Analysis

max time kernel: 157s
max time network: 163s
platform: windows10-1703_x64
resource: win10-20240611-en
resource tags: arch:x64, arch:x86, image:win10-20240611-en, locale:en-us, os:windows10-1703-x64, system
submitted: 07-08-2024 17:55

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://westechsolutions.net/sites/WindowedBorderlessGaming/download&token=b978821a&token=b98c8073
Resource: win10-20240611-en

General

Target: http://westechsolutions.net/sites/WindowedBorderlessGaming/download&token=b978821a&token=b98c8073
Malware Config
Signatures
System Location Discovery: System Language Discovery (1 TTP, 10 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: cmd.exe, schtasks.exe, schtasks.exe, schtasks.exe, WindowedBorderlessGaming.exe, schtasks.exe, cmd.exe, cmd.exe, cmd.exe, WindowedBorderlessGaming.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WindowedBorderlessGaming.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WindowedBorderlessGaming.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: chrome.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies data under HKEY_USERS (17 IoCs)
Processes: LogonUI.exe, chrome.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133675269915508094" | chrome.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" | LogonUI.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
Modifies registry class (1 IoC)
Processes: chrome.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings | chrome.exe
Opens file in notepad (likely ransom note) (1 IoC)
Processes: NOTEPAD.EXE
pid | process
1448 | NOTEPAD.EXE
Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (38 IoCs)
Processes: chrome.exe, WindowedBorderlessGaming.exe
pid | process
904 | chrome.exe
4716 | WindowedBorderlessGaming.exe
(38 hits in total; the report lists one row per hit: 4 from PID 904 and 34 from PID 4716)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: WindowedBorderlessGaming.exe
pid | process
5064 | WindowedBorderlessGaming.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
Processes: chrome.exe
pid | process
904 | chrome.exe
(10 hits in total, all from PID 904)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: chrome.exe
description | pid | process
Token: SeShutdownPrivilege | 904 | chrome.exe
Token: SeCreatePagefilePrivilege | 904 | chrome.exe
(64 hits in total, alternating between the two rows above, i.e. 32 of each)
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes: chrome.exe, WindowedBorderlessGaming.exe
pid | process
904 | chrome.exe
4716 | WindowedBorderlessGaming.exe
(64 hits in total, split between PID 904 and PID 4716; the report lists one row per hit)
Suspicious use of SendNotifyMessage (64 IoCs)
Processes: chrome.exe, WindowedBorderlessGaming.exe
pid | process
904 | chrome.exe
4716 | WindowedBorderlessGaming.exe
(64 hits in total, split between PID 904 and PID 4716; the report lists one row per hit)
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes: WindowedBorderlessGaming.exe, WindowedBorderlessGaming.exe, LogonUI.exe
pid | process
4716 | WindowedBorderlessGaming.exe
5064 | WindowedBorderlessGaming.exe
2420 | LogonUI.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: chrome.exe
description | pid | process | target process
PID 904 wrote to memory of 1384 | 904 | chrome.exe | chrome.exe
PID 904 wrote to memory of 3512 | 904 | chrome.exe | chrome.exe
PID 904 wrote to memory of 3272 | 904 | chrome.exe | chrome.exe
PID 904 wrote to memory of 2416 | 904 | chrome.exe | chrome.exe
(64 hits in total; the report lists one row per write, with targets 1384 and 3272 appearing twice each and targets 3512 and 2416 accounting for the rest)
Processes
(child processes are indented under their parent)

C:\Program Files\Google\Chrome\Application\chrome.exe (PID 904)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://westechsolutions.net/sites/WindowedBorderlessGaming/download&token=b978821a&token=b98c8073
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1384)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffb93079758,0x7ffb93079768,0x7ffb93079778

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3512)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1632 --field-trial-handle=1764,i,9416601320354870005,3275348777168094807,131072 /prefetch:2

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3272)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1936 --field-trial-handle=1764,i,9416601320354870005,3275348777168094807,131072 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2416)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2052 --field-trial-handle=1764,i,9416601320354870005,3275348777168094807,131072 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 980)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2712 --field-trial-handle=1764,i,9416601320354870005,3275348777168094807,131072 /prefetch:1

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4836)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2720 --field-trial-handle=1764,i,9416601320354870005,3275348777168094807,131072 /prefetch:1

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4720)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3748 --field-trial-handle=1764,i,9416601320354870005,3275348777168094807,131072 /prefetch:1

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4368)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4796 --field-trial-handle=1764,i,9416601320354870005,3275348777168094807,131072 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3284)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4528 --field-trial-handle=1764,i,9416601320354870005,3275348777168094807,131072 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4864)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 --field-trial-handle=1764,i,9416601320354870005,3275348777168094807,131072 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2940)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5288 --field-trial-handle=1764,i,9416601320354870005,3275348777168094807,131072 /prefetch:1

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3920)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4972 --field-trial-handle=1764,i,9416601320354870005,3275348777168094807,131072 /prefetch:1

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1920)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3084 --field-trial-handle=1764,i,9416601320354870005,3275348777168094807,131072 /prefetch:1

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4848)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6080 --field-trial-handle=1764,i,9416601320354870005,3275348777168094807,131072 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 220)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5804 --field-trial-handle=1764,i,9416601320354870005,3275348777168094807,131072 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3140)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5460 --field-trial-handle=1764,i,9416601320354870005,3275348777168094807,131072 /prefetch:1

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4312)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5840 --field-trial-handle=1764,i,9416601320354870005,3275348777168094807,131072 /prefetch:1

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3800)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6052 --field-trial-handle=1764,i,9416601320354870005,3275348777168094807,131072 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4548)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5196 --field-trial-handle=1764,i,9416601320354870005,3275348777168094807,131072 /prefetch:1

  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4412)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5264 --field-trial-handle=1764,i,9416601320354870005,3275348777168094807,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (PID 3808)
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Windows\System32\rundll32.exe (PID 3904)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\Temp1_WindowedBorderlessGaming_2.1.0.1.zip\WindowedBorderlessGaming.exe (PID 4716)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Temp1_WindowedBorderlessGaming_2.1.0.1.zip\WindowedBorderlessGaming.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\cmd.exe (PID 4660)
    Command line: C:\Windows\system32\cmd.exe /c Schtasks /Query /fo list
    - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\schtasks.exe (PID 3260)
      Command line: Schtasks /Query /fo list
      - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe (PID 3120)
    Command line: C:\Windows\system32\cmd.exe /c Schtasks /Query /fo list
    - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\schtasks.exe (PID 3888)
      Command line: Schtasks /Query /fo list
      - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe (PID 4544)
    Command line: C:\Windows\system32\cmd.exe "/c" "schtasks" "/create" "/tn" "WindowedBorderlessGaming-Admin" "/tr" "C:\Users\Admin\AppData\Local\Temp\TEMP1_~1.ZIP\WINDOW~1.EXE" "/sc" "ONLOGON" "/ru" "Admin" "/it" "/rl" "HIGHEST"
    - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\schtasks.exe (PID 828)
      Command line: "schtasks" "/create" "/tn" "WindowedBorderlessGaming-Admin" "/tr" "C:\Users\Admin\AppData\Local\Temp\TEMP1_~1.ZIP\WINDOW~1.EXE" "/sc" "ONLOGON" "/ru" "Admin" "/it" "/rl" "HIGHEST
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task

  C:\Windows\SysWOW64\cmd.exe (PID 3524)
    Command line: C:\Windows\system32\cmd.exe /c Schtasks /Query /fo list
    - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\schtasks.exe (PID 236)
      Command line: Schtasks /Query /fo list
      - System Location Discovery: System Language Discovery

  C:\Users\Admin\AppData\Local\Temp\Temp1_WindowedBorderlessGaming_2.1.0.1.zip\WindowedBorderlessGaming.exe (PID 5064)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Temp1_WindowedBorderlessGaming_2.1.0.1.zip\WindowedBorderlessGaming.exe" "-GameSettings"
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx

C:\Windows\system32\NOTEPAD.EXE (PID 1448)
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_WindowedBorderlessGaming_2.1.0.1.zip\ReadMe.txt
  - Opens file in notepad (likely ransom note)

C:\Windows\system32\LogonUI.exe (PID 2420)
  Command line: "LogonUI.exe" /flags:0x0 /state0:0xa3ae9055 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 210KB
MD5: 48d2860dd3168b6f06a4f27c6791bcaa
SHA1: f5f803efed91cd45a36c3d6acdffaaf0e863bf8c
SHA256: 04d7bf7a6586ef00516bdb3f7b96c65e0b9c6b940f4b145121ed00f6116bbb77
SHA512: 172da615b5b97a0c17f80ddd8d7406e278cd26afd1eb45a052cde0cb55b92febe49773b1e02cf9e9adca2f34abbaa6d7b83eaad4e08c828ef4bf26f23b95584e

Filesize: 240B
MD5: a450bcd1b4891024b1ac559d9cdc2ae0
SHA1: fc1c9213af42251aaaf9a75c910e1e202786aba0
SHA256: 0759615b76aa0908999e37ce97b40964b45832176d182036004cc64116e349fb
SHA512: 557324e2f6bb0b98061159473e0e06b14ab983b985ad90b1afaf9d8b01d182fe2cc6259f47054d64caf8c0e29d4481eddf2e56bf3dc8cf4eb50b0bca8faa59ef

Filesize: 873B
MD5: 63ffd7b143a66e2632332e8b914249e7
SHA1: a5056c31a4452785fdbcafd1d34df68d56a91c40
SHA256: d7065e175cad5d0c03f34ca3f4ac3822362f87e95f52a748ec9198ab8cb5bb61
SHA512: 936df799faf13f7621c052f44569ba480588e46c71be4f639bebd89da29afc602e756c526eeebe05cd27fdfa685e65f0a9d2765d9a6e8597f9ef7459b195a583

Filesize: 873B
MD5: 2c0c3844902212f266e37af5aaedb8fe
SHA1: cead3540d46ab0d9a2ca14bf8a4bb8ad44d4bb34
SHA256: c4b8231119a97fa15f7d2a1070f3ee92bf0275f849ec0a952ce47ee9bc77d283
SHA512: 83dc58185090f825fffb2e793ba25d78cd747167515ac86a4081f9fc6596c0680951425dbe7769c946dddf2018adf7dcd3734ab922f102c05d58094fa038b753

Filesize: 369B
MD5: 9a1f039cf0ee14619c460e3681c6ddf0
SHA1: 5fff0209e9d0b4ca68044f9f633ca10ff3a18b53
SHA256: e381e6d1488bfb7cc58cee9880da590c36af1a2e531411af7bb4c8f1a6986e75
SHA512: ed8a667b819a45f76f820c572761b7cd55c5d5a51cee853c9a460d36be5be78c09c7b5b9eebc3324f79d2341ed653dad1e87affe0f378c260b96ad0b9a03e34d

Filesize: 371B
MD5: 4aa19be5a37d38cf9a471ac0c89db1f1
SHA1: f3aee82a9d8f6799f7e7bef628fd5ecc9b7cc489
SHA256: b7a20eb916a0d0c6102633e2019b2843e9f2bec04dd0c3e759f71a0368d0fb62
SHA512: 309b2c95d8d80b3ff6e03cc384af7d17f928732a085be957f37b099be09e7bd66c439cb3125eadcdfd760558ee049d173962491e9d4dab8bdc9e9e15974eb35f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\f1e40179-ebf5-4ff7-9adf-6f72f9e4dac9.tmp
Filesize: 1KB
MD5: a22f48525a8953bd2af47f4c27e38dda
SHA1: 5853285a101dafe4bf3da986512921e2755eee30
SHA256: 21870225c9ccbcdd3d38d48aa929a27c5c086ba6e3e3467e86fff9dfde8185ce
SHA512: be6383b16f4e037f99398bcc5ba9505bd7c01a905f194d9a22c318cbb1d552eb398081599c80f9ef60e1f6b22963e3c979861e134ab531ffe455e9664269c59e

Filesize: 6KB
MD5: 13dc48f282778f3bc439fd5cf9a2e40c
SHA1: d894dc014374add3f0cd2d0d128569730520bef2
SHA256: efccff8996d75a1f896f34ba78a1685db09368a1eaadc1aea07ebc36ebb52875
SHA512: b33e811b2a9fab8c8b12157ea35ce81a798cb8f51919158ee4acb06f280e1fe2f88935d1013b952fa74d45821da3f53d7f38b5c5cfe3610a9f518fbe4666e11f

Filesize: 6KB
MD5: 7458c3b34922915ddcfe691a2ac07028
SHA1: 1eec0a3b78d9e8ae9b6247ce64579360a83d6388
SHA256: c2fcf51987fb95a4761b9cc1c760f32a5cd3635178292993f392efd62263780d
SHA512: 33b7d20f5b2193ee542e2ce8a81951f7363bed30ad7c57e33c83e2fbc3935d7dfb9c421a56823fc183c9c1f6170b31da2f9d0f582c3a37bec59bd46f72a62537

Filesize: 6KB
MD5: fc7affff5b4d59566ac82a5243532bef
SHA1: b63afcc698ad06a655de1cb09120c7f8ab479118
SHA256: 8ccfd50e025f9af12074591755fffd2c73fac59a6eeab21e9c33cb322b58960b
SHA512: 8c1fcdbe9fbe71301dbb204aa15cdbfbcfb862ea1ca18f35ce7fd94e0c181b23c9f12d434b4a6ed9098a1e810f82a02da9cc3f8586dd26470abdb6a2731a0864

Filesize: 6KB
MD5: d35c487768d4707b4b6282b417da9634
SHA1: aa362a43f37d3cefc88263c3b83f7fa29510a181
SHA256: 4e6d66328c97a0047d1b5aaee802f8f1e940b748539d8c46d83952418620dc98
SHA512: 87a1b546315e316f3fff3bdc6f42520728ef8b34e4455043f07de8081a7f2aca60d5992d91d88841fc433dc73fcc00f6a6e0192dc7450afc697ac781e532971a

Filesize: 5KB
MD5: 04c1e1d9e5e73955fb8c610600a052c9
SHA1: 910af809dbf4b208537e522337c19f666a97c733
SHA256: 18a76a73614f34aee9287cace5a0b57028fff9d404474947b59ce70637017dba
SHA512: ff474b520ee368498d81947835c50ab4d388bbb607c762fc8d8ac531809d2ef6984bcd5e011a728cf1685a4d279ac26f5d191ddea58f9411472f9e13028b81ba

Filesize: 149KB
MD5: 7b91a482132d4f150f32ec513762ae47
SHA1: 73a8905913ae3426d5ea57e5770953957ceaaa36
SHA256: cf5c32ab29e04b6537225cd84218fa12be1c21ff530aac9555c0ad5cb2d35139
SHA512: 4c0565bdb297603bbe97af2e5ef5604fe4a3661b6ccd2d95667e95ad0155d10d3625833bb6b37e58085ad1b688f01f4df885ecda9cbd322e3c63eaf49aab3352

Filesize: 168KB
MD5: 588fed3072928cf4d84169d8efec6c40
SHA1: 1b949b3d4573f32ba392805ca9748dd995ea4a40
SHA256: 2a51f44f03961461da9a190aa230f95e2f6c2492bc0320db066cbfc7eef2d118
SHA512: ad5fa29298a17926d21171c5b6eb2bfbacdaef22601b1efc875f6e54d63190a38ed07c6a30af446bb9cfdff2aaf2b11ff128d43a4bb815ab4315f325efac4b28

Filesize: 157KB
MD5: 5166c9b80e2ec82104af70317c91732b
SHA1: c65ab7d3fc539bd852ac1c8d8940dd7c04c7895a
SHA256: 362c06996b177dbfc218d41dead6fb711f8a0bebfa7b78c52505ad559a211d9c
SHA512: 2dd9be8686f9a49d685149fe19ced9e534037cb0595ff617f2fbbb8af8ff26bcc8264c197e64463c1a8e3a820c17e966425268f09863d5d9e1751feb2ae87b36

Filesize: 150KB
MD5: 349852c8b19ada57d5af487d1556e807
SHA1: c220dfe0c99d1d8391cda39cfd7988d0bb07d823
SHA256: 4a1141484e5f2bd9070c9861274f3dbf45102036d46bd7c76c11e3f333913e74
SHA512: 4d72f89991480b5e8a612d2be8379ce6426653c06fff63586a2f0075e1fd8b18b7eb3b6a0187d75b2fd1ac4bfedb9c02d21ef8d54778a71e9a1c368778704ba0

Filesize: 150KB
MD5: dbdee4da7e74192cb7fe066b8b9c2f27
SHA1: 45d875f2a016d35d91d8612fa44965d86f77472c
SHA256: 0e1bad3bb42821fb1fd88b0f5b7f5c997c3e9ecf07c29fc4619d95e62e56c422
SHA512: f8572c558bab1da69772d929864eae7a1e3c6871042836b90bb1c39b307c4988a55e5a55c1538c1a59c489779678e2e6c6df05ce0a1db9851c7e17e6e3f020f6
-
Filesize
150KB
MD5b5e8437f2e956e2fa0ff6df3e31c54ed
SHA15d70df5efeca4b4d7fc24c5db5e2f686ae09b499
SHA2568d0b9faa5467486b6b669e68eda750057832132a102ce790474eec2406513b06
SHA512928d20a96c54f7ee5542ee6887bf3c3450748e9c4891fc78b89417c1562ac0dacf4beb85691ac245858b7870ae914cd2a60e892ef678b37852d35ee1acbe5182
-
Filesize
103KB
MD57c6b0797174105a8476ffed5dd398b70
SHA1ae29735d35035d7d094c45369c89fb1d97fbd38c
SHA2567bff400b5a5f5b511b4b252b834ab31eca7862821be630670d30ebfc5422acb4
SHA5122a47aeadc003eaabb5f33dea4e5b611f2110afbc3b3e5544fd75032010b4aad51a61ec1b0f787d7f1a328c18d09ecc86c9036c80c8925774daf434c5c2d4a37b
-
Filesize
100KB
MD5bcab68538e1a564f737fb73e5f250054
SHA1f5f67d0016f5f87f7d012123a4136a56dc11a7b2
SHA2560883d8a071732569212beba240cdd350c767b527a178c3d385bbf4f3d5c5e441
SHA51210e1cee00fa43b855cc08014c84202ae6c01cf925bf69f8fc1b9f06e129cbb63eff930b20a1ba8735a0643dfb3d32610b2518511d466bc6677e32cd8b1d3a2a4
-
Filesize
264KB
MD5250e716ca81b3e0c57c6b36edaa16958
SHA178631921499d1daa502f9627976a63c7335fb493
SHA25681b467fe27f1f8927173c2fb9f4505855c23a29d2b153e3e2040f74016ea6187
SHA5122b3e18f6e0378c75346b24a56ff02d0e03cb7c5c5cda2979071f888d2ebfff9fdde2d7aed4163f60177f5ca441e7ca7583ccad5483f815fbb8ecdbc4302225dd
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
314B
MD522479528144ae6a71723c29006c7fd96
SHA1ae35d65d37a44ed2612a206e0634e2ce5538e9c7
SHA256c9dbf738eb23a717a1bf2aaa5f47c383cefc4718885d8c4bb398fd5e3fabb158
SHA5125214775cd1179a9eb5ec1853d4f719e06ecac1a2ae04a7ba58476b7ecc1953878d5be32382f77315474de7d7410e9e74c64bdf6ed5dd4a18bf8276fec2ce5eab
-
Filesize
464KB
MD5a6d2811762a0c71f029e2ce35adfba84
SHA1e6417f785b49d3e19757a564d82e055a88a512ea
SHA256fb6b8f77ed92c1775ecb7132cda28b578028128fa86408250a6afa8736ede0e3
SHA512f850782530af811637008f8c3ae425a8ebe5860c7e73762d7ee9daa93ab0b7bc263d0f5577f53155cd7f0e00c4bc892a836a325648dc4668d4b9cd998296355f
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e