Resubmissions
07/05/2024, 12:22
240507-pjxt9sab53  7
07/05/2024, 12:19
240507-phfvcsaa87  8
07/05/2024, 12:09
240507-pbhelshg42  6
07/05/2024, 11:59
240507-n59khshe59  7
07/05/2024, 11:59
240507-n5x7gshe53  1
07/05/2024, 11:56
240507-n386zaeg5x  5
07/05/2024, 11:40
240507-ntbjcaec5y  5

Analysis
max time kernel: 115s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/05/2024, 12:19

Static task: static1
Behavioral task: behavioral1
Sample: images (1).jpg
Resource: win10v2004-20240419-en

General
Target: images (1).jpg
Size: 3KB
MD5: 6f62187dbc30d53e1d661e8914fa708d
SHA1: 99b0006f843c006156628767d71cbafd922804bd
SHA256: bdd5ea18320c3fb29eece7ffff299152d11361659e8640f64de736affbe11e61
SHA512: 496f2919cf60ede364db5d5f6947e2a6f607bbe43876745a8443a4ea74068df8961f0629d6a4ae23bf2e4d18b59f40118f63e3c3a6d25c604955ac2eb7a993d8
Malware Config
Signatures
Disables Task Manager via registry modification

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\~~CB = "cb.exe"  Process: [email protected]

Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by [email protected]: \??\B:, \??\P:, \??\T:, \??\U:, \??\R:, \??\X:, \??\E:, \??\I:, \??\J:, \??\N:, \??\O:, \??\V:, \??\W:, \??\Y:, \??\A:, \??\H:, \??\K:, \??\M:, \??\Z:, \??\G:, \??\L:, \??\Q:, \??\S:

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 4 IoCs)
  flow 158  camo.githubusercontent.com
  flow 159  camo.githubusercontent.com
  flow 180  raw.githubusercontent.com
  flow 181  raw.githubusercontent.com

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\Desktop\Wallpaper  Process: [email protected]

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  Process: chrome.exe
  Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  Process: chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  Process: chrome.exe

Kills process with taskkill (2 IoCs)
  pid 4848  taskkill.exe
  pid 3212  taskkill.exe

Modifies data under HKEY_USERS (2 IoCs)
  Key created  \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry  Process: chrome.exe
  Set value (int)  \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133595579919841025"  Process: chrome.exe

Modifies registry class (4 IoCs)
  Key created  \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3726321484-1950364574-433157660-1000\{2435E6F3-E193-4E64-8B65-5223583DCE9B}  Process: chrome.exe
  Key created  \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings  Process: chrome.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico"  Process: [email protected]
  Key created  \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3726321484-1950364574-433157660-1000\{4FEB15BF-CC9C-48A6-9B8F-8046A89BA31B}  Process: [email protected]

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 2100  chrome.exe  (2 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 2100  chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (8 IoCs)
  pid 2100  chrome.exe  (8 entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeShutdownPrivilege and Token: SeCreatePagefilePrivilege, alternating, pid 2100 chrome.exe  (64 entries)

Suspicious use of FindShellTrayWindow (64 IoCs)
  pid 2100  chrome.exe  (64 entries)

Suspicious use of SendNotifyMessage (64 IoCs)
  pid 2100  chrome.exe  (64 entries)

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 6124  [email protected]  (2 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
  PID 2100 chrome.exe wrote to memory of 3644 (procid_target 94), 1196 (procid_target 96), 4176 (procid_target 97) and 2448 (procid_target 98); 64 entries in total.
Processes

C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\images (1).jpg"
    PID:2608

C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2100

    C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff764dcc40,0x7fff764dcc4c,0x7fff764dcc58
        PID:3644

    C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1688,i,17727786053816473683,5208500345042902012,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1948 /prefetch:2
        PID:1196

    C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1812,i,17727786053816473683,5208500345042902012,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2032 /prefetch:3
        PID:4176

    C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2216,i,17727786053816473683,5208500345042902012,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2324 /prefetch:8
        PID:2448

    C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3100,i,17727786053816473683,5208500345042902012,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3120 /prefetch:1
        PID:1948

    C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,17727786053816473683,5208500345042902012,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3136 /prefetch:1
        PID:2644

    C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3700,i,17727786053816473683,5208500345042902012,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4572 /prefetch:1
        PID:1092

    C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3692,i,17727786053816473683,5208500345042902012,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4712 /prefetch:8
        PID:4272

    C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4736,i,17727786053816473683,5208500345042902012,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4804 /prefetch:8
        PID:4392

    C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4832,i,17727786053816473683,5208500345042902012,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4768 /prefetch:8
        PID:992

    C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4756,i,17727786053816473683,5208500345042902012,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4680 /prefetch:8
        PID:1784

    C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4436,i,17727786053816473683,5208500345042902012,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5080 /prefetch:1
        PID:3892

    C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5352,i,17727786053816473683,5208500345042902012,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5216 /prefetch:1
        PID:1120

    C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5124,i,17727786053816473683,5208500345042902012,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5484 /prefetch:1
        PID:3136

    C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5128,i,17727786053816473683,5208500345042902012,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4664 /prefetch:1
        PID:3964

    C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3268,i,17727786053816473683,5208500345042902012,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5336 /prefetch:8
        PID:4480

    C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3364,i,17727786053816473683,5208500345042902012,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3372 /prefetch:8
        - Modifies registry class
        PID:4576

    C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=3360,i,17727786053816473683,5208500345042902012,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5292 /prefetch:1
        PID:2136

    C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5104,i,17727786053816473683,5208500345042902012,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3176 /prefetch:8
        PID:5232

    C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5632,i,17727786053816473683,5208500345042902012,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5616 /prefetch:8
        PID:5772

    C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6068,i,17727786053816473683,5208500345042902012,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3300 /prefetch:8
        PID:6040

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
    PID:64

C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
    PID:3200

C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID:532

C:\Users\Admin\AppData\Local\Temp\Temp1_ColorBug.zip\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\Temp1_ColorBug.zip\[email protected]"
    - Adds Run key to start application
    PID:5168

C:\Users\Admin\AppData\Local\Temp\Temp1_ColorBug.zip\[email protected]
    PID:2800

C:\Users\Admin\AppData\Local\Temp\Temp1_ColorBug.zip\[email protected]
    PID:3560

C:\Users\Admin\AppData\Local\Temp\Temp1_000.zip\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\Temp1_000.zip\[email protected]"
    - Enumerates connected drives
    - Sets desktop wallpaper using registry
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:6124

    C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
        PID:4008

        C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im explorer.exe
            - Kills process with taskkill
            PID:4848

        C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im taskmgr.exe
            - Kills process with taskkill
            PID:3212

        C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic useraccount where name='Admin' set FullName='UR NEXT'
            PID:1704

        C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic useraccount where name='Admin' rename 'UR NEXT'
            PID:5544

        C:\Windows\SysWOW64\shutdown.exe
            shutdown /f /r /t 0
            PID:3404

C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa38d0855 /state1:0x41c64e6d
    PID:5724
Network
MITRE ATT&CK Enterprise v15
Downloads