bd454f23ca60e35b9442b70b28762e9f8e70116757a0a37ac30335b6aff8ffda

Resubmissions

01/05/2024, 16:04

240501-th2jaach66 1

29/04/2024, 17:15

240429-vsye2sgd2t 8

29/04/2024, 17:08

240429-vnv45agb91 5

Analysis

max time kernel
312s
max time network
313s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
29/04/2024, 17:08

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

.html
Size

1KB
MD5

e7c33e896fc6a6c7d635fc478b7ed5ef
SHA1

b2b0e2d14719a991c2490cd6305d38432cfb5b01
SHA256

bd454f23ca60e35b9442b70b28762e9f8e70116757a0a37ac30335b6aff8ffda
SHA512

1aab589a70e9f8058483fe128fe490baec3f676dbfa8840bf7084fcdf5aada519d697cc250faf67586ee29abbdafdbae64c24467b3d8ea86419aa4a76dc12dda

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SRU\SRUDB.dat	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.jfm	svchost.exe
File created	C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{87a17bed-4e52-4b2f-89c5-c71cce439cdd}\snapshot.etl	svchost.exe
File opened for modification	C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{87a17bed-4e52-4b2f-89c5-c71cce439cdd}\snapshot.etl	svchost.exe
File opened for modification	C:\Windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin	svchost.exe
File created	C:\Windows\system32\wdi\LogFiles\StartupInfo\S-1-5-21-2878097196-921257239-309638238-1000_StartupInfo3.xml	svchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File opened for modification	C:\Windows\system32\SRU\SRU.log	svchost.exe
File opened for modification	C:\Windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2878097196-921257239-309638238-1000_UserData.bin	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUtmp.log	svchost.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File opened for modification	C:\Windows\system32\SRU\SRU.chk	svchost.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "23"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133588841681849543"	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe

Modifies registry class 29 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	PickerHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "4294967295"	PickerHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings	PickerHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	PickerHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	PickerHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	PickerHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	PickerHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	PickerHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	PickerHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	PickerHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	PickerHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	PickerHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1"	PickerHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = ffffffff	PickerHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	PickerHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	PickerHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	PickerHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	PickerHost.exe
Key created	\Registry\User\S-1-5-21-2878097196-921257239-309638238-1000_Classes\NotificationData	PickerHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	PickerHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	PickerHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	PickerHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "4"	PickerHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	PickerHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	PickerHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac04000000c8000000354b179bff40d211a27e00c04fc308710300000080000000354b179bff40d211a27e00c04fc308710200000080000000	PickerHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	PickerHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	PickerHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	PickerHost.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3340	chrome.exe
3340	chrome.exe
2444	msedge.exe
2444	msedge.exe
4752	msedge.exe
4752	msedge.exe
764	identity_helper.exe
764	identity_helper.exe
2968	msedge.exe
2968	msedge.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
6076	sdiagnhost.exe
6076	sdiagnhost.exe
1340	svchost.exe
1340	svchost.exe
1340	svchost.exe
1340	svchost.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
680	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs

pid	Process
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
3340	chrome.exe
3340	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe
Token: SeShutdownPrivilege	3340	chrome.exe
Token: SeCreatePagefilePrivilege	3340	chrome.exe

Suspicious use of FindShellTrayWindow 54 IoCs

pid	Process
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
2000	msdt.exe
3340	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
3340	chrome.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1068	PickerHost.exe
1068	PickerHost.exe
1068	PickerHost.exe
3064	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3340 wrote to memory of 4236	3340	chrome.exe	79
PID 3340 wrote to memory of 4236	3340	chrome.exe	79
PID 3340 wrote to memory of 2488	3340	chrome.exe	80
PID 3340 wrote to memory of 2488	3340	chrome.exe	80
PID 3340 wrote to memory of 2488	3340	chrome.exe	80
PID 3340 wrote to memory of 2488	3340	chrome.exe	80
PID 3340 wrote to memory of 2488	3340	chrome.exe	80
PID 3340 wrote to memory of 2488	3340	chrome.exe	80
PID 3340 wrote to memory of 2488	3340	chrome.exe	80
PID 3340 wrote to memory of 2488	3340	chrome.exe	80
PID 3340 wrote to memory of 2488	3340	chrome.exe	80
PID 3340 wrote to memory of 2488	3340	chrome.exe	80
PID 3340 wrote to memory of 2488	3340	chrome.exe	80
PID 3340 wrote to memory of 2488	3340	chrome.exe	80
PID 3340 wrote to memory of 2488	3340	chrome.exe	80
PID 3340 wrote to memory of 2488	3340	chrome.exe	80
PID 3340 wrote to memory of 2488	3340	chrome.exe	80
PID 3340 wrote to memory of 2488	3340	chrome.exe	80
PID 3340 wrote to memory of 2488	3340	chrome.exe	80
PID 3340 wrote to memory of 2488	3340	chrome.exe	80
PID 3340 wrote to memory of 2488	3340	chrome.exe	80
PID 3340 wrote to memory of 2488	3340	chrome.exe	80
PID 3340 wrote to memory of 2488	3340	chrome.exe	80
PID 3340 wrote to memory of 2488	3340	chrome.exe	80
PID 3340 wrote to memory of 2488	3340	chrome.exe	80
PID 3340 wrote to memory of 2488	3340	chrome.exe	80
PID 3340 wrote to memory of 2488	3340	chrome.exe	80
PID 3340 wrote to memory of 2488	3340	chrome.exe	80
PID 3340 wrote to memory of 2488	3340	chrome.exe	80
PID 3340 wrote to memory of 2488	3340	chrome.exe	80
PID 3340 wrote to memory of 2488	3340	chrome.exe	80
PID 3340 wrote to memory of 2488	3340	chrome.exe	80
PID 3340 wrote to memory of 1128	3340	chrome.exe	81
PID 3340 wrote to memory of 1128	3340	chrome.exe	81
PID 3340 wrote to memory of 4376	3340	chrome.exe	82
PID 3340 wrote to memory of 4376	3340	chrome.exe	82
PID 3340 wrote to memory of 4376	3340	chrome.exe	82
PID 3340 wrote to memory of 4376	3340	chrome.exe	82
PID 3340 wrote to memory of 4376	3340	chrome.exe	82
PID 3340 wrote to memory of 4376	3340	chrome.exe	82
PID 3340 wrote to memory of 4376	3340	chrome.exe	82
PID 3340 wrote to memory of 4376	3340	chrome.exe	82
PID 3340 wrote to memory of 4376	3340	chrome.exe	82
PID 3340 wrote to memory of 4376	3340	chrome.exe	82
PID 3340 wrote to memory of 4376	3340	chrome.exe	82
PID 3340 wrote to memory of 4376	3340	chrome.exe	82
PID 3340 wrote to memory of 4376	3340	chrome.exe	82
PID 3340 wrote to memory of 4376	3340	chrome.exe	82
PID 3340 wrote to memory of 4376	3340	chrome.exe	82
PID 3340 wrote to memory of 4376	3340	chrome.exe	82
PID 3340 wrote to memory of 4376	3340	chrome.exe	82
PID 3340 wrote to memory of 4376	3340	chrome.exe	82
PID 3340 wrote to memory of 4376	3340	chrome.exe	82
PID 3340 wrote to memory of 4376	3340	chrome.exe	82
PID 3340 wrote to memory of 4376	3340	chrome.exe	82
PID 3340 wrote to memory of 4376	3340	chrome.exe	82
PID 3340 wrote to memory of 4376	3340	chrome.exe	82
PID 3340 wrote to memory of 4376	3340	chrome.exe	82
PID 3340 wrote to memory of 4376	3340	chrome.exe	82
PID 3340 wrote to memory of 4376	3340	chrome.exe	82
PID 3340 wrote to memory of 4376	3340	chrome.exe	82
PID 3340 wrote to memory of 4376	3340	chrome.exe	82
PID 3340 wrote to memory of 4376	3340	chrome.exe	82
PID 3340 wrote to memory of 4376	3340	chrome.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\.html
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xd8,0x100,0x104,0xe4,0x108,0x7ff94344cc40,0x7ff94344cc4c,0x7ff94344cc58
  2⤵
  PID:4236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1800,i,8035624921212110156,8835192837869338950,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1796 /prefetch:2
  2⤵
  PID:2488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2032,i,8035624921212110156,8835192837869338950,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2052 /prefetch:3
  2⤵
  PID:1128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1712,i,8035624921212110156,8835192837869338950,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2196 /prefetch:8
  2⤵
  PID:4376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3056,i,8035624921212110156,8835192837869338950,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3068 /prefetch:1
  2⤵
  PID:1332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3076,i,8035624921212110156,8835192837869338950,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3124 /prefetch:1
  2⤵
  PID:1644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4584,i,8035624921212110156,8835192837869338950,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4740 /prefetch:8
  2⤵
  PID:720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4396,i,8035624921212110156,8835192837869338950,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4428 /prefetch:1
  2⤵
  PID:2648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=3716,i,8035624921212110156,8835192837869338950,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4868 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4888,i,8035624921212110156,8835192837869338950,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4884 /prefetch:1
  2⤵
  PID:4768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3492,i,8035624921212110156,8835192837869338950,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:4412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=3244,i,8035624921212110156,8835192837869338950,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4372 /prefetch:1
  2⤵
  PID:1484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4852,i,8035624921212110156,8835192837869338950,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:2156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3220,i,8035624921212110156,8835192837869338950,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:3328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4568,i,8035624921212110156,8835192837869338950,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5168 /prefetch:1
  2⤵
  PID:1204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3696,i,8035624921212110156,8835192837869338950,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:4844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=3252,i,8035624921212110156,8835192837869338950,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3092 /prefetch:1
  2⤵
  PID:4040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=4988,i,8035624921212110156,8835192837869338950,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4924 /prefetch:1
  2⤵
  PID:2728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5208,i,8035624921212110156,8835192837869338950,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5264 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=3296,i,8035624921212110156,8835192837869338950,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:2408
- C:\Windows\system32\msdt.exe
  -modal "983106" -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\Admin\AppData\Local\Temp\NDFFB4E.tmp" -ep "NetworkDiagnosticsWeb"
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:2000

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:1008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff92d343cb8,0x7ff92d343cc8,0x7ff92d343cd8
  2⤵
  PID:1268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1988,7363841874185857203,12769421542979170509,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2000 /prefetch:2
  2⤵
  PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1988,7363841874185857203,12769421542979170509,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1988,7363841874185857203,12769421542979170509,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2568 /prefetch:8
  2⤵
  PID:2024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,7363841874185857203,12769421542979170509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:2468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,7363841874185857203,12769421542979170509,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:2176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,7363841874185857203,12769421542979170509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4432 /prefetch:1
  2⤵
  PID:2428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,7363841874185857203,12769421542979170509,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4456 /prefetch:1
  2⤵
  PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1988,7363841874185857203,12769421542979170509,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3472 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,7363841874185857203,12769421542979170509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3632 /prefetch:1
  2⤵
  PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,7363841874185857203,12769421542979170509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1
  2⤵
  PID:3296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,7363841874185857203,12769421542979170509,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4556 /prefetch:1
  2⤵
  PID:2404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1988,7363841874185857203,12769421542979170509,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3972 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2968

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1296

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3788

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:2980

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:2176

C:\Windows\System32\PickerHost.exe
C:\Windows\System32\PickerHost.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1068

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:6076
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
  2⤵
  PID:2012
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
  2⤵
  PID:5012

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1340

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
1⤵
PID:2604

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost
1⤵
- Modifies data under HKEY_USERS
PID:4488

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:5240

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:5288

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004D8
1⤵
PID:5384

C:\Windows\System32\SpatialAudioLicenseSrv.exe
C:\Windows\System32\SpatialAudioLicenseSrv.exe SpatialAudioLicenseServerInteractiveUser -Embedding
1⤵
PID:6080

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39eb055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024042917.000\NetworkDiagnostics.debugreport.xml

Filesize
71KB

MD5
cba16b69c99b065c4d640cce402aff07

SHA1
8d72f45e73844116a5e6a9459ea8e90c5aaf8383

SHA256
ef8705bc70a4ac84e7bc1bc5dfec7d3fd62e340e9429dd865291b93a66858b50

SHA512
a11a0c0323314395d2d0f3ccb23f224034b31dce21492a2f673859545084cc6d93af0b07f4f3b606f9693b818a220e846376e079e37c88ecf7e2e27d3b6f9409

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024042917.000\results.xsl

Filesize
47KB

MD5
90df783c6d95859f3a420cb6af1bafe1

SHA1
3fe1e63ca5efc0822fc3a4ae862557238aa22f78

SHA256
06db605b5969c93747313e6409ea84bdd8b7e1731b7e6e3656329d77bcf51093

SHA512
e5dcbb7d8f42eabf42966fccee11c3d3e3f965ecc7a4d9e4ecd0382a31c4e8afea931564b1c6931f6d7e6b3650dc01a4a1971e317dab6c1f03932c6b6b7d399f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\9b7361f7-9593-4d2f-980c-8ab84a3c5cb5.tmp

Filesize
8KB

MD5
0d077db232bc353100a004f2d4f2b584

SHA1
06b7874cba1764642a00a36f32ac4428f62aca9d

SHA256
5b911e8d5495351e8746c2e66cbb00392ce59c096ebb3cb147124d7f461a9b65

SHA512
8ac6479d35322af9ee389e7fc025fc49335f1b98c2ec23e8a7c4f306c84ae95ce09f215d41b6ada7eec2def162b12de0c8609a10b744c9ce786952e10eb111e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
450ee15a6c6defe71cf933f3a16b2a73

SHA1
4969861b49837bdc5866437edf2c2a3b35031049

SHA256
a045ec11143b7612270177c1c1efa74f283b2bd555be5cb7080d81043d692d63

SHA512
85b8c70d11c2a33ddf104b86011ec2a8924704b8fec151451d367657a03a22efe30f7ff9e71f574f2823864783913e2e819a47d5e05fdd49681cbb515c680fbb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
73eff3813e86db1332d3f82c886e06d2

SHA1
b908765a99c261d11ab9428a6dcc294c954b477f

SHA256
2a0a0074cacbea1ec06f648582af855f7e2acb5729fd6c395f025ef2523b801b

SHA512
85bcbc4632a7844e268ea8591bdacc3a9cf399ddcb0447abd259467703d282cfd0613ad6c9730401a47dcf1847d0a796071258fbeffef6f70ee317abb99eb61d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c1c0e7b55d5de751b0e9b85776781d38

SHA1
0b182bf844e641b99672200313dbb95691fb608c

SHA256
fd189e3092eded7451a8004993f458fd74913808c43effb76d13b397bc6736c5

SHA512
ea4b34e2c746b6ada588230fc147bceac0d0d27e0f59cc8ed588379a9a23ebe07d9d52eb2f5f22502988d439e5900b0340a7ce5d608e9b968b3c93c2a5bbc320

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6120f5f91a5759949b07d2e1ea69b6c3

SHA1
877d4556ec20f3487db5833b0d3f8235eb4c84a5

SHA256
20ae32767fc2253cf4c59ef044a3a7b05b3e3474496ad1bc53ae53b7f09381cd

SHA512
e36739f5b5e9527c7fb9f1e1650b86d570a8f459bdce086b60de5c0ecde1e9165c9f9882eb28d07b6766e771123aefa246a07a7efbfd19928234a41da552012a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3ca7088281525f54ef20610faf60be60

SHA1
926473cddb3a973ed9131d45bc82d696e07feb09

SHA256
a8d7aeda930e2ea1d905748bb86db2b2e28e17815de784022d228fe897bca04c

SHA512
1116b9ed839c68008c844982fec88fa330cad4eadbb2d898c593a043a83cb0cd5c6972b5ba90490656abcbe0cca383ea4a462527bff9224e4b3d2ba6028b866e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2de4dc13daeaf71e3cafb30cc0579246

SHA1
9a006d3a7e01e0878045d17787b5b551c8738e6d

SHA256
be23c9783777b2be27f949b7d47a72b3f7dc8f7b3b6c27fdc42df9f89947811b

SHA512
6ea1e9a6fad3bf698bbca9c0dd533708a89394250d788011b1c93a63cf36629098903ab71a735518562fc7dc4fcd403962204f844d000a7fe7d9768c596f96ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d5fe604c1cea9d0d1f7c2429bb72b4d5

SHA1
91b4d9257d9f7893602b379e3ea06213720427b3

SHA256
54f0e50740196c005cf02f941616c282afe1e133e9c20bae3fe598b937a9e811

SHA512
85dba68de76bbae136a7fbe7265e8adb34c58baa41c8ba58f1e0725e384f430d136942dbbf707ee8fac0b86f5c7b6dde40e841af1e0d0fbc8db6ff7a49f303f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
06bd4c2eda245d8efa255b937494c34b

SHA1
8708d9fc617f6b22c8212ce810074f075e17063b

SHA256
5719441f6e0e5d3c37e8ab33f6eb435e21de113f4d302e8088ae57bbd784723e

SHA512
472bdec08fdba2d5fe0b5406a07970434f99819072d1c90bcff9431082ee2911d21ff274732ae535a03baec3a43039511045144b075530bd2e3c6ad35048d7cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d6e6bb0c3f1c48f32ed3c2be2685848b

SHA1
a174402148320566ece31cab7004e1e1a4a5bb06

SHA256
7ecc810fc1aef9d78fb79819610ff4583a311570b76a1c2489239b869cf70240

SHA512
b110b0f987f5fe86cf4073e8028332d2069d1a4bd60d06ae15df76d7acd4f561abed44d54c91e2154bd0f3620491b1a0655a78a30d98ea4242ad906489031803

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
dc0d413a9e96f11596c474ffab451b1c

SHA1
c2bf8a4df96b94bb8a3944f186279587b7f33550

SHA256
fabcfcb44cc3ff18807bd739978b0712fe159ab06c45013211cf404215c6c8e7

SHA512
05df27728c92b8220732d282ed131da504a1dbaa0e56928807afcc46215b6428a586a7ba2ba81d289db7e4a39ba5a38731d888e12feb27e7aab079220d0b6fa6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
71eac2879e722a4f482589a13c86053e

SHA1
b2b0a734f1d6c774e30563cf1cb4c515ab6349fb

SHA256
73823f9b6b9857497fc033af3e56c3a44f2f66de233cc709c5fd3dcdee68a2a6

SHA512
45dddd6b2091b510b300f76b9b29e3b0a8981736726e3f4b415d14650e6179066e00300d90fc5f15f7bb4d023c1d6d1e807e018c7cc9079724e575fdf4a1b467

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f5e3d925a85ae5a8bc4e042757c63863

SHA1
7093dc7f3fd3cdfea341b03bcd77443f9367066a

SHA256
0f18f11e6a4a6d5934e3aaad255d4f14fe863899c831864ae68890e32961486a

SHA512
31d9ad58d1a7f7cdd676815f88511995998fe1294ec255133088349a867a24d5ad6e145ffa8f71d53a8604f43faaef2ac9f2e079cf39b333116623d9633a371a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
41a3b046a0f00cc8450d11866f6498af

SHA1
86429fae7aad7000fb4c73a09d930314a238583b

SHA256
3f2a39bd97fbb40fdad90cdf0b60e8aed199d5dfd9c3ca0e1c31524bb7cc3d40

SHA512
9fcc1ab0f529cf0d0df9fcd1088623da1d367486baa0b9321dc22f95e8cf2a5b7480bc8301aacc730611ff569c86ab0be2e876b27f729578b743b507c6260d98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ca4a4d2db0182e40a532a31e38f7b605

SHA1
3412d1b2ffd0fc023ae071c1cda49a923e672f45

SHA256
383f28195fcba343e7c47131b763b4380b5fc5b0b4faab4d9a0a4310df7981f0

SHA512
5a98ce842418533e08e6c6e477d9e942e0b2be187573d589cf549b2fae967eb3b9d1dc197b6dfd6c4c5a54cdc32f57ed08df5878d765da91e84e7925e5025183

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
16b482c8847fa70396153ee646fc49e5

SHA1
655d7f96ae841c5f036a8a70936a0c9ac72bcb4a

SHA256
ef1512395f5b8f844ac6d3ba4ed8db4f3fd76d8f86943bcc26179e993b04864b

SHA512
a0def10702b3879c4b0cfd689c55d7e6ee716dfd4d7ea2d64a542014159666a1a630dee9a0e36d30eb6fdc6f1d07d1cb280c4d5c4ee680c9d3727a01f460dc66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
a91fe47581a8b4c2efd4fb9efaa200fb

SHA1
04fa3c026d33a4fce6914e5e869af9fdd69065bf

SHA256
3be95510a43c760b390ccd029d0aa99cadf57814b6a8548fa2b5b39de645656e

SHA512
c8647754c084231e346217ecf3163e85f19c0f4ee5368464b83aa8ff049d6f220c40295d50c16106a9f6c993e5234a5bcbbdfb97f2dca9202ac438279a842fe7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
85b9875c9f7d7eba96e0f5ff7fcc8f8a

SHA1
95cdee77e4672351f66e74369a120cb1105d89ea

SHA256
db50e735adaa63af8bec70c91ff995552edd9dbc7c2ed2708a2e28ead8f07629

SHA512
4fe078f2cc1e8df0fe5256f54d42bf7ede91b053a9c0227854b2d33acd3befe9fb5d7c5a7984a5cd0d7572b3e59b20d703887e3106cf0603d7963fea68a27864

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
6ffad56c11166172505fdd8522d90f63

SHA1
7a8c89006ac70a6e9aecd45660ea04b18ad6608a

SHA256
de9c3787a13f081089855ec10ffa48e21b31d1e41039b0d0b0dc5f19ab30fa62

SHA512
eef497b43a35c16d76dd5a90252f9a70a98e54bb0e4e50b46dab5c0a598d38415b1357722aaf348ad3c478a1618a9646bb7da2a1d1c2cb0b651a7fb692c2cb6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bdf3e009c72d4fe1aa9a062e409d68f6

SHA1
7c7cc29a19adb5aa0a44782bb644575340914474

SHA256
8728752ef08d5b17d7eb77ed69cfdd1fc73b9d6e27200844b0953aeece7a7fdc

SHA512
75b85a025733914163d90846af462124db41a40f1ce97e1e0736a05e4f09fe9e78d72316753317dabea28d50906631f634431a39384a332d66fa87352ff497f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7c16971be0e6f1e01725260be0e299cd

SHA1
e7dc1882a0fc68087a2d146b3a639ee7392ac5ed

SHA256
b1fa098c668cdf8092aa096c83328b93e4014df102614aaaf6ab8dc12844bdc0

SHA512
dc76816e756d27eedc2fe7035101f35d90d54ec7d7c724ad6a330b5dd2b1e6d108f3ae44cedb14a02110157be8ddac7d454efae1becebf0efc9931fdc06e953c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1757d67f9165c1a2e22808db96bd5ffa

SHA1
329fb7bcf32eedfbb70a525b958060cdac43d67d

SHA256
9309f5b39c22406c03d3e7f46ae6e850a0422fbfbc1b6fb4f83d4b7965966cc6

SHA512
f350af27b0f50fc9900a97da70502adc8cafd03699ffda048770cee8464cd4fdc9dfc2ed0bd6219371ce8766228930a5a71c3f491c0c678a0e79202856a6b0df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cb4d751940d917a49abb1b414b2f1fb4

SHA1
364a6e428a80a3153ec7a1c6541407ddbdff8f0e

SHA256
9abf6acfe63e902dd310c63e18cd8524ea3605442a07a225ca8677076a97e62e

SHA512
33b27629336fb9270c52cc7b0bef22346529d83defcdeb6a27f101b1532802ada40d8a6641447dfb6f94a027c33defda1803ab4e7096632ba2bcc05ffddc9af4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
1e221b5a9145dccbe23a12613d2b5438

SHA1
683775c215b237eddf4e78ad960ad06c3383b4b1

SHA256
1de818389c1864a6bd28e0ed645e3c8e13ba7179fe127fb1640409e7562db8f0

SHA512
0bb5848c6230017d289548c7ccd377e4120dbbbd814d83d6907da5065f2ecaa7b2177e8a1d26fff1b84fa85e61242cd8d0e519c4718013487268d52136d3c618

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-4-29.1710.2176.1.odl

Filesize
706B

MD5
a1236d7b14e128be78babd442b4020ad

SHA1
1eb59689e5649c414274dd386bdf9d56b702610b

SHA256
fa5fd7d848d8d2b93973a0d889be033f118c3c4509fc523a87ef0f0aa8853969

SHA512
9177c4929bb1a2df4c8581f5125f586ed56271eb43780277f6aeb43a2d1df594d5c378f70890b7ac2aeaf9b25aea9e8799ce575846db1f3ebc2efbf61cf694b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NDFFB4E.tmp

Filesize
3KB

MD5
e310e5578a38aa0803fe501af84e061d

SHA1
ec4e52893b7da842778df8d6658b356de731249b

SHA256
904b48d7f7c6f079ddf5453bfe05bd98118a7e69d0bba17a75f2209a7a5389bd

SHA512
36465ac3ee139947b6623b0efc85cbf66dc8640dbb41abb613057b7d4b48e816bb67cc4893bd994f4f81d2978397f0a8361b2300eb5fb38cb0dcf01a546bceb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dik4ycku.x0a.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System32\sru\SRU0000F.log

Filesize
64KB

MD5
5f48d642bc0a35b4a7369c4ce2617dfe

SHA1
b817fbd3315c2a816d643a2532674ca0e47497a9

SHA256
3f5aa8eeba83188a9a3ff82c5e05ffa6dce7ed0a0c701b346234ea9fe05f5340

SHA512
52ddd87a7f09ce9803a7f92de9ad547f888d85c600b9fa6ca0e498adffcc83762cebb2a11163f73feffea938a288c389a099c2778e5b0b24662658466ec1259b

Download Submit
C:\Windows\TEMP\SDIAG_0e1fbe77-5cf3-4cc0-a223-34aad1f642a9\NetworkDiagnosticsTroubleshoot.ps1

Filesize
25KB

MD5
d0cfc204ca3968b891f7ce0dccfb2eda

SHA1
56dad1716554d8dc573d0ea391f808e7857b2206

SHA256
e3940266b4368c04333db89804246cb89bf2073626f22b8de72bea27c522282a

SHA512
4d2225b599ad8af8ba8516f12cfddca5ec0ce69c5c80b133a6a323e9aaf5e0312efbcfa54d2e4462a5095f9a7c42b9d5b39f3204e0be72c3b1992cf33b22087c

Download Submit
C:\Windows\TEMP\SDIAG_0e1fbe77-5cf3-4cc0-a223-34aad1f642a9\StartDPSService.ps1

Filesize
567B

MD5
a660422059d953c6d681b53a6977100e

SHA1
0c95dd05514d062354c0eecc9ae8d437123305bb

SHA256
d19677234127c38a52aec23686775a8eb3f4e3a406f4a11804d97602d6c31813

SHA512
26f8cf9ac95ff649ecc2ed349bc6c7c3a04b188594d5c3289af8f2768ab59672bc95ffefcc83ed3ffa44edd0afeb16a4c2490e633a89fce7965843674d94b523

Download Submit
C:\Windows\TEMP\SDIAG_0e1fbe77-5cf3-4cc0-a223-34aad1f642a9\UtilityFunctions.ps1

Filesize
53KB

MD5
c912faa190464ce7dec867464c35a8dc

SHA1
d1c6482dad37720db6bdc594c4757914d1b1dd70

SHA256
3891846307aa9e83bca66b13198455af72af45bf721a2fbd41840d47e2a91201

SHA512
5c34352d36459fd8fcda5b459a2e48601a033af31d802a90ed82c443a5a346b9480880d30c64db7ad0e4a8c35b98c98f69eceedad72f2a70d9c6cca74dce826a

Download Submit
C:\Windows\TEMP\SDIAG_0e1fbe77-5cf3-4cc0-a223-34aad1f642a9\UtilitySetConstants.ps1

Filesize
2KB

MD5
0c75ae5e75c3e181d13768909c8240ba

SHA1
288403fc4bedaacebccf4f74d3073f082ef70eb9

SHA256
de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f

SHA512
8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b

Download Submit
C:\Windows\TEMP\SDIAG_0e1fbe77-5cf3-4cc0-a223-34aad1f642a9\en-US\LocalizationData.psd1

Filesize
5KB

MD5
91f545459be2ff513b8d98c7831b8e54

SHA1
499e4aa76fc21540796c75ba5a6a47980ff1bc21

SHA256
1ccd68e58ead16d22a6385bb6bce0e2377ed573387bdafac3f72b62264d238ff

SHA512
469571a337120885ee57e0c73a3954d0280fa813e11709ee792285c046f6ddaf9be5583e475e627ea5f34e8e6fb723a4681289312f0e51dc8e9894492407b911

Download Submit
C:\Windows\Temp\SDIAG_0e1fbe77-5cf3-4cc0-a223-34aad1f642a9\DiagPackage.dll

Filesize
488KB

MD5
ec287e627bf07521b8b443e5d7836c92

SHA1
02595dde2bd98326d8608ee3ddabc481ddc39c3d

SHA256
35fa9f66ed386ee70cb28ec6e03a3b4848e3ae11c8375ba3b17b26d35bd5f694

SHA512
8465ae3ca6a4355888eecedda59d83806faf2682431f571185c31fb8a745f2ef4b26479f07aaf2693cd83f2d0526a1897a11c90a1f484a72f1e5965b72de9903

Download Submit
C:\Windows\Temp\SDIAG_0e1fbe77-5cf3-4cc0-a223-34aad1f642a9\en-US\DiagPackage.dll.mui

Filesize
17KB

MD5
44b3399345bc836153df1024fa0a81e1

SHA1
ce979bfdc914c284a9a15c4d0f9f18db4d984cdd

SHA256
502abf2efedb7f76147a95dc0755723a070cdc3b2381f1860313fd5f01c4fb4d

SHA512
a49ba1a579eedca2356f8a4df94b1c273e483ceace93c617cddee77f66e90682836c77cea58047320b2c2f1d0e23ee7efa3d8af71e8ee864faef7e68f233bec4

Download Submit
memory/1340-872-0x000002962AD50000-0x000002962AD51000-memory.dmp

Filesize
4KB

Download
memory/1340-875-0x000002962B1A0000-0x000002962B1A1000-memory.dmp

Filesize
4KB

Download
memory/1340-684-0x000002962C100000-0x000002962C110000-memory.dmp

Filesize
64KB

Download
memory/1340-844-0x00000296306F0000-0x00000296306F1000-memory.dmp

Filesize
4KB

Download
memory/1340-845-0x00000296306E0000-0x00000296306E1000-memory.dmp

Filesize
4KB

Download
memory/1340-847-0x00000296305E0000-0x00000296305E1000-memory.dmp

Filesize
4KB

Download
memory/1340-848-0x00000296305D0000-0x00000296305D1000-memory.dmp

Filesize
4KB

Download
memory/1340-850-0x00000296305D0000-0x00000296305D1000-memory.dmp

Filesize
4KB

Download
memory/1340-853-0x0000029630520000-0x0000029630521000-memory.dmp

Filesize
4KB

Download
memory/1340-688-0x000002962C140000-0x000002962C150000-memory.dmp

Filesize
64KB

Download
memory/1340-692-0x00000296305D0000-0x00000296305D1000-memory.dmp

Filesize
4KB

Download
memory/1340-896-0x000002962ACB0000-0x000002962ACB1000-memory.dmp

Filesize
4KB

Download
memory/1340-874-0x000002962B190000-0x000002962B191000-memory.dmp

Filesize
4KB

Download
memory/1340-877-0x000002962B020000-0x000002962B021000-memory.dmp

Filesize
4KB

Download
memory/1340-878-0x000002962B040000-0x000002962B041000-memory.dmp

Filesize
4KB

Download
memory/1340-880-0x000002962ADE0000-0x000002962ADE1000-memory.dmp

Filesize
4KB

Download
memory/1340-882-0x000002962B060000-0x000002962B061000-memory.dmp

Filesize
4KB

Download
memory/1340-883-0x000002962B010000-0x000002962B011000-memory.dmp

Filesize
4KB

Download
memory/1340-885-0x000002962ADF0000-0x000002962ADF1000-memory.dmp

Filesize
4KB

Download
memory/1340-887-0x000002962B1C0000-0x000002962B1C1000-memory.dmp

Filesize
4KB

Download
memory/1340-891-0x000002962AD50000-0x000002962AD51000-memory.dmp

Filesize
4KB

Download
memory/1340-890-0x000002962AD60000-0x000002962AD61000-memory.dmp

Filesize
4KB

Download
memory/1340-893-0x000002962AD50000-0x000002962AD51000-memory.dmp

Filesize
4KB

Download
memory/6076-669-0x0000028EE1AF0000-0x0000028EE1B12000-memory.dmp

Filesize
136KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads