Analysis
max time kernel: 125s
max time network: 127s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 12/06/2024, 15:08
Static task: static1
Behavioral task behavioral1: sample "Screenshot 2024-05-23 150600.png", resource win7-20240508-en
Behavioral task behavioral2: sample "Screenshot 2024-05-23 150600.png", resource win10-20240404-en
Behavioral task behavioral3: sample "Screenshot 2024-05-23 150600.png", resource win10v2004-20240508-en
Behavioral task behavioral4: sample "Screenshot 2024-05-23 150600.png", resource win11-20240508-en
General
Target: Screenshot 2024-05-23 150600.png
Size: 13KB
MD5: 6f876ae028604bb4a249a6867210a2a9
SHA1: c1267e953c79345137abb10b095c7311ac975309
SHA256: a39a47b8af14e487c4569745ee567714543a906e398f6c399d6e90f95ae2fd9f
SHA512: 64fb3e33763c5e2f81ec3fffd4dcdff977f7e84ea5fa37221ec2fa9c5c750807d4cca9de1275668bf13597e071399993e9222d952cd7feefe8edacbb87b688c4
SSDEEP: 192:jMKVzc1hb+m0eFmLBlklkAKlFEUF2x6bWLh3ZE75wZKD6GkGuxntHDQLcH+6KniA:IKcL+8FmFGlvBx6bEdZYwmBPOSEYl
Malware Config
Signatures
- Drops file in Windows directory (4 IoCs)
  - File opened for modification: C:\Windows\Panther\UnattendGC\diagerr.xml (UserOOBEBroker.exe)
  - File opened for modification: C:\Windows\Panther\UnattendGC\diagwrn.xml (UserOOBEBroker.exe)
  - File opened for modification: C:\Windows\Panther\UnattendGC\setupact.log (UserOOBEBroker.exe)
  - File opened for modification: C:\Windows\Panther\UnattendGC\setuperr.log (UserOOBEBroker.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 10 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (firefox.exe)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (firefox.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (firefox.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (firefox.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (firefox.exe)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature (firefox.exe)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)
- Modifies data under HKEY_USERS (17 IoCs)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent (LogonUI.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM (LogonUI.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "24" (LogonUI.exe)
  - Set value (int): \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133626786009557194" (chrome.exe)
  - Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 (LogonUI.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History (LogonUI.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" (LogonUI.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" (LogonUI.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" (LogonUI.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" (LogonUI.exe)
  - Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry (chrome.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" (LogonUI.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" (LogonUI.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" (LogonUI.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" (LogonUI.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" (LogonUI.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" (LogonUI.exe)
- Modifies registry class (1 IoC)
  - Key created: \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings (firefox.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  - PID 684 chrome.exe (2 events)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
  - PID 684 chrome.exe (3 events)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  - Token: SeDebugPrivilege, PID 2380 firefox.exe (2 events)
  - Token: SeShutdownPrivilege, PID 684 chrome.exe (31 events, alternating with the next row)
  - Token: SeCreatePagefilePrivilege, PID 684 chrome.exe (31 events)
- Suspicious use of FindShellTrayWindow (31 IoCs)
  - PID 2380 firefox.exe (4 events)
  - PID 684 chrome.exe (27 events)
- Suspicious use of SendNotifyMessage (15 IoCs)
  - PID 2380 firefox.exe (3 events)
  - PID 684 chrome.exe (12 events)
- Suspicious use of SetWindowsHookEx (3 IoCs)
  - PID 2380 firefox.exe
  - PID 2900 SystemSettingsAdminFlows.exe
  - PID 1948 LogonUI.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  - PID 236 firefox.exe wrote to memory of PID 2380 (procid_target 81): 11 events
  - PID 2380 firefox.exe wrote to memory of PID 4128 (procid_target 82): 43 events
  - PID 2380 firefox.exe wrote to memory of PID 4028 (procid_target 83): 10 events
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
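The Task Scheduler TTP above is reported without an IoC row, so the analyst's follow-up on the host is to list what is actually registered and pick out the tasks that matter. The block below is an added example, not part of this report and not a vendor tool: `enumerate_tasks()` walks the task tree through the documented Task Scheduler 2.0 scripting interface (`Schedule.Service`, `ITaskService.Connect`, `ITaskFolder.GetTasks`/`GetFolders`) via pywin32 and therefore only runs on Windows; `flag_tasks()` applies this example's own heuristics (user-writable action paths, script hosts with encoded or download-style arguments, boot/logon triggers outside the `\Microsoft\` tree). `SAMPLE_TASKS` is constructed test data, not anything observed in the sandbox run.

```python
"""Enumerate scheduled tasks through the Task Scheduler 2.0 COM API and flag
the ones worth a second look.

Added example: not part of the sandbox report above and not a vendor tool.
enumerate_tasks() needs pywin32 on a Windows host; the rules in flag_tasks()
are this example's own heuristics; SAMPLE_TASKS is constructed test data.
"""
from dataclasses import dataclass, field

TASK_ENUM_HIDDEN = 1        # ITaskFolder.GetTasks flag: include hidden tasks
TASK_ACTION_EXEC = 0        # IAction.Type for "run a program" actions
TASK_TRIGGER_BOOT = 8       # ITrigger.Type values that give persistence
TASK_TRIGGER_LOGON = 9

# Locations a non-admin user can write to; a task launching from here is a
# cheap persistence mechanism and gets reviewed first.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "wscript", "cscript", "mshta",
                "rundll32", "regsvr32", "certutil")
SUSPICIOUS_ARGS = ("-enc", "-e ", "http", "iex", "downloadstring", "-w hidden",
                   "frombase64")


@dataclass
class TaskRecord:
    path: str                  # e.g. "\Microsoft\Windows\UpdateOrchestrator\Schedule Scan"
    enabled: bool
    actions: list = field(default_factory=list)   # "exe arguments" strings
    triggers: list = field(default_factory=list)  # ITrigger.Type integers
    author: str = ""


def enumerate_tasks(root="\\"):
    """Walk every task folder via COM and return TaskRecords (Windows + pywin32)."""
    import win32com.client  # lazy import so flag_tasks() stays usable anywhere
    svc = win32com.client.Dispatch("Schedule.Service")
    svc.Connect()
    found = []

    def walk(folder):
        for task in folder.GetTasks(TASK_ENUM_HIDDEN):
            definition = task.Definition
            actions = [f"{a.Path} {a.Arguments or ''}".strip()
                       for a in definition.Actions if a.Type == TASK_ACTION_EXEC]
            triggers = [int(t.Type) for t in definition.Triggers]
            found.append(TaskRecord(task.Path, bool(task.Enabled), actions, triggers,
                                    definition.RegistrationInfo.Author or ""))
        for sub in folder.GetFolders(0):
            walk(sub)

    walk(svc.GetFolder(root))
    return found


def flag_tasks(records):
    """Return {task path: [reasons]} for enabled tasks matching any heuristic."""
    flagged = {}
    for rec in records:
        if not rec.enabled:
            continue              # a disabled task cannot fire; skip it
        reasons = []
        for act in rec.actions:
            low = act.lower()
            if any(p in low for p in USER_WRITABLE):
                reasons.append(f"runs from a user-writable path: {act}")
            if any(h in low for h in SCRIPT_HOSTS) and any(k in low for k in SUSPICIOUS_ARGS):
                reasons.append(f"script host with encoded/download arguments: {act}")
        persistent = any(t in (TASK_TRIGGER_BOOT, TASK_TRIGGER_LOGON) for t in rec.triggers)
        if persistent and not rec.path.lower().startswith("\\microsoft\\"):
            reasons.append("boot/logon trigger outside the \\Microsoft\\ task tree")
        if reasons:
            flagged[rec.path] = reasons
    return flagged


# Constructed records (not from the report): a benign Microsoft task, a benign
# third-party task the logon-trigger rule still surfaces, a benign updater in
# AppData, an obvious persistence task, and a disabled task that must be skipped.
SAMPLE_TASKS = [
    TaskRecord("\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan", True,
               ["C:\\Windows\\System32\\usoclient.exe StartScan"], [2], "Microsoft"),
    TaskRecord("\\GoogleUpdateTaskMachineUA", True,
               ["C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe /ua /installsource scheduler"], [1, 9]),
    TaskRecord("\\OneDrive Standalone Update", True,
               ["C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe"], [2]),
    TaskRecord("\\SysHelper", True, ["powershell.exe -w hidden -enc SQBFAFgA"], [9]),
    TaskRecord("\\OldTask", False, ["C:\\Users\\Public\\x.exe"], [8]),
]

if __name__ == "__main__":
    try:
        records = enumerate_tasks()
    except ImportError:
        records = SAMPLE_TASKS     # off-Windows: run the heuristics on the constructed data
    for path, reasons in flag_tasks(records).items():
        print(path)
        for reason in reasons:
            print("   ", reason)
```

The heuristics are deliberately noisy in one direction: a legitimate third-party updater with a logon trigger (the constructed Google Update record) is surfaced with a single reason so that the reviewer decides, while the encoded PowerShell task collects two reasons and sorts to the top. The walk uses `GetFolders(0)` recursion because `GetTasks` only lists the tasks of one folder.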
Processes
- C:\Windows\system32\cmd.exe (PID 2720)
  cmd /c "C:\Users\Admin\AppData\Local\Temp\Screenshot 2024-05-23 150600.png"
- C:\Program Files\Mozilla Firefox\firefox.exe (PID 236)
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Program Files\Mozilla Firefox\firefox.exe (PID 2380)
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    Signatures: Checks processor information in registry; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4128, gpu process)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.0.135712598\92976449" -parentBuildID 20230214051806 -prefsHandle 1756 -prefMapHandle 1748 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e45501c-c4e3-4bd4-b121-a4ed359b848b} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 1848 1af0e10a058 gpu
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4028, socket process)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.1.924894941\594771187" -parentBuildID 20230214051806 -prefsHandle 2360 -prefMapHandle 2356 -prefsLen 22110 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {395e7317-24a7-4fe1-8615-e5fbba0ad1f5} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 2372 1af01385658 socket
      Signatures: Checks processor information in registry
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4152, tab, childID 1)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.2.792689539\1881108692" -childID 1 -isForBrowser -prefsHandle 2832 -prefMapHandle 3056 -prefsLen 22148 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5aa6402-9b09-4dd2-8679-fc3713448e00} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 3120 1af109d9858 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 1724, tab, childID 2)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.3.1541400480\408503307" -childID 2 -isForBrowser -prefsHandle 3392 -prefMapHandle 3240 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {328b4239-bc05-422d-900f-511556282fd4} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 3228 1af127e1058 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 3024, tab, childID 3)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.4.1169559926\145756084" -childID 3 -isForBrowser -prefsHandle 4992 -prefMapHandle 5036 -prefsLen 27690 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2cbe7342-aa83-43f4-8bd2-b584668f7499} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 5032 1af15c60858 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 3112, tab, childID 4)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.5.1008742324\1975777336" -childID 4 -isForBrowser -prefsHandle 5180 -prefMapHandle 5184 -prefsLen 27690 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {808b75a3-9f03-4e1a-900a-48435e95571b} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 5168 1af1550da58 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 784, tab, childID 5)
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2380.6.1080181801\1174597921" -childID 5 -isForBrowser -prefsHandle 5456 -prefMapHandle 5452 -prefsLen 27690 -prefMapSize 235121 -jsInitHandle 1324 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {44fbd1e8-0fbd-4bd6-a499-a55d3b5f2801} 2380 "\\.\pipe\gecko-crash-server-pipe.2380" 5372 1af1550f558 tab
- C:\Program Files\Google\Chrome\Application\chrome.exe (PID 684)
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  Signatures: Enumerates system info in registry; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2204, crashpad-handler)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffa635ab58,0x7fffa635ab68,0x7fffa635ab78
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1992, gpu-process)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1548 --field-trial-handle=1748,i,4875093053405332426,8331843734736542425,131072 /prefetch:2
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1112, utility: network.mojom.NetworkService)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1676 --field-trial-handle=1748,i,4875093053405332426,8331843734736542425,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4824, utility: storage.mojom.StorageService)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2200 --field-trial-handle=1748,i,4875093053405332426,8331843734736542425,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 236, renderer; this PID number was reused after the Firefox launcher above exited)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3080 --field-trial-handle=1748,i,4875093053405332426,8331843734736542425,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1952, renderer)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3172 --field-trial-handle=1748,i,4875093053405332426,8331843734736542425,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3548, renderer)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4256 --field-trial-handle=1748,i,4875093053405332426,8331843734736542425,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2472, utility: chrome.mojom.ProcessorMetrics)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4508 --field-trial-handle=1748,i,4875093053405332426,8331843734736542425,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3560, utility: chrome.mojom.UtilWin)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4688 --field-trial-handle=1748,i,4875093053405332426,8331843734736542425,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe (PID 4896)
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
    - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe (PID 900, crashpad-handler)
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x7ff7bb60ae48,0x7ff7bb60ae58,0x7ff7bb60ae68
  - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe (PID 72)
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
    - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe (PID 2436, crashpad-handler)
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x7ff7bb60ae48,0x7ff7bb60ae58,0x7ff7bb60ae68
- C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe (PID 4060)
  "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- C:\Windows\system32\svchost.exe (PID 460)
  C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
- C:\Windows\System32\oobe\UserOOBEBroker.exe (PID 3136)
  C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
  Signatures: Drops file in Windows directory
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe (PID 2880)
  C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
- C:\Windows\system32\SystemSettingsAdminFlows.exe (PID 2900)
  "C:\Windows\system32\SystemSettingsAdminFlows.exe" TroubleshootActivation
  Signatures: Suspicious use of SetWindowsHookEx
- C:\Windows\system32\LogonUI.exe (PID 1948)
  "LogonUI.exe" /flags:0x4 /state0:0xa3a2b855 /state1:0x41c64e6d
  Signatures: Modifies data under HKEY_USERS; Suspicious use of SetWindowsHookEx
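The point of reading the Signatures and Processes sections together is attribution: the submitted sample is a PNG opened through `cmd /c` (PID 2720), and every signature hit in this run sits under Firefox, Chrome or an OS component that was running alongside it, not under that cmd.exe. The block below is an added triage helper, not part of the report and not a vendor tool. It takes the flattened `pid Process` rows as the report prints them (shortened here to one row per distinct acting process; the full event counts are in the Signatures section) and the parent links from the Processes tree, and reports which hits descend from a chosen root. Processes are keyed on `(pid, image)` rather than the bare PID because Windows reuses PIDs: in this run 236 is first the Firefox launcher and later a Chrome renderer, and attributing by PID alone would merge them.

```python
"""Attribute sandbox signature hits to process lineages.

Added triage helper, not part of the sandbox report and not a vendor tool.
Inputs below are copied from the report (a constructed subset of the rows);
the question answered is whether any hit descends from the submitted
sample's own process, cmd.exe PID 2720.
"""
import re
from collections import Counter, defaultdict

# Signature -> flattened IoC text as printed in the report (subset of rows).
SIGNATURE_ROWS = {
    "Suspicious behavior: EnumeratesProcesses":
        "684 chrome.exe 684 chrome.exe",
    "Suspicious use of SetWindowsHookEx":
        "2380 firefox.exe 2900 SystemSettingsAdminFlows.exe 1948 LogonUI.exe",
    "Suspicious use of AdjustPrivilegeToken":
        "Token: SeDebugPrivilege 2380 firefox.exe Token: SeDebugPrivilege 2380 firefox.exe "
        "Token: SeShutdownPrivilege 684 chrome.exe Token: SeCreatePagefilePrivilege 684 chrome.exe",
    "Suspicious use of WriteProcessMemory":
        "PID 236 wrote to memory of 2380 236 firefox.exe 81 "
        "PID 2380 wrote to memory of 4128 2380 firefox.exe 82",
}

# Parent links from the Processes section, keyed on (pid, image) rather than
# the bare PID: Windows reuses PIDs, and in this run 236 is first the Firefox
# launcher and later a Chrome renderer.
PROCESS_TREE = {
    (2720, "cmd.exe"): None,                    # cmd /c "<sample>.png"
    (236, "firefox.exe"): None,
    (2380, "firefox.exe"): (236, "firefox.exe"),
    (4128, "firefox.exe"): (2380, "firefox.exe"),
    (4028, "firefox.exe"): (2380, "firefox.exe"),
    (684, "chrome.exe"): None,
    (236, "chrome.exe"): (684, "chrome.exe"),   # PID 236 reused
    (2900, "SystemSettingsAdminFlows.exe"): None,
    (1948, "LogonUI.exe"): None,
}

# "<pid> <image>.exe" with the image directly after the pid. The target PID in
# "wrote to memory of 2380" is followed by another number, so it never matches.
ROW_RE = re.compile(r"\b(\d+) (\S+?\.exe)\b")


def parse_hits(row_text):
    """Count events per acting (pid, image) in one flattened IoC row."""
    return Counter((int(pid), image) for pid, image in ROW_RE.findall(row_text))


def lineage(proc, tree):
    """Return [proc, parent, grandparent, ...] up to the root. Unknown
    processes and cycles end the walk instead of raising."""
    chain, seen = [], set()
    while proc is not None and proc not in seen:
        seen.add(proc)
        chain.append(proc)
        proc = tree.get(proc)
    return chain


def attribute(signature_rows, tree, root):
    """Return (hits per signature, the subset whose lineage passes through root)."""
    per_sig, under_root = {}, defaultdict(dict)
    for sig, row in signature_rows.items():
        hits = parse_hits(row)
        per_sig[sig] = dict(hits)
        for proc, n in hits.items():
            if root in lineage(proc, tree):
                under_root[sig][proc] = n
    return per_sig, dict(under_root)


if __name__ == "__main__":
    per_sig, mine = attribute(SIGNATURE_ROWS, PROCESS_TREE, (2720, "cmd.exe"))
    for sig, hits in per_sig.items():
        print(sig)
        for (pid, image), n in sorted(hits.items()):
            print(f"    {pid:>5} {image:<32} x{n}")
    print("hits under the sample's own lineage:", mine or "none")
```

Run against the report's rows, `attribute(..., (2720, "cmd.exe"))` returns an empty second value: nothing in the Signatures section descends from the process that opened the PNG. Pointing the root at `(236, "firefox.exe")` instead returns the Firefox-only hits and correctly excludes the Chrome renderer that later received PID 236.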
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 811B
  MD5: 1b9058fc700543c9b6b36a184614a488
  SHA1: ac8d47f0639a3c4c8afd1ef95ed44ff1ea693d2c
  SHA256: 6c8363b28b89a27c73c90debc7ab8a95aaeef3def12307376e3cb829f5a69a89
  SHA512: 24fb3466d3252757ca00fd9fc3d75503c29d6339273cf898767dac6a98309a4a786d1eee558c5691f0ae013d4487968a01ef825cca2ea0fb3f81d034cb267ef0
- Filesize: 2B
  MD5: d751713988987e9331980363e24189ce
  SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
  SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
  SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
- Filesize: 7KB
  MD5: 9f6c6da6af4f5b97216d22d9ca836bd9
  SHA1: a53884394d5c8329e8be3e06bc47f0231593e1b7
  SHA256: f65103393bef9d5b52a84926d36867db84d37cb4312793ce21f87b6631a939e2
  SHA512: bfa01236358f6175eadf0d58e9c8db47683bddde8101192b779a9f3cce73e1d641d1f9fb7bbaf8e74bb6848530962fab96f4082fa236f3fa8b01ff26c5b386da
- Filesize: 129KB
  MD5: 98752827e2792bccf4a3432860d69325
  SHA1: 80f0be09abb888bcdf987b6c9a8a2b8bd6042368
  SHA256: 5b44501b17bc71ecb157a5c4da921da01c48c378c40465120973613d9b92b85a
  SHA512: 188725eec10131645669ac6012fbc8d2e3aab635e16265c5303ced13779fd9c82fdbcba65fe9bac289ebbaa935ffd97038d8a7889e945ffb3fe749490eff1fcc
- Filesize: 129KB
  MD5: 1818d3f700a48d014da1ae9b864f543c
  SHA1: ce69a0a97e27df8ca39a365066bee0690faab809
  SHA256: 4efafd0631858f7ffea76cb48ebde651f8250581edffa49e659eb55f7c5c4686
  SHA512: 784592eb681fd5f5afebb251bd9e94bd67b16a530c445bad0aaf8a140998f0419a945a910c4de3be6665d2c6f6b5e3f95281d7b74edd7e3e0486d50871f132bc
- Filesize: 264KB
  MD5: 70fc493dcf843725209b61bf01e07af5
  SHA1: 961627e8f37dc0aef4f3fe24bdfd43dc646d9c16
  SHA256: b3cb926c09cbdf3f66e27be813d9dfe1fb0423ae0123c571397d7c624531faf7
  SHA512: 38c0d1a082bc1bc95b0cc832b7d46fe969749d282c0d3fae37f8a228d9b409d41b8bfd54c1454e5bc119139e6adb530e7e4a09474991f1d64756bc1a8e4fbeb2
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r6lt1pc6.default-release\activity-stream.discovery_stream.json.tmp
  Filesize: 24KB
  MD5: 77810453b5fe125233fca152d0d1588f
  SHA1: 2be58e763c81c307e5bc394cd55c686572cef5ac
  SHA256: 38288bf640660835906f2c67b17a986ea942381095231baeba40338b8fa2efc3
  SHA512: 18bce601a1843fc0b8fb1fe4b0c329f1b7ce1a18534e6b772042dd73bd3808a00225041ea5d466e80bb63413187ad0dade29fadf7647044ff45d7e49cb5654b3
- Filesize: 7KB
  MD5: 70d598b108e8116abb1f3bef6dd2bf80
  SHA1: b7ba3d2a708c40292cf08ec707e8f23b8d59fdeb
  SHA256: 93419f2c8f8f417b11a89eb68ffa3e47bb8ee2d30cfcd645ce88eebf8b25ba9f
  SHA512: 9df068cc4bba7467680830dc83beb34249e8c7ea5017b3b12809302d7c60ffdf3fcdaa0b42023af91f206711daa3588310d759a98892b46ff0ed875b33464dd1
- Filesize: 6KB
  MD5: ca738e6bc32e2d63ac5506aaaacf5705
  SHA1: de2cb641c2729ba639f919a71454c0977e5c1c65
  SHA256: 2bed469b5bc3997b8738edde82e795705386a182d4ed989984e879c9e7978341
  SHA512: b8d836403277305dbe8b5266a27fcfd904c8fd93e0081dd79b23711da71be870dc74180d0d6ca3def188c3099a39bc01263fdfcceba86cd43d677392d7879727
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r6lt1pc6.default-release\sessionstore.jsonlz4
  Filesize: 902B
  MD5: 32ecbaff4214a32be780dd4548fc8d4f
  SHA1: c60bf5b140eb10ab6d656e291ec7e57c35c8d620
  SHA256: ce399522babc574c2faa3b43f8f7eea5243799182dc4f5208c5ee56c4e3d0d7c
  SHA512: 5865d49ece49188eeaa674619f0ea2dc3d8592fcf167f0889b9732c0c5c6ecfc5c2789ff1d18ddb5489db9b887bf486e9633030520cbfb146e47a7c379bcba4d
- Filesize: 40B
  MD5: 7e334f6f67d39e6ade57ec0134e6eb22
  SHA1: 050069e127ad538fedc51bdf283401860428d04c
  SHA256: 6049d57289a1b5a8244285241bc90efdb6ce8d673ae85ab4f7f4b7f958f541ca
  SHA512: 23fac90144f96e227f8a1dd73b9b40752c14a7babda282c2a33cd66d13fc9e29a60e693201a0b3bb7599cba13feb9424714b9aa8d81da2eca3b10c64e3e3c691