74faf334cb0bdd3e9dfab8c323d4eb3b9b089bcaadc7dbd639d9aa93a4f6f829

Analysis

max time kernel
832s
max time network
834s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2024 13:10

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

x360ce.exe
Size

14.7MB
MD5

be80f3348b240bcee1aa96d33fe0e768
SHA1

40ea5de9a7a15f6e0d891cd1ba4bca8519bb85ed
SHA256

74faf334cb0bdd3e9dfab8c323d4eb3b9b089bcaadc7dbd639d9aa93a4f6f829
SHA512

dfb3b191152981f21180e93597c7b1891da6f10b811db2c8db9f45bbecc9feb54bc032bdd648c7ad1134e9b09e5e2b9705d5e21294e1ae328a4390350745536a
SSDEEP

196608:n+/7/fO/vBSVnf+viDyJBwhsCArf+viDyJBQhsCAaIF/f+viDyJBaF9hsCA6EJ0k:nX/vu0Bwhs8vu0BQhsvFOvu0BaF9hsR

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

Processes:

flow	ioc
133	camo.githubusercontent.com
134	camo.githubusercontent.com
135	camo.githubusercontent.com
136	camo.githubusercontent.com
138	raw.githubusercontent.com
118	camo.githubusercontent.com
131	camo.githubusercontent.com
132	camo.githubusercontent.com

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 6 IoCs

Processes:

x360ce.exe

description	ioc	process
File created	C:\Windows\INF\c_volume.PNF	x360ce.exe
File created	C:\Windows\INF\c_monitor.PNF	x360ce.exe
File created	C:\Windows\INF\c_diskdrive.PNF	x360ce.exe
File created	C:\Windows\INF\c_media.PNF	x360ce.exe
File created	C:\Windows\INF\c_display.PNF	x360ce.exe
File created	C:\Windows\INF\c_processor.PNF	x360ce.exe

Loads dropped DLL 1 IoCs

Processes:

x360ce.exe

pid process

3588 x360ce.exe

Checks SCSI registry key(s) 3 TTPs 28 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

x360ce.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	x360ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Mfg	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	x360ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	x360ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	x360ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	x360ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	x360ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	x360ce.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	x360ce.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

Processes:

LogonUI.exechrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "193"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133659554684760267"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

x360ce.exechrome.exe

pid process

3588 x360ce.exe
3588 x360ce.exe
3588 x360ce.exe
3588 x360ce.exe
3588 x360ce.exe
3588 x360ce.exe
3588 x360ce.exe
1520 chrome.exe
1520 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

chrome.exe

pid process

1520 chrome.exe
1520 chrome.exe
1520 chrome.exe
1520 chrome.exe
1520 chrome.exe

pid	process
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe

Suspicious use of AdjustPrivilegeToken 61 IoCs

Processes:

x360ce.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	3588	x360ce.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe
Token: SeShutdownPrivilege	1520	chrome.exe
Token: SeCreatePagefilePrivilege	1520	chrome.exe

Suspicious use of FindShellTrayWindow 30 IoCs

Processes:

x360ce.exechrome.exe

pid	process
3588	x360ce.exe
3588	x360ce.exe
3588	x360ce.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe

Suspicious use of SendNotifyMessage 26 IoCs

Processes:

x360ce.exechrome.exe

pid	process
3588	x360ce.exe
3588	x360ce.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe
1520	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

x360ce.exeLogonUI.exe

pid process

3588 x360ce.exe
2564 LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1520 wrote to memory of 2056	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 2056	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 2176	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 2176	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 2176	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 2176	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 2176	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 2176	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 2176	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 2176	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 2176	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 2176	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 2176	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 2176	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 2176	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 2176	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 2176	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 2176	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 2176	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 2176	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 2176	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 2176	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 2176	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 2176	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 2176	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 2176	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 2176	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 2176	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 2176	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 2176	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 2176	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 2176	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 2096	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 2096	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3768	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3768	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3768	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3768	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3768	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3768	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3768	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3768	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3768	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3768	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3768	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3768	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3768	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3768	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3768	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3768	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3768	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3768	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3768	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3768	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3768	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3768	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3768	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3768	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3768	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3768	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3768	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3768	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3768	1520	chrome.exe	chrome.exe
PID 1520 wrote to memory of 3768	1520	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\x360ce.exe
"C:\Users\Admin\AppData\Local\Temp\x360ce.exe"
1⤵
- Drops file in Windows directory
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fff3115cc40,0x7fff3115cc4c,0x7fff3115cc58
2⤵
PID:2056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1936,i,12049579729139694199,5898346287884739218,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=1932 /prefetch:2
2⤵
PID:2176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2100,i,12049579729139694199,5898346287884739218,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2092 /prefetch:3
2⤵
PID:2096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2316,i,12049579729139694199,5898346287884739218,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2516 /prefetch:8
2⤵
PID:3768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,12049579729139694199,5898346287884739218,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3136 /prefetch:1
2⤵
PID:928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2128,i,12049579729139694199,5898346287884739218,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3288 /prefetch:1
2⤵
PID:2820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4564,i,12049579729139694199,5898346287884739218,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4568 /prefetch:1
2⤵
PID:2688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4796,i,12049579729139694199,5898346287884739218,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4848 /prefetch:8
2⤵
PID:3348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4076,i,12049579729139694199,5898346287884739218,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5016 /prefetch:8
2⤵
PID:2288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5100,i,12049579729139694199,5898346287884739218,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4924 /prefetch:1
2⤵
PID:4836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4052,i,12049579729139694199,5898346287884739218,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3432 /prefetch:1
2⤵
PID:1468

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:3380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:1556

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3936855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2564

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\X360CE\Temp\ViGEmClient.dll.84A31178\ViGEmClient.dll
Filesize
29KB

MD5
a8781afcba77ccb180939fdbd5767168

SHA1
3cb4fe39072f12309910dbe91ce44d16163d64d5

SHA256
02b50cbe797600959f43148991924d93407f04776e879bce7b979f30dd536ba9

SHA512
8184e22bb4adfcb40d0e0108d2b97c834cba8ab1e60fee5fd23332348298a0b971bd1d15991d8d02a1bc1cc504b2d34729ed1b8fea2c6adb57e36c33ac9559e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
Filesize
649B

MD5
c9c27cc21d2abf11beabb26943956c20

SHA1
dbe5434fe10da98572df5a4bdced3c665cfaebb6

SHA256
888e76e334573d2da0152a23255ece74766a413f7f5b41ab8052dfc2084717cc

SHA512
7f269d84db552a3aca1c22317f5246efcdb21d63419033a8220f136dc89c916a66cc70c8dda1ba78a0a9cae1fb8893eab60ee6b2ab6fd4046b003bcbf5f0452a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001
Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
86447dc9a9176a89e7792b86a4c44717

SHA1
3b59dcd1997cf51e6946b14fff8a28a094503d63

SHA256
210b21fd1ff8c7dfb1f649e84e2bf11a4352e21c6dc17e634a774d4c3f8e6ff4

SHA512
666f23554967434b72ad02d2299598525abea000deaa80f5a3c77b805211ae36e38cb39a7f2e573f35912b92970adff5364533a6d5d9dc186e1cee776aba1338

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1
Filesize
264KB

MD5
7a5477d2fc0f9649c44deb42c030035e

SHA1
fedd98668cdafa79681176ae7703a3f23dd003c9

SHA256
d2ff413b96615d7a3a62dccd13e3e116cdeb82885b5021d7c60244521f124f0c

SHA512
ee2108067ca62d9d299fdeaf0e7720d709aa38c69a8b015af8a9a601088bfa23e434f1609a7a6f99ba9ad9361544383acd16757fabf1b94ea292cce981321226

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
4KB

MD5
1e9391dd267d1bea05edf1f9a7ea36ac

SHA1
e9bac3dbe2b5b447d71387607897fcd13508716d

SHA256
12fb1cc6d2f65ebf8ac5e508dfcac1cf2301f3c2a457fccae4030eb423f432e9

SHA512
999e42946f0e8a530c73ede5a40c4e0dc6ae34bc3542cedf8e84f3137719c09d3bf163e90ebee60501c1ee993248ec99aafbaeb200ad0bb4203467e278a0b447

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
8f83edf26bb90d4a074940c3e0cfe048

SHA1
4cf08163de7f71289492db6efe8d80fbdc04436c

SHA256
d32e249b277830329eb0b7d0c0ee94151aa3ef311b7c1fbd0aa777c6a61d42af

SHA512
b0ddb3cc340ee1d376106924aaa2fa6587ae506a60893da0ab1e6ad97bf4125f3c4518623172c2e17745473c9dd4aad481f035c3c13176aef9eb593df463fc6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
354B

MD5
a212ecca8ec104c18245cff87f26ea52

SHA1
6b58457ed9058997d9487e9994d80169a362f7aa

SHA256
45a7c30f3a521def1ee97681a932d3fc7ad84682eddb4fd5ef80accf1ca44ff9

SHA512
72d4efadd327a9491c60dbc87d7714ba802b532b270f4e40a2a5a099d8f58ef0f135709e268c0f0936f91bde57c6d878560f9de30e39d35e209be928fd751f0b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
8596be9cf20b7e96ac0c9e84bdd9c41b

SHA1
d8beb92d029925a5f19576e314f11ad040bf2b1f

SHA256
4afbaacddd9c5c4efe899775133a71a4d292e71ed3d939399c7fecbe7a21ae8c

SHA512
af510df4223cd5fec2bf7fe79e96434fed729bf6ea09fbc857600b7706028133a03b9c4ac4058ea46f30c79dbed52ab9881c393b23c2f0b363482264bb7e136f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
9KB

MD5
03008e3baa595c843884098764b2e74d

SHA1
d2e05262354ce26e9a5ec2bf6ba22be1f02b5dc5

SHA256
00bab1d07c0739abeb363f031e7fa21af51ca0eb9fa396feca5c19d6bc4b0190

SHA512
d15f622027574dbbd9f813c4ccbd1460eb1f275d4f42ad1fcccabe91eb55c11f4b00f86c49aa42d9ac253a8637c86b44b188f373f4303f68e7d53c59b1a1cfdf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
9KB

MD5
b5a996147eb21026aafbdf5f54214268

SHA1
d5b8fe3feb8cdfeb9ab9dc448c3e368e89cd23aa

SHA256
887d3f56404860af7d499156f54d251f153cf3fa6327d216456bcffb678f60b2

SHA512
58a51491a078f8be15eee384f084fbe269934e10c18cd504770eaa666dd32a718992c759d71db01a2a015d4f546d3053b220bc4fc1069218ca234f0fb76f320b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
10KB

MD5
c013852d5a8ce6b0a240ea3417e10593

SHA1
5e8f362cbcc4717e4e1f3d66fa7d023a857e12ff

SHA256
b297253a14ae88750bd4132f7a32d68365dff3e4ab53983ebf363bc1c42cabec

SHA512
960bad8339147e58b07817a56d9f5f97d4be391b0d76900e6a54d25c332bf99d87df0f09fa466fc0035157fa41847ea12972855b7aee0f1c6d81b1c439675cbb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
2655c22c9f0c4552715622f43b80bbe5

SHA1
6d484e267d156026e9c2607f37507f8b6c85aa09

SHA256
4dab9d3622e4425f6430daa578bc517357efe7bb7689eddac882f6da44be727d

SHA512
3caef59c60e0ee1f3ef71e34dd241f93db453a8b00198c55b02591d890030d5acda7cc617865c8e2d27d9ae2e265df167f93c6097769cc01f8c921aa9dcad6d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
185KB

MD5
23b5a753118a6de439298ab6110ffed9

SHA1
f2baafba565d8070f025d40fab3ed9b9b6359e46

SHA256
95a01faf3da6b1e994f6ea4ab6b869ba09228feef0e3b8378be1c82ebb8630fd

SHA512
7762130a08861ee28a354ae16e5a1972ae7b722bed3577b982e64caca5f628bd18b8660eda800e77a463655337f6306866d0a4948780dfb43502db7a68a387c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
185KB

