7ba60c548a30dfd291328ea52c96c5aa5f3eb1beeb71f195802842b645d27a8e

Analysis

max time kernel
25s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2024 05:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TETR.IO.exe
Size

168.2MB
MD5

320d2c73c633341c2b114c796d941161
SHA1

09fe45a79a6d6accbc20e6a84ae169a82531f0d4
SHA256

eb12da60c8f3c26bc96406b06b38718b23f13f22c74f56b8196968fe386fe9eb
SHA512

da784359301460e681f62108ab61fd253be11ab76f05fc4e593d52cf31d420c7b28455205a73c85aff4096b907e9004a71614298a31c43684f6d87406475f8b2
SSDEEP

1572864:TQqT4eFUirK1e2zSQ5Rcw/N5cae/bHhrPdacyodvcPSBoHESUlyAzl/5:FBKRcAMyAzB5

Score

7^/10

execution

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TETR.IO.exeTETR.IO.exeTETR.IO.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TETR.IO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TETR.IO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TETR.IO.exe

Loads dropped DLL 1 IoCs

Processes:

TETR.IO.exe

pid process

4580 TETR.IO.exe

pid	process
4580	TETR.IO.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
388	powershell.exe
1164	powershell.exe
644	powershell.exe
1080	powershell.exe
3748	powershell.exe
3456	powershell.exe
1756	powershell.exe
4684	powershell.exe
1184	powershell.exe

Modifies registry class 7 IoCs

Processes:

TETR.IO.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\tetrio\URL Protocol	TETR.IO.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\tetrio\ = "URL:tetrio"	TETR.IO.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\tetrio\shell\open\command	TETR.IO.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\tetrio\shell	TETR.IO.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\tetrio\shell\open	TETR.IO.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\tetrio\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\TETR.IO.exe\" \"%1\""	TETR.IO.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\tetrio	TETR.IO.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4684	powershell.exe
4684	powershell.exe
1756	powershell.exe
1756	powershell.exe
1080	powershell.exe
1080	powershell.exe
644	powershell.exe
644	powershell.exe
3748	powershell.exe
3748	powershell.exe
1164	powershell.exe
1164	powershell.exe
3456	powershell.exe
3456	powershell.exe
1184	powershell.exe
1184	powershell.exe
388	powershell.exe
388	powershell.exe

Suspicious use of AdjustPrivilegeToken 55 IoCs

Processes:

powershell.exeTETR.IO.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4684	powershell.exe
Token: SeShutdownPrivilege	4580	TETR.IO.exe
Token: SeCreatePagefilePrivilege	4580	TETR.IO.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeShutdownPrivilege	4580	TETR.IO.exe
Token: SeCreatePagefilePrivilege	4580	TETR.IO.exe
Token: SeShutdownPrivilege	4580	TETR.IO.exe
Token: SeCreatePagefilePrivilege	4580	TETR.IO.exe
Token: SeShutdownPrivilege	4580	TETR.IO.exe
Token: SeCreatePagefilePrivilege	4580	TETR.IO.exe
Token: SeDebugPrivilege	1080	powershell.exe
Token: SeShutdownPrivilege	4580	TETR.IO.exe
Token: SeCreatePagefilePrivilege	4580	TETR.IO.exe
Token: SeShutdownPrivilege	4580	TETR.IO.exe
Token: SeCreatePagefilePrivilege	4580	TETR.IO.exe
Token: SeShutdownPrivilege	4580	TETR.IO.exe
Token: SeCreatePagefilePrivilege	4580	TETR.IO.exe
Token: SeShutdownPrivilege	4580	TETR.IO.exe
Token: SeCreatePagefilePrivilege	4580	TETR.IO.exe
Token: SeShutdownPrivilege	4580	TETR.IO.exe
Token: SeCreatePagefilePrivilege	4580	TETR.IO.exe
Token: SeShutdownPrivilege	4580	TETR.IO.exe
Token: SeCreatePagefilePrivilege	4580	TETR.IO.exe
Token: SeShutdownPrivilege	4580	TETR.IO.exe
Token: SeCreatePagefilePrivilege	4580	TETR.IO.exe
Token: SeShutdownPrivilege	4580	TETR.IO.exe
Token: SeCreatePagefilePrivilege	4580	TETR.IO.exe
Token: SeDebugPrivilege	644	powershell.exe
Token: SeShutdownPrivilege	4580	TETR.IO.exe
Token: SeCreatePagefilePrivilege	4580	TETR.IO.exe
Token: SeShutdownPrivilege	4580	TETR.IO.exe
Token: SeCreatePagefilePrivilege	4580	TETR.IO.exe
Token: SeShutdownPrivilege	4580	TETR.IO.exe
Token: SeCreatePagefilePrivilege	4580	TETR.IO.exe
Token: SeShutdownPrivilege	4580	TETR.IO.exe
Token: SeCreatePagefilePrivilege	4580	TETR.IO.exe
Token: SeShutdownPrivilege	4580	TETR.IO.exe
Token: SeCreatePagefilePrivilege	4580	TETR.IO.exe
Token: SeShutdownPrivilege	4580	TETR.IO.exe
Token: SeCreatePagefilePrivilege	4580	TETR.IO.exe
Token: SeShutdownPrivilege	4580	TETR.IO.exe
Token: SeCreatePagefilePrivilege	4580	TETR.IO.exe
Token: SeDebugPrivilege	3748	powershell.exe
Token: SeShutdownPrivilege	4580	TETR.IO.exe
Token: SeCreatePagefilePrivilege	4580	TETR.IO.exe
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeShutdownPrivilege	4580	TETR.IO.exe
Token: SeCreatePagefilePrivilege	4580	TETR.IO.exe
Token: SeDebugPrivilege	3456	powershell.exe
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeShutdownPrivilege	4580	TETR.IO.exe
Token: SeCreatePagefilePrivilege	4580	TETR.IO.exe
Token: SeShutdownPrivilege	4580	TETR.IO.exe
Token: SeCreatePagefilePrivilege	4580	TETR.IO.exe
Token: SeDebugPrivilege	388	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

TETR.IO.execmd.exe

description	pid	process	target process
PID 4580 wrote to memory of 5028	4580	TETR.IO.exe	cmd.exe
PID 4580 wrote to memory of 5028	4580	TETR.IO.exe	cmd.exe
PID 5028 wrote to memory of 1028	5028	cmd.exe	chcp.com
PID 5028 wrote to memory of 1028	5028	cmd.exe	chcp.com
PID 4580 wrote to memory of 388	4580	TETR.IO.exe	powershell.exe
PID 4580 wrote to memory of 388	4580	TETR.IO.exe	powershell.exe
PID 4580 wrote to memory of 1164	4580	TETR.IO.exe	powershell.exe
PID 4580 wrote to memory of 1164	4580	TETR.IO.exe	powershell.exe
PID 4580 wrote to memory of 1080	4580	TETR.IO.exe	powershell.exe
PID 4580 wrote to memory of 1080	4580	TETR.IO.exe	powershell.exe
PID 4580 wrote to memory of 1756	4580	TETR.IO.exe	powershell.exe
PID 4580 wrote to memory of 1756	4580	TETR.IO.exe	powershell.exe
PID 4580 wrote to memory of 644	4580	TETR.IO.exe	powershell.exe
PID 4580 wrote to memory of 644	4580	TETR.IO.exe	powershell.exe
PID 4580 wrote to memory of 1184	4580	TETR.IO.exe	powershell.exe
PID 4580 wrote to memory of 1184	4580	TETR.IO.exe	powershell.exe
PID 4580 wrote to memory of 4684	4580	TETR.IO.exe	powershell.exe
PID 4580 wrote to memory of 4684	4580	TETR.IO.exe	powershell.exe
PID 4580 wrote to memory of 3456	4580	TETR.IO.exe	powershell.exe
PID 4580 wrote to memory of 3456	4580	TETR.IO.exe	powershell.exe
PID 4580 wrote to memory of 3748	4580	TETR.IO.exe	powershell.exe
PID 4580 wrote to memory of 3748	4580	TETR.IO.exe	powershell.exe
PID 4580 wrote to memory of 996	4580	TETR.IO.exe	TETR.IO.exe
PID 4580 wrote to memory of 996	4580	TETR.IO.exe	TETR.IO.exe
PID 4580 wrote to memory of 1448	4580	TETR.IO.exe	TETR.IO.exe
PID 4580 wrote to memory of 1448	4580	TETR.IO.exe	TETR.IO.exe
PID 4580 wrote to memory of 3488	4580	TETR.IO.exe	TETR.IO.exe
PID 4580 wrote to memory of 3488	4580	TETR.IO.exe	TETR.IO.exe
PID 4580 wrote to memory of 3488	4580	TETR.IO.exe	TETR.IO.exe
PID 4580 wrote to memory of 3488	4580	TETR.IO.exe	TETR.IO.exe
PID 4580 wrote to memory of 3488	4580	TETR.IO.exe	TETR.IO.exe
PID 4580 wrote to memory of 3488	4580	TETR.IO.exe	TETR.IO.exe
PID 4580 wrote to memory of 3488	4580	TETR.IO.exe	TETR.IO.exe
PID 4580 wrote to memory of 3488	4580	TETR.IO.exe	TETR.IO.exe
PID 4580 wrote to memory of 3488	4580	TETR.IO.exe	TETR.IO.exe
PID 4580 wrote to memory of 3488	4580	TETR.IO.exe	TETR.IO.exe
PID 4580 wrote to memory of 3488	4580	TETR.IO.exe	TETR.IO.exe
PID 4580 wrote to memory of 3488	4580	TETR.IO.exe	TETR.IO.exe
PID 4580 wrote to memory of 3488	4580	TETR.IO.exe	TETR.IO.exe
PID 4580 wrote to memory of 3488	4580	TETR.IO.exe	TETR.IO.exe
PID 4580 wrote to memory of 3488	4580	TETR.IO.exe	TETR.IO.exe
PID 4580 wrote to memory of 3488	4580	TETR.IO.exe	TETR.IO.exe
PID 4580 wrote to memory of 3488	4580	TETR.IO.exe	TETR.IO.exe
PID 4580 wrote to memory of 3488	4580	TETR.IO.exe	TETR.IO.exe
PID 4580 wrote to memory of 3488	4580	TETR.IO.exe	TETR.IO.exe
PID 4580 wrote to memory of 3488	4580	TETR.IO.exe	TETR.IO.exe
PID 4580 wrote to memory of 3488	4580	TETR.IO.exe	TETR.IO.exe
PID 4580 wrote to memory of 3488	4580	TETR.IO.exe	TETR.IO.exe
PID 4580 wrote to memory of 3488	4580	TETR.IO.exe	TETR.IO.exe
PID 4580 wrote to memory of 3488	4580	TETR.IO.exe	TETR.IO.exe
PID 4580 wrote to memory of 3488	4580	TETR.IO.exe	TETR.IO.exe
PID 4580 wrote to memory of 3488	4580	TETR.IO.exe	TETR.IO.exe
PID 4580 wrote to memory of 3488	4580	TETR.IO.exe	TETR.IO.exe
PID 4580 wrote to memory of 3488	4580	TETR.IO.exe	TETR.IO.exe
PID 4580 wrote to memory of 3488	4580	TETR.IO.exe	TETR.IO.exe
PID 4580 wrote to memory of 3488	4580	TETR.IO.exe	TETR.IO.exe
PID 4580 wrote to memory of 3488	4580	TETR.IO.exe	TETR.IO.exe
PID 4580 wrote to memory of 3488	4580	TETR.IO.exe	TETR.IO.exe
PID 4580 wrote to memory of 3488	4580	TETR.IO.exe	TETR.IO.exe
PID 4580 wrote to memory of 2952	4580	TETR.IO.exe	TETR.IO.exe
PID 4580 wrote to memory of 2952	4580	TETR.IO.exe	TETR.IO.exe
PID 4580 wrote to memory of 2952	4580	TETR.IO.exe	TETR.IO.exe
PID 4580 wrote to memory of 2952	4580	TETR.IO.exe	TETR.IO.exe
PID 4580 wrote to memory of 2952	4580	TETR.IO.exe	TETR.IO.exe

C:\Users\Admin\AppData\Local\Temp\TETR.IO.exe
"C:\Users\Admin\AppData\Local\Temp\TETR.IO.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "chcp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\Windows\system32\chcp.com
    chcp
    3⤵
    PID:1028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3748
- C:\Users\Admin\AppData\Local\Temp\TETR.IO.exe
  "C:\Users\Admin\AppData\Local\Temp\TETR.IO.exe" --type=gpu-process --disable-gpu-sandbox --disable-gpu-vsync --disable-gpu-vsync --user-data-dir="C:\Users\Admin\AppData\Roaming\tetrio-desktop" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1912 --field-trial-handle=1920,i,1332500875429671574,627370052342562142,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
  2⤵
  PID:996
- C:\Users\Admin\AppData\Local\Temp\TETR.IO.exe
  "C:\Users\Admin\AppData\Local\Temp\TETR.IO.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\tetrio-desktop" --mojo-platform-channel-handle=2176 --field-trial-handle=1920,i,1332500875429671574,627370052342562142,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:3
  2⤵
  PID:1448
- C:\Users\Admin\AppData\Local\Temp\TETR.IO.exe
  "C:\Users\Admin\AppData\Local\Temp\TETR.IO.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\tetrio-desktop" --app-user-model-id=sh.osk.tetrio-client --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --disable-blink-features=PreloadMediaEngagementData,AutoplayIgnoreWebAudio,MediaEngagementBypassAutoplayPolicies --autoplay-policy=no-user-gesture-required --disable-frame-rate-limit --force-color-profile=srgb --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-zero-copy --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2244 --field-trial-handle=1920,i,1332500875429671574,627370052342562142,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
  2⤵
  - Checks computer location settings
  PID:3488
- C:\Users\Admin\AppData\Local\Temp\TETR.IO.exe
  "C:\Users\Admin\AppData\Local\Temp\TETR.IO.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\tetrio-desktop" --app-user-model-id=sh.osk.tetrio-client --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --disable-blink-features=PreloadMediaEngagementData,AutoplayIgnoreWebAudio,MediaEngagementBypassAutoplayPolicies --autoplay-policy=no-user-gesture-required --disable-frame-rate-limit --force-color-profile=srgb --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-zero-copy --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3400 --field-trial-handle=1920,i,1332500875429671574,627370052342562142,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
  2⤵
  - Checks computer location settings
  PID:2952
- C:\Users\Admin\AppData\Local\Temp\TETR.IO.exe
  "C:\Users\Admin\AppData\Local\Temp\TETR.IO.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --user-data-dir="C:\Users\Admin\AppData\Roaming\tetrio-desktop" --mojo-platform-channel-handle=3320 --field-trial-handle=1920,i,1332500875429671574,627370052342562142,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
  2⤵
  PID:532
- C:\Users\Admin\AppData\Local\Temp\TETR.IO.exe
  "C:\Users\Admin\AppData\Local\Temp\TETR.IO.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --disable-gpu-sandbox --disable-gpu-vsync --disable-gpu-vsync --user-data-dir="C:\Users\Admin\AppData\Roaming\tetrio-desktop" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1172 --field-trial-handle=1920,i,1332500875429671574,627370052342562142,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
  2⤵
  PID:5356

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2ec 0x484
1⤵
PID:1752

C:\Windows\system32\werfault.exe
werfault.exe /hc /shared Global\4ec380cc651348a5b6232d7ef1622073 /t 1720 /p 1872 1752
1⤵
PID:5708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sowcndpu.5zi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\e764bea9-b8db-4e0d-a4a3-a9f3d3980faa.tmp.node

Filesize
95KB

MD5
e9dd3524a69d66b498da49581e72b70b

SHA1
b6ade7129a96d3be63d01da67f3917451b4eb999

SHA256
7aca2ed3da7e033d1a4251f7a92b774bbd8b794734ae8bac750d86dbaf62385f

SHA512
154c11f4d78f160c76f5610e3efde82eaea5159fb7eefb0e8bd5da129a0fecccfceeceb4102488ba36d881733f808959c57cf85dd150232d1f493f08d3d2a929

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\tetrio-desktop\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
9f91f0e52f3a79dadb08396edf7633b1

SHA1
98c87b461ad9d7b72d0aba573c581cd254ef5e19

SHA256
c537e9ca54d7f9613e59ce0bc36f6194de298656f390e634a8956f8d0894c53b

SHA512
0b40fc14d1e02f7668003147d1798e30835e9ba79c8d031f0b731ff3fef30ee87119b86f357d166b9715964a85fed5af6a0cd258b1990eefc3f78505321e518d

Download Submit
C:\Users\Admin\AppData\Roaming\tetrio-desktop\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
fa4c3c4dae7f78d26d40336e7d2da318

SHA1
4811f2056d10b02e14ce59bfeeb2a10e928994af

SHA256
47a0722c584cb2b0e148e9b47c2dd012daee779f30f06b55e972aed28249e92a

SHA512
1b15cb40ac1120625203df1308869e463ff15de145e27cb680b9ec3b25ea9c85308774b674f4c01493f6c44023922cfbe06926465f4fd2805027e9a3f0b998f7

Download Submit
C:\Users\Admin\AppData\Roaming\tetrio-desktop\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
9438c1cba0067277f16695c0f98bfd2c

SHA1
2ab67ddec9547026f4395e829a8d4d9f4d76f446

SHA256
cda96c15ee26b3c85526796f5d0e1fb72ee189f92f9691b848aea1c45d689c71

SHA512
b3be5be2f58e8e84f80b02933fd8d99dd89f56cca5d4ad62aa64402eed7055161868bd799339f9ca8176c3ad22190813c801cc0ff6cda535e2863b322cdfdab0

Download Submit
C:\Users\Admin\AppData\Roaming\tetrio-desktop\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
f9f8e8d4efc15cdc2c74e22e04623270

SHA1
5ba1d2403782e6507a6838a9d589e8a406cfb15e

SHA256
360a34cc3f9201bf7018bfc6724532a8d515255b146e3320db1b370d4bf6ede3

SHA512
45b83b8cefed1a3180f309caede35ede7f7126e4599319382d3b59aa8c4c90bfdd3c49c9921ca06f7fa5298cc6217daea8ded1124858d66f4fb2199804705981

Download Submit
C:\Users\Admin\AppData\Roaming\tetrio-desktop\Network\Network Persistent State

Filesize
59B

MD5
78bfcecb05ed1904edce3b60cb5c7e62

SHA1
bf77a7461de9d41d12aa88fba056ba758793d9ce

SHA256
c257f929cff0e4380bf08d9f36f310753f7b1ccb5cb2ab811b52760dd8cb9572

SHA512
2420dff6eb853f5e1856cdab99561a896ea0743fcff3e04b37cb87eddf063770608a30c6ffb0319e5d353b0132c5f8135b7082488e425666b2c22b753a6a4d73

Download Submit
C:\Users\Admin\AppData\Roaming\tetrio-desktop\Network\Network Persistent State

Filesize
686B

MD5
67cfa9c2cbbad89c1cbe5e11d2b82ab2

SHA1
1e703bdfd17440dd0e731f790274cbd6238a09db

SHA256
871525832c5bb321e576dc727601fdf76fd388ce63fb3c2805c02fbf587400f5

SHA512
48b20b6f4a76d133967fe58d2337e08e13b39addadfecd54e356251a7e8ebe05d8e5c22cced7452008e49bea783c6a9cf7ae47d4f0d75af6c0f2a80aeab5bde2

Download Submit
C:\Users\Admin\AppData\Roaming\tetrio-desktop\Network\Network Persistent State~RFe584021.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\tetrio-desktop\Network\TransportSecurity

Filesize
355B

MD5
63f9d0064a6e28bd56343e2d19d47a44

SHA1
69217a6735bb283c43a813505acf37443330d92a

SHA256
cc745384e18c105395f21cf10f8514c5651f0a6236a86a161f948eec2d16ad01

SHA512
3d0e6b3926282adbbe6921effa4abdd8980d360107a294d7db94691e01452ab1fbb4b57960d8a8403a7baf0705b6b37573cef52436574d9197c51966a716db2c

Download Submit
C:\Users\Admin\AppData\Roaming\tetrio-desktop\Network\TransportSecurity

Filesize
355B

MD5
aac744afcb3f2899234aa03fc5e1a2d1

SHA1
43dd553e8cd2a21395e1163bfecaf08d85bcce01

SHA256
eb4a818464cf65d1815e4999e0dd5f83dec0b2cfac858f25c057220c7b757044

SHA512
3bf6f0fbf2eb83d3126ac5c46b790558c2b534bef76b23e4f948ea466d76a3cfe18043fa8fc792be8b43d060f1bc7a7b58b9dcfc36c0f68279a28aeb9b90d473

Download Submit
C:\Users\Admin\AppData\Roaming\tetrio-desktop\Network\TransportSecurity

Filesize
857B

MD5
6c84cf673b9dad85470a9c3647ca5fb1

SHA1
6e95909d5e9d9033e2e2a8503c91835935cd67c8

SHA256
2dbaa485f02f5265d44eb00e4d8dfaffcfe6e7f26287eb1580092e5fd67e3d54

SHA512
406cc9ddca5c8bfcb7854d86b6d01a7fc4380ccdd0576ad39ceff4fc01fb50784f01fcf77793a80b2ea8b9bb2a789868998b58d1a36a359ab35bc929f3375590

Download Submit
C:\Users\Admin\AppData\Roaming\tetrio-desktop\Network\TransportSecurity

Filesize
857B

MD5
95946c2fb2ca43c86247cc7bf1feb750

SHA1
10d78146e1a8f91c74d555372a5217e40d9224c5

SHA256
1b012b0fc940812ee4a9567ad6d1b694eb9e28f50abf083c35b9fabd0fdc3903

SHA512
b20a79a9feec11ffaea4e21c8962a7cefdfac7420b4019f03de4cebcd35f0ac7ef0e642216ae55160e57a9c303a002520cee8ee5a9270b4d8944821080e2271d

Download Submit
C:\Users\Admin\AppData\Roaming\tetrio-desktop\Network\TransportSecurity

Filesize
857B

MD5
78082fd820e5b9a5d6ea141bdccbd719

SHA1
f9c995bb9a247a74edb0c10ff7b24b71d8e6bba7

SHA256
4d358ae947e57ffdbfcc457b8cbda69a2eb1acd9ab2419760976a313b860fb2c

SHA512
58138717e10a8f21bdeb2bd998abbdcbdad2d1dd5d710d202334b5e70e0d665d64ce458dd41f244a91363dc41d9373a25220f42fb4d7f782cfb5d5bd70de3800

Download Submit
C:\Users\Admin\AppData\Roaming\tetrio-desktop\Network\TransportSecurity

Filesize
690B

MD5
ecc5e1eb67d01801f2bbf36d1e8d89e7

SHA1
8e9f7d9823f85f36f751d0394ff78706a8cd5fb6

SHA256
e519e07756d2450c47738563ffa1b8bb4dbde8bd376d7c8d03c41f0c4233dfd2

SHA512
60120f2dc36058003148c9f091a01b7cbec9ac859582044bf2e0806eb2805925eaffda3bc7bb768683ec532fd82a2981936343b52a9f4f1dbd94a05a4e4e2af9

Download Submit
C:\Users\Admin\AppData\Roaming\tetrio-desktop\Network\TransportSecurity

Filesize
857B

MD5
fcffccceaa6b59217cafe98cebd03f97

SHA1
868c7b74e76f6eb077be86eb4e919f687ff1edb4

SHA256
cedd94427ecde603bff505a0159b76a037879e914387d8bfcb0e9c0a8c4619cb

SHA512
8292b6300b8f30f827386fe535abecd1d6322ae059749427ebf40317262893730ca798acbe45ab83090b355c58de3ce1584f891a7ff0c384692819e4ed34da2c

Download Submit
C:\Users\Admin\AppData\Roaming\tetrio-desktop\Network\TransportSecurity~RFe5861d2.TMP

Filesize
355B

MD5
8ea730420006441396b500b537523b50

SHA1
a34cf1ed1e45910cdd3bd97a721184e06e9677a8

SHA256
8a21b7eb030203ad866815406eb57dc51667169ad9466ee657adc516dacfbeff

SHA512
3a495296a434482f737da9f982cf1af3b61c600aed2fed54a9ae52a3954e6127cb31d32d2eb712840ebab0e8c3c302cdbb4f5ed23d62cf45353b19b03c60d563

Download Submit
C:\Users\Admin\AppData\Roaming\tetrio-desktop\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
memory/1080-384-0x0000012E34330000-0x0000012E3435A000-memory.dmp

Filesize
168KB

Download
memory/1080-68-0x0000012E33D70000-0x0000012E33D92000-memory.dmp

Filesize
136KB

Download
memory/1080-385-0x0000012E34330000-0x0000012E34354000-memory.dmp

Filesize
144KB

Download
memory/1756-179-0x00000293A34C0000-0x00000293A3504000-memory.dmp

Filesize
272KB

Download
memory/2952-176-0x000001EC79F30000-0x000001EC79FDD000-memory.dmp

Filesize
692KB

Download
memory/3488-53-0x00007FFE97E20000-0x00007FFE97E21000-memory.dmp

Filesize
4KB

Download
memory/3488-52-0x00007FFE98440000-0x00007FFE98441000-memory.dmp

Filesize
4KB

Download
memory/3488-93-0x000002DED6680000-0x000002DED672D000-memory.dmp

Filesize
692KB

Download
memory/4684-195-0x000001DB6D880000-0x000001DB6D8F6000-memory.dmp

Filesize
472KB

Download
memory/5356-440-0x0000022448DE0000-0x0000022448DE1000-memory.dmp

Filesize
4KB

Download
memory/5356-429-0x0000022448DE0000-0x0000022448DE1000-memory.dmp

Filesize
4KB

Download
memory/5356-441-0x0000022448DE0000-0x0000022448DE1000-memory.dmp

Filesize
4KB

Download
memory/5356-430-0x0000022448DE0000-0x0000022448DE1000-memory.dmp

Filesize
4KB

Download
memory/5356-439-0x0000022448DE0000-0x0000022448DE1000-memory.dmp

Filesize
4KB

Download
memory/5356-438-0x0000022448DE0000-0x0000022448DE1000-memory.dmp

Filesize
4KB

Download
memory/5356-437-0x0000022448DE0000-0x0000022448DE1000-memory.dmp

Filesize
4KB

Download
memory/5356-436-0x0000022448DE0000-0x0000022448DE1000-memory.dmp

Filesize
4KB

Download
memory/5356-435-0x0000022448DE0000-0x0000022448DE1000-memory.dmp

Filesize
4KB

Download
memory/5356-428-0x0000022448DE0000-0x0000022448DE1000-memory.dmp

Filesize
4KB

Download