Resubmissions
27/05/2024, 18:30  240527-w5rzgaee33  1
27/05/2024, 18:26  240527-w25q6adb9s  1
27/05/2024, 18:21  240527-wzhhvada8s  1
Analysis
max time kernel: 138s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/05/2024, 18:30
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://tiktokcreativefest.us12.list-manage.com/about?u=eeef216de78b755cfa0f84d31&id=52ef578d63&e=cc1f40a2ba&c=59cbff1bb7
Resource: win10v2004-20240426-en
General
Target: https://tiktokcreativefest.us12.list-manage.com/about?u=eeef216de78b755cfa0f84d31&id=52ef578d63&e=cc1f40a2ba&c=59cbff1bb7
Malware Config
Signatures
Enumerates system info in registry 2 TTPs 3 IoCs
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
- Key created: \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\PhishingFilter (iexplore.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 28d578d41098da01 (iexplore.exe)
Modifies Internet Explorer settings
Modifies data under HKEY_USERS 2 IoCs
- Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry (chrome.exe)
- Set value (int): \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133613082582808704" (chrome.exe)
Modifies registry class 26 IoCs
Suspicious behavior: EnumeratesProcesses 4 IoCs
- 3880 chrome.exe
- 3880 chrome.exe
- 5016 chrome.exe
- 5016 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
- 3972 OpenWith.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
- 3880 chrome.exe
- 3880 chrome.exe
- 3880 chrome.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 37 IoCs
Suspicious use of SendNotifyMessage 24 IoCs
Suspicious use of SetWindowsHookEx 49 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://tiktokcreativefest.us12.list-manage.com/about?u=eeef216de78b755cfa0f84d31&id=52ef578d63&e=cc1f40a2ba&c=59cbff1bb7
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 3880

  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ffab1d4ab58,0x7ffab1d4ab68,0x7ffab1d4ab78
  PID: 2396

  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1692 --field-trial-handle=1892,i,470026468726252456,7392706169613070617,131072 /prefetch:2
  PID: 1552

  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1892,i,470026468726252456,7392706169613070617,131072 /prefetch:8
  PID: 2376

  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2188 --field-trial-handle=1892,i,470026468726252456,7392706169613070617,131072 /prefetch:8
  PID: 4992

  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1892,i,470026468726252456,7392706169613070617,131072 /prefetch:1
  PID: 4584

  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=1892,i,470026468726252456,7392706169613070617,131072 /prefetch:1
  PID: 2272

  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4580 --field-trial-handle=1892,i,470026468726252456,7392706169613070617,131072 /prefetch:8
  PID: 5052

  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 --field-trial-handle=1892,i,470026468726252456,7392706169613070617,131072 /prefetch:8
  PID: 220

  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3936 --field-trial-handle=1892,i,470026468726252456,7392706169613070617,131072 /prefetch:1
  PID: 3176

  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 --field-trial-handle=1892,i,470026468726252456,7392706169613070617,131072 /prefetch:8
  PID: 4868

  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5260 --field-trial-handle=1892,i,470026468726252456,7392706169613070617,131072 /prefetch:2
  - Suspicious behavior: EnumeratesProcesses
  PID: 5016

  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5072 --field-trial-handle=1892,i,470026468726252456,7392706169613070617,131072 /prefetch:8
  PID: 684

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
PID: 3732

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID: 3972

  C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\TikTok_Creative_Fest_2024.vcf
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID: 456

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:456 CREDAT:17410 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID: 2144

    C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\TikTok_Creative_Fest_2024.vcf
    - Modifies Internet Explorer settings
    PID: 3972

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:456 CREDAT:82948 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID: 5048

Network
MITRE ATT&CK Enterprise v15
Downloads