MD5
7495bf7102f561121b9a04430f265f2a

SHA1
ed8675daa90d4f5956fac4fb2c129d9adf501552

SHA256
a492288559461f500a208ec51040abdbf46658602dc55230bd86d9b123e3d95c

SHA512
7de4907b654ce11e6836aa708c7517be16b4db30d313c80bbbaa274097ed03d70ab3eded2468fde0b1edaef4f0b813df3dfc337fe8579ad0b48bace4a0929c74

Download Submit
\??\pipe\crashpad_1520_NLZHXPLJFXLYHRRP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3588-23-0x000001F36EAC0000-0x000001F36EAEC000-memory.dmp

Filesize
176KB

Download
memory/3588-0-0x00007FFF21F33000-0x00007FFF21F35000-memory.dmp

Filesize
8KB

Download
memory/3588-44-0x00007FFF21F30000-0x00007FFF229F1000-memory.dmp

Filesize
10.8MB

Download
memory/3588-45-0x00007FFF21F30000-0x00007FFF229F1000-memory.dmp

Filesize
10.8MB

Download
memory/3588-46-0x00007FFF21F30000-0x00007FFF229F1000-memory.dmp

Filesize
10.8MB

Download
memory/3588-47-0x00007FFF21F30000-0x00007FFF229F1000-memory.dmp

Filesize
10.8MB

Download
memory/3588-61-0x00007FFF21F30000-0x00007FFF229F1000-memory.dmp

Filesize
10.8MB

Download
memory/3588-42-0x00007FFF21F33000-0x00007FFF21F35000-memory.dmp

Filesize
8KB

Download
memory/3588-28-0x00007FFF21F30000-0x00007FFF229F1000-memory.dmp

Filesize
10.8MB

Download
memory/3588-27-0x000001F36EBA0000-0x000001F36EBA8000-memory.dmp

Filesize
32KB

Download
memory/3588-26-0x00007FFF21F30000-0x00007FFF229F1000-memory.dmp

Filesize
10.8MB

Download
memory/3588-25-0x000001F36EB70000-0x000001F36EB92000-memory.dmp

Filesize
136KB

Download
memory/3588-24-0x000001F36EAF0000-0x000001F36EB3A000-memory.dmp

Filesize
296KB

Download
memory/3588-43-0x00007FFF21F30000-0x00007FFF229F1000-memory.dmp

Filesize
10.8MB

Download
memory/3588-22-0x000001F36CBA0000-0x000001F36CBBC000-memory.dmp

Filesize
112KB

Download
memory/3588-12-0x00007FFF21F30000-0x00007FFF229F1000-memory.dmp

Filesize
10.8MB

Download
memory/3588-9-0x000001F36CA80000-0x000001F36CAA0000-memory.dmp

Filesize
128KB

Download
memory/3588-8-0x00007FFF21F30000-0x00007FFF229F1000-memory.dmp

Filesize
10.8MB

Download
memory/3588-6-0x000001F36CCB0000-0x000001F36CCFA000-memory.dmp

Filesize
296KB

Download
memory/3588-4-0x00007FFF21F30000-0x00007FFF229F1000-memory.dmp

Filesize
10.8MB

Download
memory/3588-3-0x000001F36BE60000-0x000001F36C23A000-memory.dmp

Filesize
3.9MB

Download
memory/3588-2-0x000001F36B7B0000-0x000001F36B942000-memory.dmp

Filesize
1.6MB

Download
memory/3588-1-0x000001F350310000-0x000001F3511D2000-memory.dmp

Filesize
14.8MB

Download
memory/3836-472-0x00007FFF3E230000-0x00007FFF3E27E000-memory.dmp

Filesize
312KB

Download
memory/3836-476-0x00007FFF3D9A0000-0x00007FFF3D9EB000-memory.dmp

Filesize
300KB

Download
memory/3836-479-0x00007FFF3D800000-0x00007FFF3D834000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads