Analysis
- max time kernel: 155s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/06/2024, 15:08

Static task: static1

Behavioral task: behavioral1
- Sample: Graphing data.xlsx
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: Graphing data.xlsx
- Resource: win10v2004-20240508-en
General
- Target: Graphing data.xlsx
- Size: 7.6MB
- MD5: e19d0eda637f74082459f65ef9932c06
- SHA1: 02c1b4bea5a8a8984ae4b06b88cc30c5ccbbe58e
- SHA256: 3eb94783cb0063c9fb90a79f8a157e315f627bd60e5bcfc4c426aa90b6069f1a
- SHA512: d95c57f1f5df143956fd9f1582ee38ffcf0679724346b242d49cd5639a1eca714fb65ddbb23ff5b22518028938054277e2eaf3c8226c3c6dcfb6912f104d849f
- SSDEEP: 196608:nkDusCHhRf8ewh52r1LDpD7jruFNTiuYvWa4mApTz:kCs6dgz2r1LDpD7jUNTiuYu9
Malware Config
Signatures
Drops file in System32 directory (12 IoCs)
  description | ioc | Process
  File created | C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF | svchost.exe
  File opened for modification | C:\Windows\system32\NDF\{2E59B576-783C-420B-9941-2CC22C61E85C}-temp-06122024-1510.etl | svchost.exe
  File opened for modification | C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{eb3fb0c5-dd94-4529-b925-f32d367fda8d}\snapshot.etl | svchost.exe
  File opened for modification | C:\Windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin | svchost.exe
  File created | C:\Windows\system32\wdi\LogFiles\StartupInfo\S-1-5-21-1337824034-2731376981-3755436523-1000_StartupInfo3.xml | svchost.exe
  File opened for modification | C:\Windows\system32\SRU\SRU.chk | svchost.exe
  File opened for modification | C:\Windows\system32\SRU\SRUDB.dat | svchost.exe
  File opened for modification | C:\Windows\system32\SRU\SRUDB.jfm | svchost.exe
  File created | C:\Windows\system32\NDF\{2E59B576-783C-420B-9941-2CC22C61E85C}-temp-06122024-1510.etl | svchost.exe
  File created | C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{eb3fb0c5-dd94-4529-b925-f32d367fda8d}\snapshot.etl | svchost.exe
  File opened for modification | C:\Windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1337824034-2731376981-3755436523-1000_UserData.bin | svchost.exe
  File opened for modification | C:\Windows\system32\SRU\SRU.log | svchost.exe
Drops file in Windows directory (1 IoCs)
  description | ioc | Process
  File created | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\rasphone.pbk | svchost.exe
Checks processor information in registry (2 TTPs, 5 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Enumerates system info in registry (2 TTPs, 6 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Gathers network information (2 TTPs, 1 IoCs)
Uses commandline utility to view network configuration.
  pid | Process
  5260 | ipconfig.exe
Modifies data under HKEY_USERS (6 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133626785314456581" | chrome.exe
  Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\RAS AutoDial | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\RAS AutoDial\Default | svchost.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client" | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client" | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid | Process
  1528 | EXCEL.EXE
Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid | Process
  3200 | chrome.exe
  3200 | chrome.exe
  1528 | EXCEL.EXE
  1528 | EXCEL.EXE
  5776 | sdiagnhost.exe
  5776 | sdiagnhost.exe
  1396 | svchost.exe
  1396 | svchost.exe
  3200 | chrome.exe
  3200 | chrome.exe
  5696 | chrome.exe
  5696 | chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (12 IoCs)
  pid | Process
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 3200 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3200 | chrome.exe
  Token: SeShutdownPrivilege | 3200 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3200 | chrome.exe
  Token: SeShutdownPrivilege | 3200 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3200 | chrome.exe
  Token: SeDebugPrivilege | 1528 | EXCEL.EXE
  Token: SeShutdownPrivilege | 3200 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3200 | chrome.exe
  Token: SeShutdownPrivilege | 3200 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3200 | chrome.exe
  Token: SeShutdownPrivilege | 3200 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3200 | chrome.exe
  Token: SeShutdownPrivilege | 3200 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3200 | chrome.exe
  Token: SeShutdownPrivilege | 3200 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3200 | chrome.exe
  Token: SeShutdownPrivilege | 3200 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3200 | chrome.exe
  Token: SeShutdownPrivilege | 3200 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3200 | chrome.exe
  Token: SeShutdownPrivilege | 3200 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3200 | chrome.exe
  Token: SeShutdownPrivilege | 3200 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3200 | chrome.exe
  Token: SeShutdownPrivilege | 3200 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3200 | chrome.exe
  Token: SeShutdownPrivilege | 3200 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3200 | chrome.exe
  Token: SeShutdownPrivilege | 3200 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3200 | chrome.exe
  Token: SeShutdownPrivilege | 3200 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3200 | chrome.exe
  Token: SeShutdownPrivilege | 3200 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3200 | chrome.exe
  Token: SeShutdownPrivilege | 3200 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3200 | chrome.exe
  Token: SeShutdownPrivilege | 3200 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3200 | chrome.exe
  Token: SeShutdownPrivilege | 3200 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3200 | chrome.exe
  Token: SeShutdownPrivilege | 3200 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3200 | chrome.exe
  Token: SeShutdownPrivilege | 3200 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3200 | chrome.exe
  Token: SeShutdownPrivilege | 3200 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3200 | chrome.exe
  Token: SeShutdownPrivilege | 3200 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3200 | chrome.exe
  Token: SeShutdownPrivilege | 3200 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3200 | chrome.exe
  Token: SeShutdownPrivilege | 3200 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3200 | chrome.exe
  Token: SeShutdownPrivilege | 3200 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3200 | chrome.exe
  Token: SeShutdownPrivilege | 3200 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3200 | chrome.exe
  Token: SeShutdownPrivilege | 3200 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3200 | chrome.exe
  Token: SeShutdownPrivilege | 3200 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3200 | chrome.exe
  Token: SeShutdownPrivilege | 3200 | chrome.exe
  Token: SeCreatePagefilePrivilege | 3200 | chrome.exe
  Token: SeShutdownPrivilege | 3200 | chrome.exe
Suspicious use of FindShellTrayWindow (37 IoCs)
  pid | Process
  1528 | EXCEL.EXE
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  1528 | EXCEL.EXE
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3528 | msdt.exe
Suspicious use of SendNotifyMessage (32 IoCs)
  pid | Process
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
  3200 | chrome.exe
Suspicious use of SetWindowsHookEx (7 IoCs)
  pid | Process
  1528 | EXCEL.EXE
  1528 | EXCEL.EXE
  1528 | EXCEL.EXE
  1528 | EXCEL.EXE
  1528 | EXCEL.EXE
  1528 | EXCEL.EXE
  1528 | EXCEL.EXE
Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 3200 wrote to memory of 4908 | 3200 | chrome.exe | 88
  PID 3200 wrote to memory of 4908 | 3200 | chrome.exe | 88
  PID 3200 wrote to memory of 760 | 3200 | chrome.exe | 89
  PID 3200 wrote to memory of 760 | 3200 | chrome.exe | 89
  PID 3200 wrote to memory of 760 | 3200 | chrome.exe | 89
  PID 3200 wrote to memory of 760 | 3200 | chrome.exe | 89
  PID 3200 wrote to memory of 760 | 3200 | chrome.exe | 89
  PID 3200 wrote to memory of 760 | 3200 | chrome.exe | 89
  PID 3200 wrote to memory of 760 | 3200 | chrome.exe | 89
  PID 3200 wrote to memory of 760 | 3200 | chrome.exe | 89
  PID 3200 wrote to memory of 760 | 3200 | chrome.exe | 89
  PID 3200 wrote to memory of 760 | 3200 | chrome.exe | 89
  PID 3200 wrote to memory of 760 | 3200 | chrome.exe | 89
  PID 3200 wrote to memory of 760 | 3200 | chrome.exe | 89
  PID 3200 wrote to memory of 760 | 3200 | chrome.exe | 89
  PID 3200 wrote to memory of 760 | 3200 | chrome.exe | 89
  PID 3200 wrote to memory of 760 | 3200 | chrome.exe | 89
  PID 3200 wrote to memory of 760 | 3200 | chrome.exe | 89
  PID 3200 wrote to memory of 760 | 3200 | chrome.exe | 89
  PID 3200 wrote to memory of 760 | 3200 | chrome.exe | 89
  PID 3200 wrote to memory of 760 | 3200 | chrome.exe | 89
  PID 3200 wrote to memory of 760 | 3200 | chrome.exe | 89
  PID 3200 wrote to memory of 760 | 3200 | chrome.exe | 89
  PID 3200 wrote to memory of 760 | 3200 | chrome.exe | 89
  PID 3200 wrote to memory of 760 | 3200 | chrome.exe | 89
  PID 3200 wrote to memory of 760 | 3200 | chrome.exe | 89
  PID 3200 wrote to memory of 760 | 3200 | chrome.exe | 89
  PID 3200 wrote to memory of 760 | 3200 | chrome.exe | 89
  PID 3200 wrote to memory of 760 | 3200 | chrome.exe | 89
  PID 3200 wrote to memory of 760 | 3200 | chrome.exe | 89
  PID 3200 wrote to memory of 760 | 3200 | chrome.exe | 89
  PID 3200 wrote to memory of 760 | 3200 | chrome.exe | 89
  PID 3200 wrote to memory of 760 | 3200 | chrome.exe | 89
  PID 3200 wrote to memory of 1268 | 3200 | chrome.exe | 90
  PID 3200 wrote to memory of 1268 | 3200 | chrome.exe | 90
  PID 3200 wrote to memory of 4488 | 3200 | chrome.exe | 91
  PID 3200 wrote to memory of 4488 | 3200 | chrome.exe | 91
  PID 3200 wrote to memory of 4488 | 3200 | chrome.exe | 91
  PID 3200 wrote to memory of 4488 | 3200 | chrome.exe | 91
  PID 3200 wrote to memory of 4488 | 3200 | chrome.exe | 91
  PID 3200 wrote to memory of 4488 | 3200 | chrome.exe | 91
  PID 3200 wrote to memory of 4488 | 3200 | chrome.exe | 91
  PID 3200 wrote to memory of 4488 | 3200 | chrome.exe | 91
  PID 3200 wrote to memory of 4488 | 3200 | chrome.exe | 91
  PID 3200 wrote to memory of 4488 | 3200 | chrome.exe | 91
  PID 3200 wrote to memory of 4488 | 3200 | chrome.exe | 91
  PID 3200 wrote to memory of 4488 | 3200 | chrome.exe | 91
  PID 3200 wrote to memory of 4488 | 3200 | chrome.exe | 91
  PID 3200 wrote to memory of 4488 | 3200 | chrome.exe | 91
  PID 3200 wrote to memory of 4488 | 3200 | chrome.exe | 91
  PID 3200 wrote to memory of 4488 | 3200 | chrome.exe | 91
  PID 3200 wrote to memory of 4488 | 3200 | chrome.exe | 91
  PID 3200 wrote to memory of 4488 | 3200 | chrome.exe | 91
  PID 3200 wrote to memory of 4488 | 3200 | chrome.exe | 91
  PID 3200 wrote to memory of 4488 | 3200 | chrome.exe | 91
  PID 3200 wrote to memory of 4488 | 3200 | chrome.exe | 91
  PID 3200 wrote to memory of 4488 | 3200 | chrome.exe | 91
  PID 3200 wrote to memory of 4488 | 3200 | chrome.exe | 91
  PID 3200 wrote to memory of 4488 | 3200 | chrome.exe | 91
  PID 3200 wrote to memory of 4488 | 3200 | chrome.exe | 91
  PID 3200 wrote to memory of 4488 | 3200 | chrome.exe | 91
  PID 3200 wrote to memory of 4488 | 3200 | chrome.exe | 91
  PID 3200 wrote to memory of 4488 | 3200 | chrome.exe | 91
  PID 3200 wrote to memory of 4488 | 3200 | chrome.exe | 91
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID: 1528)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Graphing data.xlsx"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\Google\Chrome\Application\chrome.exe (PID: 3200)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID: 4908)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe80e5ab58,0x7ffe80e5ab68,0x7ffe80e5ab78
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID: 760)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=1880,i,9498292580889633314,11543430941259594936,131072 /prefetch:2
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID: 1268)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=1880,i,9498292580889633314,11543430941259594936,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID: 4488)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2244 --field-trial-handle=1880,i,9498292580889633314,11543430941259594936,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID: 2044)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1880,i,9498292580889633314,11543430941259594936,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID: 2060)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3084 --field-trial-handle=1880,i,9498292580889633314,11543430941259594936,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID: 2600)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4224 --field-trial-handle=1880,i,9498292580889633314,11543430941259594936,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID: 4148)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4600 --field-trial-handle=1880,i,9498292580889633314,11543430941259594936,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID: 2276)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4748 --field-trial-handle=1880,i,9498292580889633314,11543430941259594936,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID: 2204)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4948 --field-trial-handle=1880,i,9498292580889633314,11543430941259594936,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID: 2460)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4208 --field-trial-handle=1880,i,9498292580889633314,11543430941259594936,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID: 1184)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3092 --field-trial-handle=1880,i,9498292580889633314,11543430941259594936,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID: 2164)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4824 --field-trial-handle=1880,i,9498292580889633314,11543430941259594936,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID: 2472)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3380 --field-trial-handle=1880,i,9498292580889633314,11543430941259594936,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID: 3904)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4684 --field-trial-handle=1880,i,9498292580889633314,11543430941259594936,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID: 3244)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4820 --field-trial-handle=1880,i,9498292580889633314,11543430941259594936,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID: 2724)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4816 --field-trial-handle=1880,i,9498292580889633314,11543430941259594936,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID: 4500)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3476 --field-trial-handle=1880,i,9498292580889633314,11543430941259594936,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID: 4372)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4324 --field-trial-handle=1880,i,9498292580889633314,11543430941259594936,131072 /prefetch:8
  - C:\Windows\system32\msdt.exe (PID: 3528)
    Command line: C:\Windows\system32\msdt.exe -modal "66174" -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\Admin\AppData\Local\Temp\NDF74E.tmp" -ep "NetworkDiagnosticsWeb"
    - Suspicious use of FindShellTrayWindow
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID: 6028)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=3600 --field-trial-handle=1880,i,9498292580889633314,11543430941259594936,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID: 5536)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=4464 --field-trial-handle=1880,i,9498292580889633314,11543430941259594936,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID: 5696)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3564 --field-trial-handle=1880,i,9498292580889633314,11543430941259594936,131072 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID: 5976)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=2100 --field-trial-handle=1880,i,9498292580889633314,11543430941259594936,131072 /prefetch:1
- C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe (PID: 2532)
  Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
- C:\Windows\System32\sdiagnhost.exe (PID: 5776)
  Command line: C:\Windows\System32\sdiagnhost.exe -Embedding
  - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\system32\netsh.exe (PID: 5944)
    Command line: "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
  - C:\Windows\system32\netsh.exe (PID: 3992)
    Command line: "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
  - C:\Windows\system32\ipconfig.exe (PID: 5260)
    Command line: "C:\Windows\system32\ipconfig.exe" /all
    - Gathers network information
  - C:\Windows\system32\ROUTE.EXE (PID: 5296)
    Command line: "C:\Windows\system32\ROUTE.EXE" print
  - C:\Windows\system32\makecab.exe (PID: 4424)
    Command line: "C:\Windows\system32\makecab.exe" /f NetworkConfiguration.ddf
- C:\Windows\System32\svchost.exe (PID: 1396)
  Command line: C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS
  - Drops file in System32 directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\svchost.exe (PID: 4728)
  Command line: C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - C:\Windows\System32\rundll32.exe (PID: 4508)
    Command line: "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\winethc.dll",ForceProxyDetectionOnNextRun
- C:\Windows\System32\svchost.exe (PID: 4032)
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
- C:\Windows\System32\svchost.exe (PID: 5160)
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads