Resubmissions
09-08-2024 18:10
240809-wsd7vatdpq 1009-08-2024 18:06
240809-wpp5yaxdpa 1009-08-2024 13:45
240809-q2hzhavera 10Analysis
-
max time kernel
726s -
max time network
725s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
-
submitted
09-08-2024 18:10
General
-
Target
SaturnTempSpoofer.exe
-
Size
181KB
-
MD5
0380311e496051295f02a440d4f34308
-
SHA1
d2b2d91ced3d0526fcb13f310bb5f7be4844b346
-
SHA256
ab0f362333e655da8332ba89226f9ac0c90e31aa53e633097cf6f88aead1a389
-
SHA512
b95a20df94c311deb080d45e1bcd7cd3f79e449041acd52bc67423adb50f49ec9e4728838f96aaec0f67d1fb9cb7403be0e445db06928434f49baac565be600e
-
SSDEEP
3072:UVqoCl/YgjxEufVU0TbTyDDalQlzw+jqZ91UbTK4I:UsLqdufVUNDaRW491Ub8
Malware Config
Extracted
xenorat
73.131.36.77
Saturn Temp Spoofer
-
install_path
appdata
-
port
4782
-
startup_name
AppWindows.exe
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 20 IoCs
-
XenorRat
XenorRat is a remote access trojan written in C#.
-
Executes dropped EXE 64 IoCs
-
Adds Run key to start application 2 TTPs 40 IoCs
-
Drops file in System32 directory 20 IoCs
-
Drops file in Windows directory 8 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 4 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 9 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 34 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\SaturnTempSpoofer.exe"C:\Users\Admin\AppData\Local\Temp\SaturnTempSpoofer.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\users\admin\appdata\local\temp\saturntempspoofer.exec:\users\admin\appdata\local\temp\saturntempspoofer.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /Create /TN "AppWindows.exe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA6DF.tmp" /F3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\Resources\Themes\icsys.icn.exeC:\Windows\Resources\Themes\icsys.icn.exe2⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE4⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe5⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe7⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe7⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe7⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe7⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe7⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe7⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe7⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe7⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe7⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE8⤵
- Executes dropped EXE
-
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe9⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe11⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe11⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe13⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe13⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe15⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE16⤵
- Executes dropped EXE
-
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe17⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe17⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR18⤵
- Executes dropped EXE
-
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe19⤵
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE20⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1968 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 23600 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1aae9e7-eedd-4111-8ebf-da4ed1cf40c0} 6064 "\\.\pipe\gecko-crash-server-pipe.6064" gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2348 -prefMapHandle 2344 -prefsLen 23636 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6bc632e1-7697-4e69-8432-b3f6cdcd4ed3} 6064 "\\.\pipe\gecko-crash-server-pipe.6064" socket3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3100 -childID 1 -isForBrowser -prefsHandle 2564 -prefMapHandle 2952 -prefsLen 23777 -prefMapSize 244628 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b169088d-6ee2-4895-9f26-f7640ae95e5c} 6064 "\\.\pipe\gecko-crash-server-pipe.6064" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3868 -childID 2 -isForBrowser -prefsHandle 3860 -prefMapHandle 3660 -prefsLen 29010 -prefMapSize 244628 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c4f6516d-24b6-4b95-9faf-0d2b18f4b4e5} 6064 "\\.\pipe\gecko-crash-server-pipe.6064" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4732 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4708 -prefMapHandle 4684 -prefsLen 29010 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6380da21-256b-4100-8064-57b40e5c2d10} 6064 "\\.\pipe\gecko-crash-server-pipe.6064" utility3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5300 -childID 3 -isForBrowser -prefsHandle 5212 -prefMapHandle 5232 -prefsLen 26882 -prefMapSize 244628 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d4f15813-7e0f-405e-8f95-49dd8ca7282a} 6064 "\\.\pipe\gecko-crash-server-pipe.6064" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5520 -childID 4 -isForBrowser -prefsHandle 5440 -prefMapHandle 5444 -prefsLen 26882 -prefMapSize 244628 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2e6eddc-0555-476b-8501-2fc8f7a791d0} 6064 "\\.\pipe\gecko-crash-server-pipe.6064" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5712 -childID 5 -isForBrowser -prefsHandle 5632 -prefMapHandle 5636 -prefsLen 26882 -prefMapSize 244628 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b64814e-6ad7-4ff3-b2be-107dd3501dbd} 6064 "\\.\pipe\gecko-crash-server-pipe.6064" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6200 -childID 6 -isForBrowser -prefsHandle 6192 -prefMapHandle 6188 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dfab303e-7359-4421-93bf-28a703086370} 6064 "\\.\pipe\gecko-crash-server-pipe.6064" tab3⤵
-
-
-
C:\Windows\system32\notepad.exe"C:\Windows\system32\notepad.exe"1⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe"1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /12⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\Resources\Themes\icsys.icn.exe"C:\Windows\Resources\Themes\icsys.icn.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Resources\Themes\icsys.icn.exe"C:\Windows\Resources\Themes\icsys.icn.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /01⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Resources\Themes\icsys.icn.exe"C:\Windows\Resources\Themes\icsys.icn.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SDRSVC1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffac862cc40,0x7ffac862cc4c,0x7ffac862cc582⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1820,i,3877979199071798909,5205215465897557490,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1816 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2056,i,3877979199071798909,5205215465897557490,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2116 /prefetch:32⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2180,i,3877979199071798909,5205215465897557490,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2188 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,3877979199071798909,5205215465897557490,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3104 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3112,i,3877979199071798909,5205215465897557490,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3152 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4468,i,3877979199071798909,5205215465897557490,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4496 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Windows\System32\exl6lw.exe"C:\Windows\System32\exl6lw.exe"1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64KB
MD59e466b4837d8431be725d6b9c1b4d9ef
SHA13f247b7c89985a41d839cad351cd0fc182fcb284
SHA2562f9a5eeb5ac8cec52a3e73621e4d392f501f5d657dfec3215ccd40eec317208d
SHA51201de0fda555d63b5c38339b0f6d38c28de2a882643439679e63cf5d75f13516b57dc90e8dfb8c638bda328fc12342e58d1e501acec8f85b92dbd5589dac06418
-
Filesize
4B
MD5f49655f856acb8884cc0ace29216f511
SHA1cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA2567852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
-
Filesize
960B
MD516846df493521e84fe47cd6b6451ec8f
SHA16d99eb017c5aec08d3a7e908bbd4a051ce250c02
SHA25669f19f2ab2f3625faca623477864766ab1ef3a21712bc892d7b2b0886585b3f9
SHA512aefa5121601b8273cff6b79b7f76417c71e29e835b66faf3e1a67d0d38fb9ebe90320b75493fd5c4a2d9ea3e3c485d0a84bcdbfb78c26a8ecee3175cd8bd93cd
-
Filesize
1KB
MD54e56f7e33b08abc3eea9ae388ddf017f
SHA1c6e5555f3e4f0ca7e45ed45ab71ff0ff36d35f20
SHA2565d38b29f661cf8ac6580948dcf6eebdd1cb34e16d8dd4bdf095dd9d574104a54
SHA51219ea0654c9cf2ed720aeefddb133b97ab24a8ee8bf0c84b23689f8c339bc5ca1e3f96cf62404f6ad7e66bb8215424f96ce46d8de8c8d0a4e635ecd84b2f0c0d1
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
356B
MD5d1239b582408aab6b030aa3e47ff3538
SHA150b276e5d937c9e17dc49aeb7dd314b1cf0a9cb6
SHA256cec3805008ecc68f5154025a95aa3cf214104f1206868287f48d42c64210fc2b
SHA5121104fe4877a4ae1affa49116ed2de12c29fe9c63bd66c2bef907e91a903fd0f19dd5fca91f014940616d3d89acbf623de03e671954b2c7a1c8d9a48554ebbe66
-
Filesize
8KB
MD5137bf1e53f3f1f5bc7d588b43ddf292f
SHA1b8cbb9f889ab6a54d968b6d16a58542489b40900
SHA256f02b6c2b89ac81ef1c82dab5c5d1530824c39d04e73584bf7fce6362f806e82a
SHA512e944a6b024479923b50266daf2597bca0d611c64a1e50a2a55093be9360d9a98fad5acea4460a037a6a6dbbfe7d645e66ff1c881d5b77739d2eab7b36a2eadd3
-
Filesize
100KB
MD5040a25b6086b4f7c0bbb3f1fac4f9354
SHA180ea33fb8be6ba6c18f56341893b13a4c609dc03
SHA2569e43c15a11f8cb5e6148e8d9d1049662723b171b4cc211e94f4fb6808c69289a
SHA512e71166fdbbef7bbebe93a23dd71f3d8175b8c5ce3e57e68be86bda3517d088b3194af0e3d7ead5c150b628c030743716f3fea2d30c754c5e058274da1cd2c77c
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
35KB
MD5218c7205341bda9aac52463517beb9d1
SHA1f6228a0587c56794771431934f709eda3af0102b
SHA256c07ee7ccff409a305e7c2f5b1e014cb15f6c96445ca4f053a028a1dfa3c3ab11
SHA512d4ad0cf71083c68d487432b7586a49c5de627d084ab7bf4b5e42cd4b1600a9b1f10f8826a4b73b0b131b773414d4c31480ff725285e148c94be9327d230b8152
-
Filesize
10KB
MD5eed1599235b9dd933e13cbd5751d7eec
SHA1d461f7edc8bdb31b672f97b18d34e38bb7c96c4b
SHA25613ee96f0fd8b45de1603cea7aa86ddaa749ea580989d6cb806d944f3547fbf43
SHA5129679690676ef1ede8030e26359381a092eaec7cb671d51e91d8cd446006301bcb98518b977fd5d475e777baa11dd28e69135c517e3b3d74475134bfed4e8da9e
-
Filesize
46KB
MD5601c4ed7cdaa8a844937fe5fd62a8aff
SHA15ad9cf4a98cff0711ef7c0ca68353161d026a783
SHA256c1d9b0e2b4967ddeace94b452b8db110137d165c4725d3ab61ec0a8b44f27765
SHA51217d9b61107f327da1baed79779b834e669ecc4c38515e7334cc3424d9e773966937de09dc364111af37013fcdd3b00a3cd0cfcc2950db2bb61797ee1704cd477
-
Filesize
1KB
MD54a6533ac35b34ba35ea7fe0a37192a66
SHA129d3cbd1d4b9542175c17d6d4f20a5d992ae4c01
SHA256b4eff105fd062397dd2931dd5b138323a3c7d05c9e4f630cf51a24949eb2bacb
SHA512a356c1d8a46679a9fc2c3a14615d98c3fb4c00ac908b8f44c99a9070cb32d00c3b3eeb1700152f12a78924de79adc2de8452432e647fe0ed46baf1e065451d3d
-
Filesize
8KB
MD56dd5fbad585385f1195996c7128f1408
SHA1b7df20ffccc4572de83408d1043ce13d42b17799
SHA256c6a2013ca17ccf535ef307f8f8b9b5e7d04ba42932776c36300e9af63b515b58
SHA51240cc22ee5e86eb9b1660ad6f0f1cb5d90cfd5b4d48a1c7e382ae24d967ce2bd4b1a5b295c8667221fbd548c5446074b86221cc2292f3c6f4acffa9493449ccbd
-
Filesize
15KB
MD589bdd67619cf274616ee77168a9a4167
SHA1f05f18c080d705ca7f25df8c2e43c60f5f4d41b1
SHA256d10f33b7e832ccc185cbc26a69f3e1b3c8349e64911f689801eb06094e8ba16b
SHA512a25e8fdec7909d9744c5d2265eccede451765aa117d331df9a6db148c374858a86a66ccbc505f5c504cf65b40659e62796d768f5190e76cb91ce3ed0da9b048f
-
Filesize
5KB
MD5b5385569dec711df2a9a7628fdbf9b1f
SHA11732fb927c62bdf34d75a3aa1d909d4bf506ae2f
SHA25640b4434fee2be2d55de86d42ccf1c6bdd7a48a98030528566b97f69b4e575133
SHA51264d31e60562d2c0b7b4346b3a39204fbb9f7e87f844ed5fb3af47b8b15b5e7f6467e4b71fec700e7ddf69c50a5a14ff49a80275bac1bd5abd891cda09c1c8fde
-
Filesize
5KB
MD5c1bd448e487438b4754aa349789665c8
SHA114f43d0f8d6f15a16fe4720fd284467f153d1b3e
SHA256e719ed0ca41d7d667364a8a1744ca189aa7fc419c6912eab9625398f7a8661d4
SHA51292acec90009cb195c55392107afcf32790c26d105be9aec7b3138929333f38a12b1d437fb3ab41f1aff20c00bfd1f1cbf783cc6d2120e8637da9ca345be3674e
-
Filesize
5KB
MD547e369405738de79228072b916bc7eb7
SHA1c401675353e187051ac28c864de3195e10df070a
SHA256568c3a86e795a6f9ea67aedde08555d1b0f6bff532e8584e0494279deac69267
SHA51216697f3b715117fa6cf1fc85eefa20bbcbfb9ac5404a14dafd68eef0da3a7d8a396f054b623723d55ecca9e1730ffe2a616ba39819a24086111dbaf4372ce239
-
Filesize
671B
MD5a668bbcd9ec01b66a51440cb333041a1
SHA1a385a5386caaea7efbaf647fcad59e0c5d41f05c
SHA256c6baa7f8fcc0b01ba6d208bd3fa735c8845c2fbc9cd8c9e7a8d50c3294288b0b
SHA5125716ff7b58c8e1cd89cd4fc43170b48823d5ca0e094085372cc29c8ca8f3434482449e4c0a65424cf61fa9443945787366f2a49ba38770d90c87e010bb7c1425
-
Filesize
25KB
MD5e70a50b154904cac7edbf35399f6947b
SHA1da079f8d09b93fcaa6b15099d1095f703f2560b0
SHA256c5d1ff91dbe74c8c8d2eac77ca281b704133108abb1e09a7a5f557eadc1d97ae
SHA5125626dd7108259f7c778ab39d46e04d16f70aaa1215b94fae27bbf97e3517f9080515fe0e00a68e107774919e7e99a74a2156adfc6e6cb36e348c0c2be13c7782
-
Filesize
982B
MD5c923c886bc7384bdbdf04208345a133a
SHA1f4c84c7af450be4c025f2592d80e1762079b9c03
SHA25692bd71925368bd4cedca7cec6b6f9aff20ed566628a86dc353ba9bad7b86306b
SHA51285673f936e1b4cc04853d0e08e7c4cc9e1abdd22b42ce83582cdd940290cb1395cc054a35f9d4eb903668cca39b735a8489ec31e5bf35a2dc9f6dfc4bd2a20d7
-
Filesize
11KB
MD55b6a6a3358a9b5e9732e2d9307bdbfe3
SHA11815c1195582142eb3bebbb1cfdc3fd0d622c911
SHA256de1250568fe59c41fe4487c977b21d760847849068b9a5234a9853e52fd0d231
SHA5125e750769d9c7fefeea9d589b8652bbd50c98085cde91296d5679f2a1cbcef76364983cdc9f301ab779c85e3db5e3e1f7b7674a4746a08879821fbcb9de6fde8c
-
Filesize
135KB
MD5384c8b66ee398deb1a6515e6ca8be71f
SHA184354219171a7938f5166ea6f0f430e2f7549f50
SHA2561fe4cf2e40c4663712b06f6168408e036103880274f5686c68dc31034309be44
SHA5123e4f943a1d99b44a1a8e7868456aad4d145edbb5def993b2c9e79a4133c06087de4f376599a6db83573d01667007b032511085cb996dacf1132d0cc158e02ac3
-
Filesize
135KB
MD5d6d054e7390aa12da74bd9dfaf246917
SHA162d73f8b9b0cae264d2036204c4c6b05f4fa88d2
SHA256b89f7426b1d3c5293ff6d0d51f5673c4e670f15d47463461785daec6e3e98903
SHA51266e4dedd18ad17a9df47dc553937a7048177bf439b682dddb7dcc847e48fdbd00b1e280fd9c5448fc03569c610e104e803dccd5fc0eecc2a140a298ea95f45c2
-
Filesize
135KB
MD5f2d71f30ee9ccd2936b97a6605b48db8
SHA1747313cf5523e6485df16e099f814eb0f7c6b058
SHA2568ca6cf952799ce594acd162c8df1c26710648c720bc46f92f41f9a3416323ccc
SHA51206add7d5a5199f37adbb91782e0701c918353cc8569b9e5f001add96752de639fc515c63e7528b07f308abe6fd0d402bceeb3cc9457eb4b5a480dd19fd4d364e
-
Filesize
135KB
MD55fe1243db4c4fe886bdb77ad84da3b15
SHA11389d3fbd7f122f9fe6c472d8fe85d31455cd89c
SHA2562fffcda910b6e4cc006fc46a98267f0552ed21fdac22814853c6ee1fdc36d62c
SHA512e76397af312fb4242433da02034ad160afd5612a03d5812eb0af919caeef6a444fe92e3e7d0d25699c08633c18a8ba488eb1ad8abaf07b50ebe3786f16cd8f7f
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB