Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows11-21h2_x64
- resource: win11-20240508-en
- resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 30-05-2024 14:16

Behavioral task: behavioral1
- Sample: Empyrean Removal Tool.exe
- Resource: win11-20240508-en
General
- Target: Empyrean Removal Tool.exe
- Size: 44KB
- MD5: 72dc44b2e7ef74718c563d397b1b1fbf
- SHA1: 6874f37359d554346dc024cffc4a3a68334494b2
- SHA256: fd8fb92324e4f5bb8665514b0c19f8bd4354ef091d8f2d088b528f1d21405066
- SHA512: a5a84f6ea2cdbec151de9d49b67aa07cfd2d23e9035b2863fadc59c58012f6fb9c1d69106e981bde9d49f9d28b4946c3ada80a3fcd03a7a6e353b90105c9304e
- SSDEEP: 768:sMDF7zLXoeUHyLpeuddqLi9Fk9wO0/O/hY/22gds4S1EAd8IIf:HF73XoeUS9Hd9Fk9wv/O/+u2gdS1EAdo
Malware Config
Extracted
- Family: xworm
- Version: 5.0
- C2: 75.24.104.157:4782
- LalTxzCzI20sKikz
- Install_directory: %Public%
- install_file: $77-Update.exe
Signatures

Detect Xworm Payload (2 IoCs)
  resource | yara_rule
  behavioral1/memory/2600-1-0x0000000000950000-0x0000000000962000-memory.dmp | family_xworm
  C:\Users\Public\$77-Update.exe | family_xworm

Downloads MZ/PE file

Drops startup file (2 IoCs)
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-Update.lnk | Empyrean Removal Tool.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-Update.lnk | Empyrean Removal Tool.exe

Executes dropped EXE (5 IoCs)
  pid | process
  468 | $77-Update.exe
  1468 | $77-Update.exe
  1164 | Empyrean Removal Tool.exe
  3784 | Empyrean Removal Tool.exe
  1224 | $77-Update.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\$77-Update = "C:\\Users\\Public\\$77-Update.exe" | Empyrean Removal Tool.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)

Drops file in Windows directory (4 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | UserOOBEBroker.exe
  File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | UserOOBEBroker.exe
  File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | UserOOBEBroker.exe
  File opened for modification | C:\Windows\Panther\UnattendGC\setupact.log | UserOOBEBroker.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe

Modifies data under HKEY_USERS (2 IoCs)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
  Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133615522471658525" | chrome.exe

Modifies registry class (1 IoC)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings | chrome.exe

NTFS ADS (1 IoC)
  description | ioc | process
  File opened for modification | C:\Users\Admin\Downloads\Empyrean Removal Tool.exe:Zone.Identifier | chrome.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | process
  340 | chrome.exe (2 entries)
  1700 | chrome.exe (2 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (4 IoCs)
  pid | process
  340 | chrome.exe (4 entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 2600 | Empyrean Removal Tool.exe
  Token: SeShutdownPrivilege | 340 | chrome.exe
  Token: SeCreatePagefilePrivilege | 340 | chrome.exe
  (SeShutdownPrivilege and SeCreatePagefilePrivilege alternate across all 63 chrome.exe entries, every one for PID 340)

Suspicious use of FindShellTrayWindow (34 IoCs)
  pid | process
  340 | chrome.exe (34 entries)

Suspicious use of SendNotifyMessage (12 IoCs)
  pid | process
  340 | chrome.exe (12 entries)

Suspicious use of SetWindowsHookEx (1 IoC)
  pid | process
  3176 | OpenWith.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | process | target process
  PID 2600 wrote to memory of 3680 | 2600 | Empyrean Removal Tool.exe | schtasks.exe (2 entries)
  PID 340 wrote to memory of 2396 | 340 | chrome.exe | chrome.exe (2 entries)
  PID 340 wrote to memory of 2576 | 340 | chrome.exe | chrome.exe (repeated entries)
  PID 340 wrote to memory of 5048 | 340 | chrome.exe | chrome.exe (2 entries)
  PID 340 wrote to memory of 2560 | 340 | chrome.exe | chrome.exe (repeated entries)

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Child processes are indented under their parent.

C:\Users\Admin\AppData\Local\Temp\Empyrean Removal Tool.exe (PID 2600)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Empyrean Removal Tool.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\schtasks.exe (PID 3680)
      Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77-Update" /tr "C:\Users\Public\$77-Update.exe"
      - Creates scheduled task(s)

C:\Program Files\Google\Chrome\Application\chrome.exe (PID 340)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2396)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff95e0dab58,0x7ff95e0dab68,0x7ff95e0dab78
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2576)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1508 --field-trial-handle=1656,i,3348070962311840714,1290706966153370618,131072 /prefetch:2
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5048)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1656,i,3348070962311840714,1290706966153370618,131072 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2560)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2204 --field-trial-handle=1656,i,3348070962311840714,1290706966153370618,131072 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 112)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1656,i,3348070962311840714,1290706966153370618,131072 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2708)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=1656,i,3348070962311840714,1290706966153370618,131072 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4944)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4208 --field-trial-handle=1656,i,3348070962311840714,1290706966153370618,131072 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1440)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4376 --field-trial-handle=1656,i,3348070962311840714,1290706966153370618,131072 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3000)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3492 --field-trial-handle=1656,i,3348070962311840714,1290706966153370618,131072 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2884)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4572 --field-trial-handle=1656,i,3348070962311840714,1290706966153370618,131072 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2836)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4388 --field-trial-handle=1656,i,3348070962311840714,1290706966153370618,131072 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4704)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4660 --field-trial-handle=1656,i,3348070962311840714,1290706966153370618,131072 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3932)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4720 --field-trial-handle=1656,i,3348070962311840714,1290706966153370618,131072 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1500)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 --field-trial-handle=1656,i,3348070962311840714,1290706966153370618,131072 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1028)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3408 --field-trial-handle=1656,i,3348070962311840714,1290706966153370618,131072 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5056)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3428 --field-trial-handle=1656,i,3348070962311840714,1290706966153370618,131072 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1584)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4916 --field-trial-handle=1656,i,3348070962311840714,1290706966153370618,131072 /prefetch:8
      - NTFS ADS
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1388)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5016 --field-trial-handle=1656,i,3348070962311840714,1290706966153370618,131072 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1932)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2388 --field-trial-handle=1656,i,3348070962311840714,1290706966153370618,131072 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4588)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3280 --field-trial-handle=1656,i,3348070962311840714,1290706966153370618,131072 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1700)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3220 --field-trial-handle=1656,i,3348070962311840714,1290706966153370618,131072 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe (PID 1620)
  Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Users\Public\$77-Update.exe (PID 468)
  Command line: C:\Users\Public\$77-Update.exe
  - Executes dropped EXE

C:\Windows\system32\svchost.exe (PID 2028)
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc

C:\Windows\System32\oobe\UserOOBEBroker.exe (PID 1968)
  Command line: C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
  - Drops file in Windows directory

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe (PID 3360)
  Command line: C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding

C:\Windows\system32\OpenWith.exe (PID 3176)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Suspicious use of SetWindowsHookEx

C:\Users\Public\$77-Update.exe (PID 1468)
  Command line: C:\Users\Public\$77-Update.exe
  - Executes dropped EXE

C:\Windows\System32\rundll32.exe (PID 3508)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\Empyrean Removal Tool.exe (PID 1164)
  Command line: "C:\Users\Admin\Downloads\Empyrean Removal Tool.exe"
  - Executes dropped EXE

C:\Users\Admin\Downloads\Empyrean Removal Tool.exe (PID 3784)
  Command line: "C:\Users\Admin\Downloads\Empyrean Removal Tool.exe"
  - Executes dropped EXE

C:\Users\Public\$77-Update.exe (PID 1224)
  Command line: "C:\Users\Public\$77-Update.exe"
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads