407cf0f38b4b6b3dc030e70329d35be5eabfef45829240cc6df0442768189cec

Analysis

max time kernel
121s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-08-2024 20:11

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

MSIAfterburnerSetup.zip
Size

55.6MB
MD5

828ff95c0462aa425c9e31e19a9e3747
SHA1

1a0dc69c059a98fcb35f9ff41d54e70bc8ca2077
SHA256

407cf0f38b4b6b3dc030e70329d35be5eabfef45829240cc6df0442768189cec
SHA512

98fbd293457faabc371591c86556bc0e0184d61bd7dcf3ecd74d10d60a9443a69f76853e97fd4e87ae84ec85a2d3f00a431025ae708f24bb510d899978a8e14f
SSDEEP

1572864:Ch40yrkh15LWRKEwJ8pEF5IUZnNFqezUHo2nP4A:CG9Qt6RKSKF5I3FI2nP4A

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Program Files\Crashpad\metadata	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133675351710027567"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "184"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3228	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3932	chrome.exe
3932	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe
Token: SeShutdownPrivilege	3932	chrome.exe
Token: SeCreatePagefilePrivilege	3932	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe
3932	chrome.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3228	POWERPNT.EXE
3228	POWERPNT.EXE
3228	POWERPNT.EXE
3228	POWERPNT.EXE
2012	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3932 wrote to memory of 1516	3932	chrome.exe	90
PID 3932 wrote to memory of 1516	3932	chrome.exe	90
PID 3932 wrote to memory of 220	3932	chrome.exe	91
PID 3932 wrote to memory of 220	3932	chrome.exe	91
PID 3932 wrote to memory of 220	3932	chrome.exe	91
PID 3932 wrote to memory of 220	3932	chrome.exe	91
PID 3932 wrote to memory of 220	3932	chrome.exe	91
PID 3932 wrote to memory of 220	3932	chrome.exe	91
PID 3932 wrote to memory of 220	3932	chrome.exe	91
PID 3932 wrote to memory of 220	3932	chrome.exe	91
PID 3932 wrote to memory of 220	3932	chrome.exe	91
PID 3932 wrote to memory of 220	3932	chrome.exe	91
PID 3932 wrote to memory of 220	3932	chrome.exe	91
PID 3932 wrote to memory of 220	3932	chrome.exe	91
PID 3932 wrote to memory of 220	3932	chrome.exe	91
PID 3932 wrote to memory of 220	3932	chrome.exe	91
PID 3932 wrote to memory of 220	3932	chrome.exe	91
PID 3932 wrote to memory of 220	3932	chrome.exe	91
PID 3932 wrote to memory of 220	3932	chrome.exe	91
PID 3932 wrote to memory of 220	3932	chrome.exe	91
PID 3932 wrote to memory of 220	3932	chrome.exe	91
PID 3932 wrote to memory of 220	3932	chrome.exe	91
PID 3932 wrote to memory of 220	3932	chrome.exe	91
PID 3932 wrote to memory of 220	3932	chrome.exe	91
PID 3932 wrote to memory of 220	3932	chrome.exe	91
PID 3932 wrote to memory of 220	3932	chrome.exe	91
PID 3932 wrote to memory of 220	3932	chrome.exe	91
PID 3932 wrote to memory of 220	3932	chrome.exe	91
PID 3932 wrote to memory of 220	3932	chrome.exe	91
PID 3932 wrote to memory of 220	3932	chrome.exe	91
PID 3932 wrote to memory of 220	3932	chrome.exe	91
PID 3932 wrote to memory of 220	3932	chrome.exe	91
PID 3932 wrote to memory of 3540	3932	chrome.exe	92
PID 3932 wrote to memory of 3540	3932	chrome.exe	92
PID 3932 wrote to memory of 4608	3932	chrome.exe	93
PID 3932 wrote to memory of 4608	3932	chrome.exe	93
PID 3932 wrote to memory of 4608	3932	chrome.exe	93
PID 3932 wrote to memory of 4608	3932	chrome.exe	93
PID 3932 wrote to memory of 4608	3932	chrome.exe	93
PID 3932 wrote to memory of 4608	3932	chrome.exe	93
PID 3932 wrote to memory of 4608	3932	chrome.exe	93
PID 3932 wrote to memory of 4608	3932	chrome.exe	93
PID 3932 wrote to memory of 4608	3932	chrome.exe	93
PID 3932 wrote to memory of 4608	3932	chrome.exe	93
PID 3932 wrote to memory of 4608	3932	chrome.exe	93
PID 3932 wrote to memory of 4608	3932	chrome.exe	93
PID 3932 wrote to memory of 4608	3932	chrome.exe	93
PID 3932 wrote to memory of 4608	3932	chrome.exe	93
PID 3932 wrote to memory of 4608	3932	chrome.exe	93
PID 3932 wrote to memory of 4608	3932	chrome.exe	93
PID 3932 wrote to memory of 4608	3932	chrome.exe	93
PID 3932 wrote to memory of 4608	3932	chrome.exe	93
PID 3932 wrote to memory of 4608	3932	chrome.exe	93
PID 3932 wrote to memory of 4608	3932	chrome.exe	93
PID 3932 wrote to memory of 4608	3932	chrome.exe	93
PID 3932 wrote to memory of 4608	3932	chrome.exe	93
PID 3932 wrote to memory of 4608	3932	chrome.exe	93
PID 3932 wrote to memory of 4608	3932	chrome.exe	93
PID 3932 wrote to memory of 4608	3932	chrome.exe	93
PID 3932 wrote to memory of 4608	3932	chrome.exe	93
PID 3932 wrote to memory of 4608	3932	chrome.exe	93
PID 3932 wrote to memory of 4608	3932	chrome.exe	93
PID 3932 wrote to memory of 4608	3932	chrome.exe	93
PID 3932 wrote to memory of 4608	3932	chrome.exe	93

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\MSIAfterburnerSetup.zip
1⤵
PID:412

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffaa7c0cc40,0x7ffaa7c0cc4c,0x7ffaa7c0cc58
  2⤵
  PID:1516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1776,i,2252286228727646106,12520515353405233448,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1772 /prefetch:2
  2⤵
  PID:220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2064,i,2252286228727646106,12520515353405233448,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2092 /prefetch:3
  2⤵
  PID:3540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2256,i,2252286228727646106,12520515353405233448,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2436 /prefetch:8
  2⤵
  PID:4608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,2252286228727646106,12520515353405233448,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:1880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3316,i,2252286228727646106,12520515353405233448,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:3808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3672,i,2252286228727646106,12520515353405233448,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4576 /prefetch:1
  2⤵
  PID:4564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4712,i,2252286228727646106,12520515353405233448,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4896 /prefetch:8
  2⤵
  PID:3320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5012,i,2252286228727646106,12520515353405233448,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4728 /prefetch:8
  2⤵
  PID:4740
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Program Files directory
  PID:4100
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x7ff7927d4698,0x7ff7927d46a4,0x7ff7927d46b0
    3⤵
    - Drops file in Program Files directory
    PID:2752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4724,i,2252286228727646106,12520515353405233448,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5160 /prefetch:1
  2⤵
  PID:2844

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4000

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\Downloads\MoveSkip.pps" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3228

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa396a055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\35179eeb-f89d-4a03-b260-b3f7c76ce3f0.tmp

Filesize
8KB

MD5
e238fcb2f73775c2bb2bf97fa32e03d4

SHA1
629485ab4cd4e893afcfe48c646c6209d610d90f

SHA256
baf02c937e64263c328fa1aca1d4b7e520aeb9920e4178873061f246a1753c52

SHA512
0fbed36c545dd9c053f8af9f75d98c8f8c2d6e872d85cc3d70618cf402f0cd9755a80cf4f7544e7d5bbad13b6fc61ab09328ab20b109633bcc7f09e05ebd4cc1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c4a24bff1520f464777be76cfdc0a061

SHA1
6072e14a3325fb0266a2b65a9e5d47981f146c44

SHA256
c47cf89111212b0824a96b4312cbc728b35a2167f6cd5536b0cbb969bae444f8

SHA512
a101477ed3eb36fb6e47e5c895c6f7ac62bb95cfac4faf73bdfd9eada54b7332af7b6ee170cda0626f83706d1fa95c7f0a76dbeea428468e1ba4998c25cb0a47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
5f8680f508a14c80a39d1f8866162d1f

SHA1
833dd466f184099d2157047feece668f42c38b56

SHA256
2fba6b74ee7dc9c166385d7de53aeadd0318fc5fefc6a523d2c28054beadbcbd

SHA512
46ec67fc95fcfd5368f8dc9d192c30c2fda7d00aa5b141959b8bbdf15b7cdc4dbd900776d36e9fc3a93535f062ec484906f235b9f16fceeeb5697318df007b58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
763a31ae8a6ccd3f1dea5bb88df8c869

SHA1
a1d922cd631396c54183047de1920bc0932f3b85

SHA256
33cc2997b89eec1b579036744bc8c0c0b2bd2c780d0df4c30c602ae1c6595d5c

SHA512
926bfabcebc390b6d90e3ece3a88584c6cf157104073284d5ce8539be3a6e83dc3aefd5846743d76245768ee8deb03f2247a33207477480be796ce5a44e464fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
f4e862f7a37cb5a0947d512f7e549140

SHA1
c287086175c669123a2a4378781d56dd87dcec8b

SHA256
45b860873d0ae569840e2e4d351aed0f2d64eb0ea42e8dd786bd91c87b7e3003

SHA512
ed9bd77529e476785bbf46ca5781519772a9a09924d9ca19d5052e78025b32d21f8c7eea4e0235d22142542dc9cbd89f0d256093f10d51867d86d747b9a88e24

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
61092e242ede44e19e1655b2b465d1be

SHA1
3e1ce631edafa3df1a9131fb2b5a7a4bf2ed1bdf

SHA256
0f9c74978e8a0af82b3411d63bb5c0f4d9b6e62ad06a4cc9ca688935c60bc37c

SHA512
ebb515223e68b874a797cc02ef1e52441b742376f8938f64692122ffb1009d08e5abcc6c391e522b59cc3829b48c9856139d76364c35bf28c740a159494ee9cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
bdcd4f8883adb411c5a1ff6d7cbe70f5

SHA1
d9373a5273ba288aca2943c7dc58fe085fea2c7d

SHA256
cd7470a9327500b66faef8ab4068a6d464208316e317c98a65919ec1b9f2675e

SHA512
17f5d1f9728ccc476557c8514a8b4f2ca57380601ef448c28d4246348bd1d7109c72b6a1f6c06de9b427c25703342f6981b268e1283cc72b16dea95ab3571ab8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
3928232c5281cd4a8a593ca140ee703d

SHA1
a10e59b2d5db88984666b8be7555d28f9815f00b

SHA256
6e7fb4f46f1101e9bc2ef6f7298da0d027e8046be252c7de6c168a292811212d

SHA512
15a1130c6286661c713e169bb5a4423396719106eac26958bb20ef2e5a1f761019af26f7178fc7534bcc145bf1cb71541073b3048c49a935b1f4760fbc019f4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
f34dc2321735e7430e89c7d33738febb

SHA1
b1e06072181da77df6219c40349caea26a948dfb

SHA256
03e7ddf44ac2984abcf584c4e74a500a8215f0587e76c43d5ecb4f700b992a7b

SHA512
df3532fbf306d6f3a5c64b132ee6cf2ab535fd880a19c78028aeb0aa70da5917ee559ebefad897aac0e29038357f7b32a3c48310b3405011de002e71d6a00a5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
782070c9d0a5a2968b7e994c24e6ab8a

SHA1
e0b1e9bb4c71c21ab5617b6aead096953b643d50

SHA256
131c2df2db34b66437f061f4a40466e22bd3e0801d340db17dd44498767b8e38

SHA512
3271e8a3042659abb181b737279e8e4680572638fd348b81930c5f078146b55efa31460b981ad07bf2511b187682e5fa7b496b344b4c08bb7fd1b794301c4cba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
32ed796207b7c79a5cb72fa376003bb0

SHA1
d3a40f7440ec556ef6c370d93361296be7748536

SHA256
156a7b9f315bdc01d95a70c9dbe2c254bd9702af291d4ce280d961472f114749

SHA512
131ae3cbadb1348d2ca24c2b24afda58d7931f2b48868bc1d8f3dd7d72928917c45059311d78bbd41757af3001ea00402cbe8b8144648feeae2d466e68589eda

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
cd9653a33f872d848aa166b8ff631bf6

SHA1
dc69c77bed05ebd39d0cf7e7dd2f7bc0f8ebcf55

SHA256
b38715aada53bf43764f2db9349b3f42b13fcde252996b2d896b4eae654f8f84

SHA512
d3bae0a7c5d71b4d31614656068c52f9433ffdbe9c685e5aed1dc50c5de1216edbadd6404ed67dc46b06a7d1f8a563bfb3349ee968d23e556e3def1d2c1ae660

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
325c06df45a11bcddaa6217779514aa7

SHA1
d9f0e409717a1fbf5f51c05b4576ae078e140d07

SHA256
f14bae3d9cc5dcc5a4f4255c0673ae263ad33fbae5ea2217ced200d772ceefe0

SHA512
820edad3b884eb27f1b898a5e511bd82948348cd92defc406e7e6ad9d6ca834688b9e40ae1eb335c65ea38889dfb1739868156c032fc0d23375f3767efae059f

Download Submit
memory/3228-89-0x00007FFA83890000-0x00007FFA838A0000-memory.dmp

Filesize
64KB

Download
memory/3228-86-0x00007FFA858F0000-0x00007FFA85900000-memory.dmp

Filesize
64KB

Download
memory/3228-85-0x00007FFA858F0000-0x00007FFA85900000-memory.dmp

Filesize
64KB

Download
memory/3228-84-0x00007FFA858F0000-0x00007FFA85900000-memory.dmp

Filesize
64KB

Download
memory/3228-83-0x00007FFA858F0000-0x00007FFA85900000-memory.dmp

Filesize
64KB

Download
memory/3228-562-0x00007FFA858F0000-0x00007FFA85900000-memory.dmp

Filesize
64KB

Download
memory/3228-565-0x00007FFA858F0000-0x00007FFA85900000-memory.dmp

Filesize
64KB

Download
memory/3228-563-0x00007FFA858F0000-0x00007FFA85900000-memory.dmp

Filesize
64KB

Download
memory/3228-564-0x00007FFA858F0000-0x00007FFA85900000-memory.dmp

Filesize
64KB

Download
memory/3228-88-0x00007FFA83890000-0x00007FFA838A0000-memory.dmp

Filesize
64KB

Download
memory/3228-87-0x00007FFA858F0000-0x00007FFA85900000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads