Analysis
max time kernel: 307s
max time network: 337s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-09-2022 14:13
Behavioral tasks (sample, resource)
behavioral1: TrashMalwares-main/AcidRain.exe, win10v2004-20220812-en
behavioral2: TrashMalwares-main/Antivirus_Installer.exe, win10v2004-20220901-en
behavioral3: TrashMalwares-main/Dro trojan. Virus prank.exe, win10v2004-20220812-en
behavioral4: TrashMalwares-main/FaZoN.bat, win10v2004-20220901-en
behavioral5: TrashMalwares-main/Fizz.exe, win10v2004-20220812-en
behavioral6: TrashMalwares-main/Ginxide.exe, win10v2004-20220812-en
behavioral7: TrashMalwares-main/Install Windows20.exe, win10v2004-20220812-en
behavioral8: TrashMalwares-main/MS-RickRoll.exe, win10v2004-20220901-en
behavioral9: TrashMalwares-main/MercuryXhoffle.exe, win10v2004-20220812-en
behavioral10: TrashMalwares-main/NetPakoe.bat, win10v2004-20220812-en
behavioral11: TrashMalwares-main/NetPakoe3.0.exe, win10v2004-20220812-en
behavioral12: TrashMalwares-main/NoEscape8.0.exe, win10v2004-20220901-en
behavioral13: TrashMalwares-main/PC shaking v4.0.exe, win10v2004-20220812-en
behavioral14: TrashMalwares-main/Phsyletric.exe, win10v2004-20220812-en
behavioral15: TrashMalwares-main/RealBSOD.exe, win10v2004-20220812-en
behavioral16: TrashMalwares-main/Sankylium.exe, win10v2004-20220812-en
behavioral17: TrashMalwares-main/SuperWacker.exe, win10v2004-20220901-en
behavioral18: TrashMalwares-main/TEMZ.exe, win10v2004-20220812-en
behavioral19: TrashMalwares-main/ach.exe, win10v2004-20220901-en
behavioral20: TrashMalwares-main/even0.5.exe, win10v2004-20220812-en
behavioral21: TrashMalwares-main/lol.exe, win10v2004-20220812-en
behavioral22: TrashMalwares-main/mhm.exe, win10v2004-20220812-en
behavioral23: TrashMalwares-main/winnit6.6.6 V10.exe, win10v2004-20220901-en
behavioral24: TrashMalwares-main/winnit6.6.6_V6.exe, win10v2004-20220812-en
behavioral25: TrashMalwares-main/x.exe, win10v2004-20220812-en
General
The General and Signatures sections below cover behavioral1 (AcidRain.exe) only.
Target: TrashMalwares-main/AcidRain.exe
Size: 401KB
MD5: ca7d220a719d83aa0dd379dd2c31037a
SHA1: 88518880ee68f2b108a99449da73ec92b5e3658a
SHA256: fa9189d2c7408a9f3bcb0af1be7f00ba71af5014a8bca0986eb11a891fa6c8b5
SHA512: eee05cd53f4f5edf6c6929a294284473c39b8193b211a3165333ed65c38ea4e9d5cc6a8e1a1ae2bb38652e83bc7d2ad20fa6d38f8cdbf3a94a7a10fb6358af78
SSDEEP: 12288:aToPWBv/cpGrU3yy/paSymdM3Gi3AryjBi:aTbBv5rUVRdM2iwejBi
Malware Config
Signatures
Disables Task Manager via registry modification
No IoC is recorded for this signature. On a live host the value to check is DisableTaskMgr under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System (the standard policy location; the report does not say which key the sample wrote).
Drops file in Drivers directory (6 IoCs)
All six are cmd.exe opening existing driver-directory files for modification, part of the same bulk write over C:\Windows that the System32 and Windows directory lists below show:
- C:\Windows\SysWOW64\drivers\afunix.sys
- C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui
- C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui
- C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui
- C:\Windows\SysWOW64\drivers\gm.dls
- C:\Windows\SysWOW64\drivers\gmreadme.txt
Executes dropped EXE (4 IoCs)
- PID 4864 NyanCatIsHere.exe
- PID 2004 Acid Rain.exe
- PID 5124 msedge.exe
- PID 4992 msedge.exe
NyanCatIsHere.exe and Acid Rain.exe (note the space: a second binary, not the submitted AcidRain.exe) are the files AcidRain.exe wrote to the Startup folder (see Drops startup file). The two msedge.exe entries appear to be Microsoft Edge instances started during the run; the same PIDs account for the Loads dropped DLL hits below.
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation by:
- AcidRain.exe
- Acid Rain.exe
- cmd.exe
Drops startup file (11 IoCs)
- File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\n0rt0nant1ldks.vbs (cmd.exe)
- File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\n0rt0nant1ldks.vbs (taskmgr.exe)
- File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NyanCatIsHere.exe (AcidRain.exe)
- File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NyanCatIsHere.exe (AcidRain.exe)
- File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sodnciwkms.vbs (cmd.exe)
- File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\sodnciwkms.vbs (taskmgr.exe)
- File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hifjdnfejfnejnkdpamzm.vbs (cmd.exe)
- File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\__tmp_rar_sfx_access_check_240599625 (AcidRain.exe)
- File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Acid Rain.exe (AcidRain.exe)
- File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Acid Rain.exe (AcidRain.exe)
- File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\hifjdnfejfnejnkdpamzm.vbs (taskmgr.exe)
The __tmp_rar_sfx_access_check_* file is the write-access probe a WinRAR self-extracting archive performs before extracting, so AcidRain.exe is an SFX whose extraction directory is the user's Startup folder; NyanCatIsHere.exe and Acid Rain.exe are its payloads and run at every logon. The three .vbs files are written by cmd.exe and then opened again by taskmgr.exe; the report does not show whether that taskmgr.exe is the system Task Manager or a file the sample dropped under that name, so check its image path before discounting it.
Loads dropped DLL (4 IoCs)
- PID 5124 msedge.exe (2 loads)
- PID 4992 msedge.exe (2 loads)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc. No IoC is listed.
Adds Run key to start application (2 TTPs, 3 IoCs)
- Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run (NyanCatIsHere.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\NyanCatIsHere.exe" (NyanCatIsHere.exe)
- Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run (msedge.exe)
The dropped NyanCatIsHere.exe registers itself under the innocuous value name "Windows Update", pointing at its own copy in the Startup folder, so it has two user-level autostart paths (the HKCU Run value and the Startup folder entry). Removal has to cover both.
Legitimate hosting services abused for malware hosting/C2 (1 TTP)
No IoC is listed.
Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
- File opened for modification \??\PhysicalDrive0 (NyanCatIsHere.exe)
Opening the raw disk for writing requires administrator rights, so this only succeeds when the dropped executable runs elevated. An overwrite of the boot code leaves the running system untouched and shows up only at the next boot, which is why a sandbox run of a few minutes records the open but not its effect.
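Checking what an MBR write changed, as an added example that is not part of the Triage report or of the sample: the parser below takes a 512-byte sector 0, extracts the boot-code hash, disk signature and partition table, and diffs it against a known-good copy taken before infection. The sample sector is constructed inline; on a live Windows host the same bytes come from \\.\PhysicalDrive0 (the read_sector0 helper, which needs administrator rights just like the write the sandbox observed). The overwrite_boot_code function is a constructed stand-in for the attacker action, not the sample's payload.

```python
"""Parse and diff a 512-byte Master Boot Record.

Added example for triaging a "File opened for modification \\??\\PhysicalDrive0"
event. The sector below is constructed for the demo; nothing here is taken
from the sample.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0..439 hold the boot code
DISK_SIG_OFF = 440           # 4-byte disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446         # 4 entries x 16 bytes
PART_ENTRY = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr():
    """Constructed MBR: placeholder boot code, disk signature 0x1234ABCD,
    one bootable NTFS (type 0x07) partition starting at LBA 2048."""
    boot_code = b"\xfa\x33\xc0" + b"\x90" * (BOOT_CODE_LEN - 3)
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"
    entry = struct.pack(PART_ENTRY, 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * (16 * 3)
    return boot_code + disk_sig + table + b"\x55\xaa"


def parse_mbr(sector):
    """Return the fields a responder compares: boot-code hash, disk signature,
    non-empty partition entries and whether the 0x55AA signature is intact."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            PART_ENTRY, sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba,
                               "sectors": count})
    return {
        "valid_signature": sector[510:512] == b"\x55\xaa",
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def diff_mbr(baseline, current):
    """Fields that differ between a known-good MBR and the current one."""
    before, after = parse_mbr(baseline), parse_mbr(current)
    return {k: (before[k], after[k]) for k in before if before[k] != after[k]}


def overwrite_boot_code(sector, payload):
    """Constructed attacker action: replace only the boot-code area and keep
    the partition table, so the OS keeps running until the next reboot."""
    payload = payload[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00")
    return payload + sector[BOOT_CODE_LEN:]


def read_sector0(path=r"\\.\PhysicalDrive0"):
    """Live read on Windows (administrator required); not used by the demo."""
    with open(path, "rb") as disk:
        return disk.read(SECTOR_SIZE)


if __name__ == "__main__":
    good = build_sample_mbr()
    bad = overwrite_boot_code(good, b"boot-code payload placeholder")
    print(parse_mbr(good))
    print("changed:", diff_mbr(good, bad))
```

Only the boot-code hash changes in the simulated overwrite; the partition table and 0x55AA trailer survive, which is exactly why the running system looks healthy until reboot. Keep the baseline hash of sector 0 from a clean image so the diff has something to compare against.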
Drops autorun.inf file (1 TTP, 1 IoC)
Malware can abuse Windows Autorun to spread further via attached volumes.
- File opened for modification C:\Windows\BITLOC~1\autorun.inf (cmd.exe)
BITLOC~1 is the 8.3 short name of C:\Windows\BitLockerDiscoveryVolumeContents, a stock directory that already ships an autorun.inf; cmd.exe touching it fits the bulk write over C:\Windows shown below rather than a deliberate autorun drop onto removable media.
Drops file in System32 directory (64 IoCs)
All entries are cmd.exe opening existing files for modification. This list, and the Program Files and Windows directory lists that follow, each stop at exactly 64 entries, so the real count is higher: the batch logic is opening files with write access across the whole OS tree rather than dropping a handful of payloads.
- C:\Windows\System32\DriverStore\FileRepository\MONITO~1.INF\monitor.inf
- C:\Windows\System32\DriverStore\FileRepository\NT2B13~1.INF\I386\PCLXL.GPD
- C:\Windows\SysWOW64\Dism\it-IT\AppxProvider.dll.mui
- C:\Windows\System32\DriverStore\de-DE\iaLPSS2i_GPIO2_GLK.inf_loc
- C:\Windows\System32\DriverStore\en-US\mwlu97w8x64.inf_loc
- C:\Windows\System32\DriverStore\FileRepository\netmlx5.inf_amd64_101a408e6cb1d8f8\netmlx5.inf
- C:\Windows\SysWOW64\combase.dll
- C:\Windows\SysWOW64\de-DE\DevicePairingFolder.dll.mui
- C:\Windows\System32\DriverStore\de-DE\msdv.inf_loc
- C:\Windows\System32\DriverStore\FileRepository\c_usbfn.inf_amd64_64da5751ebd2f2f4\c_usbfn.inf
- C:\Windows\System32\DriverStore\es-ES\netbxnda.inf_loc
- C:\Windows\SysWOW64\Dism\it-IT\OfflineSetupProvider.dll.mui
- C:\Windows\System32\DriverStore\de-DE\HalExtIntcLpioDma.inf_loc
- C:\Windows\System32\DriverStore\FileRepository\circlass.inf_amd64_9f3f831d13d3df1f\circlass.inf
- C:\Windows\SysWOW64\dpapimig.exe
- C:\Windows\System32\DriverStore\es-ES\netvwifibus.inf_loc
- C:\Windows\System32\DriverStore\FileRepository\netathr10x.inf_amd64_2691c4f95b80eb3b\eeprom_qca9377_1p1_NFA435_olpc_DE_089C.bin
- C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.inf
- C:\Windows\System32\DriverStore\FileRepository\c_fsinfrastructure.inf_amd64_1ef682cfd6fc7d1c\c_fsinfrastructure.inf
- C:\Windows\System32\DriverStore\FileRepository\ialpss2i_gpio2_glk.inf_amd64_dad1e0a2b185e32b\iaLPSS2i_GPIO2_GLK.inf
- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_amd64_144351277838b429\nvraid.inf
- C:\Windows\System32\DriverStore\en-US\mausbhost.inf_loc
- C:\Windows\System32\DriverStore\es-ES\CompositeBus.inf_loc
- C:\Windows\System32\DriverStore\es-ES\NETAX88179_178a.inf_loc
- C:\Windows\System32\DriverStore\es-ES\UcmUcsiAcpiClient.inf_loc
- C:\Windows\System32\DriverStore\FileRepository\kdnic.inf_amd64_6649425cdcae9b5f\kdnic.sys
- C:\Windows\SysWOW64\Dism\ja-JP\FolderProvider.dll.mui
- C:\Windows\System32\DriverStore\de-DE\ipmidrv.inf_loc
- C:\Windows\System32\DriverStore\en-US\AcpiDev.inf_loc
- C:\Windows\System32\DriverStore\en-US\ndisuio.inf_loc
- C:\Windows\System32\DriverStore\es-ES\iaLPSS2i_GPIO2_CNL.inf_loc
- C:\Windows\System32\DriverStore\FileRepository\netathr10x.inf_amd64_2691c4f95b80eb3b\eeprom_ar6320_3p0_NFA344a_highTX_LE_3.bin
- C:\Windows\SysWOW64\cryptdll.dll
- C:\Windows\System32\DriverStore\de-DE\mshdc.inf_loc
- C:\Windows\System32\DriverStore\de-DE\percsas3i.inf_loc
- C:\Windows\System32\DriverStore\de-DE\volume.inf_loc
- C:\Windows\SysWOW64\d3d10core.dll
- C:\Windows\System32\DriverStore\de-DE\hiddigi.inf_loc
- C:\Windows\System32\DriverStore\en-US\netmlx5.inf_loc
- C:\Windows\System32\DriverStore\FileRepository\mdmelsa.inf_amd64_f187fca538857daa\mdmelsa.inf
- C:\Windows\System32\DriverStore\FileRepository\netvwwanmp.inf_amd64_f9e30429669d7fff\netvwwanmp.inf
- C:\Windows\System32\DriverStore\de-DE\termmou.inf_loc
- C:\Windows\System32\DriverStore\en-US\usbvideo.inf_loc
- C:\Windows\SysWOW64\at.exe
- C:\Windows\SysWOW64\de-DE\azman.msc
- C:\Windows\System32\DriverStore\en-US\netl260a.inf_loc
- C:\Windows\System32\DriverStore\FileRepository\mdmtdkj7.inf_amd64_161e1375bcff85d9\mdmtdkj7.inf
- C:\Windows\SysWOW64\de-DE\imapi2.dll.mui
- C:\Windows\System32\DriverStore\de-DE\displayoverride.inf_loc
- C:\Windows\System32\DriverStore\es-ES\netip6.inf_loc
- C:\Windows\System32\DriverStore\FileRepository\mchgr.inf_amd64_399f04975a0af112\ddsmc.sys
- C:\Windows\System32\DriverStore\FileRepository\NTPRIN~3.INF\Amd64\PSCRIPT.HLP
- C:\Windows\SysWOW64\de-DE\wextract.exe.mui
- C:\Windows\System32\DriverStore\de-DE\netl1e64.inf_loc
- C:\Windows\System32\DriverStore\en-US\c_scmvolume.inf_loc
- C:\Windows\System32\DriverStore\FileRepository\NT2B13~1.INF\I386\PS_SCHM.GDL
- C:\Windows\SysWOW64\AdvancedInstallers\cmiv2.dll
- C:\Windows\SysWOW64\downlevel\api-ms-win-core-profile-l1-1-0.dll
- C:\Windows\SysWOW64\dpnlobby.dll
- C:\Windows\System32\DriverStore\de-DE\hpsamd.inf_loc
- C:\Windows\System32\DriverStore\en-US\c_dot4print.inf_loc
- C:\Windows\System32\DriverStore\en-US\ks.inf_loc
- C:\Windows\System32\DriverStore\es-ES\rhproxy.inf_loc
- C:\Windows\System32\DriverStore\FileRepository\netathr10x.inf_amd64_2691c4f95b80eb3b\eeprom_qca9377_1p1_NFA425_olpc_A_BC_CBXA0.bin
Drops file in Program Files directory (64 IoCs)
All entries are cmd.exe opening existing files for modification. The paths are 8.3 short names (C:\PROGRA~1 for C:\Program Files, C:\PROGRA~2 for C:\Program Files (x86), C:\PROGRA~3 for C:\ProgramData), which points to short-path expansion in the batch logic; hunting rules that match the long names literally will miss these.
- C:\PROGRA~1\WindowsApps\DELETE~1\MIF8C5~1.SCA\Assets\Images\SKYPEL~4.PNG
- C:\PROGRA~1\WindowsApps\MI46F3~1.0_X\Assets\CONTRA~2\PEB467~1.PNG
- C:\PROGRA~1\WindowsApps\MI33D2~1.0_X\RESOUR~1\strings\LOB38B~1.JSO
- C:\PROGRA~1\WindowsApps\MI83BA~1.0_X\Assets\INSIDE~3.PNG
- C:\PROGRA~1\WindowsApps\DELETE~1\MI63E7~1.SCA\Assets\AppTiles\CONTRA~1\STOREL~1.PNG
- C:\PROGRA~1\WindowsApps\MICROS~3.0_X\Assets\AppTiles\CONTRA~1\WEATHE~3.PNG
- C:\PROGRA~1\WindowsApps\MI8AAC~1.0_X\MICROS~3.DLL
- C:\PROGRA~1\WindowsApps\MI92C9~1.0_X\IRISPR~1.DLL
- C:\PROGRA~1\WindowsApps\MI0A11~1.0_X\MSOARI~1.DLL
- C:\PROGRA~1\WindowsApps\MI6132~1.0_X\Assets\AppList.targetsize-64.png
- C:\PROGRA~1\WindowsApps\MI6132~1.0_X\Assets\CONTRA~2\AppList.targetsize-30_altform-unplated_contrast-white.png
- C:\PROGRA~1\WindowsApps\MI83BA~1.0_X\Assets\INB472~1.PNG
- C:\PROGRA~1\WindowsApps\DELETE~1\MI7D2A~1.SCA\Assets\TIMERW~2.PNG
- C:\PROGRA~1\WindowsApps\DELETE~1\MIE788~1.SCA\Assets\SECOND~1\DIRECT~1\Work\LTR\CONTRA~1\SMALLT~1.PNG
- C:\PROGRA~1\WindowsApps\MICROS~3.0_X\Assets\AppTiles\WEATHE~2\423x173\3.jpg
- C:\PROGRA~1\WindowsApps\MID5E5~1.0_X\Assets\AppList.targetsize-60.png
- C:\PROGRA~1\WindowsApps\MID540~1.SCA\Assets\CONTRA~1\MIXEDR~3.PNG
- C:\PROGRA~1\WindowsApps\MIE908~1.SCA\Assets\SECOND~1\Work\CONTRA~2\SMALLT~1.PNG
- C:\PROGRA~1\WindowsApps\MI4DB5~1.0_X\Assets\SECOND~1\TRAFFI~1\CONTRA~1\MEDTIL~1.PNG
- C:\PROGRA~1\WindowsApps\DELETE~1\MICROS~4.SCA\RESOUR~1.PRI
- C:\PROGRA~1\WindowsApps\MI11B4~1.0_X\images\HxCalendarWideTile.scale-400.png
- C:\PROGRA~1\WindowsApps\MIBE99~1.0_X\Assets\GA33C9~1.PNG
- C:\PROGRA~1\WindowsApps\MI0A7F~1.0_X\Assets\APF26E~1.PNG
- C:\PROGRA~1\WindowsApps\MI0A11~1.0_X\images\OneNoteNotebookLargeTile.scale-200.png
- C:\PROGRA~1\WindowsApps\MI7414~1.SCA\Assets\CA23E5~1.PNG
- C:\PROGRA~2\REFERE~1\MICROS~1\FRAMEW~1\v3.5\de\System.Data.DataSetExtensions.Resources.dll
- C:\PROGRA~2\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\ContainExactly.Tests.ps1
- C:\PROGRA~1\WindowsApps\MIAFF4~1.0_X\RESOUR~1.PRI
- C:\PROGRA~1\WindowsApps\MI6132~1.0_X\Assets\AppList.targetsize-96_altform-unplated.png
- C:\PROGRA~1\WindowsApps\MID54F~1.0_X\Assets\PhotosAppList.targetsize-20.png
- C:\PROGRA~1\WindowsApps\MIB44A~1.0_X\Assets\CalculatorAppList.targetsize-40_altform-unplated.png
- C:\PROGRA~1\WindowsApps\MI11B4~1.0_X\TELEME~1\hxcalendarappimm.exe_Rules.xml
- C:\PROGRA~1\WindowsApps\MI32BC~1.0_X\Assets\APC3EB~1.PNG
- C:\PROGRA~1\WindowsApps\MICROS~4.0_X\Assets\CONTRA~1\APBE3C~1.PNG
- C:\PROGRA~1\WindowsApps\MI0A11~1.0_X\images\OneNoteNewNoteMedTile.scale-100.png
- C:\PROGRA~1\WindowsApps\MI10D6~1.0_X\Assets\CONTRA~2\BadgeLogo.scale-200_contrast-white.png
- C:\PROGRA~1\WindowsApps\MI11B4~1.0_X\images\CONTRA~1\HX42FD~1.PNG
- C:\PROGRA~1\WindowsApps\MI11B4~1.0_X\images\CONTRA~2\HxA-Yahoo-Dark.scale-100.png
- C:\PROGRA~1\WindowsApps\MICB88~1.0_X\Assets\AppTiles\AppIcon.targetsize-40.png
- C:\PROGRA~2\REFERE~1\MICROS~1\FRAMEW~1\v3.5\fr\Microsoft.Build.Engine.resources.dll
- C:\PROGRA~2\WINDOW~4\fr-FR\WMPMediaSharing.dll.mui
- C:\PROGRA~3\MICROS~1\Windows\AppRepository\STATER~1.SRD
- C:\PROGRA~1\COMMON~1\MICROS~1\ink\de-DE\mshwLatin.dll.mui
- C:\PROGRA~1\WindowsApps\DELETE~1\MID374~1.SCA\Assets\GA0241~1.PNG
- C:\PROGRA~1\WindowsApps\MID54F~1.0_X\MICROS~1.MEC\Assets\OFFLIN~1\Scripts\Me\MECONT~1\offline\WEBVIE~1.JS
- C:\PROGRA~1\WindowsApps\MIB44A~1.0_X\Assets\CA3C41~1.PNG
- C:\PROGRA~1\WindowsApps\MI11B4~1.0_X\images\CONTRA~1\EM67DB~1.PNG
- C:\PROGRA~1\WindowsApps\MIBE99~1.0_X\Assets\GamesXboxHubWideTile.scale-100.png
- C:\PROGRA~1\WindowsApps\DELETE~1\MICROS~4.SCA\Assets\WINDOW~1\WIB6F3~1.PNG
- C:\PROGRA~1\WindowsApps\MI6F49~1.0_X\Assets\Images\Stickers\THUMBN~1\STC83F~1.PNG
- C:\PROGRA~1\WindowsApps\MIB28C~1.0_X\Assets\CONTRA~1\AppList.targetsize-48_altform-unplated_contrast-black.png
- C:\PROGRA~1\WindowsApps\MI11B4~1.0_X\images\OFFICE~2.PNG
- C:\PROGRA~1\WindowsApps\MIE908~1.SCA\Assets\SECOND~1\Home\CONTRA~1\WIDETI~1.PNG
- C:\PROGRA~1\WI54FB~1\es-ES\wmpnetwk.exe.mui
- C:\PROGRA~1\WindowsApps\MICROS~4.0_X\Assets\CONTRA~2\AP63CA~1.PNG
- C:\PROGRA~1\WindowsApps\MI0A11~1.0_X\images\CONTRA~2\ONF0B7~1.PNG
- C:\PROGRA~1\WindowsApps\MI4DB5~1.0_X\Assets\Images\PRINTA~1\GL5018~1.PNG
- C:\PROGRA~1\WindowsApps\MI377C~1.0_N\APPXSI~1.P7X
- C:\PROGRA~3\MICROS~1\Windows\AppRepository\Packages\C5E252~1.102\ACTIVA~2.LOG
- C:\PROGRA~1\WindowsApps\DELETE~1\MI2D19~1.SCA\Assets\AppPackageStoreLogo.scale-100.png
- C:\PROGRA~1\WindowsApps\MI05FA~1.0_X\Assets\VIEWPO~1\Dark\Cavalier.png
- C:\PROGRA~3\MICROS~1\Windows\AppRepository\Packages\MIE997~1.0_X\ACTIVA~2.LOG
- C:\PROGRA~1\WindowsApps\MI0A11~1.0_X\images\CONTRA~2\ONA315~1.PNG
- C:\PROGRA~1\WindowsApps\MI6132~1.0_X\Assets\WideTile.scale-200.png
Drops file in Windows directory (64 IoCs)
All entries are cmd.exe opening existing files for modification.
- C:\Windows\servicing\Packages\Microsoft-Windows-Printing-PremiumTools-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat
- C:\Windows\ImmersiveControlPanel\images\wide.Holographic.png
- C:\Windows\servicing\Packages\HY6B83~1.CAT
- C:\Windows\servicing\Packages\MI900C~2.CAT
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\fr\System.Drawing.Design.resources.dll
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Net.WebHeaderCollection.dll
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Runtime.Serialization.Formatters.dll
- C:\Windows\servicing\Packages\MI1629~1.CAT
- C:\Windows\servicing\Packages\Package_9_for_KB4557968~31bf3856ad364e35~amd64~~19041.262.1.1.cat
- C:\Windows\diagnostics\system\IESecurity\it-IT\RS_PhishingFilter.psd1
- C:\Windows\diagnostics\system\WINDOW~3\DiagPackage.diagpkg
- C:\Windows\Fonts\cga40woa.fon
- C:\Windows\PLA\Rules\de-DE\Rules.System.Configuration.xml
- C:\Windows\servicing\INBOXF~1\metadata\LA0CA3~1.MUM
- C:\Windows\servicing\Packages\MIF832~1.CAT
- C:\Windows\INF\c_fscfsmetadataserver.inf
- C:\Windows\servicing\INBOXF~1\metadata\LA023E~1.MUM
- C:\Windows\servicing\Packages\HY78D8~1.CAT
- C:\Windows\servicing\Packages\MIFB8C~1.CAT
- C:\Windows\Boot\PCAT\ko-KR\memtest.exe.mui
- C:\Windows\diagnostics\system\Apps\de-DE\CL_LocalizationData.psd1
- C:\Windows\Globalization\Time Zone\timezoneMapping.xml
- C:\Windows\servicing\Packages\HY6B13~1.CAT
- C:\Windows\ShellExperiences\WindowsInternal.People.Relevance.QueryClient.dll
- C:\Windows\Cursors\aero_working_l.ani
- C:\Windows\ImmersiveControlPanel\pris\resources.en-US.pri
- C:\Windows\PolicyDefinitions\OSPolicy.admx
- C:\Windows\servicing\Packages\Microsoft-UtilityVM-Containers-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.867.cat
- C:\Windows\INF\mdmnttme.inf
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\de\System.Web.Routing.resources.dll
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Web.DynamicData.Design.dll
- C:\Windows\servicing\Packages\MU691E~1.CAT
- C:\Windows\Fonts\ssee1256.fon
- C:\Windows\INF\prnms012.inf
- C:\Windows\servicing\Packages\Microsoft-Windows-Management-SecureAssessment-Package~31bf3856ad364e35~amd64~~10.0.19041.1023.cat
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\es-ES\ServiceModelInstallRC.dll.mui
- C:\Windows\rescache\_merged\393768~1\307610~1.PRI
- C:\Windows\servicing\INBOXF~1\metadata\LA633A~1.MUM
- C:\Windows\servicing\Packages\MI0C2B~1.CAT
- C:\Windows\INF\hidir.inf
- C:\Windows\Microsoft.NET\Framework64\V20~1.507\it\System.Web.Resources.dll
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\1040\vbc7ui.dll
- C:\Windows\servicing\Packages\HYA0BA~1.CAT
- C:\Windows\servicing\Packages\Microsoft-Windows-Client-Desktop-Required-Package01~31bf3856ad364e35~amd64~en-US~10.0.19041.1266.cat
- C:\Windows\servicing\Packages\Microsoft-Windows-EnterpriseClientSync-Host-Opt-Package~31bf3856ad364e35~amd64~~10.0.19041.207.cat
- C:\Windows\diagnostics\system\Audio\RS_AudioServiceResponse.ps1
- C:\Windows\INF\BITS\0000\bitsctrs.ini
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ja\Microsoft.CSharp.resources.dll
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.rsp
- C:\Windows\servicing\Packages\Microsoft-Windows-COM-MSMQ-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\it\Microsoft.Build.Conversion.v4.0.resources.dll
- C:\Windows\servicing\it-IT\CbsMsg.dll.mui
- C:\Windows\servicing\Packages\HyperV-KMCL-Host-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat
- C:\Windows\Boot\EFI\pl-PL\memtest.efi.mui
- C:\Windows\INF\c_avc.inf
- C:\Windows\Installer\$PATCH~1\Managed\1926E8~1\100~1.402\F_BB64~1
- C:\Windows\servicing\Packages\MIA191~1.CAT
- C:\Windows\INF\msdv.inf
- C:\Windows\Installer\$PATCH~1\Managed\68AB67~1\157~1.200\ADOBEP~1.PMP
- C:\Windows\PrintDialog\appxblockmap.xml
- C:\Windows\servicing\Packages\HyperV-RDP4VS-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.84.cat
- C:\Windows\servicing\Packages\MI9F30~1.CAT
- C:\Windows\servicing\Packages\MIAAE3~1.CAT
- C:\Windows\diagnostics\system\IESecurity\fr-FR\RS_PhishingFilter.psd1
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. No IoC is listed.
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
All three accesses are attributed to taskmgr.exe, not to the sample's own processes:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName
Reading a disk's FriendlyName is routine Task Manager behaviour (it labels the disk in the Performance tab), so on its own this is not evidence that the sample probes for a sandbox. The Ven_DADY vendor string is not a real disk vendor and would be an easy tell for anything that did look.
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution. No IoC is listed.
Delays execution with timeout.exe (10 IoCs)
Ten timeout.exe invocations: PIDs 3560, 224, 3500, 2464, 960, 5532, 5700, 3836, 4504, 3172.
Enumerates system info in registry (2 TTPs, 5 IoCs)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (SearchApp.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (SearchApp.exe)
These SMBIOS reads come from Edge and Windows Search, which both collect device model information as part of normal operation; none is attributed to AcidRain.exe or its drops.
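The IoC lists above all share one flattened shape: an action, an object (a file path or registry key, optionally followed by = "value"), and the process name last. The parser below, an added example rather than Triage's code, turns such lines into records and buckets them so the autostart entries and the PhysicalDrive0 open stand out from the hundreds of cmd.exe writes under C:\Windows and C:\PROGRA~1. The sample lines are constructed from entries in this report; the category names, the assumption that the process name is always the final token, and the set of recognised actions are mine and cover only the shapes seen on this page.

```python
"""Parse flattened Triage-style IoC lines and separate persistence artefacts
from bulk system-file churn.

Added example, not Triage's code. The line shape
("<action> <object> [= "<value>"] <process>") is inferred from this report;
the sample lines below are constructed from entries in it.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: entries copied from the signatures above, one per line.
SAMPLE_IOCS = r"""
File opened for modification C:\Windows\SysWOW64\drivers\afunix.sys cmd.exe
File opened for modification C:\Windows\SysWOW64\combase.dll cmd.exe
File opened for modification C:\PROGRA~1\WindowsApps\MI8AAC~1.0_X\MICROS~3.DLL cmd.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NyanCatIsHere.exe AcidRain.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\n0rt0nant1ldks.vbs cmd.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\NyanCatIsHere.exe" NyanCatIsHere.exe
File opened for modification \??\PhysicalDrive0 NyanCatIsHere.exe
Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation AcidRain.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe
"""

# Actions seen in this report; anything else is rejected rather than guessed.
ACTIONS = ("File opened for modification", "File created", "Set value (str)",
           "Set value (int)", "Key created", "Key opened", "Key value queried")
IOC_RE = re.compile(
    r"^(?P<action>" + "|".join(re.escape(a) for a in ACTIONS) + r") "
    r"(?P<object>.+) (?P<process>\S+)$")   # greedy object, process = last token

# Assumed indicators: user-level autostart locations and the OS trees cmd.exe churned.
AUTOSTART_RE = re.compile(
    r"\\CurrentVersion\\Run\\|\\Start Menu\\Programs\\Startup\\", re.I)
OS_TREE_RE = re.compile(r"^C:\\(Windows|PROGRA~\d|Program Files)", re.I)


def parse_ioc(line):
    """Split one IoC line into action, object, optional value and process.
    Returns None for lines that do not match the known shapes."""
    m = IOC_RE.match(line.strip())
    if not m:
        return None
    action, obj, proc = m.group("action", "object", "process")
    value = None
    if action.startswith("Set value") and " = " in obj:
        obj, value = obj.split(" = ", 1)
        # The report prints REG_SZ data with doubled backslashes; undo that.
        value = value.strip('"').replace("\\\\", "\\")
    return {"action": action, "object": obj, "value": value, "process": proc}


def classify(ioc):
    """Bucket a record; order matters, most specific first."""
    obj = ioc["object"]
    if "PhysicalDrive" in obj:
        return "boot-sector write"
    if AUTOSTART_RE.search(obj):
        return "autostart persistence"
    if obj.lower().endswith(r"\control panel\international\geo\nation"):
        return "geofence check"
    if "\\Enum\\SCSI\\" in obj:
        return "hardware enumeration"
    if ioc["action"] == "File opened for modification" and OS_TREE_RE.match(obj):
        return "bulk OS-file write"
    return "other"


def summarize(text):
    """Parse every non-blank line; return (records by category, IoC count per process)."""
    by_category = defaultdict(list)
    per_process = Counter()
    for line in text.splitlines():
        ioc = parse_ioc(line)
        if ioc is None:
            continue
        by_category[classify(ioc)].append(ioc)
        per_process[ioc["process"]] += 1
    return dict(by_category), per_process


if __name__ == "__main__":
    cats, procs = summarize(SAMPLE_IOCS)
    for name, records in sorted(cats.items()):
        print(f"{name}: {len(records)}")
        if name != "bulk OS-file write":
            for r in records:
                target = f" -> {r['value']}" if r["value"] else ""
                print(f"  {r['process']}: {r['action']} {r['object']}{target}")
    print("per process:", dict(procs))
```

Run against the full lists from this page, the bulk bucket absorbs the three 64-entry cmd.exe lists and the remaining buckets are the handful of records worth a hunt: the Startup-folder drops, the "Windows Update" Run value resolved to its real target, and the PhysicalDrive0 open.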
Modifies registry class 64 IoCs
Modifies registry key 1 TTPs 2 IoCs
Runs net.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process | count
4180 | taskmgr.exe | 60
4724 | msedge.exe | 2
616 | msedge.exe | 2
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
4180 | taskmgr.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs
Processes:
pid | process | count
616 | msedge.exe | 18
Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes:
description | pid | process | count
Token: SeDebugPrivilege | 4180 | taskmgr.exe | 1
Token: SeSystemProfilePrivilege | 4180 | taskmgr.exe | 1
Token: SeCreateGlobalPrivilege | 4180 | taskmgr.exe | 1
Token: SeManageVolumePrivilege | 1076 | svchost.exe | 1
Token: SeDebugPrivilege | 2388 | SearchApp.exe | 5
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
pid | process | count
4180 | taskmgr.exe | 62
616 | msedge.exe | 2
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
pid | process | count
4180 | taskmgr.exe | 64
Suspicious use of SetWindowsHookEx 9 IoCs
Processes:
pid | process | count
2040 | mspaint.exe | 4
1108 | mspaint.exe | 4
2388 | SearchApp.exe | 1
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process | count
PID 1812 wrote to memory of 4864 | 1812 | AcidRain.exe | NyanCatIsHere.exe | 3
PID 1812 wrote to memory of 2004 | 1812 | AcidRain.exe | Acid Rain.exe | 3
PID 4864 wrote to memory of 4480 | 4864 | NyanCatIsHere.exe | schtasks.exe | 3
PID 2004 wrote to memory of 672 | 2004 | Acid Rain.exe | cmd.exe | 3
PID 672 wrote to memory of 616 | 672 | cmd.exe | msedge.exe | 2
PID 672 wrote to memory of 3620 | 672 | cmd.exe | reg.exe | 3
PID 672 wrote to memory of 3836 | 672 | cmd.exe | timeout.exe | 3
PID 616 wrote to memory of 4348 | 616 | msedge.exe | msedge.exe | 2
PID 672 wrote to memory of 772 | 672 | cmd.exe | net.exe | 3
PID 772 wrote to memory of 1392 | 772 | net.exe | net1.exe | 3
PID 672 wrote to memory of 4504 | 672 | cmd.exe | timeout.exe | 3
PID 672 wrote to memory of 1512 | 672 | cmd.exe | net.exe | 3
PID 1512 wrote to memory of 2756 | 1512 | net.exe | net1.exe | 3
PID 672 wrote to memory of 3172 | 672 | cmd.exe | timeout.exe | 3
PID 672 wrote to memory of 1548 | 672 | cmd.exe | reg.exe | 3
PID 672 wrote to memory of 3560 | 672 | cmd.exe | timeout.exe | 3
PID 616 wrote to memory of 4536 | 616 | msedge.exe | msedge.exe | 18
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\AcidRain.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\AcidRain.exe"
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
[depth 2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NyanCatIsHere.exe
  command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NyanCatIsHere.exe"
- Executes dropped EXE
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
[depth 3] C:\Windows\SysWOW64\schtasks.exe
  command line: schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NyanCatIsHere.exe"
- Creates scheduled task(s)
[depth 2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Acid Rain.exe
  command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Acid Rain.exe"
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
[depth 3] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4CB8.tmp\Acid Rain.bat" "
- Drops file in Drivers directory
- Checks computer location settings
- Drops startup file
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
[depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/enh1BYrI#N5sD3k_HwM4hL3-l-w2Ahb6uP2I-LyVeKgGO-CmfJA0
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffde04846f8,0x7ffde0484708,0x7ffde0484718
[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2464 /prefetch:3
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3012 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3916 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5288 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5560 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6388 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x200,0x22c,0x7ff66b545460,0x7ff66b545470,0x7ff66b5454806⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6388 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2916 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3168 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3396 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2700 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1864 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2632 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6764 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6536 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=192 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6940 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7504 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7096 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7512 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7148 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8008 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7048 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8540 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5960 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4112 /prefetch:85⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 5)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1340 /prefetch:8
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\reg.exe (tree depth 4)
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
- Modifies registry key
-
C:\Windows\SysWOW64\timeout.exe (tree depth 4)
Timeout 1
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\net.exe (tree depth 4)
net user Admin 888Z.QrK2T!ZDshw5jZ.QrK2T!ZDshw5jRR
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exe (tree depth 5)
C:\Windows\system32\net1 user Admin 888Z.QrK2T!ZDshw5jZ.QrK2T!ZDshw5jRR
-
C:\Windows\SysWOW64\timeout.exe (tree depth 4)
Timeout 1
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\net.exe (tree depth 4)
net stop wuauserv
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exe (tree depth 5)
C:\Windows\system32\net1 stop wuauserv
-
C:\Windows\SysWOW64\timeout.exe (tree depth 4)
Timeout 1
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\reg.exe (tree depth 4)
REG add HKCU\Software\Policies\Microsoft\Windows\System /f /v DisableCMD /t REG_DWORD /d 00000002
- Modifies registry key
-
C:\Windows\SysWOW64\timeout.exe (tree depth 4)
Timeout 50
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\WScript.exe (tree depth 4)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sodnciwkms.vbs"
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 4)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/ZXMSRSgb#CZCknCulyrMI41JcV-HN4mth37dIfpkEw6156NbD410
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 5)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffde04846f8,0x7ffde0484708,0x7ffde0484718
-
C:\Windows\SysWOW64\timeout.exe (tree depth 4)
Timeout 65
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\mspaint.exe (tree depth 4)
mspaint
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 4)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=how+to+make+your+own+virus
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 5)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0xd8,0x7ffde04846f8,0x7ffde0484708,0x7ffde0484718
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 4)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=how+to+speed+up+your+computer
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 5)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffde04846f8,0x7ffde0484708,0x7ffde0484718
-
C:\Windows\SysWOW64\timeout.exe (tree depth 4)
Timeout 5
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\mspaint.exe (tree depth 4)
mspaint
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 4)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=FBI+OPEN+UP
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 5)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffde04846f8,0x7ffde0484708,0x7ffde0484718
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 4)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=mcafee+vs+avast
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 5)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffde04846f8,0x7ffde0484708,0x7ffde0484718
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 4)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=smudge+the+cat
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 5)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffde04846f8,0x7ffde0484708,0x7ffde0484718
-
C:\Windows\SysWOW64\timeout.exe (tree depth 4)
Timeout 5
- Delays execution with timeout.exe
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 4)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=how+to+make+your+own+rickroll
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 5)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffde04846f8,0x7ffde0484708,0x7ffde0484718
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 4)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.thisworldthesedays.com/how-to-remove-acid-rainexe-step-by-step-guide.html
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 5)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffde04846f8,0x7ffde0484708,0x7ffde0484718
-
C:\Windows\SysWOW64\WScript.exe (tree depth 4)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\n0rt0nant1ldks.vbs"
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 4)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=is+safe+deleting+system32F
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 5)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffde04846f8,0x7ffde0484708,0x7ffde0484718
-
C:\Windows\SysWOW64\timeout.exe (tree depth 4)
Timeout 5
- Delays execution with timeout.exe
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 4)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1TMp5UbzwcHprY7PhC9g58KsCN9EZVdBV/view
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 5)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffde04846f8,0x7ffde0484708,0x7ffde0484718
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 4)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=how+to+make+a+ransomware+in+batch
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree depth 5)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffde04846f8,0x7ffde0484708,0x7ffde0484718
-
C:\Windows\SysWOW64\timeout.exe (tree depth 4)
Timeout 5
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\WScript.exe (tree depth 4)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hifjdnfejfnejnkdpamzm.vbs"
-
C:\Windows\SysWOW64\timeout.exe (tree depth 4)
Timeout 55
- Delays execution with timeout.exe
-
C:\Windows\system32\taskmgr.exe (tree depth 1)
"C:\Windows\system32\taskmgr.exe" /4
- Drops startup file
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\CompPkgSrv.exe (tree depth 1)
C:\Windows\System32\CompPkgSrv.exe -Embedding
-
C:\Windows\system32\svchost.exe (tree depth 1)
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
-
C:\Windows\System32\CompPkgSrv.exe (tree depth 1)
C:\Windows\System32\CompPkgSrv.exe -Embedding
-
C:\Windows\system32\rundll32.exe (tree depth 1)
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.Search_cw5n1h2txyewy
-
C:\Windows\System32\svchost.exe (tree depth 1)
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (tree depth 1)
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
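The depth-4 chain in the process tree above (reg add DisableTaskMgr, a `net user` password reset on Admin, `net stop wuauserv`, reg add DisableCMD, WScript running .vbs files from the Startup folder, Edge opened on remote URLs, with `timeout` delays between steps) is the part of this report a responder turns into detections. The Python below is an added example, not part of the Triage report: it runs a small set of command-line rules over lines copied from that tree (the final Edge renderer line is a constructed benign control) and rolls the hits up into the account, startup scripts, URLs and total sleep time to check on the host. The ATT&CK technique IDs are this editor's mapping, not values taken from the report's ATT&CK matrix.

```python
"""Tag sandbox process-tree command lines with the tampering they show.

Added example, not part of the Triage report. SAMPLE_CMDLINES are copied
from the process tree above (image paths and depth markers stripped); the
last entry is a constructed benign Edge renderer launch used as a control.
ATT&CK technique IDs are this editor's mapping, not the report's matrix.
"""
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# (rule, ATT&CK technique or None, pattern over the whole command line). The
# named group "detail" is what a responder acts on; the "secret" group of the
# net-user rule makes the match strict but is never surfaced in the summary.
RULES = [
    ("disable-taskmgr", "T1562.001", re.compile(
        r"\breg(?:\.exe)?\s+add\s+\S*\\Policies\\System\b.*?/v\s+DisableTaskMgr\b.*?/d\s+0*1\b", re.I)),
    ("disable-cmd", "T1562.001", re.compile(  # /d 1 also blocks batch files, /d 2 only the interactive prompt
        r"\breg(?:\.exe)?\s+add\s+\S*\\Policies\\Microsoft\\Windows\\System\b.*?/v\s+DisableCMD\b.*?/d\s+0*[12]\b", re.I)),
    ("change-local-password", "T1531", re.compile(
        r"\bnet1?\s+user\s+(?P<detail>\S+)\s+(?P<secret>[^\s/]\S*)", re.I)),
    ("stop-windows-update", "T1489", re.compile(r"\bnet1?\s+stop\s+wuauserv\b", re.I)),
    ("startup-folder-script", "T1547.001", re.compile(
        r'wscript(?:\.exe)?"?\s+"?(?P<detail>[^"]*\\Start Menu\\Programs\\Startup\\[^"]+\.vbs)', re.I)),
    ("sleep-via-timeout", "T1497.003", re.compile(r"\btimeout(?:\.exe)?\s+(?P<detail>\d+)\b", re.I)),
    ("browser-opens-url", None, re.compile(r'msedge\.exe"?\s+--single-argument\s+(?P<detail>\S+)', re.I)),
]


@dataclass
class Finding:
    rule: str
    technique: Optional[str]
    detail: str
    cmdline: str


def classify(cmdline: str) -> List[Finding]:
    """Return one Finding per rule the command line triggers; empty means unremarkable."""
    hits = []
    for rule, technique, pattern in RULES:
        m = pattern.search(cmdline)
        if m:
            hits.append(Finding(rule, technique, m.groupdict().get("detail") or m.group(0), cmdline))
    return hits


def summarize(cmdlines: List[str]) -> Dict[str, object]:
    """Roll per-line findings up into what gets checked first on the host."""
    per_line = [(line, classify(line)) for line in cmdlines]
    findings = [f for _, hits in per_line for f in hits]
    details: Dict[str, List[str]] = {}
    for f in findings:
        details.setdefault(f.rule, []).append(f.detail)
    return {
        "lines_flagged": sum(1 for _, hits in per_line if hits),
        "rules_hit": sorted(details),
        "techniques": sorted({f.technique for f in findings if f.technique}),
        "accounts_changed": sorted(set(details.get("change-local-password", []))),
        "startup_scripts": details.get("startup-folder-script", []),
        "urls": details.get("browser-opens-url", []),
        "total_sleep_s": sum(int(s) for s in details.get("sleep-via-timeout", [])),
    }


SAMPLE_CMDLINES = [
    r"REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f",
    "Timeout 1",
    "net user Admin 888Z.QrK2T!ZDshw5jZ.QrK2T!ZDshw5jRR",
    "net stop wuauserv",
    r"REG add HKCU\Software\Policies\Microsoft\Windows\System /f /v DisableCMD /t REG_DWORD /d 00000002",
    "Timeout 50",
    r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sodnciwkms.vbs"',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/ZXMSRSgb#CZCknCulyrMI41JcV-HN4mth37dIfpkEw6156NbD410',
    "Timeout 65",
    "mspaint",
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=how+to+make+your+own+virus',
    r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\n0rt0nant1ldks.vbs"',
    r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hifjdnfejfnejnkdpamzm.vbs"',
    "Timeout 55",
    # constructed control: an ordinary Edge child process, must produce no findings
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --lang=en-US /prefetch:1',
]

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_CMDLINES), indent=2))
```

Run the file to print the summary as JSON. The rules key on argument semantics (DisableCMD set to 1 or 2, a `net user` whose second argument is not a `/switch`, a .vbs under `Start Menu\Programs\Startup`) rather than on the exact strings in this run, so the same `classify` applies unchanged to Sysmon event ID 1 or Security 4688 command lines. Note that the report shows each `net` command twice, once on net.exe and again on its net1.exe child with identical arguments; feeding both in flags two lines, which is why `accounts_changed` is deduplicated and why a responder should treat the net1.exe rows as confirmation, not as a second password change.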
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\SETUPM~1\202209~1.PMA
Filesize: 1KB
MD5: c04318faf0c800948603459b8a0f522e
SHA1: 3aec68ec0dd3240ef6064a191875cd6aa8568ec5
SHA256: 6335b24f5b264200c8f86a1351582f148ad4b6c253cc0430c01ac60112df81d7
SHA512: ff781d19280f918d3dc537963bbaf977afa149325c700f87c1f89b37b4a9982faae74b8062928aa67eb94cc72778e36b53468674ef05fd63802d280a11def64d
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_elf.dll
Filesize: 1.2MB
MD5: d2bddb1b48b3c5d0d35479662eab0f59
SHA1: 62cfed69a68edbb156ce45e7425859ecf7d594a5
SHA256: 9a7486d838a4ea36a4287593042cb16265fe1c6cb3baf8c1b5aa5e319df5f081
SHA512: 44fde54e4b00dc2636c152d66928e3d2872e71e14ae733e18489950c1401cbfbd1fa8c69752b920167a7839e670b28137daaa4d9231fd789b6c3c78f20ee8f29
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Filesize: 3.2MB
MD5: ad8536c7440638d40156e883ac25086e
SHA1: fa9e8b7fb10473a01b8925c4c5b0888924a1147c
SHA256: 73d84d249f16b943d1d3f9dd9e516fadd323e70939c29b4a640693eb8818ee9a
SHA512: b5f368be8853aa142dba614dcca7e021aba92b337fe36cfc186714092a4dab1c7a2181954cd737923edd351149980182a090dbde91081c81d83f471ff18888fe
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: 962644599f0c746e1b17a064c670d314
SHA1: 73ccfa471325f9fe38767edab76fa81e95565eed
SHA256: 12a158f591771e7f38f053f1313393c645faa7f295dc9f6585ebca642b9e1966
SHA512: cd0cbce39701693991473c1d6b8fbbe63123cbad26f5f745fcc2e0eab2db17926a577b0bc72b7d84a9cbc976112a054a5f071c5fafd6e38c32facba28d79c4cb
-
C:\Users\Admin\AppData\Local\Temp\4CB8.tmp\Acid Rain.bat
Filesize 6KB
MD5 16a6fe0a61c21d85803c2b8383d5d3c2
SHA1 fec9adfac8c278c3dc548989a97c574ccdcb0934
SHA256 1942dd34f70465202360d5f299e7160cea4d108ac4305a94dbabd9b97f4b7bd0
SHA512 6dd03c5c69caf470584153e5e91ae074868e3002dcc76a07e1782c8d23fa8f309c09b0a50b787606be958f051ef0fdb67d24d0c91eee261549d6d60b857ce061
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Acid Rain.exe
Filesize 80KB
MD5 b3904e987387ac3ff87b2d16e3e28156
SHA1 d575167f14fc84625b1525e8a0dfa27c514b1357
SHA256 143bb189902ec44987f475f6fce4c0f90c072e5d732dae58b5f79a3c31b5f584
SHA512 a105063b598555d2b4c1a3950a7ac120ffc72ad362e6c76a364b48ff8c32e8daea48ef362b22aa62d848af1c20d3ef7c6536e717e874c6fad329ec0c22e9268f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NyanCatIsHere.exe
Filesize 101KB
MD5 aacce8318a2e5f0a43c8cd50907d6d29
SHA1 fd5da11bbbcdb2421186626f461cb48fc634760c
SHA256 7217260d8d9c6b0b6c8b797f64c516d8ebe4db48dc8a5fced46eab9082378724
SHA512 8991368b7e5391b37c4584eedddfbb4041ddc554acad9742b390aad7b5b4791c106d1068b7c9c29cda9e14bd62e5c36894318246c247576162c54f30076190b5
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hifjdnfejfnejnkdpamzm.vbs
Filesize 60B
MD5 70b06bab45636ed2ce89ffa1a56a2eda
SHA1 781043fb2a866fc38233be0b8beccd7fbeb0513d
SHA256 a9644355bc115a7a8fce8603643254f8061cce0e1af9db037b2bda9ca62f4fff
SHA512 a8a3d984b253e83c6ab4c4ad9b6ba773f69166204649be63d6850136523861e42132411d1fce3a83c4408f8051413101f5835136cecfad2b8022cc3489f004aa
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\n0rt0nant1ldks.vbs
Filesize 113B
MD5 076eec2d750fb2a85461d8b227b96124
SHA1 d1a6638bc96e6e3adf0ca3e3cb4c846f77e365d8
SHA256 a596e5753416572e877fe630002dc42afdbfa9ca80473e1385017b37e082a1a4
SHA512 5c6ff87335577061483cbf79333728085f198a4ee56fabab7d2fc401cbe8b146ee5ad174a6c1f5ba02095b186bb0f3729a5927b7fda4feeb6f5ae7411fa70ab5
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sodnciwkms.vbs
Filesize 84B
MD5 139b5edf5ba8a4aa768281a29cac1649
SHA1 da8a2d689695a749288f161032e1f042122e89d5
SHA256 1dd686325c7471a59a43142c6d7dec01047b3e95147254b235fbc3652f923a7c
SHA512 ebf47fe1de3dca337a891330e7a97fbcf6c899a212be1c07f666d8d1179f116a70b4fcc66accfff3e3942ec83c79170882c8d48019feee0a02ffb57f66e61af8
-
C:\Windows\Debug\WIA\wiatrace.log
Filesize 1KB
MD5 06860547265933eb764e501f800fc612
SHA1 14953818abb171fd02938f7ee716599136bfc9b3
SHA256 097c456b0230fb248927161e10d62b7688f1730f58fed5f0d8b4ada37dc0bebb
SHA512 225fbc8ca3de89d8a6a8c10f1f8d13bc995a1675ce7f1af3adc1d010981d5c2e45fdc44d4742261375d503525cd93e7ed39820c9dec0344d70d1d9a3566f3f50
-
\??\pipe\LOCAL\crashpad_616_SHMJYVKGXGYTZGJU
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-