584612757412638951630e234f5103954d92edb9586e1bd12f3385aa379a3719

Analysis

max time kernel
299s
max time network
281s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
02/06/2024, 10:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

httpscdn.discordapp.comattachments1.txt
Size

184B
MD5

d727dfb40906c1561fe513ccbfd33b2b
SHA1

67645efae15afb734e736caefd480960305d04d6
SHA256

584612757412638951630e234f5103954d92edb9586e1bd12f3385aa379a3719
SHA512

8ade667197b6122ea23a88b6e996ffd62714c4e9201aaa21802de87421a35b7975c94eba2ad6ecb386e52d8e8a66fca48fa5e00dfc850d705594009e69fa7f3c

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Winword.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Winword.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Winword.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Winword.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Winword.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133617976719353762"	chrome.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\IOwnPhan.zip:Zone.Identifier	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1860	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 4 IoCs

pid	Process
4748	Winword.exe
4748	Winword.exe
2432	Winword.exe
2432	Winword.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
572	chrome.exe
572	chrome.exe
5948	chrome.exe
5948	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5100	OpenWith.exe
3828	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe
Token: SeShutdownPrivilege	572	chrome.exe
Token: SeCreatePagefilePrivilege	572	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe
572	chrome.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
5100	OpenWith.exe
5100	OpenWith.exe
5100	OpenWith.exe
5100	OpenWith.exe
5100	OpenWith.exe
5100	OpenWith.exe
5100	OpenWith.exe
5100	OpenWith.exe
5100	OpenWith.exe
5100	OpenWith.exe
5100	OpenWith.exe
5100	OpenWith.exe
5100	OpenWith.exe
5100	OpenWith.exe
5100	OpenWith.exe
4748	Winword.exe
4748	Winword.exe
4748	Winword.exe
4748	Winword.exe
4748	Winword.exe
4748	Winword.exe
4748	Winword.exe
3828	OpenWith.exe
3828	OpenWith.exe
3828	OpenWith.exe
3828	OpenWith.exe
3828	OpenWith.exe
3828	OpenWith.exe
3828	OpenWith.exe
3828	OpenWith.exe
3828	OpenWith.exe
3828	OpenWith.exe
3828	OpenWith.exe
3828	OpenWith.exe
3828	OpenWith.exe
3828	OpenWith.exe
3828	OpenWith.exe
3828	OpenWith.exe
3828	OpenWith.exe
3828	OpenWith.exe
3828	OpenWith.exe
3828	OpenWith.exe
3828	OpenWith.exe
3828	OpenWith.exe
3828	OpenWith.exe
3828	OpenWith.exe
3828	OpenWith.exe
3828	OpenWith.exe
3828	OpenWith.exe
3828	OpenWith.exe
3828	OpenWith.exe
3828	OpenWith.exe
3828	OpenWith.exe
3828	OpenWith.exe
3828	OpenWith.exe
3828	OpenWith.exe
3828	OpenWith.exe
3828	OpenWith.exe
3828	OpenWith.exe
2432	Winword.exe
2432	Winword.exe
2432	Winword.exe
2432	Winword.exe
2432	Winword.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 1860	2284	cmd.exe	81
PID 2284 wrote to memory of 1860	2284	cmd.exe	81
PID 572 wrote to memory of 1356	572	chrome.exe	87
PID 572 wrote to memory of 1356	572	chrome.exe	87
PID 572 wrote to memory of 4316	572	chrome.exe	88
PID 572 wrote to memory of 4316	572	chrome.exe	88
PID 572 wrote to memory of 4316	572	chrome.exe	88
PID 572 wrote to memory of 4316	572	chrome.exe	88
PID 572 wrote to memory of 4316	572	chrome.exe	88
PID 572 wrote to memory of 4316	572	chrome.exe	88
PID 572 wrote to memory of 4316	572	chrome.exe	88
PID 572 wrote to memory of 4316	572	chrome.exe	88
PID 572 wrote to memory of 4316	572	chrome.exe	88
PID 572 wrote to memory of 4316	572	chrome.exe	88
PID 572 wrote to memory of 4316	572	chrome.exe	88
PID 572 wrote to memory of 4316	572	chrome.exe	88
PID 572 wrote to memory of 4316	572	chrome.exe	88
PID 572 wrote to memory of 4316	572	chrome.exe	88
PID 572 wrote to memory of 4316	572	chrome.exe	88
PID 572 wrote to memory of 4316	572	chrome.exe	88
PID 572 wrote to memory of 4316	572	chrome.exe	88
PID 572 wrote to memory of 4316	572	chrome.exe	88
PID 572 wrote to memory of 4316	572	chrome.exe	88
PID 572 wrote to memory of 4316	572	chrome.exe	88
PID 572 wrote to memory of 4316	572	chrome.exe	88
PID 572 wrote to memory of 4316	572	chrome.exe	88
PID 572 wrote to memory of 4316	572	chrome.exe	88
PID 572 wrote to memory of 4316	572	chrome.exe	88
PID 572 wrote to memory of 4316	572	chrome.exe	88
PID 572 wrote to memory of 4316	572	chrome.exe	88
PID 572 wrote to memory of 4316	572	chrome.exe	88
PID 572 wrote to memory of 4316	572	chrome.exe	88
PID 572 wrote to memory of 4316	572	chrome.exe	88
PID 572 wrote to memory of 4316	572	chrome.exe	88
PID 572 wrote to memory of 4316	572	chrome.exe	88
PID 572 wrote to memory of 1400	572	chrome.exe	89
PID 572 wrote to memory of 1400	572	chrome.exe	89
PID 572 wrote to memory of 1116	572	chrome.exe	90
PID 572 wrote to memory of 1116	572	chrome.exe	90
PID 572 wrote to memory of 1116	572	chrome.exe	90
PID 572 wrote to memory of 1116	572	chrome.exe	90
PID 572 wrote to memory of 1116	572	chrome.exe	90
PID 572 wrote to memory of 1116	572	chrome.exe	90
PID 572 wrote to memory of 1116	572	chrome.exe	90
PID 572 wrote to memory of 1116	572	chrome.exe	90
PID 572 wrote to memory of 1116	572	chrome.exe	90
PID 572 wrote to memory of 1116	572	chrome.exe	90
PID 572 wrote to memory of 1116	572	chrome.exe	90
PID 572 wrote to memory of 1116	572	chrome.exe	90
PID 572 wrote to memory of 1116	572	chrome.exe	90
PID 572 wrote to memory of 1116	572	chrome.exe	90
PID 572 wrote to memory of 1116	572	chrome.exe	90
PID 572 wrote to memory of 1116	572	chrome.exe	90
PID 572 wrote to memory of 1116	572	chrome.exe	90
PID 572 wrote to memory of 1116	572	chrome.exe	90
PID 572 wrote to memory of 1116	572	chrome.exe	90
PID 572 wrote to memory of 1116	572	chrome.exe	90
PID 572 wrote to memory of 1116	572	chrome.exe	90
PID 572 wrote to memory of 1116	572	chrome.exe	90
PID 572 wrote to memory of 1116	572	chrome.exe	90
PID 572 wrote to memory of 1116	572	chrome.exe	90
PID 572 wrote to memory of 1116	572	chrome.exe	90
PID 572 wrote to memory of 1116	572	chrome.exe	90
PID 572 wrote to memory of 1116	572	chrome.exe	90

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\httpscdn.discordapp.comattachments1.txt
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\httpscdn.discordapp.comattachments1.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xec,0x10c,0x7ffb4f6aab58,0x7ffb4f6aab68,0x7ffb4f6aab78
  2⤵
  PID:1356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1608 --field-trial-handle=1800,i,209444178413490016,17780514147478714986,131072 /prefetch:2
  2⤵
  PID:4316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1800,i,209444178413490016,17780514147478714986,131072 /prefetch:8
  2⤵
  PID:1400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2208 --field-trial-handle=1800,i,209444178413490016,17780514147478714986,131072 /prefetch:8
  2⤵
  PID:1116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=1800,i,209444178413490016,17780514147478714986,131072 /prefetch:1
  2⤵
  PID:4108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3120 --field-trial-handle=1800,i,209444178413490016,17780514147478714986,131072 /prefetch:1
  2⤵
  PID:1248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4208 --field-trial-handle=1800,i,209444178413490016,17780514147478714986,131072 /prefetch:1
  2⤵
  PID:4972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4388 --field-trial-handle=1800,i,209444178413490016,17780514147478714986,131072 /prefetch:8
  2⤵
  PID:3984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4492 --field-trial-handle=1800,i,209444178413490016,17780514147478714986,131072 /prefetch:8
  2⤵
  PID:1832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4068 --field-trial-handle=1800,i,209444178413490016,17780514147478714986,131072 /prefetch:1
  2⤵
  PID:3212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4444 --field-trial-handle=1800,i,209444178413490016,17780514147478714986,131072 /prefetch:8
  2⤵
  - NTFS ADS
  PID:2492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4468 --field-trial-handle=1800,i,209444178413490016,17780514147478714986,131072 /prefetch:8
  2⤵
  PID:4224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4480 --field-trial-handle=1800,i,209444178413490016,17780514147478714986,131072 /prefetch:8
  2⤵
  PID:2820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4212 --field-trial-handle=1800,i,209444178413490016,17780514147478714986,131072 /prefetch:8
  2⤵
  PID:3800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1560 --field-trial-handle=1800,i,209444178413490016,17780514147478714986,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5948

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2792

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:700

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_IOwnPhan.zip\IOwnPhan\AutoEtherwarp.js"
1⤵
PID:4500

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5100
- C:\Program Files\Microsoft Office\root\Office16\Winword.exe
  "C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\AppData\Local\Temp\Temp1_IOwnPhan.zip\IOwnPhan\metadata.json"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:4748

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3828
- C:\Program Files\Microsoft Office\root\Office16\Winword.exe
  "C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\Downloads\IOwnPhan\IOwnPhan\AutoEtherwarp.js"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
471B

MD5
0a06fbebf0625c6ef64e4cfe1827bb58

SHA1
7d1957800794730917bbd41d8d6ba69568e678d4

SHA256
0b74f3612dd52d7879788b6b68e5f9830ac681ad5ddfa4a40bce7f6b9176d67e

SHA512
aef47897d0fbe11c4cdd731cafccdaaa7a647a3d07bd1887fea98dc1c9963aefe3a4e99bc5871a15f37fee8a6dd98390cad067ec8b5dab7b8e6eb1a668ec76bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
412B

MD5
a49c1431e380a752c84817ba7e758eea

SHA1
2bf53febc20c31d40476673b2be47987c8c39322

SHA256
bf237c3f4f1b1e209aa4c79b962ce109a07206b6e4c1866fe0232d4491d66342

SHA512
019af7494d4a8b27de784fe278b2f7c76a4dbf03f8c064f6706b3ce94815840f5105d1a56d884c85bd1920ea1123807ef313a0486a6c682903bcfce8a3515cae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
50ed7d314361dcdb0346397da02fc6b0

SHA1
c28f76acee4a529c462903d083e3c997cff29799

SHA256
4fa94c798c794eea67e696620a838b5d40efbd368908f03e91749f3ae5901a65

SHA512
b3ef5218270ae7a0d9f0fccf0f18d298ffe389e6cd6b58bc5a893e45164d467e30258bfbcc15d1acfd49b16f25d7df8492b8aac6f36b36cce04d9c14db8f6c34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
c5ff5ed201ceab80ed3c4a3db5b9b705

SHA1
28d92aa2c1a8a8cc18c8141347e2c99a0fc9b2eb

SHA256
26553aa674c2e9245cf900bcd2b33aa14bc38e559aac07b3fe809933c35b8cd2

SHA512
b7af6ac3cbd0b19bc8175ff9d214b044a2bcf5d934a58446ed6e4af0fbf1a9258468c0549c08e0f750428d1e083084a73fe9cbe604cfbfe45b6a080817ebf497

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
ade4dc7c1aa6530a14d1675856352dac

SHA1
69f91fa24def1eb4f992365927a933d7aa1cc00b

SHA256
54eeaa2158eae3e75361d0dfb729588c641e05698c3ccd86c8b868367c2a14fa

SHA512
ed420cc5f408846c9c8ea0cebda22a83559fd9d6c7d236a0cc7927ff6bbfa96e3feb99fe54e9c022dbd69660d9eb1387b1b229c82cb60d7f9fe7ee8cd0e980ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
ea039eac2163b91c7224d1aceda26796

SHA1
227e22700584db35a1b3779424252d9073800387

SHA256
b91f4069d45571f67c105e785215db9e1eb060571a816a3b29670bf863bc25c2

SHA512
232c14469ce9f5766684274aaa87681d2a0f793a9983d8e2ada6b06ffe158195401564243639e287abcd6d7ef7559b0b5d78c46c77dfc353960d0630f7826447

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
261KB

MD5
0872a153fc4584061e7fa343b908eb39

SHA1
881a50078ade1d48f8017ee4d536dcfc954019a6

SHA256
e498ec15759ebb36a88852e25f31df4a0b07800c6f807de71932cbd3bcb13fc0

SHA512
e7774c4aaac6d1f3617499049b1512cbcc996e26c5fe36f8f8857cd3ed3a2ca81071e4f2a7d69d5fb093cd8afdeb581e69059cb0dc5c136f9fa484d3fb9cabd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

Filesize
21B

MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json

Filesize
417B

MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json

Filesize
87B

MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json

Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\AF10BC41-2F5B-45F4-9757-C7B039F5FF5A

Filesize
161KB

MD5
1e91e6fad6d47718bf9c1e22a206fbb4

SHA1
f8d09d4ca358454818b7f31957f24044cd373ce0

SHA256
692a24a74dc3f99013d6b0496126a7e75e86bcd303308695f5281615b08e8b55

SHA512
98ffbfa08e129f41fcb6dd0a1589dd0651bf8c6ffd4a0695c058728c7ff6e824205980a90b4218e4b603fba482f2d2fccc18ec315d16da7eb134ca23f5b85d4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
21KB

MD5
a5e090e57ddeae22329474258cf44f48

SHA1
a9c25185e21096e4ef6a8e41c078b71445e4c97d

SHA256
52b1ebac1f0b520a39719ffc5308b2b1cd04d4e628b287f24636990d5ff3bbc4

SHA512
aa310585e2df2a809263236c6e8024f85c3a96fdf839abf30336eff952e973b0abcc8431a9e43d86f78fc41464293b6595831d53eada664bf7f6eed95558640a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db

Filesize
24KB

MD5
b00f3f56c104c94e03cd2ad8452c14e7

SHA1
51b78e45015e0d9d62fbdf31b75a22535a107204

SHA256
ba2b669020334ff01a85bfc900ea4371ea557bd315f154875d9bdfdc16ae8b50

SHA512
93e1609be5bbb414c285f37432ce93294c3d1583ef46c7c6c570c122f0b166c34b0ad87de708005c8af97dee27923ba53395a34c2563cdadf3c0a708848b3525

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD9DDD.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
257B

MD5
29002bcddb12277a5f14d5c96a37ac8e

SHA1
2cfbfb6213d7969d2434eef1a4bc1ef88dcf1cd9

SHA256
d936283900512fc4cf81a4b1f011f36d7d54797785d0071c1c757fcdae3b13ef

SHA512
e37f3c827d9198c4b158d840214e04ecd73ea8ca368c5c85f3b673b677996288a8d61fa93bdd93fb14fd217fd37368cc160de490c98e0bf0251bd582683401ab

Download Submit
C:\Users\Admin\Downloads\IOwnPhan.zip

Filesize
1KB

MD5
4228527fac355cec9000915e62c6502c

SHA1
8d5c2bb5baa6a6c165cf784b96d3705d146ac045

SHA256
f7b694fea9110b098f644015a03d5c4ce13afb7eca00d5ba11eab324427509e6

SHA512
c89ef26435530c434493c2fe816d901f2437a098d2c1292a2abb18f9c1cb63d4adc9c8da462e1eca449429623b61e28c2c0ca36b2f1adb45bd16487d7ab3b194

Download Submit
C:\Users\Admin\Downloads\IOwnPhan.zip:Zone.Identifier

Filesize
220B

MD5
c4b0a033993d9fb0f1b99f733d8baf58

SHA1
ecb4b6e3d0cc9bd888f02a590e2dcd2364a50318

SHA256
4607579112d8b6c88bbf0c95a2ea3744ace53cd3bcfaa59f728c5343bc2db469

SHA512
b4461849d0cde349e9150c338f2d904328bfc31f964a4221f88c653543d2831b13beecf246f9879379f111d57bea4119a2707100663308ef9e6b897465a8c4b9

Download Submit
memory/2432-120-0x00007FFB30830000-0x00007FFB30840000-memory.dmp

Filesize
64KB

Download
memory/2432-119-0x00007FFB30830000-0x00007FFB30840000-memory.dmp

Filesize
64KB

Download
memory/2432-118-0x00007FFB30830000-0x00007FFB30840000-memory.dmp

Filesize
64KB

Download
memory/2432-122-0x00007FFB30830000-0x00007FFB30840000-memory.dmp

Filesize
64KB

Download
memory/2432-121-0x00007FFB30830000-0x00007FFB30840000-memory.dmp

Filesize
64KB

Download
memory/2432-658-0x00007FFB30830000-0x00007FFB30840000-memory.dmp

Filesize
64KB

Download
memory/2432-656-0x00007FFB30830000-0x00007FFB30840000-memory.dmp

Filesize
64KB

Download
memory/2432-657-0x00007FFB30830000-0x00007FFB30840000-memory.dmp

Filesize
64KB

Download
memory/2432-655-0x00007FFB30830000-0x00007FFB30840000-memory.dmp

Filesize
64KB

Download
memory/4748-80-0x00007FFB2DC90000-0x00007FFB2DCA0000-memory.dmp

Filesize
64KB

Download
memory/4748-79-0x00007FFB2DC90000-0x00007FFB2DCA0000-memory.dmp

Filesize
64KB

Download
memory/4748-78-0x00007FFB30830000-0x00007FFB30840000-memory.dmp

Filesize
64KB

Download
memory/4748-77-0x00007FFB30830000-0x00007FFB30840000-memory.dmp

Filesize
64KB

Download
memory/4748-76-0x00007FFB30830000-0x00007FFB30840000-memory.dmp

Filesize
64KB

Download
memory/4748-75-0x00007FFB30830000-0x00007FFB30840000-memory.dmp

Filesize
64KB

Download
memory/4748-74-0x00007FFB30830000-0x00007FFB30840000-memory.dmp

Filesize
64KB

Download
memory/4748-105-0x00007FFB30830000-0x00007FFB30840000-memory.dmp

Filesize
64KB

Download
memory/4748-106-0x00007FFB30830000-0x00007FFB30840000-memory.dmp

Filesize
64KB

Download
memory/4748-108-0x00007FFB30830000-0x00007FFB30840000-memory.dmp

Filesize
64KB

Download
memory/4748-107-0x00007FFB30830000-0x00007FFB30840000-memory.dmp

Filesize
64KB

Download