2470895443a4678d66bc39158fca6775343b6d1aa6e332bd8229892d1a2bfffd

Reason

Machine shutdown

General

Target

OptiFine_1.20.4_HD_U_I7.jar
Size

6.9MB
MD5

35bb67f2fa6e6e0bcbff13c23724deee
SHA1

f2475e8d5746477d1d2972cd5aae62a5d9c04264
SHA256

2470895443a4678d66bc39158fca6775343b6d1aa6e332bd8229892d1a2bfffd
SHA512

acca2b7348925a378e1d0c85882fd276df834a96fe541d488dce831e2ffa9dbc868aa160b872abb8fe511b4ef6143da33776e5d8bf4599083d1d6b23de765d6c
SSDEEP

98304:ZSJGFWo77Qgj248F11/r1Acy9BuXrluT4PkLBIV7MfzPyAvl0APaoq05:rFWo7Mgj2lvrO19BufPjVcPV2APa9W

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

4368 icacls.exe
Drops file in System32 directory 1 IoCs

Processes:

bootim.exe

description ioc process

File opened for modification C:\Windows\system32\Recovery\ReAgent.xml bootim.exe

pid	process
4368	icacls.exe

description	ioc	process
File opened for modification	C:\Windows\system32\Recovery\ReAgent.xml	bootim.exe

Drops file in Windows directory 4 IoCs

Processes:

bootim.exe

description	ioc	process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	bootim.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	bootim.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	bootim.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	bootim.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

Processes:

chrome.exeLogonUI.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133629798340075752"	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "137"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

chrome.exepowershell.exe

pid process

4888 chrome.exe
4888 chrome.exe
5436 powershell.exe
5436 powershell.exe
5436 powershell.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

bootim.exe

pid process

5220 bootim.exe

pid	process
5220	bootim.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

Processes:

chrome.exe

pid	process
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

java.exeLogonUI.exe

pid process

1596 java.exe
1596 java.exe
5864 LogonUI.exe

pid	process
1596	java.exe
1596	java.exe
5864	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

java.exechrome.exe

description	pid	process	target process
PID 1596 wrote to memory of 4368	1596	java.exe	icacls.exe
PID 1596 wrote to memory of 4368	1596	java.exe	icacls.exe
PID 4888 wrote to memory of 4820	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4820	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4364	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4364	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4364	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4364	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4364	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4364	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4364	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4364	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4364	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4364	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4364	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4364	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4364	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4364	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4364	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4364	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4364	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4364	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4364	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4364	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4364	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4364	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4364	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4364	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4364	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4364	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4364	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4364	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4364	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4364	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4364	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4464	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 4464	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 1472	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 1472	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 1472	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 1472	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 1472	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 1472	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 1472	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 1472	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 1472	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 1472	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 1472	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 1472	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 1472	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 1472	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 1472	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 1472	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 1472	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 1472	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 1472	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 1472	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 1472	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 1472	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 1472	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 1472	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 1472	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 1472	4888	chrome.exe	chrome.exe
PID 4888 wrote to memory of 1472	4888	chrome.exe	chrome.exe

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\OptiFine_1.20.4_HD_U_I7.jar
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
2⤵
- Modifies file permissions
PID:4368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcae15ab58,0x7ffcae15ab68,0x7ffcae15ab78
2⤵
PID:4820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=1824,i,4342118623225170696,11165697258882956445,131072 /prefetch:2
2⤵
PID:4364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 --field-trial-handle=1824,i,4342118623225170696,11165697258882956445,131072 /prefetch:8
2⤵
PID:4464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2288 --field-trial-handle=1824,i,4342118623225170696,11165697258882956445,131072 /prefetch:8
2⤵
PID:1472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3180 --field-trial-handle=1824,i,4342118623225170696,11165697258882956445,131072 /prefetch:1
2⤵
PID:2284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3252 --field-trial-handle=1824,i,4342118623225170696,11165697258882956445,131072 /prefetch:1
2⤵
PID:1792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4368 --field-trial-handle=1824,i,4342118623225170696,11165697258882956445,131072 /prefetch:1
2⤵
PID:1908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4744 --field-trial-handle=1824,i,4342118623225170696,11165697258882956445,131072 /prefetch:8
2⤵
PID:3624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4892 --field-trial-handle=1824,i,4342118623225170696,11165697258882956445,131072 /prefetch:8
2⤵
PID:2204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5088 --field-trial-handle=1824,i,4342118623225170696,11165697258882956445,131072 /prefetch:1
2⤵
PID:5200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5024 --field-trial-handle=1824,i,4342118623225170696,11165697258882956445,131072 /prefetch:1
2⤵
PID:5208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4156 --field-trial-handle=1824,i,4342118623225170696,11165697258882956445,131072 /prefetch:1
2⤵
PID:5216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5148 --field-trial-handle=1824,i,4342118623225170696,11165697258882956445,131072 /prefetch:1
2⤵
PID:5224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3472 --field-trial-handle=1824,i,4342118623225170696,11165697258882956445,131072 /prefetch:1
2⤵
PID:5412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4956 --field-trial-handle=1824,i,4342118623225170696,11165697258882956445,131072 /prefetch:1
2⤵
PID:5484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4608 --field-trial-handle=1824,i,4342118623225170696,11165697258882956445,131072 /prefetch:1
2⤵
PID:5660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=876 --field-trial-handle=1824,i,4342118623225170696,11165697258882956445,131072 /prefetch:1
2⤵
PID:3280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4080,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=3736 /prefetch:8
1⤵
PID:864

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3800

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:560

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5436

C:\Windows\system32\shutdown.exe
"C:\Windows\system32\shutdown.exe" s- t- 10
3⤵
PID:5580

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3968855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5864

C:\Windows\system32\bootim.exe
bootim.exe /startpage:1
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
PID:5220

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize
46B

MD5
df438a46723817bc192149c3fee2178a

SHA1
99bf5e4f8dc17fd2d36c9cf5f4494b46d5e581ee

SHA256
d3120bcde2b08ac1e29e58194de0100f8465a442203b607fb700c88b40cdd9d4

SHA512
10659ae72a91bf8075158e12d21dceecec4923f3c61449adadc4c30d6c21e900450bc7ff332176b6853785e162a21b05bf5fad6efd71322609ea8931957ead62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
117d4a9e6a22f00787a71e0b2bb7c9d6

SHA1
902a3b9384d1b0216af010013de6aafcd27ea924

SHA256
b12088c4b51734feb3f4c4033678d01a0aca777a3cfb35f09a13ef03fb653b85

SHA512
9d6ca8782beef3396b66d6c85dc0e8020d398834775fa7cbbbc49d6467225ecfde007e587ff2caba03af2f49893b55fe29232d9cfe07248ee8d90ab4d61188b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
b84dd3d68043733fdb2d1baa303f8582

SHA1
64a1316fa169b2acc4e99eb042c8eb664ae5e154

SHA256
25bb761dbcc1190d79990bf34ad04ef9171c113b140bd98829368385972bf3aa

SHA512
d9a04d2795c50c8578282bfc369f8d7bd6a15a0fb6956fd60edec3aebdcab401857f3eddcdcdf4cc51702a878700f72d58bdce8a738f603af2ac5b96ac467254

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
255KB

MD5
7ec5b79310cd7a9ede4c7639526a2540

SHA1
a43686de2244fb09b057a5fe1d0ccdaa6ce6f6fa

SHA256
d6e0721e7b14b85102e8ed8b06bbb6adf098cfee4991000c7dafec9d7b5003b3

SHA512
6245f17b536cbb08daa3964c58cb99eadd55c32e4e16665cac462d9daddd9491300a669b936b87ea90c22ea38896640aa7888809c9bee652e895c02d30e2373c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
255KB

MD5
b371175de6b712bb6b7d4e2a570af750

SHA1
67c87fa3b4634fe21ecdbc5e7a4d8fe0d8b14989

SHA256
41ebe93387871be3f54e46c02a00f241c9e74e94543b0432d3f294ee9e92fcfe

SHA512
0c8f1290bce358196eed3915b1a536ffd1d8ee05e3a039778c319534be12e72f4e6621a403ef92990d64f3e56864a083ccce12bf58ab7b854af164595b15528f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_abljpt4m.2wj.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System32\Recovery\ReAgent.xml
Filesize
1KB

MD5
1c3d9dbc3773e76f2507074e03791014

SHA1
89eb66e704e2c16d9130949025bcb4145f0e7c56

SHA256
4c4ef6ea5137f1b668c38506d16ccdc60362c07b8a1732f47cbf6034bbc5e497

SHA512
6e57da2f2d5fe403d6df3305628c8f91825aa3a4f3980aa5ba519618c70016f426c3e66368b80a35810f6e3cb88f299a4e1a4fbc85eb791c54d5740ba2612082

Download Submit
\??\pipe\crashpad_4888_IHDSQATNTZMGPJXS
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1596-81-0x0000028C1CC40000-0x0000028C1CC50000-memory.dmp

Filesize
64KB

Download
memory/1596-68-0x0000028C1C9D0000-0x0000028C1CC40000-memory.dmp

Filesize
2.4MB

Download
memory/1596-2-0x0000028C1C9D0000-0x0000028C1CC40000-memory.dmp

Filesize
2.4MB

Download
memory/1596-25-0x0000028C1CC40000-0x0000028C1CC50000-memory.dmp

Filesize
64KB

Download
memory/1596-18-0x0000028C1C9B0000-0x0000028C1C9B1000-memory.dmp

Filesize
4KB

Download
memory/5436-109-0x000001E1F3360000-0x000001E1F3382000-memory.dmp

Filesize
136KB

Download
memory/5436-114-0x000001E1F3850000-0x000001E1F3894000-memory.dmp

Filesize
272KB

Download
memory/5436-115-0x000001E1F3920000-0x000001E1F3996000-memory.dmp

Filesize
472KB

Download

pid	process
4888	chrome.exe
4888	chrome.exe
5436	powershell.exe
5436	powershell.exe
5436	powershell.exe

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads