hxxps://github[.]com/CipherSHLD/Ms-P-1A[.]git

Analysis

max time kernel
144s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
09/01/2023, 18:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/CipherSHLD/Ms-P-1A.git

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4660	Ms P-1A47.exe
3516	Ms P-1A47.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	Ms P-1A47.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	Ms P-1A47.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2786368309"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 6072dba85e24d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2786408791"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31007838"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D15208D5-9051-11ED-919F-DAD30C974647} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e6851ef31fd3cf49b332bbb4721c97480000000002000000000010660000000100002000000009fae169e36c65a463d6a71b6dbe24e018c67d357d2e9e51be2518f140657521000000000e8000000002000020000000ee7c6da0e3ab19264f4e4f99a8640e96fddeeebc0e49f84bce92dba9aabf87052000000071a355cac7565536bf1d9ab6ed6a48d2c1e600095ea75b2dbaadd3a6236fdf5840000000942ba1eca88a46a9db8183e8d6d043c81ff12b9fa1742a87fc9bd728c7080bb72458896063a4f3817ce1ca3299882f64c06cc1054045b1fd8d078358336e6385	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0f7caa85e24d901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e6851ef31fd3cf49b332bbb4721c9748000000000200000000001066000000010000200000000aa15a7a613b228786041cf1f15b6c76c13149d7799ded625b9d1f899a54057f000000000e8000000002000020000000eaba18dedd2c1b73b89cb9cdabd79d494f9922c48eae287e0a4fa50dfa07cb12200000003ddbd60a47e75dde29290d9196fdaf4dfbaad87711b44ec2acd161a0a90ea52c4000000040ccd5b89804516e3ccee13eef03fab3e88d30ce6181851fb8a258ffae40a27ff54526510707e4dfc973d736a3c4457d3d5662b6bc85a248572b11fa527c4083	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31007838"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Setup Ms P-1A.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Setup Ms P-1A.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1192	chrome.exe
1192	chrome.exe
4352	chrome.exe
4352	chrome.exe
4796	chrome.exe
4796	chrome.exe
4612	chrome.exe
4612	chrome.exe
4092	chrome.exe
4092	chrome.exe
2100	chrome.exe
2100	chrome.exe
3116	chrome.exe
3116	chrome.exe
1464	chrome.exe
1464	chrome.exe
912	chrome.exe
912	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1500	Setup Ms P-1A.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
4472	iexplore.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4472	iexplore.exe
4472	iexplore.exe
4940	IEXPLORE.EXE
4940	IEXPLORE.EXE
4940	IEXPLORE.EXE
4940	IEXPLORE.EXE
4940	IEXPLORE.EXE
4940	IEXPLORE.EXE
4940	IEXPLORE.EXE
4940	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4472 wrote to memory of 4940	4472	iexplore.exe	84
PID 4472 wrote to memory of 4940	4472	iexplore.exe	84
PID 4472 wrote to memory of 4940	4472	iexplore.exe	84
PID 4352 wrote to memory of 2456	4352	chrome.exe	95
PID 4352 wrote to memory of 2456	4352	chrome.exe	95
PID 4352 wrote to memory of 3264	4352	chrome.exe	96
PID 4352 wrote to memory of 3264	4352	chrome.exe	96
PID 4352 wrote to memory of 3264	4352	chrome.exe	96
PID 4352 wrote to memory of 3264	4352	chrome.exe	96
PID 4352 wrote to memory of 3264	4352	chrome.exe	96
PID 4352 wrote to memory of 3264	4352	chrome.exe	96
PID 4352 wrote to memory of 3264	4352	chrome.exe	96
PID 4352 wrote to memory of 3264	4352	chrome.exe	96
PID 4352 wrote to memory of 3264	4352	chrome.exe	96
PID 4352 wrote to memory of 3264	4352	chrome.exe	96
PID 4352 wrote to memory of 3264	4352	chrome.exe	96
PID 4352 wrote to memory of 3264	4352	chrome.exe	96
PID 4352 wrote to memory of 3264	4352	chrome.exe	96
PID 4352 wrote to memory of 3264	4352	chrome.exe	96
PID 4352 wrote to memory of 3264	4352	chrome.exe	96
PID 4352 wrote to memory of 3264	4352	chrome.exe	96
PID 4352 wrote to memory of 3264	4352	chrome.exe	96
PID 4352 wrote to memory of 3264	4352	chrome.exe	96
PID 4352 wrote to memory of 3264	4352	chrome.exe	96
PID 4352 wrote to memory of 3264	4352	chrome.exe	96
PID 4352 wrote to memory of 3264	4352	chrome.exe	96
PID 4352 wrote to memory of 3264	4352	chrome.exe	96
PID 4352 wrote to memory of 3264	4352	chrome.exe	96
PID 4352 wrote to memory of 3264	4352	chrome.exe	96
PID 4352 wrote to memory of 3264	4352	chrome.exe	96
PID 4352 wrote to memory of 3264	4352	chrome.exe	96
PID 4352 wrote to memory of 3264	4352	chrome.exe	96
PID 4352 wrote to memory of 3264	4352	chrome.exe	96
PID 4352 wrote to memory of 3264	4352	chrome.exe	96
PID 4352 wrote to memory of 3264	4352	chrome.exe	96
PID 4352 wrote to memory of 3264	4352	chrome.exe	96
PID 4352 wrote to memory of 3264	4352	chrome.exe	96
PID 4352 wrote to memory of 3264	4352	chrome.exe	96
PID 4352 wrote to memory of 3264	4352	chrome.exe	96
PID 4352 wrote to memory of 3264	4352	chrome.exe	96
PID 4352 wrote to memory of 3264	4352	chrome.exe	96
PID 4352 wrote to memory of 3264	4352	chrome.exe	96
PID 4352 wrote to memory of 3264	4352	chrome.exe	96
PID 4352 wrote to memory of 3264	4352	chrome.exe	96
PID 4352 wrote to memory of 3264	4352	chrome.exe	96
PID 4352 wrote to memory of 1192	4352	chrome.exe	97
PID 4352 wrote to memory of 1192	4352	chrome.exe	97
PID 4352 wrote to memory of 2644	4352	chrome.exe	98
PID 4352 wrote to memory of 2644	4352	chrome.exe	98
PID 4352 wrote to memory of 2644	4352	chrome.exe	98
PID 4352 wrote to memory of 2644	4352	chrome.exe	98
PID 4352 wrote to memory of 2644	4352	chrome.exe	98
PID 4352 wrote to memory of 2644	4352	chrome.exe	98
PID 4352 wrote to memory of 2644	4352	chrome.exe	98
PID 4352 wrote to memory of 2644	4352	chrome.exe	98
PID 4352 wrote to memory of 2644	4352	chrome.exe	98
PID 4352 wrote to memory of 2644	4352	chrome.exe	98
PID 4352 wrote to memory of 2644	4352	chrome.exe	98
PID 4352 wrote to memory of 2644	4352	chrome.exe	98
PID 4352 wrote to memory of 2644	4352	chrome.exe	98
PID 4352 wrote to memory of 2644	4352	chrome.exe	98
PID 4352 wrote to memory of 2644	4352	chrome.exe	98
PID 4352 wrote to memory of 2644	4352	chrome.exe	98
PID 4352 wrote to memory of 2644	4352	chrome.exe	98

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/CipherSHLD/Ms-P-1A.git
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4472
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4472 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7fff1bf04f50,0x7fff1bf04f60,0x7fff1bf04f70
  2⤵
  PID:2456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1572,17951269493494165612,2507226960225996496,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1620 /prefetch:2
  2⤵
  PID:3264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1572,17951269493494165612,2507226960225996496,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1996 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1572,17951269493494165612,2507226960225996496,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2268 /prefetch:8
  2⤵
  PID:2644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,17951269493494165612,2507226960225996496,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2908 /prefetch:1
  2⤵
  PID:3100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,17951269493494165612,2507226960225996496,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3092 /prefetch:1
  2⤵
  PID:3124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,17951269493494165612,2507226960225996496,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3792 /prefetch:1
  2⤵
  PID:2300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,17951269493494165612,2507226960225996496,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4488 /prefetch:8
  2⤵
  PID:3116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,17951269493494165612,2507226960225996496,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4596 /prefetch:8
  2⤵
  PID:3156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,17951269493494165612,2507226960225996496,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4724 /prefetch:8
  2⤵
  PID:1344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,17951269493494165612,2507226960225996496,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4756 /prefetch:8
  2⤵
  PID:2412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,17951269493494165612,2507226960225996496,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4556 /prefetch:8
  2⤵
  PID:2072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,17951269493494165612,2507226960225996496,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4568 /prefetch:8
  2⤵
  PID:2596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,17951269493494165612,2507226960225996496,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4860 /prefetch:8
  2⤵
  PID:2076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,17951269493494165612,2507226960225996496,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4508 /prefetch:8
  2⤵
  PID:1500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,17951269493494165612,2507226960225996496,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
  2⤵
  PID:828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1572,17951269493494165612,2507226960225996496,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4540 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1572,17951269493494165612,2507226960225996496,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4884 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,17951269493494165612,2507226960225996496,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5032 /prefetch:8
  2⤵
  PID:1340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,17951269493494165612,2507226960225996496,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4864 /prefetch:8
  2⤵
  PID:3116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,17951269493494165612,2507226960225996496,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:4288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,17951269493494165612,2507226960225996496,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4488 /prefetch:1
  2⤵
  PID:1500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,17951269493494165612,2507226960225996496,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:1
  2⤵
  PID:1260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,17951269493494165612,2507226960225996496,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3000 /prefetch:1
  2⤵
  PID:4204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,17951269493494165612,2507226960225996496,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3824 /prefetch:8
  2⤵
  PID:4080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1572,17951269493494165612,2507226960225996496,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1572,17951269493494165612,2507226960225996496,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3272 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1572,17951269493494165612,2507226960225996496,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1116 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,17951269493494165612,2507226960225996496,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1560 /prefetch:8
  2⤵
  PID:996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1572,17951269493494165612,2507226960225996496,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3964 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1572,17951269493494165612,2507226960225996496,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4972 /prefetch:8
  2⤵
  PID:3784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1572,17951269493494165612,2507226960225996496,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:912

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1260

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2800

C:\Users\Admin\Downloads\Ms-P-1A-master\Ms-P-1A-master\Setup Ms P-1A.EXE
"C:\Users\Admin\Downloads\Ms-P-1A-master\Ms-P-1A-master\Setup Ms P-1A.EXE"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:1500

C:\Users\Admin\Desktop\Ms P-1A47.exe
"C:\Users\Admin\Desktop\Ms P-1A47.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
PID:4660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\is64.bat" "
  2⤵
  PID:2156

C:\Users\Admin\Desktop\Ms P-1A47.exe
"C:\Users\Admin\Desktop\Ms P-1A47.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
PID:3516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\is64.bat" "
  2⤵
  PID:4876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\50CD3D75D026C82E2E718570BD6F44D0_60E83F2095C16CA099C94596E7B8AA5D

Filesize
312B

MD5
028676d8de81ab721462c7438f002ec9

SHA1
a2abdf89a292ab667d1d8fe78001a72d496f99b6

SHA256
9184d5a60bcae3843817d00eed57b5e0c40b6639b89dd5bd8422a78a9ca800eb

SHA512
2f9b483af23a51c0823b24e17c956a17ae22e52d8d08ea5d5f4182a493c71b348651dea8da6cb5670e127ee78df41388a78800d8fc4f7e4638ff7de2a025f30e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
53c42b70e0cb733bdd116eb57c817db4

SHA1
dd4cec8273ece07b776f2e67e8bcb3c625fc7188

SHA256
8e8c03a9808c3207049fd5eb462af3a715fef5f8718aec09536a0edef8bb5e8b

SHA512
8ad73d9df2d476f8482f5eb86b2ace7a7583974b790c999e43980c583400f3a332d7e5a8031c7664966445b75a867465dbf8db8d380b22524db42c9bd734a560

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565

Filesize
471B

MD5
e0c679f33e2f14a5c2b948b9b7e2b1ed

SHA1
16ae688c318112a8a4022d1b0fc869aac25ce849

SHA256
2b6d8c67f744a29fc439c1d5785779d83a3c153d553c002af0b1e817b656332b

SHA512
331082fc0a2a8c2c5af5ff785d4d6a0d4c92e3a914a53ee0b2a6f40dc228b5ba27401fe6c06b0e8cc6e632da67683f95ef7871d0ddda9d581afe677fe9857948

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\50CD3D75D026C82E2E718570BD6F44D0_60E83F2095C16CA099C94596E7B8AA5D

Filesize
434B

MD5
e0ef4139672da1fba095340e28839399

SHA1
679c7ef20a2b04df39baf355a336c011fc157ec3

SHA256
f7c84f12e4fa405f7573ddea64d4168e27aff3ae887b56078f110202292ce59b

SHA512
ddc1ff37f5437cf273ab5c0587847cc37bced74efd6d8dd16a076c7cb3d12c22321e31f321d2ac304c5bc88ed93baeeca339b3ee33e65f5828185f78951783fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
733d518c6c78a8c24177f540a977b091

SHA1
d18f914eaf3dcb04263827096aad3ba1336c8bb6

SHA256
f2602b896c86eb8bbb4c294bb9867992e3be3b481084359ffdd989698484a5bc

SHA512
72c00b1213f0a812a13f4cf0e24567e5f58b06bd610b0066356d798e1f357194eca5612648876ad438c030a2b744c3f63b163167ac1367b7071ab3ccf5060433

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565

Filesize
404B

MD5
89ec8415b878b4d5f155549ac981ae31

SHA1
91c6dac230d5f9e0a41cbc2a5e13c6d1c419b335

SHA256
09e13d2c2fd2f5da2ebd528b410d7c734021d33de8cee9271490a0eef55acaf5

SHA512
78a7d6b7dafc8ac6a898552fab2e47d7e3fb79091bf2f0a255ae484f7d31923c39839d293f18caace7f97e0590f59468fdc4b9993f7eb23db1abbd521ffdc20b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\xyoggsx\imagestore.dat

Filesize
1KB

MD5
c5c31153c1eb67f1150ab87e1b3e4c58

SHA1
9056fcd6d6817a79ba8a5f138de5dd573f937e84

SHA256
75d8a8f2d15e35077889cde46cb75a56caa3318e39688e88548eee53e5ae9fb8

SHA512
ffb70f697ed5c6f7980ff4f5cd82e95e594a472ab4a5bfdcc55c5a42e9fde122a24863bb2ea33b71564bc24310d9e703b80538a85ae3f4dde68c1aae31705482

Download Submit
C:\Users\Admin\AppData\Local\Temp\is64.bat

Filesize
181B

MD5
225edee1d46e0a80610db26b275d72fb

SHA1
ce206abf11aaf19278b72f5021cc64b1b427b7e8

SHA256
e1befb57d724c9dc760cf42d7e0609212b22faeb2dc0c3ffe2fbd7134ff69559

SHA512
4f01a2a248a1322cb690b7395b818d2780e46f4884e59f1ab96125d642b6358eea97c7fad6023ef17209b218daa9c88d15ea2b92f124ecb8434c0c7b4a710504

Download Submit
C:\Users\Admin\AppData\Local\Temp\is64.bat

Filesize
181B

MD5
225edee1d46e0a80610db26b275d72fb

SHA1
ce206abf11aaf19278b72f5021cc64b1b427b7e8

SHA256
e1befb57d724c9dc760cf42d7e0609212b22faeb2dc0c3ffe2fbd7134ff69559

SHA512
4f01a2a248a1322cb690b7395b818d2780e46f4884e59f1ab96125d642b6358eea97c7fad6023ef17209b218daa9c88d15ea2b92f124ecb8434c0c7b4a710504

Download Submit
C:\Users\Admin\AppData\Local\Temp\is64.fil

Filesize
32B

MD5
d406619e40f52369e12ae4671b16a11a

SHA1
9c5748148612b1eefaacf368fbf5dbcaa8dea6d0

SHA256
2e340d2b9ced6ad419c031400fb974feed427cfabd0c167dea26ec732d8579be

SHA512
4d9792a6427e4a48553318b4c2bac19ff729a9c0a635bc9196c33d2be5d1a224d1bac30da5f881bad6340b0235894ff020f32061a64125629848e21c879c5264

Download Submit
C:\Users\Admin\AppData\Local\Temp\is64.txt

Filesize
3B

MD5
a5ea0ad9260b1550a14cc58d2c39b03d

SHA1
f0aedf295071ed34ab8c6a7692223d22b6a19841

SHA256
f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04

SHA512
7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74

Download Submit
C:\Users\Admin\AppData\Local\Temp\is64.txt

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\Desktop\Ms P-1A47.exe

Filesize
84KB

MD5
2b1db4f575fa541949c4d0eb39b571d4

SHA1
7c3fbf372e1f6458854e536ef0efdcccf1043fda

SHA256
a9d166e4ff883b0d0ec7ba0de14844f5acf2a11d2f5e5bd935556ab5bbcc9a68

SHA512
d0c416858066d730d117aa19e3a2661fe1134ca9b15cb2a4e798d22dcd9489524538350144aee41e95ccce2bd1a7cbcce089742a060b25d7d57308bb255a6e96

Download Submit
C:\Users\Admin\Desktop\Ms P-1A47.exe

Filesize
84KB

MD5
2b1db4f575fa541949c4d0eb39b571d4

SHA1
7c3fbf372e1f6458854e536ef0efdcccf1043fda

SHA256
a9d166e4ff883b0d0ec7ba0de14844f5acf2a11d2f5e5bd935556ab5bbcc9a68

SHA512
d0c416858066d730d117aa19e3a2661fe1134ca9b15cb2a4e798d22dcd9489524538350144aee41e95ccce2bd1a7cbcce089742a060b25d7d57308bb255a6e96

Download Submit
C:\Users\Admin\Desktop\Ms P-1A47.exe

Filesize
84KB

MD5
2b1db4f575fa541949c4d0eb39b571d4

SHA1
7c3fbf372e1f6458854e536ef0efdcccf1043fda

SHA256
a9d166e4ff883b0d0ec7ba0de14844f5acf2a11d2f5e5bd935556ab5bbcc9a68

SHA512
d0c416858066d730d117aa19e3a2661fe1134ca9b15cb2a4e798d22dcd9489524538350144aee41e95ccce2bd1a7cbcce089742a060b25d7d57308bb255a6e96

Download Submit