Overview
overview
8Static
static
3MeetOne.exe
windows7-x64
7MeetOne.exe
windows10-2004-x64
$PLUGINSDI...er.dll
windows7-x64
1$PLUGINSDI...er.dll
windows10-2004-x64
1$PLUGINSDI...ls.dll
windows7-x64
3$PLUGINSDI...ls.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...ll.dll
windows7-x64
3$PLUGINSDI...ll.dll
windows10-2004-x64
3LICENSES.c...m.html
windows7-x64
1LICENSES.c...m.html
windows10-2004-x64
1MeetOne.exe
windows10-2004-x64
d3dcompiler_47.dll
windows10-2004-x64
1ffmpeg.dll
windows10-2004-x64
1libEGL.dll
windows10-2004-x64
1libGLESv2.dll
windows10-2004-x64
1resources/elevate.exe
windows7-x64
1resources/elevate.exe
windows10-2004-x64
1vk_swiftshader.dll
windows10-2004-x64
1vulkan-1.dll
windows10-2004-x64
1$PLUGINSDI...ec.dll
windows7-x64
3$PLUGINSDI...ec.dll
windows10-2004-x64
3$PLUGINSDI...7z.dll
windows7-x64
3$PLUGINSDI...7z.dll
windows10-2004-x64
3$R0/Uninst...ne.exe
windows7-x64
7$R0/Uninst...ne.exe
windows10-2004-x64
7$PLUGINSDI...ls.dll
windows7-x64
3$PLUGINSDI...ls.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...ll.dll
windows7-x64
3Analysis
-
max time kernel
30s -
max time network
38s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
28/05/2024, 14:40
Static task
static1
Behavioral task
behavioral1
Sample
MeetOne.exe
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral2
Sample
MeetOne.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/SpiderBanner.dll
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/SpiderBanner.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral8
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$PLUGINSDIR/WinShell.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral10
Sample
$PLUGINSDIR/WinShell.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
LICENSES.chromium.html
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral12
Sample
LICENSES.chromium.html
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
MeetOne.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral14
Sample
d3dcompiler_47.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
ffmpeg.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral16
Sample
libEGL.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
libGLESv2.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral18
Sample
resources/elevate.exe
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral19
Sample
resources/elevate.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral20
Sample
vk_swiftshader.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
vulkan-1.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral22
Sample
$PLUGINSDIR/nsExec.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral23
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral24
Sample
$PLUGINSDIR/nsis7z.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral25
Sample
$PLUGINSDIR/nsis7z.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral26
Sample
$R0/Uninstall MeetOne.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral27
Sample
$R0/Uninstall MeetOne.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral28
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral29
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral30
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral31
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral32
Sample
$PLUGINSDIR/WinShell.dll
Resource
win7-20240508-en
windows7-x64
Errors
General
-
Target
MeetOne.exe
-
Size
168.8MB
-
MD5
e3b0d01a5646b026f032438088b5fd05
-
SHA1
d9cf53bbbd741a5169d75bbdbfce08c6208b61f5
-
SHA256
fa4515eee5962c44c6814402918350cd26c8ec81dc8b07f694217d5573cf5d16
-
SHA512
e20c89111ccd08cd5319b3d839ad8d71b1a47a77167f80bcd9d22e28764b994f45339221eb4bb0afd45e91ca86173091e0b9573b4e564cdd93f98add105ed2cc
-
SSDEEP
1572864:u/GY26JpMEtwq2siQtkHZMTwpNUdYHAMRe845LgwECbnEVrsa0pHMDAyAabm:WbxK4byAa
Malware Config
Signatures
-
pid Process 2236 powershell.exe 8 powershell.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation MeetOne.exe Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation MeetOne.exe -
Executes dropped EXE 2 IoCs
pid Process 2904 MicrosoftRuntimeComponentsX86.exe 1344 UpdateMO.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Path = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UpdateMO.exe" UpdateMO.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: MicrosoftRuntimeComponentsX86.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 43 api.db-ip.com 44 api.db-ip.com -
Checks processor information in registry 2 TTPs 7 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz MeetOne.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString MeetOne.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 MeetOne.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 MeetOne.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz MeetOne.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString MeetOne.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 MeetOne.exe -
Modifies data under HKEY_USERS 15 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "159" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe -
Suspicious behavior: EnumeratesProcesses 33 IoCs
pid Process 2236 powershell.exe 2236 powershell.exe 2236 powershell.exe 8 powershell.exe 8 powershell.exe 8 powershell.exe 2904 MicrosoftRuntimeComponentsX86.exe 2904 MicrosoftRuntimeComponentsX86.exe 2904 MicrosoftRuntimeComponentsX86.exe 2904 MicrosoftRuntimeComponentsX86.exe 2904 MicrosoftRuntimeComponentsX86.exe 2904 MicrosoftRuntimeComponentsX86.exe 2904 MicrosoftRuntimeComponentsX86.exe 2904 MicrosoftRuntimeComponentsX86.exe 2904 MicrosoftRuntimeComponentsX86.exe 2904 MicrosoftRuntimeComponentsX86.exe 2904 MicrosoftRuntimeComponentsX86.exe 2904 MicrosoftRuntimeComponentsX86.exe 2904 MicrosoftRuntimeComponentsX86.exe 2904 MicrosoftRuntimeComponentsX86.exe 2904 MicrosoftRuntimeComponentsX86.exe 2904 MicrosoftRuntimeComponentsX86.exe 2904 MicrosoftRuntimeComponentsX86.exe 2904 MicrosoftRuntimeComponentsX86.exe 2904 MicrosoftRuntimeComponentsX86.exe 2904 MicrosoftRuntimeComponentsX86.exe 2904 MicrosoftRuntimeComponentsX86.exe 2904 MicrosoftRuntimeComponentsX86.exe 2904 MicrosoftRuntimeComponentsX86.exe 2904 MicrosoftRuntimeComponentsX86.exe 2904 MicrosoftRuntimeComponentsX86.exe 2904 MicrosoftRuntimeComponentsX86.exe 2904 MicrosoftRuntimeComponentsX86.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 4628 MeetOne.exe Token: SeCreatePagefilePrivilege 4628 MeetOne.exe Token: SeShutdownPrivilege 4628 MeetOne.exe Token: SeCreatePagefilePrivilege 4628 MeetOne.exe Token: SeShutdownPrivilege 4628 MeetOne.exe Token: SeCreatePagefilePrivilege 4628 MeetOne.exe Token: SeShutdownPrivilege 4628 MeetOne.exe Token: SeCreatePagefilePrivilege 4628 MeetOne.exe Token: SeShutdownPrivilege 4628 MeetOne.exe Token: SeCreatePagefilePrivilege 4628 MeetOne.exe Token: SeShutdownPrivilege 4628 MeetOne.exe Token: SeCreatePagefilePrivilege 4628 MeetOne.exe Token: SeShutdownPrivilege 4628 MeetOne.exe Token: SeCreatePagefilePrivilege 4628 MeetOne.exe Token: SeShutdownPrivilege 4628 MeetOne.exe Token: SeCreatePagefilePrivilege 4628 MeetOne.exe Token: SeShutdownPrivilege 4628 MeetOne.exe Token: SeCreatePagefilePrivilege 4628 MeetOne.exe Token: SeShutdownPrivilege 4628 MeetOne.exe Token: SeCreatePagefilePrivilege 4628 MeetOne.exe Token: SeDebugPrivilege 2236 powershell.exe Token: SeShutdownPrivilege 4628 MeetOne.exe Token: SeCreatePagefilePrivilege 4628 MeetOne.exe Token: SeShutdownPrivilege 4628 MeetOne.exe Token: SeCreatePagefilePrivilege 4628 MeetOne.exe Token: SeShutdownPrivilege 4628 MeetOne.exe Token: SeCreatePagefilePrivilege 4628 MeetOne.exe Token: SeShutdownPrivilege 4628 MeetOne.exe Token: SeCreatePagefilePrivilege 4628 MeetOne.exe Token: SeShutdownPrivilege 4628 MeetOne.exe Token: SeCreatePagefilePrivilege 4628 MeetOne.exe Token: SeShutdownPrivilege 4628 MeetOne.exe Token: SeCreatePagefilePrivilege 4628 MeetOne.exe Token: SeShutdownPrivilege 4628 MeetOne.exe Token: SeCreatePagefilePrivilege 4628 MeetOne.exe Token: SeShutdownPrivilege 4628 MeetOne.exe Token: SeCreatePagefilePrivilege 4628 MeetOne.exe Token: SeShutdownPrivilege 4628 MeetOne.exe Token: SeCreatePagefilePrivilege 4628 MeetOne.exe Token: SeShutdownPrivilege 4628 MeetOne.exe Token: SeCreatePagefilePrivilege 4628 MeetOne.exe Token: SeShutdownPrivilege 4628 MeetOne.exe Token: SeCreatePagefilePrivilege 4628 MeetOne.exe Token: SeIncreaseQuotaPrivilege 3324 wmic.exe Token: SeSecurityPrivilege 3324 wmic.exe Token: SeTakeOwnershipPrivilege 3324 wmic.exe Token: SeLoadDriverPrivilege 3324 wmic.exe Token: SeSystemProfilePrivilege 3324 wmic.exe Token: SeSystemtimePrivilege 3324 wmic.exe Token: SeProfSingleProcessPrivilege 3324 wmic.exe Token: SeIncBasePriorityPrivilege 3324 wmic.exe Token: SeCreatePagefilePrivilege 3324 wmic.exe Token: SeBackupPrivilege 3324 wmic.exe Token: SeRestorePrivilege 3324 wmic.exe Token: SeShutdownPrivilege 3324 wmic.exe Token: SeDebugPrivilege 3324 wmic.exe Token: SeSystemEnvironmentPrivilege 3324 wmic.exe Token: SeRemoteShutdownPrivilege 3324 wmic.exe Token: SeUndockPrivilege 3324 wmic.exe Token: SeManageVolumePrivilege 3324 wmic.exe Token: 33 3324 wmic.exe Token: 34 3324 wmic.exe Token: 35 3324 wmic.exe Token: 36 3324 wmic.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1500 LogonUI.exe -
Suspicious use of WriteProcessMemory 48 IoCs
description pid Process procid_target PID 4628 wrote to memory of 5096 4628 MeetOne.exe 88 PID 4628 wrote to memory of 5096 4628 MeetOne.exe 88 PID 4628 wrote to memory of 2572 4628 MeetOne.exe 89 PID 4628 wrote to memory of 2572 4628 MeetOne.exe 89 PID 4628 wrote to memory of 2572 4628 MeetOne.exe 89 PID 4628 wrote to memory of 2572 4628 MeetOne.exe 89 PID 4628 wrote to memory of 2572 4628 MeetOne.exe 89 PID 4628 wrote to memory of 2572 4628 MeetOne.exe 89 PID 4628 wrote to memory of 2572 4628 MeetOne.exe 89 PID 4628 wrote to memory of 2572 4628 MeetOne.exe 89 PID 4628 wrote to memory of 2572 4628 MeetOne.exe 89 PID 4628 wrote to memory of 2572 4628 MeetOne.exe 89 PID 4628 wrote to memory of 2572 4628 MeetOne.exe 89 PID 4628 wrote to memory of 2572 4628 MeetOne.exe 89 PID 4628 wrote to memory of 2572 4628 MeetOne.exe 89 PID 4628 wrote to memory of 2572 4628 MeetOne.exe 89 PID 4628 wrote to memory of 2572 4628 MeetOne.exe 89 PID 4628 wrote to memory of 2572 4628 MeetOne.exe 89 PID 4628 wrote to memory of 2572 4628 MeetOne.exe 89 PID 4628 wrote to memory of 2572 4628 MeetOne.exe 89 PID 4628 wrote to memory of 2572 4628 MeetOne.exe 89 PID 4628 wrote to memory of 2572 4628 MeetOne.exe 89 PID 4628 wrote to memory of 2572 4628 MeetOne.exe 89 PID 4628 wrote to memory of 2572 4628 MeetOne.exe 89 PID 4628 wrote to memory of 2572 4628 MeetOne.exe 89 PID 4628 wrote to memory of 2572 4628 MeetOne.exe 89 PID 4628 wrote to memory of 2572 4628 MeetOne.exe 89 PID 4628 wrote to memory of 2572 4628 MeetOne.exe 89 PID 4628 wrote to memory of 2572 4628 MeetOne.exe 89 PID 4628 wrote to memory of 2572 4628 MeetOne.exe 89 PID 4628 wrote to memory of 2572 4628 MeetOne.exe 89 PID 4628 wrote to memory of 2572 4628 MeetOne.exe 89 PID 4628 wrote to memory of 1208 4628 MeetOne.exe 90 PID 4628 wrote to memory of 1208 4628 MeetOne.exe 90 PID 4628 wrote to memory of 4700 4628 MeetOne.exe 92 PID 4628 wrote to memory of 4700 4628 MeetOne.exe 92 PID 4628 wrote to memory of 736 4628 MeetOne.exe 95 PID 4628 wrote to memory of 736 4628 MeetOne.exe 95 PID 736 wrote to memory of 2236 736 cmd.exe 97 PID 736 wrote to memory of 2236 736 cmd.exe 97 PID 2236 wrote to memory of 2904 2236 powershell.exe 98 PID 2236 wrote to memory of 2904 2236 powershell.exe 98 PID 2904 wrote to memory of 8 2904 MicrosoftRuntimeComponentsX86.exe 99 PID 2904 wrote to memory of 8 2904 MicrosoftRuntimeComponentsX86.exe 99 PID 2904 wrote to memory of 3324 2904 MicrosoftRuntimeComponentsX86.exe 100 PID 2904 wrote to memory of 3324 2904 MicrosoftRuntimeComponentsX86.exe 100 PID 8 wrote to memory of 1344 8 powershell.exe 103 PID 8 wrote to memory of 1344 8 powershell.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\MeetOne.exe"C:\Users\Admin\AppData\Local\Temp\MeetOne.exe"1⤵
- Checks computer location settings
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4628 -
C:\Users\Admin\AppData\Local\Temp\MeetOne.exeC:\Users\Admin\AppData\Local\Temp\MeetOne.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\meetone /prefetch:4 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\meetone\Crashpad --url=https://f.a.k/e --annotation=_productName=meetone --annotation=_version=2.0.0 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=30.0.1 --initial-client-data=0x4e8,0x4f0,0x4f4,0x4c4,0x4f8,0x7ff6ec7eaed8,0x7ff6ec7eaee4,0x7ff6ec7eaef02⤵PID:5096
-
-
C:\Users\Admin\AppData\Local\Temp\MeetOne.exe"C:\Users\Admin\AppData\Local\Temp\MeetOne.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\meetone" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1856,i,9523261037981838063,8504595933272326147,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1848 /prefetch:22⤵PID:2572
-
-
C:\Users\Admin\AppData\Local\Temp\MeetOne.exe"C:\Users\Admin\AppData\Local\Temp\MeetOne.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\meetone" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --field-trial-handle=2156,i,9523261037981838063,8504595933272326147,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2152 /prefetch:32⤵PID:1208
-
-
C:\Users\Admin\AppData\Local\Temp\MeetOne.exe"C:\Users\Admin\AppData\Local\Temp\MeetOne.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\meetone" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --app-user-model-id=com.electron --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --field-trial-handle=2568,i,9523261037981838063,8504595933272326147,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2564 /prefetch:12⤵
- Checks computer location settings
PID:4700
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell.exe -Command "Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\temp00324124QigSik\apploader\MicrosoftRuntimeComponentsX86.exe' -Verb RunAs -ErrorAction SilentlyContinue""2⤵
- Suspicious use of WriteProcessMemory
PID:736 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -Command "Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\temp00324124QigSik\apploader\MicrosoftRuntimeComponentsX86.exe' -Verb RunAs -ErrorAction SilentlyContinue"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Users\Admin\AppData\Local\Temp\temp00324124QigSik\apploader\MicrosoftRuntimeComponentsX86.exe"C:\Users\Admin\AppData\Local\Temp\temp00324124QigSik\apploader\MicrosoftRuntimeComponentsX86.exe"4⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command "Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\UpdateMO.exe' -Verb RunAs -WindowStyle hidden -ErrorAction SilentlyContinue"5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:8 -
C:\Users\Admin\AppData\Local\Temp\UpdateMO.exe"C:\Users\Admin\AppData\Local\Temp\UpdateMO.exe"6⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1344
-
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" csproduct get UUID5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3324
-
-
-
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa39bf855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1500
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
Filesize
64B
MD5d8b9a260789a22d72263ef3bb119108c
SHA1376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b
-
Filesize
200KB
MD5b3d34dafed16d08158119a69b7593468
SHA1d583fd25238c16eea9b8554f685781929b255cb4
SHA25648d4515d76bab9473ed8d05a8d7ed9e119f189d362b06e9f672cf7e5aca13707
SHA51276dc3b5f508d51fcc9b4300ffba089bafe1ec7c63d7c0d30cf6ec5f0db63c9599aed375f6fb851182b124e91ef148b678807aef184e76b0f21875865bccb65f0
-
Filesize
35.8MB
MD53f0b210932e2ae884ad8220c5ddd9b9d
SHA19717787360a02428780ea2712d22a8b0cd09a448
SHA2561dd70ad9399b127e9cc2700248002d1100419ae97da7263055f6e25167cae05e
SHA51244880de8c368a5c12bde38f818b3c1bc9fc0fc4ec1e739622a1671a15b39f753b6ab6713c3f4ced516145cf234dd0c89bd82ed645ba4b05f853af3b8a85ec974
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
