b7d148da962c5abb761e5b79e9d2823997b0dfdebf8e410a3e8dfc0d39e21581

Analysis

max time kernel
174s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 22:48

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

nitro-lifetime-method.txt
Size

1KB
MD5

0d7229d6ddfb223cd4c5ef9ac4a88cdb
SHA1

24702f249ddc03f1362de41f8aa1d59c949f77e9
SHA256

b7d148da962c5abb761e5b79e9d2823997b0dfdebf8e410a3e8dfc0d39e21581
SHA512

253a0eb97ecd4879b2beb5e3c839efd0a837661bbdf911f085fabc91700853d93d36a4595560edcd75dbf188c7102726ae4334622c370af94f7ba763c2357448

Score

10^/10

discovery evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\system.exe"	reg.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Executes dropped EXE 1 IoCs

pid	Process
2388	system.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\system.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
60	raw.githubusercontent.com
61	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SCHTASKS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133714326095846985"	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "103"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4740	SCHTASKS.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1644	chrome.exe
1644	chrome.exe
3944	chrome.exe
3944	chrome.exe
3944	chrome.exe
3944	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe
Token: SeShutdownPrivilege	1644	chrome.exe
Token: SeCreatePagefilePrivilege	1644	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe
1644	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2716	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 4224	1644	chrome.exe	96
PID 1644 wrote to memory of 4224	1644	chrome.exe	96
PID 1644 wrote to memory of 640	1644	chrome.exe	97
PID 1644 wrote to memory of 640	1644	chrome.exe	97
PID 1644 wrote to memory of 640	1644	chrome.exe	97
PID 1644 wrote to memory of 640	1644	chrome.exe	97
PID 1644 wrote to memory of 640	1644	chrome.exe	97
PID 1644 wrote to memory of 640	1644	chrome.exe	97
PID 1644 wrote to memory of 640	1644	chrome.exe	97
PID 1644 wrote to memory of 640	1644	chrome.exe	97
PID 1644 wrote to memory of 640	1644	chrome.exe	97
PID 1644 wrote to memory of 640	1644	chrome.exe	97
PID 1644 wrote to memory of 640	1644	chrome.exe	97
PID 1644 wrote to memory of 640	1644	chrome.exe	97
PID 1644 wrote to memory of 640	1644	chrome.exe	97
PID 1644 wrote to memory of 640	1644	chrome.exe	97
PID 1644 wrote to memory of 640	1644	chrome.exe	97
PID 1644 wrote to memory of 640	1644	chrome.exe	97
PID 1644 wrote to memory of 640	1644	chrome.exe	97
PID 1644 wrote to memory of 640	1644	chrome.exe	97
PID 1644 wrote to memory of 640	1644	chrome.exe	97
PID 1644 wrote to memory of 640	1644	chrome.exe	97
PID 1644 wrote to memory of 640	1644	chrome.exe	97
PID 1644 wrote to memory of 640	1644	chrome.exe	97
PID 1644 wrote to memory of 640	1644	chrome.exe	97
PID 1644 wrote to memory of 640	1644	chrome.exe	97
PID 1644 wrote to memory of 640	1644	chrome.exe	97
PID 1644 wrote to memory of 640	1644	chrome.exe	97
PID 1644 wrote to memory of 640	1644	chrome.exe	97
PID 1644 wrote to memory of 640	1644	chrome.exe	97
PID 1644 wrote to memory of 640	1644	chrome.exe	97
PID 1644 wrote to memory of 640	1644	chrome.exe	97
PID 1644 wrote to memory of 744	1644	chrome.exe	98
PID 1644 wrote to memory of 744	1644	chrome.exe	98
PID 1644 wrote to memory of 1660	1644	chrome.exe	99
PID 1644 wrote to memory of 1660	1644	chrome.exe	99
PID 1644 wrote to memory of 1660	1644	chrome.exe	99
PID 1644 wrote to memory of 1660	1644	chrome.exe	99
PID 1644 wrote to memory of 1660	1644	chrome.exe	99
PID 1644 wrote to memory of 1660	1644	chrome.exe	99
PID 1644 wrote to memory of 1660	1644	chrome.exe	99
PID 1644 wrote to memory of 1660	1644	chrome.exe	99
PID 1644 wrote to memory of 1660	1644	chrome.exe	99
PID 1644 wrote to memory of 1660	1644	chrome.exe	99
PID 1644 wrote to memory of 1660	1644	chrome.exe	99
PID 1644 wrote to memory of 1660	1644	chrome.exe	99
PID 1644 wrote to memory of 1660	1644	chrome.exe	99
PID 1644 wrote to memory of 1660	1644	chrome.exe	99
PID 1644 wrote to memory of 1660	1644	chrome.exe	99
PID 1644 wrote to memory of 1660	1644	chrome.exe	99
PID 1644 wrote to memory of 1660	1644	chrome.exe	99
PID 1644 wrote to memory of 1660	1644	chrome.exe	99
PID 1644 wrote to memory of 1660	1644	chrome.exe	99
PID 1644 wrote to memory of 1660	1644	chrome.exe	99
PID 1644 wrote to memory of 1660	1644	chrome.exe	99
PID 1644 wrote to memory of 1660	1644	chrome.exe	99
PID 1644 wrote to memory of 1660	1644	chrome.exe	99
PID 1644 wrote to memory of 1660	1644	chrome.exe	99
PID 1644 wrote to memory of 1660	1644	chrome.exe	99
PID 1644 wrote to memory of 1660	1644	chrome.exe	99
PID 1644 wrote to memory of 1660	1644	chrome.exe	99
PID 1644 wrote to memory of 1660	1644	chrome.exe	99
PID 1644 wrote to memory of 1660	1644	chrome.exe	99
PID 1644 wrote to memory of 1660	1644	chrome.exe	99

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\nitro-lifetime-method.txt
1⤵
PID:3048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffb1786cc40,0x7ffb1786cc4c,0x7ffb1786cc58
  2⤵
  PID:4224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1920,i,11361023593501776714,9964125298041335671,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2184,i,11361023593501776714,9964125298041335671,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2420 /prefetch:3
  2⤵
  PID:744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2216,i,11361023593501776714,9964125298041335671,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2428 /prefetch:8
  2⤵
  PID:1660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3160,i,11361023593501776714,9964125298041335671,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:1872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3408,i,11361023593501776714,9964125298041335671,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:3872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4580,i,11361023593501776714,9964125298041335671,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4048 /prefetch:1
  2⤵
  PID:4396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4856,i,11361023593501776714,9964125298041335671,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4868 /prefetch:8
  2⤵
  PID:5008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5060,i,11361023593501776714,9964125298041335671,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5068 /prefetch:8
  2⤵
  PID:4748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=3824,i,11361023593501776714,9964125298041335671,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5220 /prefetch:1
  2⤵
  PID:4976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5228,i,11361023593501776714,9964125298041335671,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4668 /prefetch:8
  2⤵
  PID:3468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4400,i,11361023593501776714,9964125298041335671,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3548 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3944

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1996

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1328

C:\Users\Admin\Desktop\[email protected]
"C:\Users\Admin\Desktop\[email protected]"
1⤵
- System Location Discovery: System Language Discovery
PID:4840
- C:\Users\Admin\AppData\Local\system.exe
  "C:\Users\Admin\AppData\Local\system.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4932
- - C:\Windows\SysWOW64\SCHTASKS.exe
    C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4740
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1512
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
      4⤵
      Modifies WinLogon for persistence
      System Location Discovery: System Language Discovery
      PID:1216
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:532
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:3412
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1612
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:4716
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2152
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:3544
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1384
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:4312
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2464
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      PID:1920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4396
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:4016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c shutdown -r -t 10 -f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:668
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown -r -t 10 -f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1584

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3948855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\257de7db-9ec5-4e18-97e3-70a55765adfc.tmp

Filesize
15KB

MD5
996814ecec12a8c873fbb484d4d5ee15

SHA1
2617552551536b01d82383e7047bd6a825cacab1

SHA256
2cd56dd689dfe81446142b621be4fbee60d095e05b0d622014d470fc07de7bdd

SHA512
2879bef484dcddb907e8d56b0a1fba514cee8975fee125640bd8b75d30e1bad0ca9a4bd178d7aa2e451e168dd385290709d8ba7657eaad6811eb6f4f29679fe2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
6fb744e07a5ba9a3f092bcafb0bca263

SHA1
e37caeacc7479483a1971c14b90a2e4e90b3312c

SHA256
3e2d3ff4ed507018b29ae4f808d34cddae2aca421cc4db00e9944c6de8680821

SHA512
7e5811e10522788dd07274e0fd0b3e9e19baf358cfccff6f9c387ecaf3e7ad6df4b5a872d7c439592ee7d5610abde46a78c697ee58f3a0b2ab8499967db95a2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
139KB

MD5
c6f3d62c4fb57212172d358231e027bc

SHA1
11276d7a49093a51f04667975e718bb15bc1289b

SHA256
ea60123ec363610c8cfcd0ad5f0ab2832934af69a3c715020a09e6d907691d4c

SHA512
0f58acac541e6dece45949f4bee300e5bbb15ff1e60defe6b854ff4fb57579b18718b313bce425999d3f24319cfb3034cd05ebff0ecbd4c55ce42c7f59169b44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
5c0013eff692dbb1cea2290b203cebce

SHA1
5abd7e8dd966f686ab150c93a81bb47796f92ffa

SHA256
b8146233a316e9af3bc0a10b0850f97446d6ce6d64df9f7140d038c48352c306

SHA512
8bf662b83a36e48907c44cd90b73c0e9c819dd3c9a31e70a8f2ca0cc7b199ba11ea1581d803909716e904d8673472f917402efdd318ed01c864f7ac685d3c79d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
789f805cb37dbabb825127913b54b24e

SHA1
708bcb64734cd3ae31b678367779b58341efd9a9

SHA256
1fe0a4da0e0da6ed4d2368a1023f10aefdec9c779c0497851f6c68d24975c319

SHA512
820aea5f263e9cfa8733a88948273153af9f5574c0ff6f211bc2db54d3c3985e8062127d0fee6ad8f8d6da9953f4dceb080738578cb287a1193e04a365fb5e10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
069c1505f4fefde1629a1fb119d6a923

SHA1
412b92b61e4429a9291a709fac825759c0a847ef

SHA256
b0841107b05f6066e3e9a51e5e7cf902f998f7335896a0077365dfc9a9e8fe8b

SHA512
2efadef5d0d34780ec45157a099bcff22eb112454c39f809650121a28660eba8d6c303935c22bdf2cfe299a3e634cf48abc5fc6716da9625ac3669bc1f342bd7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
012e9bef396c6a774d558d84d1065e6c

SHA1
4d7afa101b4d02df1dffd83238f779f9e2317c5f

SHA256
97ea193229c06e0173bc387b130acfffc922173bf5d3adce9fb1684981cfa22f

SHA512
a93c41d666bb30432e88039c4d28f0cab8f4405e348049492ff3de35cb4c4e554e7e03d3d74ca193065fb84cf6862523418da875f9e89fce57ea51734db15d4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
68d69357ec815458856eba355ed84296

SHA1
61a3ae31d1fc104c06f6b5376fe99e62f86c3517

SHA256
be8029f2c726366532a8998df856c41dc102f110017dfe0ed860b5ead7b527ab

SHA512
c6803a475107430c03cb92466fca78ab9c66c58b1ebc631e6c65e3b8009d246e4f47f1835d1c83a539f59c913d080b8c4fea65ba9ff1d84b7b06207aafa78faf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fb28e3487b77424f8c6f907618842bd2

SHA1
8891cdd3a771ab478a12fc7b82e5ff8af57ef2e6

SHA256
0893c443433a3bd4b82660bdb5e96a806a4568fc6700039b7033ebe399c356fe

SHA512
4ebcfea13b36610b5192e4549970a17882d8eb2ced93df6f7e2dde16554b139104a931822823ee16e1611530a6ef7e4a7ae0b6716f745012ec28c8bda2b5f64e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
830b15c61e60e69236f2580fd396202c

SHA1
ca2a06d63d2ca2d379fc1a290cbef69e8675b188

SHA256
e05f75d22652556f507701c43cac61127c35bfe97e9e31890462439cde8ad430

SHA512
ff64b7634227df6696e18f2a003fe4eb10bc26009e9f699800558f531ea4000302ed460351b7b3d615559a580ddfeb099cab0daace78cc1d0b3aefeb62ca6b39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0545d96f9e0725b6cd4ecd27a917622a

SHA1
235aaaedf33264c96d429cedc6e8f7414d807143

SHA256
18e927e9836aa4a6e5a0d7c5023b4826708feabbf50610f652837d64939a73f8

SHA512
fc4364677136acef179611e205f70f89bba1a668a5e9dd79f361e11465dd14aea8b1502504a413cab20bf68e31b707b4db95e6a7db6b9386fe6d2995c63982a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9b1f7332a2b00ed2a8f7567d097eaa19

SHA1
35d2e0c9714ec12678db8be2a52717b0f80a737c

SHA256
d1c23e40cef1fbc77b102a3f4363a566e9e1bd23edb19c0258baec0776cc38f7

SHA512
6b1458abbcb7b649e3b60eaf8d4dc2bcc5838748da8a9557c72f547a0dee2cca3a756ff4d8fd1797745a3afed4b15ef9be4cae0fa59b57dc9906b023dafa45f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bfcb0b618f45abc3816301fd2654863d

SHA1
5af880d0d7e90a52b7a623deeca19d090d5d9133

SHA256
7faac48753287798f0044d4a7b33c0fd2a2c99518f21115751f1aa6c257a172c

SHA512
3e36c9d8ab9c12b2e8d12ff9252f210d5ee7dfdc7e18e1674e94d19f0e62a63909f7f7d501ac34e03bf34c671a2df86dee6e61044ae002cce8b9a6ffbcdf0aed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9997ee91061f66f70683a609e5e158f4

SHA1
24a16e0e2f426271c98f3179b1ac0e017e6736f7

SHA256
1d375ea577dbb2b2f7385575fe42ec27772ce410c6cff33b1f3cca9046a21746

SHA512
9b225ada6b7941b818c6f6c98ed13696959f56866221c5aee3932dbfe02a570db28007ff24077d30c8baf4ba769d7687490b418800b5f807eb8c79ecc7fecd1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7c4f2af8f9264dd06010cf16911b7ef0

SHA1
6060585bddfb5b28a5dbd6d5809ff7c97cb975a4

SHA256
01232327b231f3dadee961c39b9ff1a1ff2e6638b019e1bc795fb8e856e88b31

SHA512
a6b2ea86d334df91f4ed1ed026976415cf1dc8a920dc056c474b5ee811a36f62ef4db8d5666c9afed9abbd0c5e69876e9560b60409184d12a18225e813eaed89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
981f68acfb1079cdc8e255cf6f2fc66e

SHA1
64145337d34147286258ab0479ea0be458d56cf2

SHA256
6b11b01d452672f24de679f7951d1ecbaa131cca404de6f12665ecf02cb2791d

SHA512
71f46e2dadfd52444e1400d99cd65b1b1aad1dc2aaab49c9025adb04a6ef97a149571e3ca5a98bd62824d89cfd73bd6f30d32c01428f209b6ae495e59bc4a5a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7e48c459fbbd6d83ed16bc29c5253520

SHA1
53e9a9ec44dd13d105cde7f85a53770547fad4da

SHA256
5032af4ce635126ef9e63d51fad579fb1e7b0a716eff66f1dd1aae739009362a

SHA512
ff838cb22028eb676d77e488ccc1733a1bec900e3ffb91c6efe518092234e817ff33cc23a5c92e0e0a152483219a171935921fac92115478a8b392643615d88c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
211KB

MD5
18752b67066aa7c7e97170f1f0550378

SHA1
dcf15103fc6c1284d9b3c3f794e1ebaa679e9c1b

SHA256
8bf70e6a6ac5433655b1a2fead4ff0f7bd2b6b24808b21dc5e21f1930e2222bf

SHA512
3ed3479c61f9a3a4d8a8f4eb0f848f347a1c586f214422447a6003a76534662510c31cd49f5f54ee10c1a3787bdc32e44e7525a3ed8262d861cc4c7b19fd14ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
211KB

MD5
06648d049a8a12ea4339c8c4218d95ea

SHA1
04e244dcd8547ec24307ac7471dd0a8f9f9fa70c

SHA256
eee413ad93157303694785170f5a201683f7f6fcea772927dae17cedc33b85c6

SHA512
b051b94c4e885766216a87a5fa91aa1f16aff65d3fb6f7a2a55d81709d904e002662dd53a8badbd4dd70f1042f83a4a15f65dc3b02c37b142efae988702987c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
211KB

MD5
ae270aed0c623f45e831f3cc2d20239c

SHA1
9606cbf4358f5126edcfda238c9c4f4db94734b7

SHA256
ddec3aa86322fded129d4f0c23f7ef03e99a356d53ff2a773ae162e31ba5917e

SHA512
f9bd97c6c070f4f867f9ebba69779ee0c41ac4b10797853a80ffb4c71b60b64b0f8d7988895469174957959d3e940647e4b73deefb836ed381d73096f6791177

Download Submit
C:\Users\Admin\AppData\Local\del.bat

Filesize
65B

MD5
5be54536acf6854d3d0217fee5092ce3

SHA1
823d25753559795f3b5a53de6b019b8815abc834

SHA256
076a50ec803f409306be46309faf35ddca3f7a41f6a884a0e0ce55497c10cb62

SHA512
b92ff21c43b6fa1a9711e7422a328583bf304bf7e2020c466825ce9172e6a31c4b04ce4adaf14a0e72a3eab364493dbfccbfb64586deab687c900ebbe541c681

Download Submit
C:\Users\Admin\AppData\Local\system.exe

Filesize
315KB

MD5
87fb609e7e7eb66f4f4da58632dfaeab

SHA1
4513955d5e863bd33287215c6b12c28978d5b885

SHA256
8c2ee7ae5d9f8f3aef4d5c1e50e35ac1d49d2990b27cb2e733ec02495313197f

SHA512
49fc19aecc1317f16099d91fc2c08a7f28d3d3ea6abbdcbea6f2492fdd72c53e9fedcb0c6486b2dc9249d6b5e7c0c5442a54c5ad9a58c4a54bc74bdfb3710820

Download Submit

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads