Analysis
-
max time kernel
151s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
08/01/2023, 19:39
Static task
static1
Behavioral task
behavioral1
Sample
ea5c4107afa695a55a489d4c6ffc6edaa06690a6d196a62c0ae8388f0cdd87b9.html
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
ea5c4107afa695a55a489d4c6ffc6edaa06690a6d196a62c0ae8388f0cdd87b9.html
Resource
win10-20220812-en
General
-
Target
ea5c4107afa695a55a489d4c6ffc6edaa06690a6d196a62c0ae8388f0cdd87b9.html
-
Size
951KB
-
MD5
b8e99f04e5a459e6f4963811d66b56ca
-
SHA1
a2c79f4e15732406addeb9c1965d7d8c000b49db
-
SHA256
ea5c4107afa695a55a489d4c6ffc6edaa06690a6d196a62c0ae8388f0cdd87b9
-
SHA512
c44cd7c72e49b1578040e0c903e24052d06061c5b63511b92a392ddff18840258928e692b3246c0c3b93c8f664c5c8a85484915336a7d7c077251fb1657a59e5
-
SSDEEP
24576:x4loHd6SM5sH0ZnieQYDVD2aYRsTITFMf:fH8TZNQe
Malware Config
Extracted
qakbot
403.973
obama212
1665497532
190.11.198.76:443
41.111.85.167:443
134.35.2.138:443
105.108.80.229:443
179.113.97.4:32101
197.158.89.85:443
197.204.101.178:443
105.69.147.88:995
41.103.252.215:443
41.104.109.190:443
41.107.209.163:443
14.227.159.241:443
82.12.196.197:443
103.156.237.139:443
196.235.137.166:443
181.141.3.126:443
102.157.22.8:443
41.111.52.120:443
197.92.143.218:443
181.44.34.172:443
94.52.127.44:443
148.213.109.165:995
163.182.177.80:443
58.186.75.42:443
1.32.64.190:80
72.88.245.71:443
102.158.135.167:443
190.100.149.122:995
186.86.212.138:443
118.216.99.232:443
41.99.208.154:443
23.225.104.250:443
186.18.77.99:443
186.188.96.197:443
41.96.120.232:443
-
salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Signatures
-
Executes dropped EXE 5 IoCs
pid Process 4244 win.com 3948 win.com 3988 win.com 3520 win.com 4940 win.com -
Enumerates connected drives 3 TTPs 7 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\E: cmd.exe File opened (read-only) \??\E: mspaint.exe File opened (read-only) \??\E: mspaint.exe File opened (read-only) \??\E: cmd.exe File opened (read-only) \??\E: cmd.exe File opened (read-only) \??\E: cmd.exe File opened (read-only) \??\E: cmd.exe -
Drops file in System32 directory 11 IoCs
description ioc Process File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log svchost.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2184 2800 WerFault.exe 96 -
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 PaintStudio.View.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A PaintStudio.View.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 PaintStudio.View.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A PaintStudio.View.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C PaintStudio.View.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 PaintStudio.View.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A PaintStudio.View.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A PaintStudio.View.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A PaintStudio.View.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A PaintStudio.View.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName PaintStudio.View.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A PaintStudio.View.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000003 chrome.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\HardwareID chrome.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A PaintStudio.View.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A PaintStudio.View.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 PaintStudio.View.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 PaintStudio.View.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 PaintStudio.View.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A PaintStudio.View.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 PaintStudio.View.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 PaintStudio.View.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A PaintStudio.View.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A PaintStudio.View.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 PaintStudio.View.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 PaintStudio.View.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 PaintStudio.View.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 PaintStudio.View.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 PaintStudio.View.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 PaintStudio.View.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 PaintStudio.View.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A PaintStudio.View.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 PaintStudio.View.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A PaintStudio.View.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName PaintStudio.View.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A PaintStudio.View.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName PaintStudio.View.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\FriendlyName PaintStudio.View.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 PaintStudio.View.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 PaintStudio.View.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A PaintStudio.View.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 PaintStudio.View.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 PaintStudio.View.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 PaintStudio.View.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 PaintStudio.View.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Service chrome.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 PaintStudio.View.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C PaintStudio.View.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\FriendlyName PaintStudio.View.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C PaintStudio.View.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A PaintStudio.View.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C PaintStudio.View.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A PaintStudio.View.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 PaintStudio.View.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A PaintStudio.View.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003 PaintStudio.View.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A PaintStudio.View.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 PaintStudio.View.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C PaintStudio.View.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003 PaintStudio.View.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A PaintStudio.View.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 PaintStudio.View.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 PaintStudio.View.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName PaintStudio.View.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe -
Modifies registry class 21 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content PaintStudio.View.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" PaintStudio.View.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheVersion = "1" PaintStudio.View.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\MuiCache PaintStudio.View.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings chrome.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\MuiCache PaintStudio.View.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "51200" PaintStudio.View.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1" PaintStudio.View.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheVersion = "1" PaintStudio.View.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies PaintStudio.View.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History PaintStudio.View.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:" PaintStudio.View.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:" PaintStudio.View.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache PaintStudio.View.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix PaintStudio.View.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheVersion = "1" PaintStudio.View.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1" PaintStudio.View.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix PaintStudio.View.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" PaintStudio.View.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings PaintStudio.View.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache PaintStudio.View.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 4120 PaintStudio.View.exe 4636 PaintStudio.View.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3408 chrome.exe 3408 chrome.exe 2700 chrome.exe 2700 chrome.exe 4404 chrome.exe 4404 chrome.exe 1020 chrome.exe 1020 chrome.exe 3152 chrome.exe 3152 chrome.exe 2028 regsvr32.exe 2028 regsvr32.exe 2296 chrome.exe 2296 chrome.exe 4388 wermgr.exe 4388 wermgr.exe 4388 wermgr.exe 4388 wermgr.exe 4388 wermgr.exe 4388 wermgr.exe 4388 wermgr.exe 4388 wermgr.exe 4120 chrome.exe 4120 chrome.exe 4388 wermgr.exe 4388 wermgr.exe 4388 wermgr.exe 4388 wermgr.exe 4388 wermgr.exe 4388 wermgr.exe 4388 wermgr.exe 4388 wermgr.exe 4388 wermgr.exe 4388 wermgr.exe 4388 wermgr.exe 4388 wermgr.exe 4388 wermgr.exe 4388 wermgr.exe 4388 wermgr.exe 4388 wermgr.exe 4388 wermgr.exe 4388 wermgr.exe 4388 wermgr.exe 4388 wermgr.exe 4388 wermgr.exe 4388 wermgr.exe 4388 wermgr.exe 4388 wermgr.exe 3116 regsvr32.exe 3116 regsvr32.exe 4388 wermgr.exe 4388 wermgr.exe 4388 wermgr.exe 4388 wermgr.exe 4388 wermgr.exe 4388 wermgr.exe 2152 chrome.exe 2152 chrome.exe 4388 wermgr.exe 4388 wermgr.exe 4388 wermgr.exe 4388 wermgr.exe 4388 wermgr.exe 4388 wermgr.exe -
Suspicious behavior: MapViewOfSection 4 IoCs
pid Process 2028 regsvr32.exe 3116 regsvr32.exe 4228 regsvr32.exe 3732 regsvr32.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
pid Process 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 4120 PaintStudio.View.exe Token: SeDebugPrivilege 4120 PaintStudio.View.exe Token: SeDebugPrivilege 4120 PaintStudio.View.exe Token: SeDebugPrivilege 4636 PaintStudio.View.exe Token: SeDebugPrivilege 4636 PaintStudio.View.exe -
Suspicious use of FindShellTrayWindow 34 IoCs
pid Process 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe 2700 chrome.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 904 mspaint.exe 4120 PaintStudio.View.exe 4560 mspaint.exe 4636 PaintStudio.View.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2700 wrote to memory of 1388 2700 chrome.exe 82 PID 2700 wrote to memory of 1388 2700 chrome.exe 82 PID 2700 wrote to memory of 4932 2700 chrome.exe 85 PID 2700 wrote to memory of 4932 2700 chrome.exe 85 PID 2700 wrote to memory of 4932 2700 chrome.exe 85 PID 2700 wrote to memory of 4932 2700 chrome.exe 85 PID 2700 wrote to memory of 4932 2700 chrome.exe 85 PID 2700 wrote to memory of 4932 2700 chrome.exe 85 PID 2700 wrote to memory of 4932 2700 chrome.exe 85 PID 2700 wrote to memory of 4932 2700 chrome.exe 85 PID 2700 wrote to memory of 4932 2700 chrome.exe 85 PID 2700 wrote to memory of 4932 2700 chrome.exe 85 PID 2700 wrote to memory of 4932 2700 chrome.exe 85 PID 2700 wrote to memory of 4932 2700 chrome.exe 85 PID 2700 wrote to memory of 4932 2700 chrome.exe 85 PID 2700 wrote to memory of 4932 2700 chrome.exe 85 PID 2700 wrote to memory of 4932 2700 chrome.exe 85 PID 2700 wrote to memory of 4932 2700 chrome.exe 85 PID 2700 wrote to memory of 4932 2700 chrome.exe 85 PID 2700 wrote to memory of 4932 2700 chrome.exe 85 PID 2700 wrote to memory of 4932 2700 chrome.exe 85 PID 2700 wrote to memory of 4932 2700 chrome.exe 85 PID 2700 wrote to memory of 4932 2700 chrome.exe 85 PID 2700 wrote to memory of 4932 2700 chrome.exe 85 PID 2700 wrote to memory of 4932 2700 chrome.exe 85 PID 2700 wrote to memory of 4932 2700 chrome.exe 85 PID 2700 wrote to memory of 4932 2700 chrome.exe 85 PID 2700 wrote to memory of 4932 2700 chrome.exe 85 PID 2700 wrote to memory of 4932 2700 chrome.exe 85 PID 2700 wrote to memory of 4932 2700 chrome.exe 85 PID 2700 wrote to memory of 4932 2700 chrome.exe 85 PID 2700 wrote to memory of 4932 2700 chrome.exe 85 PID 2700 wrote to memory of 4932 2700 chrome.exe 85 PID 2700 wrote to memory of 4932 2700 chrome.exe 85 PID 2700 wrote to memory of 4932 2700 chrome.exe 85 PID 2700 wrote to memory of 4932 2700 chrome.exe 85 PID 2700 wrote to memory of 4932 2700 chrome.exe 85 PID 2700 wrote to memory of 4932 2700 chrome.exe 85 PID 2700 wrote to memory of 4932 2700 chrome.exe 85 PID 2700 wrote to memory of 4932 2700 chrome.exe 85 PID 2700 wrote to memory of 4932 2700 chrome.exe 85 PID 2700 wrote to memory of 4932 2700 chrome.exe 85 PID 2700 wrote to memory of 3408 2700 chrome.exe 86 PID 2700 wrote to memory of 3408 2700 chrome.exe 86 PID 2700 wrote to memory of 1372 2700 chrome.exe 87 PID 2700 wrote to memory of 1372 2700 chrome.exe 87 PID 2700 wrote to memory of 1372 2700 chrome.exe 87 PID 2700 wrote to memory of 1372 2700 chrome.exe 87 PID 2700 wrote to memory of 1372 2700 chrome.exe 87 PID 2700 wrote to memory of 1372 2700 chrome.exe 87 PID 2700 wrote to memory of 1372 2700 chrome.exe 87 PID 2700 wrote to memory of 1372 2700 chrome.exe 87 PID 2700 wrote to memory of 1372 2700 chrome.exe 87 PID 2700 wrote to memory of 1372 2700 chrome.exe 87 PID 2700 wrote to memory of 1372 2700 chrome.exe 87 PID 2700 wrote to memory of 1372 2700 chrome.exe 87 PID 2700 wrote to memory of 1372 2700 chrome.exe 87 PID 2700 wrote to memory of 1372 2700 chrome.exe 87 PID 2700 wrote to memory of 1372 2700 chrome.exe 87 PID 2700 wrote to memory of 1372 2700 chrome.exe 87 PID 2700 wrote to memory of 1372 2700 chrome.exe 87 PID 2700 wrote to memory of 1372 2700 chrome.exe 87 PID 2700 wrote to memory of 1372 2700 chrome.exe 87 PID 2700 wrote to memory of 1372 2700 chrome.exe 87
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" C:\Users\Admin\AppData\Local\Temp\ea5c4107afa695a55a489d4c6ffc6edaa06690a6d196a62c0ae8388f0cdd87b9.html1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff99fae4f50,0x7ff99fae4f60,0x7ff99fae4f702⤵PID:1388
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1648,7385448104973556029,17017579888654714760,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1680 /prefetch:22⤵PID:4932
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1648,7385448104973556029,17017579888654714760,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2000 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3408
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1648,7385448104973556029,17017579888654714760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2288 /prefetch:82⤵PID:1372
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1648,7385448104973556029,17017579888654714760,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2976 /prefetch:12⤵PID:3824
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1648,7385448104973556029,17017579888654714760,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2968 /prefetch:12⤵PID:2108
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1648,7385448104973556029,17017579888654714760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4384 /prefetch:82⤵PID:3520
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1648,7385448104973556029,17017579888654714760,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4360 /prefetch:12⤵PID:1708
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1648,7385448104973556029,17017579888654714760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4620 /prefetch:82⤵PID:4156
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1648,7385448104973556029,17017579888654714760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5436 /prefetch:82⤵PID:4652
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1648,7385448104973556029,17017579888654714760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4404
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1648,7385448104973556029,17017579888654714760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1020
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1648,7385448104973556029,17017579888654714760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5500 /prefetch:82⤵PID:4696
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1648,7385448104973556029,17017579888654714760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5104 /prefetch:82⤵PID:2204
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1648,7385448104973556029,17017579888654714760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5616 /prefetch:82⤵PID:5024
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1648,7385448104973556029,17017579888654714760,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:12⤵PID:1640
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1648,7385448104973556029,17017579888654714760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5700 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3152
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1648,7385448104973556029,17017579888654714760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5488 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2296
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1648,7385448104973556029,17017579888654714760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4120
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1648,7385448104973556029,17017579888654714760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3500 /prefetch:82⤵PID:1020
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1648,7385448104973556029,17017579888654714760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5644 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2152
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1648,7385448104973556029,17017579888654714760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:82⤵PID:564
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1648,7385448104973556029,17017579888654714760,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5684 /prefetch:22⤵PID:1040
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3988
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1272
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 460 -p 2800 -ip 28001⤵PID:928
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2800 -s 8441⤵
- Program crash
PID:2184
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""E:\japonica\mastiff.cmd" "1⤵
- Enumerates connected drives
PID:1916 -
C:\Users\Admin\AppData\Local\Temp\win.comC:\Users\Admin\AppData\Local\Temp\win.com japonica\mobsters.dat2⤵
- Executes dropped EXE
PID:4244 -
C:\Windows\SysWOW64\regsvr32.exejaponica\mobsters.dat3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2028 -
C:\Windows\SysWOW64\wermgr.exeC:\Windows\SysWOW64\wermgr.exe4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4388
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "E:\japonica\mastiff.cmd"1⤵
- Enumerates connected drives
PID:4460 -
C:\Users\Admin\AppData\Local\Temp\win.comC:\Users\Admin\AppData\Local\Temp\win.com japonica\mobsters.dat2⤵
- Executes dropped EXE
PID:3948 -
C:\Windows\SysWOW64\regsvr32.exejaponica\mobsters.dat3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3116 -
C:\Windows\SysWOW64\wermgr.exeC:\Windows\SysWOW64\wermgr.exe4⤵PID:5032
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""E:\japonica\mastiff.cmd" "1⤵
- Enumerates connected drives
PID:3768 -
C:\Users\Admin\AppData\Local\Temp\win.comC:\Users\Admin\AppData\Local\Temp\win.com japonica\mobsters.dat2⤵
- Executes dropped EXE
PID:3988 -
C:\Windows\SysWOW64\regsvr32.exejaponica\mobsters.dat3⤵
- Suspicious behavior: MapViewOfSection
PID:4228 -
C:\Windows\SysWOW64\wermgr.exeC:\Windows\SysWOW64\wermgr.exe4⤵PID:2376
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""E:\japonica\mastiff.cmd" "1⤵
- Enumerates connected drives
PID:2808 -
C:\Users\Admin\AppData\Local\Temp\win.comC:\Users\Admin\AppData\Local\Temp\win.com japonica\mobsters.dat2⤵
- Executes dropped EXE
PID:3520 -
C:\Windows\SysWOW64\regsvr32.exejaponica\mobsters.dat3⤵
- Suspicious behavior: MapViewOfSection
PID:3732 -
C:\Windows\SysWOW64\wermgr.exeC:\Windows\SysWOW64\wermgr.exe4⤵PID:1224
-
-
-
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "E:\japonica\proficiently.png" /ForceBootstrapPaint3D1⤵
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
PID:904
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc1⤵
- Drops file in System32 directory
PID:2296
-
C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe"C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe"1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4120
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "E:\japonica\wed.png" /ForceBootstrapPaint3D1⤵
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
PID:4560
-
C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe"C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe"1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4636
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""E:\japonica\mastiff.cmd" "1⤵
- Enumerates connected drives
PID:1804 -
C:\Users\Admin\AppData\Local\Temp\win.comC:\Users\Admin\AppData\Local\Temp\win.com japonica\mobsters.dat2⤵
- Executes dropped EXE
PID:4940
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json
Filesize246B
MD5e86006fbd4af136f4143d41b3607aa46
SHA172c778d0f41865e37b8b2703eef08ddb14838f7d
SHA256a55b4b954f423c00b1a9a9300c09ab3588fc7a7c522f4d5eafb274ab40ab165b
SHA5127cc8eb91451c577ea29d1385b96d801011d582341b701342476081797c7d65ae8e6d604097359c6d07fecb27fd957b58eeb569e810c4de19cf9895c3319007d8
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\cloudCommunitySettings.json
Filesize2KB
MD5f4e4a03ebd0ab3a953c56a300d61d223
SHA197a9acf22c3bdd6989d7c120c21077c4d5a9a80e
SHA25652bfb22aa2d7b0ce083d312fb8fa8dcda3063207186f99fc259aebd9064cbedc
SHA51212aa71eea45720a4d7d057da0b662635671e4cd165ad2e0d30a3d2a43950b47dd60c26c1bbbe049418f815850e571b8d93e4c8b8cbbd686abc3cf7926ba719c2
-
Filesize
24KB
MD5b0c2fa35d14a9fad919e99d9d75e1b9e
SHA18d7c2fd354363daee63e8f591ec52fa5d0e23f6f
SHA256022cb167a29a32dae848be91aef721c74f1975af151807dafcc5ed832db246b7
SHA512a6155e42b605425914d1bf745d9b2b5ed57976e161384731c6821a1f8fa2bc3207a863ae45d6ad371ac82733b72bb024204498baa4fb38ad46c6d7bc52e5a022
-
Filesize
24KB
MD5b0c2fa35d14a9fad919e99d9d75e1b9e
SHA18d7c2fd354363daee63e8f591ec52fa5d0e23f6f
SHA256022cb167a29a32dae848be91aef721c74f1975af151807dafcc5ed832db246b7
SHA512a6155e42b605425914d1bf745d9b2b5ed57976e161384731c6821a1f8fa2bc3207a863ae45d6ad371ac82733b72bb024204498baa4fb38ad46c6d7bc52e5a022
-
Filesize
24KB
MD5b0c2fa35d14a9fad919e99d9d75e1b9e
SHA18d7c2fd354363daee63e8f591ec52fa5d0e23f6f
SHA256022cb167a29a32dae848be91aef721c74f1975af151807dafcc5ed832db246b7
SHA512a6155e42b605425914d1bf745d9b2b5ed57976e161384731c6821a1f8fa2bc3207a863ae45d6ad371ac82733b72bb024204498baa4fb38ad46c6d7bc52e5a022
-
Filesize
24KB
MD5b0c2fa35d14a9fad919e99d9d75e1b9e
SHA18d7c2fd354363daee63e8f591ec52fa5d0e23f6f
SHA256022cb167a29a32dae848be91aef721c74f1975af151807dafcc5ed832db246b7
SHA512a6155e42b605425914d1bf745d9b2b5ed57976e161384731c6821a1f8fa2bc3207a863ae45d6ad371ac82733b72bb024204498baa4fb38ad46c6d7bc52e5a022
-
Filesize
24KB
MD5b0c2fa35d14a9fad919e99d9d75e1b9e
SHA18d7c2fd354363daee63e8f591ec52fa5d0e23f6f
SHA256022cb167a29a32dae848be91aef721c74f1975af151807dafcc5ed832db246b7
SHA512a6155e42b605425914d1bf745d9b2b5ed57976e161384731c6821a1f8fa2bc3207a863ae45d6ad371ac82733b72bb024204498baa4fb38ad46c6d7bc52e5a022
-
Filesize
24KB
MD5b0c2fa35d14a9fad919e99d9d75e1b9e
SHA18d7c2fd354363daee63e8f591ec52fa5d0e23f6f
SHA256022cb167a29a32dae848be91aef721c74f1975af151807dafcc5ed832db246b7
SHA512a6155e42b605425914d1bf745d9b2b5ed57976e161384731c6821a1f8fa2bc3207a863ae45d6ad371ac82733b72bb024204498baa4fb38ad46c6d7bc52e5a022
-
Filesize
24KB
MD5b0c2fa35d14a9fad919e99d9d75e1b9e
SHA18d7c2fd354363daee63e8f591ec52fa5d0e23f6f
SHA256022cb167a29a32dae848be91aef721c74f1975af151807dafcc5ed832db246b7
SHA512a6155e42b605425914d1bf745d9b2b5ed57976e161384731c6821a1f8fa2bc3207a863ae45d6ad371ac82733b72bb024204498baa4fb38ad46c6d7bc52e5a022