Analysis
-
max time kernel
326s -
max time network
316s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
19-05-2024 19:17
Static task
static1
URLScan task
urlscan1
General
Malware Config
Signatures
-
Drops file in Drivers directory 1 IoCs
Processes:
cmd.exedescription ioc process File opened for modification C:\Windows\System32\drivers\rteth.sys cmd.exe -
Possible privilege escalation attempt 2 IoCs
Processes:
takeown.exeicacls.exepid process 4940 takeown.exe 6136 icacls.exe -
Modifies file permissions 1 TTPs 2 IoCs
Processes:
takeown.exeicacls.exepid process 4940 takeown.exe 6136 icacls.exe -
Drops file in System32 directory 1 IoCs
Processes:
cmd.exedescription ioc process File opened for modification C:\Windows\System32\cjmmco.exe cmd.exe -
Drops file in Program Files directory 1 IoCs
Processes:
chrome.exedescription ioc process File opened for modification C:\Program Files\Google\Chrome\Application\debug.log chrome.exe -
Enumerates system info in registry 2 TTPs 5 IoCs
Processes:
chrome.exemsedge.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe -
Modifies registry class 6 IoCs
Processes:
SearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exemsedge.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\MuiCache SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\MuiCache SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\MuiCache SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\MuiCache SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\MuiCache SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings msedge.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exepid process 3720 msedge.exe 3720 msedge.exe 744 msedge.exe 744 msedge.exe 3756 identity_helper.exe 3756 identity_helper.exe 1860 msedge.exe 1860 msedge.exe 5856 msedge.exe 5856 msedge.exe 6020 msedge.exe 6020 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
Processes:
msedge.exepid process 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
takeown.exedescription pid process Token: SeTakeOwnershipPrivilege 4940 takeown.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
msedge.exechrome.exepid process 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 1168 chrome.exe 1168 chrome.exe 1168 chrome.exe 1168 chrome.exe 1168 chrome.exe 1168 chrome.exe 1168 chrome.exe 1168 chrome.exe 1168 chrome.exe 1168 chrome.exe 1168 chrome.exe 1168 chrome.exe 1168 chrome.exe 1168 chrome.exe -
Suspicious use of SendNotifyMessage 40 IoCs
Processes:
msedge.exechrome.exepid process 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 744 msedge.exe 1168 chrome.exe 1168 chrome.exe 1168 chrome.exe 1168 chrome.exe 1168 chrome.exe 1168 chrome.exe 1168 chrome.exe 1168 chrome.exe 1168 chrome.exe 1168 chrome.exe 1168 chrome.exe 1168 chrome.exe 1168 chrome.exe 1168 chrome.exe 1168 chrome.exe 1168 chrome.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
SearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exepid process 5148 SearchApp.exe 5848 SearchApp.exe 3652 SearchApp.exe 728 SearchApp.exe 5880 SearchApp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msedge.exedescription pid process target process PID 744 wrote to memory of 3608 744 msedge.exe msedge.exe PID 744 wrote to memory of 3608 744 msedge.exe msedge.exe PID 744 wrote to memory of 2260 744 msedge.exe msedge.exe PID 744 wrote to memory of 2260 744 msedge.exe msedge.exe PID 744 wrote to memory of 2260 744 msedge.exe msedge.exe PID 744 wrote to memory of 2260 744 msedge.exe msedge.exe PID 744 wrote to memory of 2260 744 msedge.exe msedge.exe PID 744 wrote to memory of 2260 744 msedge.exe msedge.exe PID 744 wrote to memory of 2260 744 msedge.exe msedge.exe PID 744 wrote to memory of 2260 744 msedge.exe msedge.exe PID 744 wrote to memory of 2260 744 msedge.exe msedge.exe PID 744 wrote to memory of 2260 744 msedge.exe msedge.exe PID 744 wrote to memory of 2260 744 msedge.exe msedge.exe PID 744 wrote to memory of 2260 744 msedge.exe msedge.exe PID 744 wrote to memory of 2260 744 msedge.exe msedge.exe PID 744 wrote to memory of 2260 744 msedge.exe msedge.exe PID 744 wrote to memory of 2260 744 msedge.exe msedge.exe PID 744 wrote to memory of 2260 744 msedge.exe msedge.exe PID 744 wrote to memory of 2260 744 msedge.exe msedge.exe PID 744 wrote to memory of 2260 744 msedge.exe msedge.exe PID 744 wrote to memory of 2260 744 msedge.exe msedge.exe PID 744 wrote to memory of 2260 744 msedge.exe msedge.exe PID 744 wrote to memory of 2260 744 msedge.exe msedge.exe PID 744 wrote to memory of 2260 744 msedge.exe msedge.exe PID 744 wrote to memory of 2260 744 msedge.exe msedge.exe PID 744 wrote to memory of 2260 744 msedge.exe msedge.exe PID 744 wrote to memory of 2260 744 msedge.exe msedge.exe PID 744 wrote to memory of 2260 744 msedge.exe msedge.exe PID 744 wrote to memory of 2260 744 msedge.exe msedge.exe PID 744 wrote to memory of 2260 744 msedge.exe msedge.exe PID 744 wrote to memory of 2260 744 msedge.exe msedge.exe PID 744 wrote to memory of 2260 744 msedge.exe msedge.exe PID 744 wrote to memory of 2260 744 msedge.exe msedge.exe PID 744 wrote to memory of 2260 744 msedge.exe msedge.exe PID 744 wrote to memory of 2260 744 msedge.exe msedge.exe PID 744 wrote to memory of 2260 744 msedge.exe msedge.exe PID 744 wrote to memory of 2260 744 msedge.exe msedge.exe PID 744 wrote to memory of 2260 744 msedge.exe msedge.exe PID 744 wrote to memory of 2260 744 msedge.exe msedge.exe PID 744 wrote to memory of 2260 744 msedge.exe msedge.exe PID 744 wrote to memory of 2260 744 msedge.exe msedge.exe PID 744 wrote to memory of 2260 744 msedge.exe msedge.exe PID 744 wrote to memory of 3720 744 msedge.exe msedge.exe PID 744 wrote to memory of 3720 744 msedge.exe msedge.exe PID 744 wrote to memory of 4972 744 msedge.exe msedge.exe PID 744 wrote to memory of 4972 744 msedge.exe msedge.exe PID 744 wrote to memory of 4972 744 msedge.exe msedge.exe PID 744 wrote to memory of 4972 744 msedge.exe msedge.exe PID 744 wrote to memory of 4972 744 msedge.exe msedge.exe PID 744 wrote to memory of 4972 744 msedge.exe msedge.exe PID 744 wrote to memory of 4972 744 msedge.exe msedge.exe PID 744 wrote to memory of 4972 744 msedge.exe msedge.exe PID 744 wrote to memory of 4972 744 msedge.exe msedge.exe PID 744 wrote to memory of 4972 744 msedge.exe msedge.exe PID 744 wrote to memory of 4972 744 msedge.exe msedge.exe PID 744 wrote to memory of 4972 744 msedge.exe msedge.exe PID 744 wrote to memory of 4972 744 msedge.exe msedge.exe PID 744 wrote to memory of 4972 744 msedge.exe msedge.exe PID 744 wrote to memory of 4972 744 msedge.exe msedge.exe PID 744 wrote to memory of 4972 744 msedge.exe msedge.exe PID 744 wrote to memory of 4972 744 msedge.exe msedge.exe PID 744 wrote to memory of 4972 744 msedge.exe msedge.exe PID 744 wrote to memory of 4972 744 msedge.exe msedge.exe PID 744 wrote to memory of 4972 744 msedge.exe msedge.exe
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/FeltMacaroon389/System32-Deleter/archive/refs/heads/master.zip1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa4a9b46f8,0x7ffa4a9b4708,0x7ffa4a9b47182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,14403225021762947302,2459578922293612541,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,14403225021762947302,2459578922293612541,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,14403225021762947302,2459578922293612541,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14403225021762947302,2459578922293612541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14403225021762947302,2459578922293612541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,14403225021762947302,2459578922293612541,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,14403225021762947302,2459578922293612541,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14403225021762947302,2459578922293612541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14403225021762947302,2459578922293612541,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,14403225021762947302,2459578922293612541,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3404 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14403225021762947302,2459578922293612541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,14403225021762947302,2459578922293612541,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3424 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14403225021762947302,2459578922293612541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14403225021762947302,2459578922293612541,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14403225021762947302,2459578922293612541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6428 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,14403225021762947302,2459578922293612541,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5772 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,14403225021762947302,2459578922293612541,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6444 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\System32-Deleter-master (2)\System32-Deleter-master\death.bat"1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
-
C:\Windows\system32\net.exenet session2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 session3⤵
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32 /r /d y2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32 /grant administrators:F /t2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa3e7fab58,0x7ffa3e7fab68,0x7ffa3e7fab782⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=1864,i,17152551347509981120,11827768827933064539,131072 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1864,i,17152551347509981120,11827768827933064539,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2156 --field-trial-handle=1864,i,17152551347509981120,11827768827933064539,131072 /prefetch:82⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Drops file in Program Files directory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa3e7fab58,0x7ffa3e7fab68,0x7ffa3e7fab782⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa4a9b46f8,0x7ffa4a9b4708,0x7ffa4a9b47182⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD54f7152bc5a1a715ef481e37d1c791959
SHA1c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7
SHA256704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc
SHA5122e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5ea98e583ad99df195d29aa066204ab56
SHA1f89398664af0179641aa0138b337097b617cb2db
SHA256a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6
SHA512e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
255B
MD5d11edf9e08a127c768843acea41d0bc5
SHA1ff1af9b39de4a3f547407fd9864ffdd2bb6c7354
SHA256217e4d9d1412e45abf7a653f72a5ab8b53bc8fc6f377f52a042668a41abc7478
SHA51292c3f0def567b0e2f2523ed25eb9d4abff06070b8be744fea4a6678f25f292439d7bc0c8015eaa6281b7f43149eebb3d3821cd6d6436598481113694b11ddea3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD52a6cfd5cf0e828ac3d2fd42ece9f675b
SHA12bbcb6117a44e131a904b2b537fc6ddd4a321f89
SHA25639b2660b1c8227f823397e6f92fef3f50a3bf8c4060aa17df05f1b81f0be886d
SHA5123194ca07c6f34807ce9e5485a183b744a55520d36ccb49120a246f40f3b87cbe00b18df11d8cdbe278c92ce49f89d3fcf57b50ba8bbd5c480085476227ea64e5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5be8d1db444a77f3b6c0607e691410a50
SHA1d32e4282dae0f0d081ba3e6d54ae7d2242003a7d
SHA25694bf2c864a7f2f40d4db347aa87faf36ddde55e370f361e8cf74c912970a74d1
SHA5123e3f99bb86ea183910def69d2df091ae04df1e5d804216323fcdcf5086d68025fa8476cbd8a50acd963a85472165d2f4bdb4ff221ebe4ad4e4e4c37f7ad15f74
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD59da33518fb8bc01f37d648809bd466f4
SHA1a993ef2d3951591d3d87d5a06d9ab51207d40d2b
SHA256ec02fd39e6e9e8089d09ec1e1f31489344d1c4e95e22405c7461f42f33fce79f
SHA512c3b6004a92439b63f0056d2e1b4f0bb3f441149a00d8da7bd7578e94601f21a44d9c9e7768972182b1c1ea6566d875cfbc89a5e9b23eee59fda6146cb968a034
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD539c7e87aa0161295cde0f8fc1acc79d6
SHA139f37cfadcc12c934a3fdda9cc2fa336f53ecbff
SHA2565e27e3c174c943e92016ed54ce41ee603cd6ca909cce81b27612704580a60242
SHA51203b9f9a1dc89301d68f9b581a69d90d729a683344ca891485937d3dc449fddbba7a93bcd4c4b870e6ff1d9791d3dc06f9cc1cd0739a3b403535505b61ede14b4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
371B
MD5ba0b1d612149d0fe8835260b19c7912c
SHA1badf0cce0ffe921622a7e20a0611a35c410de8af
SHA2564ce1e773e4310c50d322e88773682f2ba79fdba3aca4d624c9103bb3c185f438
SHA51239de374f4deefc72b92a796dfb7ba1368223c10006a93dcd04c799327d4a222071ad3df99490cca904872623ba88496e6bff64c2262c652ca7754ccfef40636b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57a0e3.TMPFilesize
371B
MD54ef9c28730158651eb3126df4398172e
SHA1a388e8f477374cda6cb8956d619b1051a7d13bee
SHA256c9a5ae93b912a7cefa3b2ea96cedd2be1b9f8e58ab4cac6b6768c762d7ebbc3b
SHA512071d9e05667b64d1554da7e0fdddbf5640fbc1e9526ea67975ac61f290e05a1751f30dc9031c0167420123a36d6a5a51125264153e260042b743f0828e2a2ae7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD58a289f9f3a1036b160918af9d4febf41
SHA17edf37a356ffbe99de7c7fefc6be6f7b4f49004e
SHA256eb85a2d885af23801282e005caaa4cc7f96af046c4de7fac285a9a1cb2e3503c
SHA51248eedf632d8ccc9102857c405b04c41bc63006f626d81187b099a97603d798356496cc1a80ee0ffdffac4c83de0ce89e9784d4804da6124e7c14d3d006cd0e14
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD59df6f7fba683cfc34c1efda7ed5268e8
SHA1da318502b605b403f1855adbcd26289bd6d84e93
SHA256f7e93c71007ac1d62ce17279551d5c8bfcc80b826609f72f6490d7f268d761bd
SHA512a05fd99630cb9b0f09a1215dad19c826a1435d4385bdbdccfbd23ee598eb0915cee2fa607f38459d73e2d5479a7cbf8b33beb8ed76c7cf9486c4901487816665
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD58b020bfe49cd1f9b27e734a4aacd664e
SHA1b6e81986f7193003354b459652b781c2404c26c9
SHA25616320e7831b2a206025e8b181dd76d7b3a3a0e23eface85ce0f4b8279fa149b9
SHA512a25e80f7558290b7dd1948ae3fb816987bba38e38e29bdffc2e22a7b235fbc2e22fc6252aa8782c654ec1347e8959a5ee81fd3353002dd079617da9f1de2896c
-
C:\Users\Admin\Downloads\28957934-678f-470e-935d-f0e88374bd37.tmpFilesize
1KB
MD5fb6a568af96caacb10377d05a899f879
SHA1c9a95a016494a0494ea2daa2a5ca7f9870b0602d
SHA256d8983c9331448fdd98cbb7542da300a81cc91bbb4ea1d1f5462d6925bfbf778a
SHA5123a4740eeffd30b9c52a920cfe00a5c9fd9610b12f9102e90cadd022cb884932636d12e02043ac140c12294c5261f09a2b4667485e0476b44a840a82034003135
-
\??\pipe\LOCAL\crashpad_744_HKKABGNHDPNYLBQSMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e