Analysis
-
max time kernel
129s -
max time network
147s -
platform
windows11-21h2_x64 -
resource
win11-20240508-en -
resource tags
-
submitted
23-05-2024 01:47
General
-
Target
test.exe
-
Size
75KB
-
MD5
07202b2ac038a5853ee4fb88dcb9a899
-
SHA1
1cbe3734d3594cd2430e699e63972da458562dd3
-
SHA256
90cee64c0da47de7b66c5f50120051e3797f14c5609aea1c5e1aaf10e10537a8
-
SHA512
75c79157f14bb226ea3fedc011e79bfd57aed6a94f1a97c518755289da6bbcb9eeeeb327d45e70ed1e7d69e24a863f76ad0fc78dda593817b513c678de10c0c5
-
SSDEEP
1536:GOXQrSji6XN9+GVqQ7zgN9ebqvjoJExemwHX9TM:GOXQA+QqQfgNY0emcQ
Malware Config
Signatures
-
Disables Task Manager via registry modification
-
Modifies Installed Components in the registry 2 TTPs 6 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops desktop.ini file(s) 8 IoCs
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 1 IoCs
-
Drops file in Windows directory 4 IoCs
-
Checks SCSI registry key(s) 3 TTPs 58 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 10 IoCs
-
Kills process with taskkill 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 5 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 64 IoCs
-
Modifies registry key 1 TTPs 5 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 15 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4371.tmp\test.bat" "C:\Users\Admin\AppData\Local\Temp\test.exe""2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /im explorer.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exeReg Delete HKLM\System\CurrentControlSet\Control\SafeBoot /f3⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Win32 /t REG_SZ /d C:\Windows\Win32.exe /f3⤵
- Adds Run key to start application
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f3⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg Delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f3⤵
- Adds Run key to start application
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f3⤵
- Modifies registry key
-
C:\Windows\explorer.exeexplorer.exe3⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"4⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ffb0b53ab58,0x7ffb0b53ab68,0x7ffb0b53ab785⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1952,i,5875792435641966512,2146807173682813235,131072 /prefetch:25⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1892 --field-trial-handle=1952,i,5875792435641966512,2146807173682813235,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2208 --field-trial-handle=1952,i,5875792435641966512,2146807173682813235,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1952,i,5875792435641966512,2146807173682813235,131072 /prefetch:15⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3196 --field-trial-handle=1952,i,5875792435641966512,2146807173682813235,131072 /prefetch:15⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4272 --field-trial-handle=1952,i,5875792435641966512,2146807173682813235,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4396 --field-trial-handle=1952,i,5875792435641966512,2146807173682813235,131072 /prefetch:15⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4392 --field-trial-handle=1952,i,5875792435641966512,2146807173682813235,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4724 --field-trial-handle=1952,i,5875792435641966512,2146807173682813235,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4872 --field-trial-handle=1952,i,5875792435641966512,2146807173682813235,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4088 --field-trial-handle=1952,i,5875792435641966512,2146807173682813235,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5112 --field-trial-handle=1952,i,5875792435641966512,2146807173682813235,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4684 --field-trial-handle=1952,i,5875792435641966512,2146807173682813235,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 --field-trial-handle=1952,i,5875792435641966512,2146807173682813235,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4572 --field-trial-handle=1952,i,5875792435641966512,2146807173682813235,131072 /prefetch:85⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3992 --field-trial-handle=1952,i,5875792435641966512,2146807173682813235,131072 /prefetch:15⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"4⤵
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb0b53ab58,0x7ffb0b53ab68,0x7ffb0b53ab785⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1660 --field-trial-handle=1796,i,17740193254670485371,15512267208138581301,131072 /prefetch:25⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2020 --field-trial-handle=1796,i,17740193254670485371,15512267208138581301,131072 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb11943cb8,0x7ffb11943cc8,0x7ffb11943cd85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1712,5621770880440879954,10492324106992346996,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1808 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1712,5621770880440879954,10492324106992346996,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2020 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1712,5621770880440879954,10492324106992346996,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,5621770880440879954,10492324106992346996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,5621770880440879954,10492324106992346996,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,5621770880440879954,10492324106992346996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,5621770880440879954,10492324106992346996,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4596 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1712,5621770880440879954,10492324106992346996,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,5621770880440879954,10492324106992346996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4532 /prefetch:15⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\BackupLock.ps1xml4⤵
- Opens file in notepad (likely ransom note)
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\FormatBlock.gif4⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\FormatBlock.gif4⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows Media Player\setup_wm.exe"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\unregmp2.exeC:\Windows\system32\unregmp2.exe /ShowWMP /SetShowState /CreateMediaLibrary3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\unregmp2.exe"C:\Windows\SysNative\unregmp2.exe" /ShowWMP /SetShowState /CreateMediaLibrary /REENTRANT4⤵
- Modifies Installed Components in the registry
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies registry class
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Relaunch /Play C:\Users\Admin\Desktop\UseStart.wmx3⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Modifies registry class
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\unregmp2.exe"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\unregmp2.exe"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost1⤵
- Drops file in Windows directory
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5811ed37212cae623870eda23960543e0
SHA137f3067e983fccd27048480e03a0b9ff39851e38
SHA256d3cc4d06e5bfc8087a4d6476daa82117677043fb8ef75f5862138cc5ab52b830
SHA5120578001e4cbcf63860f583faa2d61493c082b99f43a97537cf3d1377aa85d4d02ef0a472c9a7553ae90e145eaed3c65283b509d85bf1421e534d2828dcc758ac
-
Filesize
352B
MD51578e75dc45a7bf1d7705c2a49b0532e
SHA16fd493e8b3322a961474f619f69fce57a5ac271a
SHA2569cb8c828f1cd7730f0049de9b92a246f163165068386619ba5f0d1bdb0cffd69
SHA512075d223f451fc0e529da0912285b02ddc5f91e26999d1b0cb29681ec1329dd14101bdc02f8cd6bbfe87649d8b349aca0a41241b3c8dbc4cbfc792c3d45033d01
-
Filesize
40B
MD5bbdce7283f8c8e7d66ccf5cba06bcfdd
SHA1c2e2d0145906f8992455ad7819275db251f1a482
SHA256ac592c3e751c5521f73447f2f32b6d4fda91635f349431f89f975c1e3208537e
SHA512b8fa50f8201bdbf43b9065e9a9f0ce5cc1a182ab5da6ce275afe823b3ea4cca84c7c43e7e09ec47523fda2013c8af5081656378326cc148c89eded6dd62e0a37
-
Filesize
1KB
MD51d7d06faefbe66787e3169cf3f8ef0a8
SHA1367525651c38e2ba0bca0ce67b8c2a10d2d7e6b9
SHA2562cdb9d1351ca4c95218dfb4d6b9c8e05747d08f915cfd3c4d5c0d65d028d2c6e
SHA5122dd8c3708f197428694c6f31d31b083f36f6f6f9f8afa206515696325099a2c93d471eac94d206165901f825be49ed8287c6680aadcafc5a81fc7352097f45e7
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
356B
MD5825a0a0c7177b569f9752d96fa315c10
SHA194e5ab040c51805622a03d30624ed59b00538f8e
SHA256beb739a2a7fdd284f5f3dee5b429dafb0fe1adc45c98ee4e222ae10a478b05e6
SHA512da4ef65c3f2ad5287e8fca0a4248ff1bae98ba1976008c27e8bc6898489bb4bc4d27d3373a16159e0f2150e5d5d15f4a82c84c17a74a367e8a839273764d9d88
-
Filesize
6KB
MD5abb1fc4377239f947d40add4699c34ab
SHA15ebc46d703cbfb4db97dd9cf64fc58aa1afb212b
SHA256463c5f52c80ad4d7e3354ee5507a1643ba1f69d2dbbb3ea9513c4ea7e6fd1e78
SHA5129d03feac3faf4c73b40bbe5bc6f668ec36417a1b3a12ac450486959d2ecd6093be781c7a00c0a89196c5ae4525a6913b67e0653ffb932ed4224644b4b8a88570
-
Filesize
16KB
MD5173bd3c3aa6a074796d07d6ed5ad6a61
SHA1ff0362dfbb1b4b40d7e27c5cac3f8ee6e4449c0a
SHA2568455121ebe09050d14699a52e26ce179ab3fd65735c88aab131dae43d975f2c9
SHA5126d743a4dd517632251239a9c522788a7e2bc0271c2b3957aeeea1a9ca5138ed0f48ec8b0469d22f00554c66c153ec525adc471fc4abae125e02a0ff0230a99e1
-
Filesize
129KB
MD5e41ab1a8950c7f62dd46cee5bd0e32c6
SHA1d58bb5b1fec5efc96bc57aae0e94de46d6cac0d2
SHA2567d62699e868c4c73eb5a1b14b9f78bef49025c5b1aa55df9c520fa7e058efc6d
SHA5121f7b5fa754ebe9b777753cfe7f6cae8c744355b4951b3fd4561f49cfdf6c18ce65db78c46fe730014ac0a993ac789da247aa39f3510b9dfdf7a11094efeb0e64
-
Filesize
260KB
MD5e833d58138d8d35b5c64c877ab8fcb15
SHA1632a8dbdddd223d3c1d745bf679a70540a68171a
SHA256a83834e4d7368d627351938a777e5026a04eaf3bfb04b213a185497f264e8a6f
SHA512dfe825ea936b147c2b84a1094b1a0c3cc436cd116826714d524e2eda41408e956100fabdfd24e5b039004d2cefe4bda73aab5b8f2c22e0a7f95f0e29e0b76813
-
Filesize
260KB
MD515635dfdd84f4c69d7eb0fa2e77ff771
SHA19b4520f1e409492d05e70562b74b4bab759b9334
SHA2560d67bb12405ffe0407f63525345b703203bb130833d870fb350211f6649791f4
SHA512146cd72fec357b7255c8cdd6b9affd16a5e8a480442996f929715dace555efc59f5234582663d884244081823074d86e609fece6f671e12e7f58831e5e06fccd
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
86B
MD5f732dbed9289177d15e236d0f8f2ddd3
SHA153f822af51b014bc3d4b575865d9c3ef0e4debde
SHA2562741df9ee9e9d9883397078f94480e9bc1d9c76996eec5cfe4e77929337cbe93
SHA512b64e5021f32e26c752fcba15a139815894309b25644e74ceca46a9aa97070bca3b77ded569a9bfd694193d035ba75b61a8d6262c8e6d5c4d76b452b38f5150a4
-
Filesize
85B
MD5bc6142469cd7dadf107be9ad87ea4753
SHA172a9aa05003fab742b0e4dc4c5d9eda6b9f7565c
SHA256b26da4f8c7e283aa74386da0229d66af14a37986b8ca828e054fc932f68dd557
SHA51247d1a67a16f5dc6d50556c5296e65918f0a2fcad0e8cee5795b100fe8cd89eaf5e1fd67691e8a57af3677883a5d8f104723b1901d11845b286474c8ac56f6182
-
Filesize
152B
MD58294f1821fd3419c0a42b389d19ecfc6
SHA1cd4982751377c2904a1d3c58e801fa013ea27533
SHA25692a96c9309023c8b9e1396ff41f7d9d3ff8a3687972e76b9ebd70b04e3bf223a
SHA512372d369f7ad1b0e07200d3aa6b2cfce5beafa7a97f63932d4c9b3b01a0e8b7eb39881867f87ded55a9973abea973b2d2c9b6fc4892f81cec644702b9edb1566d
-
Filesize
152B
MD5390187670cb1e0eb022f4f7735263e82
SHA1ea1401ccf6bf54e688a0dc9e6946eae7353b26f1
SHA2563e6c56356d6509a3fd4b2403555be55e251f4a962379b29735c1203e57230947
SHA512602f64d74096d4fb7a23b23374603246d42b17cc854835e3b2f4d464997b73f289a3b40eb690e3ee707829d4ff886865e982f72155d96be6bc00166f44878062
-
Filesize
5KB
MD5434d1a48ed5d08ec35862ab267a74ffb
SHA165d0c1fafd1a5a2593173988e99441139a85a5f3
SHA256d5fd63cd09dca2bedfe48489227ff0bb0d1e11f327f30e9d738bad9f9457e645
SHA5128e6d1bcad39c3b9c03a36bf30ed8881719c580b30c6057ce5c8ccade489f1336de55b73d6aa347057db1118fea1bfb119e4e33e54602c794cd8c8666ea932c3b
-
Filesize
5KB
MD505b22f8bf7bfb0aee4662500e870ba0e
SHA1f76d9c9d90c1d18a965f8d6d66a46bfee38a61f1
SHA25614a903cb988561884686d9a88d34f52ed2ac3a21e7b865861d17181b27b9c380
SHA5125d80cfc72a77e7cde22a482c2c76787ff5ce71d46ea890262cb8ea26d6f0ec4c02db99c97921fdeb5a603469759fa3134a5ddc3c008777dec57a8dd7b91f0c1a
-
Filesize
5KB
MD5a3fcc4b388c83f0a3edc27b60774a596
SHA1bd470903cf5c8f82259b382dc11ced9db7dfcb07
SHA256116ab365afeb9fded2e7fed5b854e75546af77475de555394805e7a9e9363632
SHA51285dfac4400b2b5e5e1d6696ec9e514dd2c781e1a9da2645b6c267c12dbbab6ea877f45090801ca6bd4b88d3b357e54c1e867dbd699d5d5bff527c25f2bf2cd5a
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
11KB
MD5b5115cd9781ed50755fa60b9c825ffe5
SHA1e32dd907b99cb9a290448d914a0f8c1e30c712d4
SHA256ff590eadb6042b5faa2f37e8c2dca83367cebda577dd6526d001e3c485a83617
SHA512753a33eb83fcde28760c894ae1b048af7d78db3f27202bbcec7cc4224f0fd064ad54fe4b1b46fb59821887a0ff5c8684ebc98680d67149542635715a98aafd93
-
Filesize
11KB
MD5adc9f849476e1a37b53a60898e753c5b
SHA14617191a62c4f5829be482f23b81b354c3a7d80b
SHA256371bf0070a1a881f58a9effcd4e1283b9f18c10582a08ec8c335a0b5ce7035f6
SHA512e76a46d3800234534baa01aca2509d0111b6d347d10ffef11c6e5ab64e21dac917c2c31df784b4d6cf1b0476f4bf475d7bad9b04f6445882a96ba12158a10946
-
Filesize
384KB
MD573c977ca318631b8c4d95e28c39bb5d0
SHA180584b42372b68106dcb7129b9170f2812c9aa19
SHA256c7acd1ea7e5a018d5d820d4948fa89512a6b65c68c6973b3104dab53ce5a1c93
SHA5128733c4714898be64d59d3526385c36dd7a2f8463a572c217cebd75e6c3dda1a75e6bec006ec25e46a1b2aad45c38c469b27b87e1464efaa81517f4a3c151d800
-
Filesize
1024KB
MD5f7d9993de4e28748a239cb7a700fc7e5
SHA15591c6c855b41344e33e0b69f8ff1aad18fa5238
SHA2562195f1563d1ced44b6953ff7986a349c1cd0337b9c926de40723a796a5851273
SHA5127a048cb62663bbc6f5672b183b168e6a9beb3f2ab9bc99b0e2524ed58f64671fa47b23478a3881fe4329cdb65028caa6f4641ea1890ca9a908212529ae1e68c0
-
Filesize
68KB
MD56c7490a69bebaa31618b00cfd94edf4f
SHA15c302519a0dcf792ab98f75b2780da118af73345
SHA2561f93706f2769f8a68ae841894a53828304304a8cc058e72c0b239adb98692729
SHA5121941f244e56dd4542c1e752f1010edc453575d99e79bc8feaf71c83e165f2fab13478a141ff8b9fffe11ac6b7c4fbba110c22945128cc77da2edfb01831db9aa
-
Filesize
9KB
MD57050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
Filesize
14KB
MD57829ba3271f0d2bfa095bf21370f0c39
SHA16cc39f67b99123191ac8b2da12f9f0b7fa20a4ff
SHA2565decd12c280ee131743bcd98f85f0ad5128d1012667b925a759d1c910153d56c
SHA512ba677d57b51d7ddb253fe6d440520062dba220480af086a031b93a5e4be69cbf2d665445bf76b95633f6605f6dec024d10e79a65d8940e6386292e8e73537f9f
-
Filesize
2KB
MD569bf719562c610cac0ace804bc6bee85
SHA189cc11b7c623c8a14c4f87b695c26505190c6fc2
SHA256eff1d01142e5bbcab369c0d26e38524d1e0f9316fc5737ed4d3bc68604815529
SHA512316449084c74a895ad0a44b44b406d28005c77be02c3bbeb4da13dd3ed73b942b1b8ee7db99c06db9abb2a5365844e3f92b7503982e5ca40fa9176ba47a050a0
-
Filesize
17KB
MD58ee7e66e545945504d7eae3ebbfe29b7
SHA1918125eeae5cdbb323cbd0e070a4b8ee362933dc
SHA256fdd9d1afdb310d3b302c6b7763900d3ba7893a6a70392bd7e0f872db868cfa08
SHA512e6c7360652c1753c4e10c26846dc8c08a76a3fab3270f81ecede40ea58cada665c998546f49af7522014bec8e4d2c54e26814bb25ef33261c2e58cd876a6d45a
-
Filesize
25KB
MD5ec9ae899461b8d69a9ccfef9bbd88558
SHA108d42acf6cebd8d025565f38efc55f240cb2d228
SHA2569aa85debb1606e929f94adb802f75cc10c65d13b313dabd3e216734b5d27c8a1
SHA512ae6c4fc095d574095b011c68ca37f737e69d970b94a46fe24f0c6e0e09e95be0a8a19528539b95d8fbadf245548eb24cab31d1af9d91a9990c9689870e07bf25
-
Filesize
1KB
MD53423bfcd5d796f351d6877277656dce0
SHA1fd97b809225bd6410667ef6186b9b65632566a99
SHA25683a6299c3d4dcb0a864de86be96059106125204e949098d4c718f5312496b47c
SHA5128af1c2c263d6385beda9e213988447dd1b79223ee286fec849d067fa0d4950af8cfafdf47812c59723558f1f28b693e077edc61308c9859d33f9e2838c4ddde6
-
Filesize
1KB
MD5dfdc12fc8cd8534f6697a9af9a441d59
SHA115dd6989b3a9e3a57f47e407ac84cd516fdc4104
SHA2566c480349dd2eaee6e90b172e11b3619196f4199b9abcbbd839bc8b7f449eb930
SHA512ff4b37c4a6a48f15d6dd28c1228581d87e1e769220e67c9d239c37da2d8734fa3600b7c1170e9cb0786702d26c2a33a6ffc1f2d737a82076d6b1994ec6e1b3e7
-
Filesize
2KB
MD5ece94205300d943b349d466ed0bec124
SHA19a34a9531ed59536c63d2ca0d4f0a6f27bef66d4
SHA256e01855c787ab974b54f2e45e4f7e6ac2dc8713f6f740ced27a1c1e05ea521217
SHA5122cdba40edb5c10206f2e3201ecd7409055a8b47a8763331802a92c91600f93caca615b070156ddc2720ef3864a229c7598c42f8cc872d39c8072ecf30f4522b5
-
Filesize
7KB
MD59e9db3d436688ebe64090e3c2aee1e66
SHA1973fc21b16f9e098a7f9d658ce692d835b32f534
SHA256d9af9091d3e705316dbcfd36a8271f084d1de210cac27d49fcad80e6ac74f57c
SHA512f8424205006a8734153105e4e01aa493a94f5bd9e69f305055a09ba5b51c3595b8a78f106fc954a81d79b8d4ccc220af81abd08079a50107049c1f6c504ce46a
-
Filesize
7KB
MD5d990d440566cc02e2fa7ce11408357df
SHA12d774a2715ea26ba73fe75719c95459a6f340413
SHA256d65c3f39cac9f2d1a8a14d9e92072e364dcea13ae45b9bd9f3f10b454765bbe4
SHA51267bf1650b60e65c959a413598165ddecd7690cd35917765519efa0bcde9fa2527510a4fdc67544c6e35521f6fb3a54e01e5fe5d98876c0d8c56bcac5a25304f0
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
128KB
-
Filesize
1024KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
128KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB