Analysis
-
max time kernel
174s -
max time network
172s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241211-en -
resource tags
arch:x64 arch:x86 image:win10ltsc2021-20241211-en locale:en-us os:windows10-ltsc 2021-x64 system -
submitted
27-12-2024 01:22
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://www.youtube.com/redirect?event=comments&redir_token=QUFFLUhqbGZhNjNLUlRLVUFURF8zWldNV1I2cndIMFphUXxBQ3Jtc0trSkRTa0hoMFpZT3JDZWYxOUtvYmZCZG5iOFpQUGNiSU04REtQNF9DVDFuN2ppWEc5M2ZoYXB0MkJXcW1hWHcwbmxyX2k0SWw2RUtVMVV1akd5LWxUZzJRUzM0Mk5OTnFpVWFJelF6SzhjckV4R25kOA&q=https%3A%2F%2Froblxgets.com%2Fwave
Resource
win10ltsc2021-20241211-en
Behavioral task
behavioral2
Sample
https://www.youtube.com/redirect?event=comments&redir_token=QUFFLUhqbGZhNjNLUlRLVUFURF8zWldNV1I2cndIMFphUXxBQ3Jtc0trSkRTa0hoMFpZT3JDZWYxOUtvYmZCZG5iOFpQUGNiSU04REtQNF9DVDFuN2ppWEc5M2ZoYXB0MkJXcW1hWHcwbmxyX2k0SWw2RUtVMVV1akd5LWxUZzJRUzM0Mk5OTnFpVWFJelF6SzhjckV4R25kOA&q=https%3A%2F%2Froblxgets.com%2Fwave
Resource
win11-20241007-en
General
-
Target
https://www.youtube.com/redirect?event=comments&redir_token=QUFFLUhqbGZhNjNLUlRLVUFURF8zWldNV1I2cndIMFphUXxBQ3Jtc0trSkRTa0hoMFpZT3JDZWYxOUtvYmZCZG5iOFpQUGNiSU04REtQNF9DVDFuN2ppWEc5M2ZoYXB0MkJXcW1hWHcwbmxyX2k0SWw2RUtVMVV1akd5LWxUZzJRUzM0Mk5OTnFpVWFJelF6SzhjckV4R25kOA&q=https%3A%2F%2Froblxgets.com%2Fwave
Malware Config
Signatures
-
resource                                      yara_rule
behavioral1/files/0x002700000004659b-194.dat  cryptone
-
A potential corporate email address has been identified in the URL: [email protected]
-
Executes dropped EXE 3 IoCs
pid   Process
6100  Bootstrapper.exe
5748  Bootstrapper.exe
4696  Bootstrapper.exe
-
Drops file in Windows directory 1 IoCs
description                   ioc                    Process
File opened for modification  C:\Windows\SystemTemp  chrome.exe
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Bootstrapper.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Bootstrapper.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Bootstrapper.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
description        ioc                                                                  Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                   chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
-
Modifies data under HKEY_USERS 2 IoCs
description      ioc                                                                                              Process
Key created      \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                            chrome.exe
Set value (int)  \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133797361743092997"  chrome.exe
-
Modifies registry class 1 IoCs
description  ioc                                                                             Process
Key created  \REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000_Classes\Local Settings  chrome.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid   Process
3172  chrome.exe
3172  chrome.exe
5996  chrome.exe
5996  chrome.exe
5996  chrome.exe
5996  chrome.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid   Process     occurrences
3172  chrome.exe  7
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description                       pid   Process     occurrences
Token: SeShutdownPrivilege        3172  chrome.exe  32
Token: SeCreatePagefilePrivilege  3172  chrome.exe  32
-
Suspicious use of FindShellTrayWindow 59 IoCs
pid   Process     occurrences
3172  chrome.exe  56
6056  7zG.exe     1
5516  7zG.exe     1
3092  7zG.exe     1
-
Suspicious use of SendNotifyMessage 24 IoCs
pid   Process     occurrences
3172  chrome.exe  24
-
Suspicious use of WriteProcessMemory 64 IoCs
description                       pid   Process     procid_target  occurrences
PID 3172 wrote to memory of 2044  3172  chrome.exe  91             2
PID 3172 wrote to memory of 4000  3172  chrome.exe  92             30
PID 3172 wrote to memory of 3904  3172  chrome.exe  93             2
PID 3172 wrote to memory of 3024  3172  chrome.exe  94             30
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.youtube.com/redirect?event=comments&redir_token=QUFFLUhqbGZhNjNLUlRLVUFURF8zWldNV1I2cndIMFphUXxBQ3Jtc0trSkRTa0hoMFpZT3JDZWYxOUtvYmZCZG5iOFpQUGNiSU04REtQNF9DVDFuN2ppWEc5M2ZoYXB0MkJXcW1hWHcwbmxyX2k0SWw2RUtVMVV1akd5LWxUZzJRUzM0Mk5OTnFpVWFJelF6SzhjckV4R25kOA&q=https%3A%2F%2Froblxgets.com%2Fwave
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 3172
  -
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ff91578cc40,0x7ff91578cc4c,0x7ff91578cc58
      PID: 2044
    -
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1900,i,367383899422561377,205220506134297060,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=1896 /prefetch:2
      PID: 4000
    -
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2144,i,367383899422561377,205220506134297060,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=1904 /prefetch:3
      PID: 3904
    -
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2240,i,367383899422561377,205220506134297060,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2432 /prefetch:8
      PID: 3024
    -
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3136,i,367383899422561377,205220506134297060,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3172 /prefetch:1
      PID: 2180
    -
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3160,i,367383899422561377,205220506134297060,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3344 /prefetch:1
      PID: 2616
    -
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4628,i,367383899422561377,205220506134297060,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4644 /prefetch:8
      PID: 4288
    -
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4712,i,367383899422561377,205220506134297060,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4648 /prefetch:1
      PID: 3944
    -
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=5012,i,367383899422561377,205220506134297060,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5032 /prefetch:1
      PID: 4928
    -
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=3188,i,367383899422561377,205220506134297060,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3536 /prefetch:1
      PID: 5228
    -
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3496,i,367383899422561377,205220506134297060,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3352 /prefetch:1
      PID: 5240
    -
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5240,i,367383899422561377,205220506134297060,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5216 /prefetch:1
      PID: 5248
    -
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5116,i,367383899422561377,205220506134297060,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5236 /prefetch:8
      PID: 5600
    -
    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5564,i,367383899422561377,205220506134297060,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5396 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID: 5996
    -
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
  PID: 2740
-
C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
  PID: 4572
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations=is-enterprise-managed=no --field-trial-handle=5784,i,690293423614796501,17475910179943560176,262144 --variations-seed-version --mojo-platform-channel-handle=1836 /prefetch:8
  PID: 4236
-
C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 5892
-
C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Release-App-Botstrap-x64\" -spe -an -ai#7zMap2093:110:7zEvent20878
  - Suspicious use of FindShellTrayWindow
  PID: 6056
-
C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Release-App-Botstrap-x64\" -spe -an -ai#7zMap10471:110:7zEvent28700
  - Suspicious use of FindShellTrayWindow
  PID: 5516
-
C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Release-App-Botstrap-x64\Release\" -spe -an -ai#7zMap27593:126:7zEvent19659
  - Suspicious use of FindShellTrayWindow
  PID: 3092
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations=is-enterprise-managed=no --field-trial-handle=3792,i,690293423614796501,17475910179943560176,262144 --variations-seed-version --mojo-platform-channel-handle=3700 /prefetch:8
  PID: 4356
-
C:\Users\Admin\Downloads\Release-App-Botstrap-x64\Release\Bootstrapper.exe
  "C:\Users\Admin\Downloads\Release-App-Botstrap-x64\Release\Bootstrapper.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 6100
-
C:\Users\Admin\Downloads\Release-App-Botstrap-x64\Release\Bootstrapper.exe
  "C:\Users\Admin\Downloads\Release-App-Botstrap-x64\Release\Bootstrapper.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 5748
-
C:\Users\Admin\Downloads\Release-App-Botstrap-x64\Release\Bootstrapper.exe
  "C:\Users\Admin\Downloads\Release-App-Botstrap-x64\Release\Bootstrapper.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 4696
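The flattened rows above hide the chain this run actually documents: Chrome opens a YouTube /redirect wrapper whose q= parameter carries the real landing page (roblxgets.com), 7zG.exe extracts an archive under C:\Users\Admin\Downloads\Release-App-Botstrap-x64\, and Bootstrapper.exe then runs from that extraction directory and opens the NLS\Language key. The Python below is an added triage helper; it is not part of this report, of the sandbox service, or of the analysed sample. It unwraps the redirect to the real landing host, links each process to the 7-Zip extraction that produced its image path, flags execution from a user's Downloads folder, and tags the NLS\Language read with ATT&CK T1614.001. The process and registry rows embedded in it are copied from this report's Processes and Signatures sections (Chrome's command line is abbreviated to the flags that matter); the function names, the matching rules and the technique tag are the example's own.

```python
"""Added triage helper; not part of the sandbox report or the analysed sample.

Rebuilds the chain the report's flattened rows describe:
  1. a YouTube /redirect wrapper whose q= parameter carries the real landing page,
  2. 7zG.exe extracting an archive under the user's Downloads folder,
  3. Bootstrapper.exe running from that extraction directory and opening
     the NLS\\Language key (ATT&CK T1614.001, System Language Discovery).
Sample rows are copied from the report; function names and rules are the example's own.
"""
import re
from urllib.parse import parse_qs, urlparse

# Submitted URL, from the report's Target field.
REDIRECT_URL = (
    "https://www.youtube.com/redirect?event=comments"
    "&redir_token=QUFFLUhqbGZhNjNLUlRLVUFURF8zWldNV1I2cndIMFphUXxBQ3Jtc0trSkRTa0hoMFpZT3JDZWYxOUtvYmZCZG5iOFpQUGNiSU04REtQNF9DVDFuN2ppWEc5M2ZoYXB0MkJXcW1hWHcwbmxyX2k0SWw2RUtVMVV1akd5LWxUZzJRUzM0Mk5OTnFpVWFJelF6SzhjckV4R25kOA"
    "&q=https%3A%2F%2Froblxgets.com%2Fwave"
)

CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SEVENZIP = r"C:\Program Files\7-Zip\7zG.exe"
BOOTSTRAPPER = r"C:\Users\Admin\Downloads\Release-App-Botstrap-x64\Release\Bootstrapper.exe"

# (pid, image, command line) rows from the report's Processes section.
# Chrome's command line is abbreviated to the flags that matter here.
PROCESSES = [
    (3172, CHROME, f'"{CHROME}" --disable-background-networking --single-argument {REDIRECT_URL}'),
    (6056, SEVENZIP, f'"{SEVENZIP}" x -o"C:\\Users\\Admin\\Downloads\\Release-App-Botstrap-x64\\" -spe -an -ai#7zMap2093:110:7zEvent20878'),
    (5516, SEVENZIP, f'"{SEVENZIP}" x -o"C:\\Users\\Admin\\Downloads\\Release-App-Botstrap-x64\\" -spe -an -ai#7zMap10471:110:7zEvent28700'),
    (3092, SEVENZIP, f'"{SEVENZIP}" x -o"C:\\Users\\Admin\\Downloads\\Release-App-Botstrap-x64\\Release\\" -spe -an -ai#7zMap27593:126:7zEvent19659'),
    (6100, BOOTSTRAPPER, f'"{BOOTSTRAPPER}"'),
    (5748, BOOTSTRAPPER, f'"{BOOTSTRAPPER}"'),
    (4696, BOOTSTRAPPER, f'"{BOOTSTRAPPER}"'),
]

# (process, description, key) rows from the report's Signatures section.
REGISTRY_ROWS = [
    ("Bootstrapper.exe", "Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    ("chrome.exe", "Key opened", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS"),
    ("chrome.exe", "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName"),
]

EXTRACT_DIR = re.compile(r'-o"([^"]+)"')  # 7-Zip's output-directory switch


def unwrap_redirect(url):
    """(wrapper host, real target URL, real target host) for a wrapper whose
    destination rides in q=. Target fields are None when q= is absent, so a
    blocklist built from this never silently falls back to the wrapper host."""
    parsed = urlparse(url)
    target = parse_qs(parsed.query).get("q", [None])[0]  # parse_qs percent-decodes
    return parsed.hostname, target, urlparse(target).hostname if target else None


def extraction_dirs(processes):
    """[(output dir, lower-cased), 7zG pid] for every 7-Zip 'x' run, longest
    path first so a nested extraction wins over its parent directory."""
    dirs = []
    for pid, image, cmd in processes:
        if image.lower().endswith(("\\7zg.exe", "\\7z.exe")) and (m := EXTRACT_DIR.search(cmd)):
            dirs.append((m.group(1).lower(), pid))
    return sorted(dirs, key=lambda d: -len(d[0]))


def extracted_then_executed(processes):
    """{pid: 7zG pid} for processes whose image lives inside an extraction directory."""
    dirs = extraction_dirs(processes)
    hits = {}
    for pid, image, _ in processes:
        for out_dir, zpid in dirs:
            if image.lower().startswith(out_dir):
                hits[pid] = zpid
                break
    return hits


def user_writable_execution(processes):
    """pids whose image sits under any user's Downloads folder."""
    under_downloads = re.compile(r"\\users\\[^\\]+\\downloads\\")
    return sorted(pid for pid, image, _ in processes if under_downloads.search(image.lower()))


def language_discovery(registry_rows):
    """Processes that touched the NLS\\Language key (ATT&CK T1614.001)."""
    return sorted({proc for proc, _, key in registry_rows
                   if key.lower().endswith(r"\control\nls\language")})


def summarize(processes=PROCESSES, registry_rows=REGISTRY_ROWS, url=REDIRECT_URL):
    """Everything a triage note needs, in one dict."""
    _, _, landing_host = unwrap_redirect(url)
    return {
        "landing_host": landing_host,
        "extracted_then_executed": extracted_then_executed(processes),
        "executed_from_downloads": user_writable_execution(processes),
        "language_discovery": language_discovery(registry_rows),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

Run it as-is to get the landing host (roblxgets.com), the three Bootstrapper.exe pids mapped to the 7zG.exe run that unpacked them (3092, the extraction into the Release\ subdirectory), and Bootstrapper.exe as the only process that read NLS\Language. The block-list lesson is in unwrap_redirect: the host to block is the one inside q=, and the wrapper host must never be used as a fallback, which is why the function returns None rather than www.youtube.com when q= is missing.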
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 649B
MD5 26d12de31204be48f0e21c116a0f6d2d
SHA1 0fa8a45b8955c810cff0437580a3dc1e61d5f4e5
SHA256 f9e3fb3e857be9350d48d3bb41fcf01b7d9a958c9f5e1ccc638a952e4b5f3838
SHA512 6c368653dddb59772ebe938c054a3909964a4e0732ce2f8d40f038265cc916cd21ac2761c98e5998536253e006a7a2db33182b4597d60355ed13e34398f103cf
-
Filesize 216B
MD5 7584f62d92567316b87f0de77f3df309
SHA1 6ae29c1bbbdbd20ccae3771c4de648f54d09dce6
SHA256 bc3f325f00654354c3bef16516cd898db0fbe8ca01277252948f4aa095affe1a
SHA512 c7ffeef8ce309831f3e144d317281638538d5dcd179ef418e4ffa790b09b7594e0b2c50115c54979bba1b19afd3a1268643fec31c0df4da9ff08d1d5f6b7763c
-
Filesize 3KB
MD5 109375c8e71c5d219542a417411af2c7
SHA1 bf58290fdeee87bb6ad6ca1b70b8dd6f7ed67fcd
SHA256 d361e18b0fc7a78af62472249fd5fa2e5018c1fd28cd51769c29f78b90aae2f8
SHA512 ed94b80f215f3abf410edfd396d505d790ea7e693d1077efde0c3a884c6c80a62f3289afab14355c27fe1784e97f80a9cb5b6cd842840eca09e086572a50387d
-
Filesize 2B
MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize 1KB
MD5 c211c12b7e8362d0e7e42049b4fc0912
SHA1 f7635ac6d0672bf3314ad23cd2bc7829d03e219f
SHA256 f6fe2e740507ed865f6d2d9980e82349958ad0e4875b27e19d658a016dd5dc45
SHA512 6c4fed97d847bb334452fc818a5bc05fec778cb9fa343cdfe354ffab3c02bc8d0b14cef37454f38c73e10c7a661b0118b2b52d62c2967a8124f2c10581d4fec3
-
Filesize 9KB
MD5 85a2a3bdf8ee681a793238624ed448af
SHA1 838e5366bb44fc56cf238cc2b9847cbb5704c36c
SHA256 bda3d45440b0500c7f478b3e900250bfa0387977fd4cbf03906fb10dcf3f9c35
SHA512 1aca7975e710c95cdcb417c8f6af00c38320f00fa36a0efda7c8bc97dbb032a63e5da868e3dbdb58fe074fa335bb3e3877f1f5ed9172d9124fb6b84f533e5e16
-
Filesize 10KB
MD5 c24f323495ce336e7c3f9a7e5bde39c3
SHA1 b2f1b3b23ad76d1b04818f4b59b31500d6d27ae3
SHA256 97e3310c4417786437669a415a256db479242c72cc566ae0b122b31a9d3c5bea
SHA512 1be9dc0a6990556d5587e669c144eb3a173b715ef5b4e77556d8605bffaaa2d84956c7409ff75c48f288fedef75edbd93873256f8de2225a71790a89c6d97948
-
Filesize 10KB
MD5 41cfc910df8b47ade7cad2f3466a50a2
SHA1 334b79728356fd004598454253c35f3f8dc1da80
SHA256 79fa45bb9d9034ad9e0a428b09ba777c066c776f34b969953d2dd8dbae0e7cbd
SHA512 62952c54940b761fce7c4757bf7cb4d8eabbc823a06b78a64620804ba35aa3e8fafa7de2133b3edcb2d29d3cb02ff02445ff6e0ed09aa0a569a89270faa95483
-
Filesize 10KB
MD5 b600174a49fc393f9d143129a3e2eae7
SHA1 931fcb8c544a7c121bcf9ce132a3afa2c2d3b83e
SHA256 1855b1a09d2381d727ffbd5089dc7f66c98b4e11cae1a63a68d7e8d447d4b60c
SHA512 9c0ca59a3debfd9f2f203e0085ed0ef718fb79bd11934b3531254f9971d9a1dfe8abdbb3818ec7d597d571a20531e570753eabee671ad699533fc82b20de8edc
-
Filesize 9KB
MD5 29eec8b21296f54ae240c184f96ca3c3
SHA1 7426455962010e45336e4c739c3a6b1baaade016
SHA256 d666d25b1b3140c07f1cf00f3e9efeac819d4d0c0524128103d8707d1605fe15
SHA512 32aec2b60085cad7f6363bf7fca15bb64f56f99c3123b36e0be7bbc7882a15536dbf88b3e833e21e5898fb8d07c4d2488490d9e28d580bf02f59fc3c88ad9eb2
-
Filesize 10KB
MD5 443862f2bcc112b0a0e51fb57abcdb9c
SHA1 a7761c1a1fd9101c8cddaf923a759d0d9ce3fa1b
SHA256 2a258fb31d58216d8a32a5ca6e2262bdfde8eb25cb7e34ce1537f61daaded1bd
SHA512 1f001f00a4cd68c1f16e762ee8e82333be940411f1fa3e396d74f60fa4d13ddbbfa6b8ca7c180b703e12bef62b611f7cf51a12e7c6cc63da450e7e1d9006d75b
-
Filesize 10KB
MD5 a09e5ac9aed666547d8f6d4bbab5110a
SHA1 04f5974a918b52754b4828dc8edfafc09aea3616
SHA256 889a99038911312034e81b15dd262826393a8dc12a0336e6772f8826da296acd
SHA512 dd86041af47a280492227b103f32a3ea93998493ad329634c12b13626a11893f04a8d711fffcdd4559ad0a0183aa29ee1b7a97e7bab870e9ad9a17dfd09de220
-
Filesize 10KB
MD5 7ec2cc4467b5c2d94b83ad0b3b4f1442
SHA1 9c701c07d52e7386bced2bc81a833fb512a7fc52
SHA256 bf087fc92321e601014bd928a1ee1af50f3146222e869616b97f82379fce1093
SHA512 0b1e9b310d5cb9efb6cfa1919e20ea23b5129830077ab8b4da62525f2d73726d187b8cc7c7dc75bfb6f3cb70d221651b33d089d0dfec9782a4a2f34347d35d3f
-
Filesize 10KB
MD5 a52c140f7cc79c271e39b97ff80e3c69
SHA1 3b3c813ba79f0730022c811a23ba37ccb88cbc9b
SHA256 2fa56fd303d716ab9e76a6bbb6c4c2c2ce75feed5def0702db8fd3ba87c63e54
SHA512 a3d5654f8e99ba2662efd086e565131e2242ac5bbb7b6310cf08278e1349fe084651670c9f91e208fc8cf3dd588e46e48dfffbf37689e371ae3f454ff5fa82dc
-
Filesize 10KB
MD5 4eb5617903c7de57e2c5665d08bc9109
SHA1 c652ddc7245c6f58ce84d90fd5da04b4f5ddb56b
SHA256 94d1e21ccc339ae1daf161ec9d7ab01e67bc45638072ebe188db991542ec9eb4
SHA512 348c86c1df1e5232dd930b5c1bba7961c7d3d058349f44e0069a138aad26588ecb4454f179bc30bfa6bde47c93ca0b60d9a9448245e08da295028964bd2c102e
-
Filesize 10KB
MD5 a7ed431a3aa6d1cd40e5d5c535e2c5dd
SHA1 c507e2c6aca4e8acd7d7b65a9904f73dc14837e4
SHA256 68bc90a57602918c9d3035deff105aa970e9e58ebd0091718d887b87af0a8b71
SHA512 e5f899e51ef9b38ef9d68b0728519bc3741ea3a847415b0a714b4bb3e87ced68373dfb803ab17b03e9f0cf830075ea15c5da31aefbce4e60872e965185ffb6bc
-
Filesize 118KB
MD5 2ffb981935c4aa9083ae08c8b458f792
SHA1 1208e49cfd0733c11ab0c6f326bb5fdd179d3262
SHA256 321bb91a86033874250edec4e080c8854365ecd8cc796e04bcb09ca3478c412c
SHA512 5dce99255e532d58c2452a048341daed9e68c937bbac10848aef834189ee45a4fd6c3e22b0f6b98378b2772feff60c8334c5c1803abaf0f055a179cacd5d5706
-
Filesize 118KB
MD5 ba1403367eae0b56188028ea7a265178
SHA1 c0be7566f0f5867719dfff767858c249ae5053fa
SHA256 44cee06eb50c6b44fe8db985c8c344024d23ebfc868325cbfb7e3a7897948213
SHA512 b2f8085b051049525970a1967023dbef137c4087c3ecbb019038de72580c74c25309dc9d74f7090e479ea7363932f0b04b2306aa0e93fa693cbc9b9c0f0577fa
-
Filesize 118KB
MD5 8ec60bdd5273c6288931c5b6571c1282
SHA1 064efbd2cca7fa8ab7a3de97f311991a6a5cbca2
SHA256 0c112a22a40b2a50112342e66c97d8fbdd3ff787898c33e73092f7d90ff1b9a6
SHA512 d22c0459d4835c5606d67a4b5ed516d37241e9b45d01e1fa599caf452a8e44777b69c45f26bc88683182343760903533a27c8aca0f29f4af6d353181c85395c2
-
Filesize 41.8MB
MD5 8cad19ffab4ad5ef77a157f29c6a1765
SHA1 fe1bf4608838ca315cf844873fc5ec05ac40ff1a
SHA256 e60951d343f7560c7fa76b5a177e819fbb440c68ad9ea55a8a2cd6b1abfa4dfb
SHA512 c42d055a0589322b93c40cb3b809488b8f96f78cb9aabf54b44fc42cf87e1ac4bed6c5b383a17732b345fea3676698768ddd3460ba81c689d2a580804c21eb10
-
Filesize 41.8MB
MD5 4039725a454445d3e01b3e7da04b491e
SHA1 06b5f1ec3ba83f039d69ca483686bd1276919d31
SHA256 7ca62473a19301f7e7e4bcc11711036ad0d898627b31407202c9385c09f95e6b
SHA512 ff47ac04a0207fd9d4bb7271b95ab9f6efd694d05f3f126e07631821db2d188cb9bc7c6d72af9d9389ea5e263420ab4d0531620f3fc743533bbc668064a472ab
-
Filesize 980KB
MD5 ff6c56326f0ee63ca9360576a7449ff5
SHA1 0ee6aa098523f43dcd93dedaab26b7a13f37aec7
SHA256 aafa6952bb4c20240c67300a13ca97756ac5907f2abfbad9b76a6377605e3bf4
SHA512 631308c7104f958d8a36e9eb01a7c00c35e2092055301cca89c2669b3b3ee141129e7ff7838fb4c6d2af20fd1f3b6e57035f74805c2e02d4ed68c4b4ac7583d0
-
Filesize 18.7MB
MD5 88fd7dbf04bcf75123d02009aea3f7f7
SHA1 cecf16bdad71e54afc941179ea2b7438a04efa1d
SHA256 01481b9a862936fbc090bda4033f22d7ffa5a7bfe5dc32f47c7794332b34eec4
SHA512 2c6298b5adf91b51f0042d48e0846f5b196d52a588fd4fc577bf19ec26ad8e547382279a15f8bf131b08b0d7c140534aff25f82d5e8998818b812e72c9493917
-
Filesize 7B
MD5 260ca9dd8a4577fc00b7bd5810298076
SHA1 53a5687cb26dc41f2ab4033e97e13adefd3740d6
SHA256 aee408847d35e44e99430f0979c3357b85fe8dbb4535a494301198adbee85f27
SHA512 51e85deb51c2b909a21ec5b8e83b1cb28da258b1be227620105a345a2bd4c6aea549cd5429670f2df33324667b9f623a420b3a0bdbbd03ad48602211e75478a7
-
C:\Users\Admin\Downloads\Release-App-Botstrap-x64\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\DawnWebGPUCache\data_2
Filesize 8KB
MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
-
C:\Users\Admin\Downloads\Release-App-Botstrap-x64\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\Extension State\CURRENT
Filesize 16B
MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\Downloads\Release-App-Botstrap-x64\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\Extension State\MANIFEST-000001
Filesize 41B
MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\Downloads\Release-App-Botstrap-x64\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\GPUCache\data_0
Filesize 8KB
MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0
-
C:\Users\Admin\Downloads\Release-App-Botstrap-x64\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\GPUCache\data_1
Filesize 264KB
MD5 a833653a021f29ee2ec1a845e0c2308f
SHA1 05071159d3c2516d67b765cef012a0a2d3337759
SHA256 8e9f3538e43a68caa472fd47adaf43906e097cfb53ef55d1361caf1cc97efca7
SHA512 0902a886c95cee1b34f9419ab0a10ce0fe96eae57c59ab4cefba99ba3fc2a0237741f31076ce065db14fe3dfecd325458209f0d1e9fcc8b9ac7bff8328e1744f
-
C:\Users\Admin\Downloads\Release-App-Botstrap-x64\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\GPUCache\data_3
Filesize 8KB
MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e
-
C:\Users\Admin\Downloads\Release-App-Botstrap-x64\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\Shared Dictionary\cache\index
Filesize 24B
MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0