10d4e15b63a07368299f2245661d7a4626cd1a91a9950a3cbed5b4276d2dc31f

Resubmissions

21/09/2024, 01:58

240921-cdy4xszdnb 10

21/09/2024, 01:55

240921-cb94eazdql 10

21/09/2024, 01:54

240921-cbs5wszcrc 10

20/09/2024, 22:19

240920-18ynms1gln 10

Analysis

max time kernel
149s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
21/09/2024, 01:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

download.ps1
Size

222B
MD5

4225b2ad70add8281a8d8ac6e1c5d9da
SHA1

85bb57d35c69a159849b694b80618f1de6b8633c
SHA256

10d4e15b63a07368299f2245661d7a4626cd1a91a9950a3cbed5b4276d2dc31f
SHA512

412d63aaf85d2ba0c48bd9513484731d84f83b231b8b0ac88de102c54e06e5a126e2a0ea1c266849b369e2084d4f37624d899ea420e771a17fc14227ee56b4a6

Score

8^/10

discovery execution

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	3144	powershell.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3144	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\GPU	TextInputHost.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133713574161601746"	chrome.exe

Modifies registry class 38 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	TextInputHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	TextInputHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\localhost\ = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\localhost\ = "0"	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Root\CRLs	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\trust\Certificates	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\trust\CTLs	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\localhost	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Root\Certificates	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\TrustedPeople	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\localhost	TextInputHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\localhost\NumberOfSubdomains = "1"	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Disallowed\CRLs	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\trust\CRLs	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Root	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Root\CTLs	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	TextInputHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\localhost\NumberOfSubdomains = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\localhost\NumberOfSubdomains = "0"	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Disallowed\CTLs	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Disallowed\Certificates	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\trust	TextInputHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\CA\CTLs	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Disallowed	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\CA\Certificates	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\CA\CRLs	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	TextInputHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\MuiCache	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\CA	TextInputHost.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3384	TextInputHost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3144	powershell.exe
3144	powershell.exe
2288	chrome.exe
2288	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3144	powershell.exe
Token: 33	1876	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1876	AUDIODG.EXE
Token: SeShutdownPrivilege	2288	chrome.exe
Token: SeCreatePagefilePrivilege	2288	chrome.exe
Token: SeShutdownPrivilege	2288	chrome.exe
Token: SeCreatePagefilePrivilege	2288	chrome.exe
Token: SeShutdownPrivilege	2288	chrome.exe
Token: SeCreatePagefilePrivilege	2288	chrome.exe
Token: SeShutdownPrivilege	2288	chrome.exe
Token: SeCreatePagefilePrivilege	2288	chrome.exe
Token: SeShutdownPrivilege	2288	chrome.exe
Token: SeCreatePagefilePrivilege	2288	chrome.exe
Token: SeShutdownPrivilege	2288	chrome.exe
Token: SeCreatePagefilePrivilege	2288	chrome.exe
Token: SeShutdownPrivilege	2288	chrome.exe
Token: SeCreatePagefilePrivilege	2288	chrome.exe
Token: SeShutdownPrivilege	2288	chrome.exe
Token: SeCreatePagefilePrivilege	2288	chrome.exe
Token: SeShutdownPrivilege	2288	chrome.exe
Token: SeCreatePagefilePrivilege	2288	chrome.exe
Token: SeShutdownPrivilege	2288	chrome.exe
Token: SeCreatePagefilePrivilege	2288	chrome.exe
Token: SeShutdownPrivilege	2288	chrome.exe
Token: SeCreatePagefilePrivilege	2288	chrome.exe
Token: SeShutdownPrivilege	2288	chrome.exe
Token: SeCreatePagefilePrivilege	2288	chrome.exe
Token: SeShutdownPrivilege	2288	chrome.exe
Token: SeCreatePagefilePrivilege	2288	chrome.exe
Token: SeShutdownPrivilege	2288	chrome.exe
Token: SeCreatePagefilePrivilege	2288	chrome.exe
Token: SeShutdownPrivilege	2288	chrome.exe
Token: SeCreatePagefilePrivilege	2288	chrome.exe
Token: SeShutdownPrivilege	2288	chrome.exe
Token: SeCreatePagefilePrivilege	2288	chrome.exe
Token: SeShutdownPrivilege	2288	chrome.exe
Token: SeCreatePagefilePrivilege	2288	chrome.exe
Token: SeShutdownPrivilege	2288	chrome.exe
Token: SeCreatePagefilePrivilege	2288	chrome.exe
Token: SeShutdownPrivilege	2288	chrome.exe
Token: SeCreatePagefilePrivilege	2288	chrome.exe
Token: SeShutdownPrivilege	2288	chrome.exe
Token: SeCreatePagefilePrivilege	2288	chrome.exe
Token: SeShutdownPrivilege	2288	chrome.exe
Token: SeCreatePagefilePrivilege	2288	chrome.exe
Token: SeShutdownPrivilege	2288	chrome.exe
Token: SeCreatePagefilePrivilege	2288	chrome.exe
Token: SeShutdownPrivilege	2288	chrome.exe
Token: SeCreatePagefilePrivilege	2288	chrome.exe
Token: SeShutdownPrivilege	2288	chrome.exe
Token: SeCreatePagefilePrivilege	2288	chrome.exe
Token: SeShutdownPrivilege	2288	chrome.exe
Token: SeCreatePagefilePrivilege	2288	chrome.exe
Token: SeShutdownPrivilege	2288	chrome.exe
Token: SeCreatePagefilePrivilege	2288	chrome.exe
Token: SeShutdownPrivilege	2288	chrome.exe
Token: SeCreatePagefilePrivilege	2288	chrome.exe
Token: SeShutdownPrivilege	2288	chrome.exe
Token: SeCreatePagefilePrivilege	2288	chrome.exe
Token: SeShutdownPrivilege	2288	chrome.exe
Token: SeCreatePagefilePrivilege	2288	chrome.exe
Token: SeShutdownPrivilege	2288	chrome.exe
Token: SeCreatePagefilePrivilege	2288	chrome.exe
Token: SeShutdownPrivilege	2288	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3440	MiniSearchHost.exe
3384	TextInputHost.exe
3384	TextInputHost.exe
3384	TextInputHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 2944	2288	chrome.exe	97
PID 2288 wrote to memory of 2944	2288	chrome.exe	97
PID 2288 wrote to memory of 4032	2288	chrome.exe	98
PID 2288 wrote to memory of 4032	2288	chrome.exe	98
PID 2288 wrote to memory of 4032	2288	chrome.exe	98
PID 2288 wrote to memory of 4032	2288	chrome.exe	98
PID 2288 wrote to memory of 4032	2288	chrome.exe	98
PID 2288 wrote to memory of 4032	2288	chrome.exe	98
PID 2288 wrote to memory of 4032	2288	chrome.exe	98
PID 2288 wrote to memory of 4032	2288	chrome.exe	98
PID 2288 wrote to memory of 4032	2288	chrome.exe	98
PID 2288 wrote to memory of 4032	2288	chrome.exe	98
PID 2288 wrote to memory of 4032	2288	chrome.exe	98
PID 2288 wrote to memory of 4032	2288	chrome.exe	98
PID 2288 wrote to memory of 4032	2288	chrome.exe	98
PID 2288 wrote to memory of 4032	2288	chrome.exe	98
PID 2288 wrote to memory of 4032	2288	chrome.exe	98
PID 2288 wrote to memory of 4032	2288	chrome.exe	98
PID 2288 wrote to memory of 4032	2288	chrome.exe	98
PID 2288 wrote to memory of 4032	2288	chrome.exe	98
PID 2288 wrote to memory of 4032	2288	chrome.exe	98
PID 2288 wrote to memory of 4032	2288	chrome.exe	98
PID 2288 wrote to memory of 4032	2288	chrome.exe	98
PID 2288 wrote to memory of 4032	2288	chrome.exe	98
PID 2288 wrote to memory of 4032	2288	chrome.exe	98
PID 2288 wrote to memory of 4032	2288	chrome.exe	98
PID 2288 wrote to memory of 4032	2288	chrome.exe	98
PID 2288 wrote to memory of 4032	2288	chrome.exe	98
PID 2288 wrote to memory of 4032	2288	chrome.exe	98
PID 2288 wrote to memory of 4032	2288	chrome.exe	98
PID 2288 wrote to memory of 4032	2288	chrome.exe	98
PID 2288 wrote to memory of 4032	2288	chrome.exe	98
PID 2288 wrote to memory of 5092	2288	chrome.exe	99
PID 2288 wrote to memory of 5092	2288	chrome.exe	99
PID 2288 wrote to memory of 4944	2288	chrome.exe	100
PID 2288 wrote to memory of 4944	2288	chrome.exe	100
PID 2288 wrote to memory of 4944	2288	chrome.exe	100
PID 2288 wrote to memory of 4944	2288	chrome.exe	100
PID 2288 wrote to memory of 4944	2288	chrome.exe	100
PID 2288 wrote to memory of 4944	2288	chrome.exe	100
PID 2288 wrote to memory of 4944	2288	chrome.exe	100
PID 2288 wrote to memory of 4944	2288	chrome.exe	100
PID 2288 wrote to memory of 4944	2288	chrome.exe	100
PID 2288 wrote to memory of 4944	2288	chrome.exe	100
PID 2288 wrote to memory of 4944	2288	chrome.exe	100
PID 2288 wrote to memory of 4944	2288	chrome.exe	100
PID 2288 wrote to memory of 4944	2288	chrome.exe	100
PID 2288 wrote to memory of 4944	2288	chrome.exe	100
PID 2288 wrote to memory of 4944	2288	chrome.exe	100
PID 2288 wrote to memory of 4944	2288	chrome.exe	100
PID 2288 wrote to memory of 4944	2288	chrome.exe	100
PID 2288 wrote to memory of 4944	2288	chrome.exe	100
PID 2288 wrote to memory of 4944	2288	chrome.exe	100
PID 2288 wrote to memory of 4944	2288	chrome.exe	100
PID 2288 wrote to memory of 4944	2288	chrome.exe	100
PID 2288 wrote to memory of 4944	2288	chrome.exe	100
PID 2288 wrote to memory of 4944	2288	chrome.exe	100
PID 2288 wrote to memory of 4944	2288	chrome.exe	100
PID 2288 wrote to memory of 4944	2288	chrome.exe	100
PID 2288 wrote to memory of 4944	2288	chrome.exe	100
PID 2288 wrote to memory of 4944	2288	chrome.exe	100
PID 2288 wrote to memory of 4944	2288	chrome.exe	100
PID 2288 wrote to memory of 4944	2288	chrome.exe	100
PID 2288 wrote to memory of 4944	2288	chrome.exe	100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\download.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4768

