
C:\Windows\system32\netsh.exenetsh wlan show profile3⤵PID:3784
-
-
C:\Windows\system32\findstr.exefindstr All3⤵PID:3648
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid2⤵PID:4792
-
C:\Windows\system32\chcp.comchcp 650013⤵PID:5016
-
-
C:\Windows\system32\netsh.exenetsh wlan show networks mode=bssid3⤵PID:896
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp68B9.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp68B9.tmp.bat2⤵PID:3600
-
C:\Windows\system32\chcp.comchcp 650013⤵PID:1176
-
-
C:\Windows\system32\taskkill.exeTaskKill /F /IM 44723⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3576
-
-
C:\Windows\system32\timeout.exeTimeout /T 2 /Nobreak3⤵
- Delays execution with timeout.exe
PID:3960
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3516
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1868
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\8a3d5dfa8806795b2b19dfa565855e69\Admin@QMWIRSIY_en-US\Browsers\Firefox\Bookmarks.txt
Filesize105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
C:\Users\Admin\AppData\Local\8a3d5dfa8806795b2b19dfa565855e69\Admin@QMWIRSIY_en-US\System\Process.txt
Filesize856B
MD5ac0846b65fb57bce782845f8acfb64b4
SHA19eca5dc29ef177e4d480be3eea23718a349123f7
SHA2565d167cd8ba9c5cdf09c6e6f763377fbcf8f499686534731d3bea6674de603475
SHA512fafd92c919ff3022a22193894ac7772b22b312636c8d3f10be5cef47be66aa0023a008b9efb5c6ee9cb300f3577918288f2f77ca56513f69a04380b14186a015
-
C:\Users\Admin\AppData\Local\8a3d5dfa8806795b2b19dfa565855e69\Admin@QMWIRSIY_en-US\System\Process.txt
Filesize1KB
MD5d31484e0ca0300498d55c53a7b840996
SHA1f6885e26b673aaec85a0447101097d095829f2ec
SHA25673834a5298fdd597a7b1e00c6c696a0bfc9653b13b98e8a07ec9679bc233122b
SHA51232d80aafba2a1e3285226f7e88406e5753f76f6ddca210836d8e1b821e868d4782b54d7aaafe6e81dfd2e1c163b4de79bd3dce99e6c3a1124d1d1a7ed2a615bb
-
C:\Users\Admin\AppData\Local\8a3d5dfa8806795b2b19dfa565855e69\Admin@QMWIRSIY_en-US\System\Process.txt
Filesize2KB
MD5336dc251f7160518a5d7f6331acbfe8f
SHA1a5e27fac9463164c9770b37c0cebe16a15ffb32e
SHA25666081fad328ca00b4faa3aa5b9adaf887e38fb5c522d754a915e71c0d9d021bc
SHA512133b69d7f44395851e685634187a4c0725b3e6a2b47ce7b2aa738e7b8c4846f1b0982cd3ea65b2efd85f162c739afa14878958f8a824c4bd247b0e4b5e371aea
-
C:\Users\Admin\AppData\Local\8a3d5dfa8806795b2b19dfa565855e69\Admin@QMWIRSIY_en-US\System\Process.txt
Filesize3KB
MD5b9417c5cab5e9b2794b3287870b2e24f
SHA10c16334f6d4f2b9b75419de9c01a1c97d821c480
SHA2564546f9bac8af91793509a580571d3f804d83ab45166d7321f67a41ca03a48f87
SHA5121a522d7e69ac0b448eaf5247f45b6d6c4820daec52b8f789f218fecde6846b70bc4eb60cb3ab16a7800b592f84e24e54c9dcbadb19aae62fb9bf8cd5487766ad
-
C:\Users\Admin\AppData\Local\8a3d5dfa8806795b2b19dfa565855e69\Admin@QMWIRSIY_en-US\System\Process.txt
Filesize4KB
MD5aab712b2a28a0306c64e3fd4402a5c61
SHA143b998d05f0be9b92b83aa8c8b78f48d2f13349b
SHA2567b17cb2e9e4add8f7a6a4ba18fd086ab3b128997e8a912bc1341d27610a71ee8
SHA5124e5823607fc563611df6a9756d41ab69a6089ca834be4dd54cb4d72ecc4cf226230919e5157978876e37137e62a19e8787b7191093c46f2caa3df705a228e98d
-
Filesize
152B
MD5e1b45169ebca0dceadb0f45697799d62
SHA1803604277318898e6f5c6fb92270ca83b5609cd5
SHA2564c0224fb7cc26ccf74f5be586f18401db57cce935c767a446659b828a7b5ee60
SHA512357965b8d5cfaf773dbd9b371d7e308d1c86a6c428e542adbfe6bac34a7d2061d0a2f59e84e5b42768930e9b109e9e9f2a87e95cf26b3a69cbff05654ee42b4e
-
Filesize
152B
MD59ffb5f81e8eccd0963c46cbfea1abc20
SHA1a02a610afd3543de215565bc488a4343bb5c1a59
SHA2563a654b499247e59e34040f3b192a0069e8f3904e2398cbed90e86d981378e8bc
SHA5122d21e18ef3f800e6e43b8cf03639d04510433c04215923f5a96432a8aa361fdda282cd444210150d9dbf8f028825d5bc8a451fd53bd3e0c9528eeb80d6e86597
-
Filesize
6KB
MD55c5b6d6c8dae544ee8b198922722fd28
SHA1bb7fe7c5a6a92b5b453a1d151d2f1a097884f12a
SHA2569e2932dc8efa6daf2df3f57b41eb1d773e7a0c46b3c0637ebe6236257ae83ba5
SHA5129674dc27f44f87831e8f6ab8b812280b63ba076c8269e37393bcf379a5d9258fd804381f353b67dcd5ae99dfc08323ff2a7c65345b4aa7a64c77de0e70fa4997
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\a504e702-852c-45be-ba96-d212e24e92bd.tmp
Filesize6KB
MD5fb4a1945ddc02305bdff90f0f6541df3
SHA131fac662d73f73507f00724ec43d00f1106eb775
SHA256cb2eeae9d8f00474d2169d36a576c2c7259dbca5aaf396ef5d11734496d1eeda
SHA5124cbc348c7495bd5d44928871ece3a03758518e9a0a2b07c1c207c4e0d0fe13d9a8884b308acede4f7bd99e6c8622bee4b5bd610a332aef185fa3a2ae8a4b898c
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD543feac7efacd5a14dc3796d480a08dbe
SHA1dc690bac5ecd40f7d41af45755deb8f3848c7c78
SHA256cce61298db9bea855e294e8ab0ae807783a4bcacaede7fd3e697a9fa6213f73f
SHA512290e5824b85b1a8a20ce37484fd82b161c9c3c48ce51074329aab85707c9c80dae5210498f91ff38a8b43b64f84183a87b2e3cac34f83de3e5c8b2a4bd8759de
-
Filesize
23KB
MD54e4349147d3cbbd440f7f3fac5866fa6
SHA1563cf45b4395e64993a84665efcb49b3775505b1
SHA256732efd30bfed7196474ada4a5ffabc01f116bb2b3c68c099991f291ab0c6e325
SHA5127f2e285507d699b1362babcff71b56e1ddd56fb819a27007f492b2276a10648aef6e5880306a60e2d0265b57b999dfabfae0cb7909a64cf9eebc21f8fcb1a440
-
Filesize
69B
MD5b3648b6cc1d20cb657dffce89ad65a32
SHA17eb99a8ed1423353968ba284d7944922ac6c72e0
SHA25653f5992ed8b575a8afb695851fc01877c42e90460b25ea8120f487a662e14866
SHA512f882fed097cea656b40592bc359970e130deda904f599c9469c57ccd8cc1240e9d6a45cf863e874bc69dbe6e83bcb5aaa78cb4301de388c4eba7f6cd7d0177a2