5293e722ecf4aa4b69f8b01bb782bf514c623ec63e22949410fcb938a1a3d8b0

Analysis

max time kernel
150s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2024, 07:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Miro - formerly RealtimeBoard.exe
Size

123KB
MD5

5a5423201c13e51b4c7132122ec27795
SHA1

2eef19745b6c275b5b7df18e4ee2567bfe5d53b4
SHA256

23f0b110cc2e04a17773651ade934d2c28d5596f66a285f0a39fd1bf04a46b1e
SHA512

48ddd21aa1cc75795dc429d7562df52d408c724ab33c18ffa8e36b182fd43ed0a69fd6644b3615e679a5b10f077263c2512ac68ca81021d774cfba4f5a4d2230
SSDEEP

768:Bpv7uTAGAb3ERQ5O1+j3plpv3uIClFVl000PGGqPYi7YF5DAMxkEF:BpTiAGzRzgrQ3000PGGqP77YLjxp

Score

5^/10

execution

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	Miro - formerly RealtimeBoard.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2072	powershell.exe
372	powershell.exe
1624	powershell.exe
3920	powershell.exe
4324	powershell.exe
2508	powershell.exe
2552	powershell.exe
5088	powershell.exe
3556	powershell.exe
1616	powershell.exe
624	powershell.exe
3724	powershell.exe
3168	powershell.exe
4844	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Miro.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Miro.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Miro.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Miro.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Miro.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Miro.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Miro.exe

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\miroapp\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Miro.exe\" \"%1\""	Miro.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\miroapp	Miro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\miroapp\URL Protocol	Miro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\miroapp\ = "URL:miroapp"	Miro.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\miroapp\shell\open\command	Miro.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\miroapp\shell	Miro.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\miroapp\shell\open	Miro.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
3920	powershell.exe
3920	powershell.exe
1624	powershell.exe
1624	powershell.exe
2508	powershell.exe
2508	powershell.exe
2552	powershell.exe
2552	powershell.exe
3724	powershell.exe
3724	powershell.exe
624	powershell.exe
624	powershell.exe
3168	powershell.exe
3168	powershell.exe
2552	powershell.exe
3920	powershell.exe
1624	powershell.exe
2508	powershell.exe
3724	powershell.exe
624	powershell.exe
3168	powershell.exe
4324	powershell.exe
4324	powershell.exe
2072	powershell.exe
2072	powershell.exe
372	powershell.exe
372	powershell.exe
2072	powershell.exe
5088	powershell.exe
5088	powershell.exe
4844	powershell.exe
4844	powershell.exe
3556	powershell.exe
3556	powershell.exe
1616	powershell.exe
1616	powershell.exe
372	powershell.exe
4324	powershell.exe
5088	powershell.exe
3556	powershell.exe
4844	powershell.exe
1616	powershell.exe
3724	Miro.exe
3724	Miro.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4112	Miro.exe
Token: SeCreatePagefilePrivilege	4112	Miro.exe
Token: SeDebugPrivilege	3724	powershell.exe
Token: SeDebugPrivilege	3920	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	624	powershell.exe
Token: SeDebugPrivilege	3168	powershell.exe
Token: SeShutdownPrivilege	4112	Miro.exe
Token: SeCreatePagefilePrivilege	4112	Miro.exe
Token: SeShutdownPrivilege	4112	Miro.exe
Token: SeCreatePagefilePrivilege	4112	Miro.exe
Token: SeIncreaseQuotaPrivilege	3724	powershell.exe
Token: SeSecurityPrivilege	3724	powershell.exe
Token: SeTakeOwnershipPrivilege	3724	powershell.exe
Token: SeLoadDriverPrivilege	3724	powershell.exe
Token: SeSystemProfilePrivilege	3724	powershell.exe
Token: SeSystemtimePrivilege	3724	powershell.exe
Token: SeProfSingleProcessPrivilege	3724	powershell.exe
Token: SeIncBasePriorityPrivilege	3724	powershell.exe
Token: SeCreatePagefilePrivilege	3724	powershell.exe
Token: SeBackupPrivilege	3724	powershell.exe
Token: SeRestorePrivilege	3724	powershell.exe
Token: SeShutdownPrivilege	3724	powershell.exe
Token: SeDebugPrivilege	3724	powershell.exe
Token: SeSystemEnvironmentPrivilege	3724	powershell.exe
Token: SeRemoteShutdownPrivilege	3724	powershell.exe
Token: SeUndockPrivilege	3724	powershell.exe
Token: SeManageVolumePrivilege	3724	powershell.exe
Token: 33	3724	powershell.exe
Token: 34	3724	powershell.exe
Token: 35	3724	powershell.exe
Token: 36	3724	powershell.exe
Token: SeIncreaseQuotaPrivilege	2508	powershell.exe
Token: SeSecurityPrivilege	2508	powershell.exe
Token: SeTakeOwnershipPrivilege	2508	powershell.exe
Token: SeLoadDriverPrivilege	2508	powershell.exe
Token: SeSystemProfilePrivilege	2508	powershell.exe
Token: SeSystemtimePrivilege	2508	powershell.exe
Token: SeProfSingleProcessPrivilege	2508	powershell.exe
Token: SeIncBasePriorityPrivilege	2508	powershell.exe
Token: SeCreatePagefilePrivilege	2508	powershell.exe
Token: SeBackupPrivilege	2508	powershell.exe
Token: SeRestorePrivilege	2508	powershell.exe
Token: SeShutdownPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeSystemEnvironmentPrivilege	2508	powershell.exe
Token: SeRemoteShutdownPrivilege	2508	powershell.exe
Token: SeUndockPrivilege	2508	powershell.exe
Token: SeManageVolumePrivilege	2508	powershell.exe
Token: 33	2508	powershell.exe
Token: 34	2508	powershell.exe
Token: 35	2508	powershell.exe
Token: 36	2508	powershell.exe
Token: SeIncreaseQuotaPrivilege	3920	powershell.exe
Token: SeSecurityPrivilege	3920	powershell.exe
Token: SeTakeOwnershipPrivilege	3920	powershell.exe
Token: SeLoadDriverPrivilege	3920	powershell.exe
Token: SeSystemProfilePrivilege	3920	powershell.exe
Token: SeSystemtimePrivilege	3920	powershell.exe
Token: SeProfSingleProcessPrivilege	3920	powershell.exe
Token: SeIncBasePriorityPrivilege	3920	powershell.exe
Token: SeCreatePagefilePrivilege	3920	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 4112	1760	Miro - formerly RealtimeBoard.exe	85
PID 1760 wrote to memory of 4112	1760	Miro - formerly RealtimeBoard.exe	85
PID 4112 wrote to memory of 5088	4112	Miro.exe	86
PID 4112 wrote to memory of 5088	4112	Miro.exe	86
PID 5088 wrote to memory of 3440	5088	cmd.exe	88
PID 5088 wrote to memory of 3440	5088	cmd.exe	88
PID 4112 wrote to memory of 1900	4112	Miro.exe	89
PID 4112 wrote to memory of 1900	4112	Miro.exe	89
PID 4112 wrote to memory of 3208	4112	Miro.exe	90
PID 4112 wrote to memory of 3208	4112	Miro.exe	90
PID 4112 wrote to memory of 3208	4112	Miro.exe	90
PID 4112 wrote to memory of 3208	4112	Miro.exe	90
PID 4112 wrote to memory of 3208	4112	Miro.exe	90
PID 4112 wrote to memory of 3208	4112	Miro.exe	90
PID 4112 wrote to memory of 3208	4112	Miro.exe	90
PID 4112 wrote to memory of 3208	4112	Miro.exe	90
PID 4112 wrote to memory of 3208	4112	Miro.exe	90
PID 4112 wrote to memory of 3208	4112	Miro.exe	90
PID 4112 wrote to memory of 3208	4112	Miro.exe	90
PID 4112 wrote to memory of 3208	4112	Miro.exe	90
PID 4112 wrote to memory of 3208	4112	Miro.exe	90
PID 4112 wrote to memory of 3208	4112	Miro.exe	90
PID 4112 wrote to memory of 3208	4112	Miro.exe	90
PID 4112 wrote to memory of 3208	4112	Miro.exe	90
PID 4112 wrote to memory of 3208	4112	Miro.exe	90
PID 4112 wrote to memory of 3208	4112	Miro.exe	90
PID 4112 wrote to memory of 3208	4112	Miro.exe	90
PID 4112 wrote to memory of 3208	4112	Miro.exe	90
PID 4112 wrote to memory of 3208	4112	Miro.exe	90
PID 4112 wrote to memory of 3208	4112	Miro.exe	90
PID 4112 wrote to memory of 3208	4112	Miro.exe	90
PID 4112 wrote to memory of 3208	4112	Miro.exe	90
PID 4112 wrote to memory of 3208	4112	Miro.exe	90
PID 4112 wrote to memory of 3208	4112	Miro.exe	90
PID 4112 wrote to memory of 3208	4112	Miro.exe	90
PID 4112 wrote to memory of 3208	4112	Miro.exe	90
PID 4112 wrote to memory of 3208	4112	Miro.exe	90
PID 4112 wrote to memory of 3208	4112	Miro.exe	90
PID 4112 wrote to memory of 448	4112	Miro.exe	91
PID 4112 wrote to memory of 448	4112	Miro.exe	91
PID 4112 wrote to memory of 3168	4112	Miro.exe	92
PID 4112 wrote to memory of 3168	4112	Miro.exe	92
PID 4112 wrote to memory of 2552	4112	Miro.exe	93
PID 4112 wrote to memory of 2552	4112	Miro.exe	93
PID 4112 wrote to memory of 3724	4112	Miro.exe	94
PID 4112 wrote to memory of 3724	4112	Miro.exe	94
PID 4112 wrote to memory of 3920	4112	Miro.exe	95
PID 4112 wrote to memory of 3920	4112	Miro.exe	95
PID 4112 wrote to memory of 624	4112	Miro.exe	96
PID 4112 wrote to memory of 624	4112	Miro.exe	96
PID 4112 wrote to memory of 2508	4112	Miro.exe	97
PID 4112 wrote to memory of 2508	4112	Miro.exe	97
PID 4112 wrote to memory of 1624	4112	Miro.exe	98
PID 4112 wrote to memory of 1624	4112	Miro.exe	98
PID 4112 wrote to memory of 4128	4112	Miro.exe	108
PID 4112 wrote to memory of 4128	4112	Miro.exe	108
PID 4112 wrote to memory of 4324	4112	Miro.exe	109
PID 4112 wrote to memory of 4324	4112	Miro.exe	109
PID 4112 wrote to memory of 2072	4112	Miro.exe	110
PID 4112 wrote to memory of 2072	4112	Miro.exe	110
PID 4112 wrote to memory of 5088	4112	Miro.exe	111
PID 4112 wrote to memory of 5088	4112	Miro.exe	111
PID 4112 wrote to memory of 372	4112	Miro.exe	112
PID 4112 wrote to memory of 372	4112	Miro.exe	112

C:\Users\Admin\AppData\Local\Temp\Miro - formerly RealtimeBoard.exe
"C:\Users\Admin\AppData\Local\Temp\Miro - formerly RealtimeBoard.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Users\Admin\AppData\Local\Temp\Miro.exe
  "C:\Users\Admin\AppData\Local\Temp\Miro.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5088
  - - C:\Windows\system32\chcp.com
      chcp
      4⤵
      PID:3440
- - C:\Users\Admin\AppData\Local\Temp\Miro.exe
    C:\Users\Admin\AppData\Local\Temp\Miro.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\RealtimeBoard /prefetch:4 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\RealtimeBoard\Crashpad --url=https://f.a.k/e --annotation=_productName=RealtimeBoard --annotation=_version=0.8.68 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=30.0.2 --initial-client-data=0x520,0x524,0x528,0x514,0x52c,0x7ff65a790e58,0x7ff65a790e64,0x7ff65a790e70
    3⤵
    PID:1900
- - C:\Users\Admin\AppData\Local\Temp\Miro.exe
    "C:\Users\Admin\AppData\Local\Temp\Miro.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\RealtimeBoard" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1852,i,7146595846236095791,14268888686888896841,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1844 /prefetch:2
    3⤵
    PID:3208
- - C:\Users\Admin\AppData\Local\Temp\Miro.exe
    "C:\Users\Admin\AppData\Local\Temp\Miro.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\RealtimeBoard" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --field-trial-handle=2164,i,7146595846236095791,14268888686888896841,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2160 /prefetch:3
    3⤵
    PID:448
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3168
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2552
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3724
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3920
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:624
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1624
- - C:\Users\Admin\AppData\Local\Temp\Miro.exe
    "C:\Users\Admin\AppData\Local\Temp\Miro.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\RealtimeBoard" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --touch-events=enabled --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --field-trial-handle=3036,i,7146595846236095791,14268888686888896841,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3032 /prefetch:1
    3⤵
    PID:4128
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4324
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2072
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5088
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:372
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4844
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3556
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1616
- - C:\Users\Admin\AppData\Local\Temp\Miro.exe
    "C:\Users\Admin\AppData\Local\Temp\Miro.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\RealtimeBoard" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --enable-blink-features --disable-blink-features --touch-events=enabled --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3468,i,7146595846236095791,14268888686888896841,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3576 /prefetch:1
    3⤵
    PID:4000
- - C:\Users\Admin\AppData\Local\Temp\Miro.exe
    "C:\Users\Admin\AppData\Local\Temp\Miro.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\RealtimeBoard" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --enable-blink-features --disable-blink-features --touch-events=enabled --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3556,i,7146595846236095791,14268888686888896841,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3440 /prefetch:1
    3⤵
    PID:4432
- - C:\Users\Admin\AppData\Local\Temp\Miro.exe
    "C:\Users\Admin\AppData\Local\Temp\Miro.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\RealtimeBoard" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --enable-blink-features --disable-blink-features --touch-events=enabled --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3432,i,7146595846236095791,14268888686888896841,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3428 /prefetch:1
    3⤵
    PID:3680
- - C:\Users\Admin\AppData\Local\Temp\Miro.exe
    "C:\Users\Admin\AppData\Local\Temp\Miro.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\RealtimeBoard" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --enable-blink-features --disable-blink-features --touch-events=enabled --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3520,i,7146595846236095791,14268888686888896841,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3540 /prefetch:1
    3⤵
    PID:1584
- - C:\Users\Admin\AppData\Local\Temp\Miro.exe
    "C:\Users\Admin\AppData\Local\Temp\Miro.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\RealtimeBoard" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2264,i,7146595846236095791,14268888686888896841,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1800 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
7a1e03fe1039bf494d77070f2c583626

SHA1
bb6b31d644873fea13cb3c37e6225670b5682c8b

SHA256
53bb6e31c2534c61d2bb23c0ef4d9550c1b9361610bd01ef1816a97297147ed2

SHA512
e45c36ab8a4ba0c84783b2ddb2c26a9ab66cd5d26f1f0999b1288656288b1f8f33922a92c05641e6dfad03fac708525a1a37815d8ce1088ed0c72217e2f82827

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
2f87410b0d834a14ceff69e18946d066

SHA1
f2ec80550202d493db61806693439a57b76634f3

SHA256
5422bc17b852ad463110de0db9b59ffa4219e065d3e2843618d6ebbd14273c65

SHA512
a313702f22450ceff0a1d7f890b0c16cf667dbcd668dbafa6dbecd0791236c0bc68e834d12113cc75352365c2a2b6cfcf30b6ef7c97ea53ed135da50de389db4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
28c65370f12e84b734af87ad491ea257

SHA1
402d3a8203115f1365d48fa72daf0a56e14d8a08

SHA256
4ea873fb3d77a2f8eefae82c943f621f16723516e181bde133568f8f0c91290c

SHA512
56eb34162b0a39da4aaf66aad35ef355a7709982b5060792e3b4849c36650725176e927815537ec58e7ddf0fb1763066b203d6b7f9d1b3dd2c8bc091c0c850cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
d588e5f3965636eaaacc2287a1eb6669

SHA1
0dd6ad63026d7a2a5a9295a833de3c36f59ccbfe

SHA256
6c30c202a24f6dd15ccf4e90edae22d760733dd23b6e32c6a70eac95520c3997

SHA512
f864dbcc191a023a3363ba19aa3f68ef73367274be77d122881889404cd02746aebb143312c338dbd793dd50fad6f212e39bb4cf963934ca9b078ac6db024adb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
8c946d634ece7ac33cd29166d5aae9b1

SHA1
6ca896e5bf0e5c4cd372985108de9be0310c83f8

SHA256
de062f309da0f1bed1727e0cc453a470d79153dd25270e35e705ae0105dcb0f2

SHA512
c2b88b264faa71696da1e659debdd2dca941d8a477ce6b539a86a7ed5d7db2ace96b61cefb1eade915203ce8998cce029e6faba20ec8a896642b5da16132e1f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
7b28da6977de62ea014ffd51b7c65c8f

SHA1
66fec0ec0d082a20b12012e6ba2a6bbd609f78c2

SHA256
94f54bd15eff6ce4f1d62f14469f9a8e59593b119f23adf8f173fbe9e7404e96

SHA512
b01e2f39799727945701f1bf2b4c8bd76cee07ab8f28d23de7933d0e722841ae650b323407f75f9c0952c4f278aeb24049992d6235b3b68ecef0d364ccba3809

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
cc1fa9053852ee9af23f083c748d8c6b

SHA1
697f73f247a42e63203940f1a5653dc0c0675035

SHA256
8349649427b9355c8ae8acd7bdd0b544d0dfcd356d22de570af378cd5e2a10c2

SHA512
73893a008c7f472eea32a4a65d696542d8c64fef2dba765f0d08892fa4b9211513516ee9e8a04fbc0a15fe52755a7090352b5eab905a0890a1c4f61c72c8d5e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
bf897e06dd22c47d00261831a7953065

SHA1
b4218690e3eb9b325639c5a8e1bb5a636bb7514e

SHA256
3520f3ade64d43826ce0151beb82d4bd0b902bef031833e889eda9b688b4d6ff

SHA512
3962999ad1c0b6bc9243b2863763e73c395a2995d9f0dc7c3324d03ab5e5ed7426e66a2aa1aaf25c5589ae545013176fba31995a6cdd75271bdd48410c2e585a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
bca196b3dbfa32e6bb591fe5ef0649c8

SHA1
5a76776baedfc2f3a4455ffdd61c4fbca2392fdd

SHA256
a504b094d75785f39acc51c292bf0c9578b31780abdab168ed29b06589c52741

SHA512
3a2a23f7d8b45a711964638bd82a8f6dd0f8324d7b02fc3c3a736c28188c49f74e17ffb419be14f0cf2af2505828f22518817793e9f34b3c8e1c4636c067b692

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iovxnuhp.1cz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\RealtimeBoard\1469796b-daa9-496c-bb6e-9c09875be1e8.tmp

Filesize
57B

MD5
58127c59cb9e1da127904c341d15372b

SHA1
62445484661d8036ce9788baeaba31d204e9a5fc

SHA256
be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

SHA512
8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

Download Submit
C:\Users\Admin\AppData\Roaming\RealtimeBoard\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
599934821c25b3e4d22a14c060fae359

SHA1
89872e94c769f08ca454c1369e123bae240ef3b2

SHA256
221b3bd3585e30db09af599ad0e39a9a24dda56d821eb32b99a6bb7c65dc59f3

SHA512
84064599daa8d5392177a73b8e3fc82cc1291cc5be3733b8de3a6b618a91e2512f93269df8b1c8fa274c1a4102ec0e1a4c13d746af791231eab8bf1811bfdd1e

Download Submit
C:\Users\Admin\AppData\Roaming\RealtimeBoard\Code Cache\js\index-dir\the-real-index~RFe58adfe.TMP

Filesize
48B

MD5
698b95df628a6055b7c4ddc8f79f527e

SHA1
1cc55f017103999b24cae774c3d0162405a72740

SHA256
f32427541106ecc8e90ba5f1e73f57ec943d9a7fd3931caea9f842e3d17e4144

SHA512
7b1b05e74fbf91982364c6740da006bca87fc8bb623306b58ff79fc86839d7d9e4fe2bac94d53e2af1e346b6e6108a1d24ece7dbaa5b84546344e27b5048ec6c

Download Submit
C:\Users\Admin\AppData\Roaming\RealtimeBoard\Network\019b8753-c8a1-4e47-ab3f-7018433ef3a6.tmp

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\RealtimeBoard\Network\Network Persistent State

Filesize
1KB

MD5
6aba3b8fd55a90f8b3a3ca457df9f2e7

SHA1
e125aa05ed5ca46f42f2a60c758b94c2fdc01528

SHA256
ee8c1813e68ec684d4b64632fb57ed8e93ba5639a8183b9269250f3aaa00c648

SHA512
9b903f4452aedaea37d5f4ab7c667b2286b0a7fa2e9d678c1bb4b2bf08e12511445aa38998173562790e253efa1349177e9e631be37f80a2ad7be25f6c4ce105

Download Submit
C:\Users\Admin\AppData\Roaming\RealtimeBoard\Network\TransportSecurity

Filesize
690B

MD5
48a7475f3b37983b97ce51e96c085b13

SHA1
a3aad963c0270c5f2bde3ded33d754e671bfd83f

SHA256
a185d5490b6764e874b6eaee6cf6dbd5d580e0224f4550c69c619574e5bd497d

SHA512
a764081a6848c036919c09cc7005f140dfb423c7e98c32e2ca701a76654bbd65d1e4cd9a0be61b7a594163c089852b05527a8e9d16569a8865eb018459820c43

Download Submit
C:\Users\Admin\AppData\Roaming\RealtimeBoard\Network\TransportSecurity

Filesize
1KB

MD5
a1c9b3520c76b2c501b20b2dcff4065e

SHA1
e898f4e5b106c8f4b260c1cc6e127acfcb53ff55

SHA256
e4a94a8ecdc4cc69d44be0f8660b28084ae6458f539a42f7d8aa08c739a95388

SHA512
97863d4c7e32f9f93fd01cbc5e173c0b172353253de31cda9788d85087ff8fb2e29cc556b2a5e7a9351b2d496fb382c2b3de8c76c9964851b069d51d49612a77

Download Submit
C:\Users\Admin\AppData\Roaming\RealtimeBoard\Network\TransportSecurity

Filesize
1KB

MD5
a537dc7e7e269daed0679cf4f57c5398

SHA1
d0a4a030a6e8ed3dab07a667998bbac43242d57a

SHA256
d28920d261b7fc45745e0c667fa56f42433d24fb1c5e3eea98fab9c365234869

SHA512
e6fc8b593b8c3965e1c4c447255fc64524f16ab6b5c31f35602f5b7054e5e27fd0cd0439f85dd79f42235a2713ff2e0ccdccb77bf6dcc5058c857ff682e2af71

Download Submit
C:\Users\Admin\AppData\Roaming\RealtimeBoard\Network\TransportSecurity

Filesize
1024B

MD5
2effe443f78050dc51cdd273690ff0cd

SHA1
aa5890a5dfb283eaec0798da03a0a52be2681e35

SHA256
8caf824823d22ff8979083bc522221a9f932cac8ccdcb745ae19a5a501f518bd

SHA512
7435fc3db162fdc5f052f90806bdb4c05a26d7df1206ece3e8566be099841b192ebd72aa7830229a5265f2d982be8a16044234183f22bf256ac0b373ec6c484e

Download Submit
C:\Users\Admin\AppData\Roaming\RealtimeBoard\Network\TransportSecurity~RFe584c17.TMP

Filesize
355B

MD5
9c72753af2add2020994f870ccfc40c8

SHA1
0c94f9914832ad834e7a7e0058a734b535a4748b

SHA256
ce0ad6b969ae42e52d32360c2b2697692c750d0ae67b7e21f4f1520ce42514d4

SHA512
b763ee66b3a4b5f51145332cd10a9ec62182074e97917b2f13a942365887405f054c38cd1c455ebbb87f0fdb70fc2cc2771dc132a46d8a9841571651a0b97c10

Download Submit
C:\Users\Admin\AppData\Roaming\RealtimeBoard\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\RealtimeBoard\settings.json

Filesize
201B

MD5
dd8d798e719a89d60f6cab00bba8e394

SHA1
a1570b02c3205d2ea80853d0d2c19aa38e152881

SHA256
aa1dbee7ceefbf25248befe3e40bef9ddbac4320b7a2082f55176bd9812ee8ba

SHA512
77ada68d0b316e7794931c55dcb3f4207e1566fdcfc59602a9dcd8b8fc3bde8e5085c39505b0d85b91a5ad993f4da300cb7373c3123540e520ce64a9357a068d

Download Submit
C:\Users\Admin\AppData\Roaming\RealtimeBoard\settings.json

Filesize
283B

MD5
3bb82f62f2ae2eccdc8db2a026c63d28

SHA1
34fb0617a3e76f93fe89aab702ea14b048ecea6e

SHA256
80e7283b4901ceede0b47b71b2f0b750ed84b1aebcd9ef8b9d5b352b1088e38c

SHA512
ea0edd5074952ff824e10d62f4592409637b3bf79bcf0e42d81cf0cba1fdbfb78e5899c24fe225cb2205af67aaea2801100772125ef9d81954705c205e951b24

Download Submit
C:\Users\Admin\AppData\Roaming\RealtimeBoard\settings.json

Filesize
182B

MD5
2a8138d260045691ba83da50e4bedb92

SHA1
e0fcd9e202cccc75a8ad30423909bd71af590052

SHA256
3b39e0204da4d06775de04046416c11d381275b5e29712e5e753af943906bbf3

SHA512
d48813886a2c10b4585509c0da24f8f9ad41aa53b0b9bb7132b86ed0526eb2cc3b1cb16e53a7535a34e926ac52e0afc63844a1267fa2ac2c403e3295d932abd6

Download Submit
C:\Users\Admin\AppData\Roaming\RealtimeBoard\settings.json

Filesize
139B

MD5
e7b2933fbfb7f6e4e6114c025500fcee

SHA1
c3c7e3f37b5ef4dc933199c6e660081bee98c2c7

SHA256
bef7467620457cf0aff69b43b97f19ce40a7c104994b874c66bc1195454924ba

SHA512
72061b135929a9fce7437d671e5ea5ac588afe40a3425713ab92a74c2c0d162a5ba5afbeb4614f14e3e7dca31d62f5fdd9aea3e8015eb7c3b6ae909f82d169f7

Download Submit
C:\Users\Admin\AppData\Roaming\RealtimeBoard\settings.json.tmp-163400267313f868

Filesize
221B

MD5
d06446b006cd179794cc818f99268e47

SHA1
64e33416d072eb99f03ac6c8dcfa7d0d2e3a2a55

SHA256
2ce0addd87b732fec8df0982ad05c61b103826065cb33bac52a346a76361c295

SHA512
a47256fb09fb41c93d025ad16c7167a548af11bb73cab274fa20c8f07c905cfa538c928bad244d2670de9c801026470a7e09c5726213e2150fe9828059f8c214

Download Submit
memory/1760-0-0x0000000074EAE000-0x0000000074EAF000-memory.dmp

Filesize
4KB

Download
memory/1760-1-0x0000000000CA0000-0x0000000000CC2000-memory.dmp

Filesize
136KB

Download
memory/2508-115-0x000001B2F9E00000-0x000001B2F9E76000-memory.dmp

Filesize
472KB

Download
memory/2508-121-0x000001B2F9DB0000-0x000001B2F9DDA000-memory.dmp

Filesize
168KB

Download
memory/2508-114-0x000001B2F9D30000-0x000001B2F9D74000-memory.dmp

Filesize
272KB

Download
memory/2508-122-0x000001B2F9DB0000-0x000001B2F9DD4000-memory.dmp

Filesize
144KB

Download
memory/3724-498-0x000001BCF33E0000-0x000001BCF33E1000-memory.dmp

Filesize
4KB

Download
memory/3724-491-0x000001BCF33E0000-0x000001BCF33E1000-memory.dmp

Filesize
4KB

Download
memory/3724-490-0x000001BCF33E0000-0x000001BCF33E1000-memory.dmp

Filesize
4KB

Download
memory/3724-496-0x000001BCF33E0000-0x000001BCF33E1000-memory.dmp

Filesize
4KB

Download
memory/3724-502-0x000001BCF33E0000-0x000001BCF33E1000-memory.dmp

Filesize
4KB

Download
memory/3724-501-0x000001BCF33E0000-0x000001BCF33E1000-memory.dmp

Filesize
4KB

Download
memory/3724-500-0x000001BCF33E0000-0x000001BCF33E1000-memory.dmp

Filesize
4KB

Download
memory/3724-497-0x000001BCF33E0000-0x000001BCF33E1000-memory.dmp

Filesize
4KB

Download
memory/3724-499-0x000001BCF33E0000-0x000001BCF33E1000-memory.dmp

Filesize
4KB

Download
memory/3724-492-0x000001BCF33E0000-0x000001BCF33E1000-memory.dmp

Filesize
4KB

Download
memory/3920-59-0x00000205D3030000-0x00000205D3052000-memory.dmp

Filesize
136KB

Download