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:3412

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3384

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C8 0x00000000000004CC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc371bcc40,0x7ffc371bcc4c,0x7ffc371bcc58
  2⤵
  PID:2944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1764,i,1282055293411997015,11550269013898439849,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1792 /prefetch:2
  2⤵
  PID:4032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2096,i,1282055293411997015,11550269013898439849,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2108 /prefetch:3
  2⤵
  PID:5092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2212,i,1282055293411997015,11550269013898439849,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2408 /prefetch:8
  2⤵
  PID:4944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,1282055293411997015,11550269013898439849,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:3628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3160,i,1282055293411997015,11550269013898439849,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3560,i,1282055293411997015,11550269013898439849,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4496 /prefetch:1
  2⤵
  PID:5036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4664,i,1282055293411997015,11550269013898439849,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4904 /prefetch:8
  2⤵
  PID:5156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4932,i,1282055293411997015,11550269013898439849,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4520 /prefetch:8
  2⤵
  PID:5276

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5228

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:5616

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:5696

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:5792

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:5976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
d7c59f33ba2c61b3c0f0a6911211ae2a

SHA1
382811572175b834d64e0a5c6e9c414a5813fce8

SHA256
a272d3e3f1a7c58de7f452e6e7f27802ab0a3fd01230fa7d148772399c29cabd

SHA512
ac01c182d69b99479b23e5bf5255c46f29d273abc5093622aab6e66afdb84aaf241320e5128c47aa1413dfe3b2b03903fb586d9a78235867fdddf6acb7c8cab6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
45a12dbe22e46cfd7310b1b13b611c58

SHA1
73d33c041177e544505a8dff9880d23a8d5dc855

SHA256
01eb0d5d55d603bb8b3d2e359963e51e99c67b395c88b02436080c9861e52a9b

SHA512
add116d0307a1aad726c2486ac325c50d15191518d2300783ed110c7af862713447b626d0a67ab6f9e6666cf231fc103160e4f7b890db40425c972cc56216383

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
eee80225f2818cf499dca2e486c312e3

SHA1
9ad8bb1e022cce00126f9439d326eda9dc864086

SHA256
9984576b8b8238d2f05003f1710224b53f1191eeda3b53e7e366dd0c4fa5178c

SHA512
4d816161e011d1fd0abd02898571839443fec11043cc9a3343520b900f805289890b3c3d23435c3485d6f6ba432728ea8a2e12ebc299a87349efb1796eaebdbe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ee54591c9365694f4024d5f8f7cc91c1

SHA1
ebe49cff71111267840441bd1431cb989c699eea

SHA256
914dde4021dfdcf5be0af1ae2e8bfda57c86be069786f0255bbd7f0367e92c78

SHA512
67e8955acc83c7786311e6d1e4f7482ad05e31e3d86f6f28d453726e66e55c3a85e9f151fd5df500e1cbe314ee3f4083ae87586b2b342d479232ff8e6d917d95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2386d9537fa4a0145f9f7532710d4639

SHA1
4092dc3ddad61a157140957b593d5a51fe7c6fe5

SHA256
ae3145b749b32516cacd879e671f29b92f4cb2e282e10cc94d374b3a7782c1dc

SHA512
a7d059f142727850588c4bd923fad4831dd5567754beb4133f2e50e1a0150f119fa44b8bbb598fd995505a8e0dedcaed358e23970b503e9a646978a19d7ae42a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b5878a3befb167078a6402b7d2e23963

SHA1
eb4bbb7dea762e37bec2095eec430e89e3b45b16

SHA256
e6c74cc23335ced4bbffc8a7c3309669e0fa1d1de957e63dfd9c8a60c71b57a9

SHA512
db4f3fb232809b14410fa3af17ef23f88f473f1acc4bfe3345daafdcaff7f159eb1b8bf7235307b5158e6f2ec14bee84326acce656991bb34ac026e21f846f79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7867ec30257bf0e96a0b9bf6e15e91b2

SHA1
288c2634ea018c545bce2fb7004634e8123ac3bf

SHA256
ed61649bfda9e68ca7f3dbfcc696738517973e57e0527ced4a089c2fffb886aa

SHA512
91c031ce98806347fe68ef1356803317634d39360d6de201638797ce67b0c11a13c079cc4a139a72cc0d8fd38de6df8c5ab300d6cb2cee524c5998eaef4af5ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
c28ac10fb77dda46683512b1dc95f350

SHA1
89a74f1140abd47c87fdce9cd2011dfe22cc2fef

SHA256
975221b8d925459b43a29dec8cedbdd80555a2944a910577c9818a0576a961f4

SHA512
254636b5cd45ff8b5e71fcfca4fd800b5308ee306577c62aaa8231a206f87026768316df45a3ea6db61c85d04a329026e360736163d7dff19c3af7bd6a6d0e4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
211KB

MD5
35959c8a342297c255e12f7a417b7ad0

SHA1
afd5d459e4decf8f2d730cdcd84d40fd116d3232

SHA256
93d7e340036a0b421398de3c7226a3faf91fbbfc5a461f9ea7b4755325e8c294

SHA512
af8e6dac49bdccb2d2f6fbddcc83f9621a91d6ce66e84f88bf334ec043d46282660c7dea0ef7ea6e1a3229c66edc81f4473ff80f52350b50293e291b0cb24b03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
211KB

MD5
87516674a0e4ece919e78e17fe6b02ff

SHA1
c32e450c210ba5db9380c0b2ec054cb0d1256ebc

SHA256
012bf55eb9a6bcc10480d79ef92628425d6f8fde4f35f1be4a7ef71c4c40460a

SHA512
468247c8e7bbdf1c51989b3a0ddde5728dbc69ba793d6d1357d235d9e306754ac83604cd2b354493fb51a88ba102c1e2532f2b0f6dd24e4a3d38a482a2967539

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-9-21.157.5696.1.odl

Filesize
706B

MD5
2ccdffffc1aa88cad01285743a0fde6b

SHA1
d3b7a815e272bbeb7e9db59396690af638a5013b

SHA256
8276a62e9ab5949543bef5d88cfc1d2bce39a6812cd392f791e5f6882f2e01bd

SHA512
50c0877b1f000d4a7ac45f4e987342b24b35094a63b9e4378d3551b03f36da8976e92fd35a4601ad6d03da45b3d904c47fab7d24b01c2d3485e148c0f2b4fc21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-9-21.157.5792.1.odl

Filesize
706B

MD5
805bfd5727f390bc2caa913dff4eff61

SHA1
730b9dfbb85e08debfeb6b85abc9abfd738577ee

SHA256
61c885661aa0153d6d172609d3e0a851815f14da8429cadb5c1d879b44ecb5e5

SHA512
17362c070a5ab92c36b9e46b0d31b42ab529093b6a7979290dc42e25cb4c728d20a76b48c2f0900518ee01ca3ce27b623419dde21338cfc4731361614ac9ed31

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Temp\APPX.43gd85xy97hk7zzj_l07vdmkd.tmp

Filesize
9KB

MD5
24ebdb1228a1818eee374bc8794869b7

SHA1
79fc3adb42a5d7ee12ff6729ef5f7a81e563cd2d

SHA256
92a7d7d3b0bfac458ddcef07afcdad3646653ba7f4ad048fdd7a5ec673235923

SHA512
63764d99a0118fac409327d5bf70f2aa9b31caf5277c4bc1e595016a50c524cd6c3d67924321b0fcad12cd968de1a62bd292151e35fd907034efd0f40b743d6a

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Temp\APPX.9172c0ureb15zq1jkec9kzqdh.tmp

Filesize
2KB

MD5
530f1945913c81b38450c5a468428ee6

SHA1
0c6d47f5376342002ffdbc9a26ebec22c48dca37

SHA256
4112d529734d33abda74478c199f6ddc5098767e69214a00d80f23d2ea7291ff

SHA512
3906427ffb8f2dfea76ba9bb8cac6bd7dece3ebee7e94ea92da5bbdb55d8859c41260a2bda4e84fab7e1fb857ad12a2e286694ea64d00d0aa6cab200fbbf64f0

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Temp\APPX.k3w13k2rugtxe0bgcr_h8yape.tmp

Filesize
1KB

MD5
4085b7b25606706f1a1ad9a88211a9b7

SHA1
31019f39a5e0bf2b1aa9fe5dda31856b30e963cc

SHA256
b64efcb638291c1e1c132ed5636afbb198031cee44384f3ecf67d82b73accecc

SHA512
9537559523839e3e708feabe8c04f40236add7d200ec36bad00c10a69337a15001103c17093dcc0d8cadb4713d911f39a6411624c1db4cbf1ea1af272a716168

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
a73ea6e1db27acedbe4055c448f82ef7

SHA1
01769a266d26c4b4b374099606e86b8874ddd55f

SHA256
c3059c62596021e555ec7901361fcde75078ad931bcac6027539930bef8b77d9

SHA512
f9cfe99077e40ac3ff11ab39020d6e159ec06cf50f9b1d156858198d48851d29de8882a18609a17dd30ddea421c6c415683b8d7b14fa30a51ddd1cd76032deb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lstsq2le.nnj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3144-11-0x00007FFC3A430000-0x00007FFC3AEF2000-memory.dmp

Filesize
10.8MB

Download
memory/3144-0-0x00007FFC3A433000-0x00007FFC3A435000-memory.dmp

Filesize
8KB

Download
memory/3144-10-0x00007FFC3A430000-0x00007FFC3AEF2000-memory.dmp

Filesize
10.8MB

Download
memory/3144-12-0x00007FFC3A430000-0x00007FFC3AEF2000-memory.dmp

Filesize
10.8MB

Download
memory/3144-15-0x00007FFC3A430000-0x00007FFC3AEF2000-memory.dmp

Filesize
10.8MB

Download
memory/3144-9-0x000001ED2C460000-0x000001ED2C482000-memory.dmp

Filesize
136KB

Download