Analysis

- max time kernel: 157s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-11-2024 01:18
- Static task: static1
- URLScan task: urlscan1
Malware Config
Signatures
- A potential corporate email address has been identified in the URL: [email protected]
- Executes dropped EXE (2 IoCs)
  Processes: Deeply.pif (PID 2416), Deeply.pif (PID 5084)
- Enumerates processes with tasklist (1 TTPs, 4 IoCs)
  Processes: tasklist.exe (PIDs 4184, 2988, 4520, 788)
- Drops file in Windows directory (10 IoCs)
  Process Xeno.exe, file opened for modification (each path listed twice): C:\Windows\InsteadCash, C:\Windows\FearsImposed, C:\Windows\ApproachesAsp, C:\Windows\ArchitectExplained, C:\Windows\SubaruAtmosphere
- System Location Discovery: System Language Discovery (1 TTPs, 21 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Processes: findstr.exe (5), cmd.exe (6), tasklist.exe (4), choice.exe (2), Deeply.pif (2), Xeno.exe (2)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Process chrome.exe: key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS; key values queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName and \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
- Modifies data under HKEY_USERS (2 IoCs)
  Process chrome.exe: key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry; set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133756751137523250"
- Modifies registry class (1 IoCs)
  Process chrome.exe: key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes: chrome.exe (PID 2392, 2 entries), Deeply.pif (PID 2416, 6 entries), Deeply.pif (PID 5084, 6 entries)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (5 IoCs)
  Processes: chrome.exe (PID 2392, 5 entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Process chrome.exe (PID 2392): Token: SeShutdownPrivilege and Token: SeCreatePagefilePrivilege, alternating, 64 entries in total
- Suspicious use of FindShellTrayWindow (64 IoCs)
  Processes: chrome.exe (PID 2392, 64 entries)
- Suspicious use of SendNotifyMessage (30 IoCs)
  Processes: chrome.exe (PID 2392, 24 entries), Deeply.pif (PID 2416, 3 entries), Deeply.pif (PID 5084, 3 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Process chrome.exe (PID 2392) wrote to memory of: PID 3752 (procid_target 84, 2 entries), PID 3632 (procid_target 85, repeated entries), PID 4280 (procid_target 86, 2 entries), PID 2900 (procid_target 87, repeated entries); 64 entries in total
Processes

- C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2392)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://ryos.ws/
  Signatures: Enumerates system info in registry; Modifies data under HKEY_USERS; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3752)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffeff8acc40,0x7ffeff8acc4c,0x7ffeff8acc58
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3632)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1904,i,15974034362477624952,8517881453981839996,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1900 /prefetch:2
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4280)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2124,i,15974034362477624952,8517881453981839996,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2152 /prefetch:3
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2900)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2224,i,15974034362477624952,8517881453981839996,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2404 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2100)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,15974034362477624952,8517881453981839996,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3152 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5060)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,15974034362477624952,8517881453981839996,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3196 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5080)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4588,i,15974034362477624952,8517881453981839996,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4600 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4580)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4616,i,15974034362477624952,8517881453981839996,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4800 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2568)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=3204,i,15974034362477624952,8517881453981839996,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3192 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2748)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=3280,i,15974034362477624952,8517881453981839996,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5212 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4356)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5412,i,15974034362477624952,8517881453981839996,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5420 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3268)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5428,i,15974034362477624952,8517881453981839996,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5372 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4620)
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4956,i,15974034362477624952,8517881453981839996,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4628 /prefetch:8
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe (PID 2400)
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
- C:\Windows\system32\svchost.exe (PID 3456)
  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
- C:\Windows\System32\rundll32.exe (PID 3556)
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Users\Admin\Desktop\Release\Xeno.exe (PID 4448)
  "C:\Users\Admin\Desktop\Release\Xeno.exe"
  Signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 1360)
    "C:\Windows\System32\cmd.exe" /c copy Differently Differently.bat & Differently.bat
    Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\tasklist.exe (PID 4184)
      tasklist
      Signatures: Enumerates processes with tasklist; System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\findstr.exe (PID 2904)
      findstr /I "wrsa opssvc"
      Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\tasklist.exe (PID 2988)
      tasklist
      Signatures: Enumerates processes with tasklist; System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\findstr.exe (PID 3020)
      findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
      Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cmd.exe (PID 2520)
      cmd /c md 523425
      Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\findstr.exe (PID 1048)
      findstr /V "EnsuresCareySaySpeech" Worm
      Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cmd.exe (PID 5036)
      cmd /c copy /b ..\Revolution + ..\Function + ..\Vincent + ..\Aspects + ..\Hereby + ..\Battle + ..\Bo I
      Signatures: System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\523425\Deeply.pif (PID 2416)
      Deeply.pif I
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of SendNotifyMessage
    - C:\Windows\SysWOW64\choice.exe (PID 3944)
      choice /d y /t 5
      Signatures: System Location Discovery: System Language Discovery
- C:\Users\Admin\Desktop\Release\Xeno.exe (PID 1028)
  "C:\Users\Admin\Desktop\Release\Xeno.exe"
  Signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 3092)
    "C:\Windows\System32\cmd.exe" /c copy Differently Differently.bat & Differently.bat
    Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\tasklist.exe (PID 4520)
      tasklist
      Signatures: Enumerates processes with tasklist; System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\findstr.exe (PID 3144)
      findstr /I "wrsa opssvc"
      Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\tasklist.exe (PID 788)
      tasklist
      Signatures: Enumerates processes with tasklist; System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\findstr.exe (PID 3932)
      findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
      Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cmd.exe (PID 4360)
      cmd /c md 523425
      Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cmd.exe (PID 860)
      cmd /c copy /b ..\Revolution + ..\Function + ..\Vincent + ..\Aspects + ..\Hereby + ..\Battle + ..\Bo I
      Signatures: System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\523425\Deeply.pif (PID 5084)
      Deeply.pif I
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of SendNotifyMessage
    - C:\Windows\SysWOW64\choice.exe (PID 3420)
      choice /d y /t 5
      Signatures: System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads