Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
299s -
max time network
299s -
platform
windows10-1703_x64 -
resource
win10-20220901-en -
resource tags
arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system -
submitted
12/02/2023, 15:25
Static task
static1
Behavioral task
behavioral1
Sample
ghj.exe
Resource
win10-20220901-en
windows10-1703-x64
26 signatures
300 seconds
General
-
Target
ghj.exe
-
Size
66KB
-
MD5
e6a1a7e9749c2e730a115db0d2322e0f
-
SHA1
8dcaa44b6cb950507f953ebd8046f1c01ada02bf
-
SHA256
0ff1a35e3ee55f9eb7523aa75999adf1208ffda8e318b411d00f81ae7db6d2e8
-
SHA512
b5a8f515feaf26145a4ded31285f936934b1748f431aae66b4f03d94f6e58547c717ba46029c6eec2cbd67f6f4fb188e1f74407a1f115ce46088c492aab3751d
-
SSDEEP
1536:vASM0a6LpfCejYAZQEdZbGYBuP7oCFo16AfG3OBf/Cs/LY:vASM0a6NfC/AZDdZbGYtrJfG3OBf/Y
Score
10/10
Malware Config
Signatures
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Modifies extensions of user files 6 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File opened for modification C:\Users\Admin\Pictures\SelectApprove.png.ENC ghj.exe File opened for modification C:\Users\Admin\Pictures\CompressMount.png.ENC ghj.exe File opened for modification C:\Users\Admin\Pictures\ExitInitialize.crw.ENC ghj.exe File opened for modification C:\Users\Admin\Pictures\FindPublish.png.ENC ghj.exe File opened for modification C:\Users\Admin\Pictures\InitializeProtect.crw.ENC ghj.exe File opened for modification C:\Users\Admin\Pictures\MergeUnblock.raw.ENC ghj.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Control Panel\International\Geo\Nation ghj.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ghj.lnk ghj.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ghj.lnk ghj.exe -
Executes dropped EXE 5 IoCs
pid Process 3780 ghj.exe 4708 ghj.exe 3348 ghj.exe 4648 ghj.exe 2488 ghj.exe -
Loads dropped DLL 1 IoCs
pid Process 3044 ghj.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\ghj = "C:\\ProgramData\\ghj.exe" ghj.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce ghj.exe -
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\D: explorer.exe File opened (read-only) \??\D: ghj.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp" ghj.exe -
Drops file in Windows directory 10 IoCs
description ioc Process File created C:\Windows\rescache\_merged\3720402701\2219095117.pri MicrosoftEdgeCP.exe File created C:\Windows\rescache\_merged\2717123927\3950266016.pri explorer.exe File created C:\Windows\rescache\_merged\3720402701\2219095117.pri MicrosoftEdgeCP.exe File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe File created C:\Windows\rescache\_merged\1601268389\3877292338.pri SearchUI.exe File created C:\Windows\rescache\_merged\4032412167\2900507189.pri explorer.exe File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe File created C:\Windows\rescache\_merged\3720402701\2219095117.pri MicrosoftEdge.exe File created C:\Windows\rescache\_merged\3720402701\2219095117.pri explorer.exe File created C:\Windows\rescache\_merged\3720402701\2219095117.pri MicrosoftEdge.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 26 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 explorer.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4012 schtasks.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchUI.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU SearchUI.exe -
Kills process with taskkill 1 IoCs
pid Process 5104 taskkill.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main browser_broker.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main browser_broker.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main MicrosoftEdgeCP.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.pornhub.org\ = "0" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 63c56c94f63ed901 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CacheLimit = "1" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "262144" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 0100000068f519178a5e40801a6f23b45d59a79aa84604b0be7ae3e687ea532835770891313d49f231a71b553235d64e242723999b7cd5f893f76b2e7d13cb22f81d51928ce964f6d9c005a93c88e0ce153d06ba73e5ede07eff895ca5bc MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListInPrivateBrowsingAllowed = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "262144" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" SearchUI.exe Set value (str) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url1 = "https://www.facebook.com/" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState\EdpState = "0" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\SharedCookie_MRACMigrationDone = "1" MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 2b0c0b8ff63ed901 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\pornhub.org\NumberOfSubdomai = "0" MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\Order = 0c0000000a000000000000000c0000000100000000000000 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "5" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.pornhub.org MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\pornhub.org\Total = "32" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0" MicrosoftEdge.exe -
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process 4740 powershell.exe 4740 powershell.exe 4740 powershell.exe 3636 powershell.exe 3636 powershell.exe 3636 powershell.exe 4636 powershell.exe 4636 powershell.exe 4636 powershell.exe 3044 ghj.exe 3044 ghj.exe 3044 ghj.exe 3044 ghj.exe 3044 ghj.exe 3044 ghj.exe 3044 ghj.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4884 explorer.exe -
Suspicious behavior: MapViewOfSection 3 IoCs
pid Process 2916 MicrosoftEdgeCP.exe 2916 MicrosoftEdgeCP.exe 3328 MicrosoftEdgeCP.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 3044 ghj.exe Token: SeDebugPrivilege 4740 powershell.exe Token: SeIncreaseQuotaPrivilege 4740 powershell.exe Token: SeSecurityPrivilege 4740 powershell.exe Token: SeTakeOwnershipPrivilege 4740 powershell.exe Token: SeLoadDriverPrivilege 4740 powershell.exe Token: SeSystemProfilePrivilege 4740 powershell.exe Token: SeSystemtimePrivilege 4740 powershell.exe Token: SeProfSingleProcessPrivilege 4740 powershell.exe Token: SeIncBasePriorityPrivilege 4740 powershell.exe Token: SeCreatePagefilePrivilege 4740 powershell.exe Token: SeBackupPrivilege 4740 powershell.exe Token: SeRestorePrivilege 4740 powershell.exe Token: SeShutdownPrivilege 4740 powershell.exe Token: SeDebugPrivilege 4740 powershell.exe Token: SeSystemEnvironmentPrivilege 4740 powershell.exe Token: SeRemoteShutdownPrivilege 4740 powershell.exe Token: SeUndockPrivilege 4740 powershell.exe Token: SeManageVolumePrivilege 4740 powershell.exe Token: 33 4740 powershell.exe Token: 34 4740 powershell.exe Token: 35 4740 powershell.exe Token: 36 4740 powershell.exe Token: SeDebugPrivilege 3636 powershell.exe Token: SeIncreaseQuotaPrivilege 3636 powershell.exe Token: SeSecurityPrivilege 3636 powershell.exe Token: SeTakeOwnershipPrivilege 3636 powershell.exe Token: SeLoadDriverPrivilege 3636 powershell.exe Token: SeSystemProfilePrivilege 3636 powershell.exe Token: SeSystemtimePrivilege 3636 powershell.exe Token: SeProfSingleProcessPrivilege 3636 powershell.exe Token: SeIncBasePriorityPrivilege 3636 powershell.exe Token: SeCreatePagefilePrivilege 3636 powershell.exe Token: SeBackupPrivilege 3636 powershell.exe Token: SeRestorePrivilege 3636 powershell.exe Token: SeShutdownPrivilege 3636 powershell.exe Token: SeDebugPrivilege 3636 powershell.exe Token: SeSystemEnvironmentPrivilege 3636 powershell.exe Token: SeRemoteShutdownPrivilege 3636 powershell.exe Token: SeUndockPrivilege 3636 powershell.exe Token: SeManageVolumePrivilege 3636 powershell.exe Token: 33 3636 powershell.exe Token: 34 3636 powershell.exe Token: 35 3636 powershell.exe Token: 36 3636 powershell.exe Token: SeDebugPrivilege 4636 powershell.exe Token: SeIncreaseQuotaPrivilege 4636 powershell.exe Token: SeSecurityPrivilege 4636 powershell.exe Token: SeTakeOwnershipPrivilege 4636 powershell.exe Token: SeLoadDriverPrivilege 4636 powershell.exe Token: SeSystemProfilePrivilege 4636 powershell.exe Token: SeSystemtimePrivilege 4636 powershell.exe Token: SeProfSingleProcessPrivilege 4636 powershell.exe Token: SeIncBasePriorityPrivilege 4636 powershell.exe Token: SeCreatePagefilePrivilege 4636 powershell.exe Token: SeBackupPrivilege 4636 powershell.exe Token: SeRestorePrivilege 4636 powershell.exe Token: SeShutdownPrivilege 4636 powershell.exe Token: SeDebugPrivilege 4636 powershell.exe Token: SeSystemEnvironmentPrivilege 4636 powershell.exe Token: SeRemoteShutdownPrivilege 4636 powershell.exe Token: SeUndockPrivilege 4636 powershell.exe Token: SeManageVolumePrivilege 4636 powershell.exe Token: 33 4636 powershell.exe -
Suspicious use of FindShellTrayWindow 49 IoCs
pid Process 3044 ghj.exe 3044 ghj.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 3044 ghj.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe 4884 explorer.exe -
Suspicious use of SetWindowsHookEx 9 IoCs
pid Process 3044 ghj.exe 1800 MicrosoftEdge.exe 2916 MicrosoftEdgeCP.exe 2916 MicrosoftEdgeCP.exe 4056 SearchUI.exe 4884 explorer.exe 5088 MicrosoftEdge.exe 3328 MicrosoftEdgeCP.exe 3328 MicrosoftEdgeCP.exe -
Suspicious use of WriteProcessMemory 46 IoCs
description pid Process procid_target PID 3044 wrote to memory of 4740 3044 ghj.exe 67 PID 3044 wrote to memory of 4740 3044 ghj.exe 67 PID 3044 wrote to memory of 3636 3044 ghj.exe 70 PID 3044 wrote to memory of 3636 3044 ghj.exe 70 PID 3044 wrote to memory of 4636 3044 ghj.exe 72 PID 3044 wrote to memory of 4636 3044 ghj.exe 72 PID 3044 wrote to memory of 4012 3044 ghj.exe 74 PID 3044 wrote to memory of 4012 3044 ghj.exe 74 PID 2916 wrote to memory of 2488 2916 MicrosoftEdgeCP.exe 83 PID 2916 wrote to memory of 2488 2916 MicrosoftEdgeCP.exe 83 PID 2916 wrote to memory of 2488 2916 MicrosoftEdgeCP.exe 83 PID 2916 wrote to memory of 2488 2916 MicrosoftEdgeCP.exe 83 PID 2916 wrote to memory of 2488 2916 MicrosoftEdgeCP.exe 83 PID 2916 wrote to memory of 2488 2916 MicrosoftEdgeCP.exe 83 PID 2916 wrote to memory of 2488 2916 MicrosoftEdgeCP.exe 83 PID 2916 wrote to memory of 2488 2916 MicrosoftEdgeCP.exe 83 PID 2916 wrote to memory of 2488 2916 MicrosoftEdgeCP.exe 83 PID 2916 wrote to memory of 2488 2916 MicrosoftEdgeCP.exe 83 PID 2916 wrote to memory of 2488 2916 MicrosoftEdgeCP.exe 83 PID 2916 wrote to memory of 2488 2916 MicrosoftEdgeCP.exe 83 PID 2916 wrote to memory of 2488 2916 MicrosoftEdgeCP.exe 83 PID 2916 wrote to memory of 2488 2916 MicrosoftEdgeCP.exe 83 PID 2916 wrote to memory of 2488 2916 MicrosoftEdgeCP.exe 83 PID 2916 wrote to memory of 2488 2916 MicrosoftEdgeCP.exe 83 PID 2916 wrote to memory of 2488 2916 MicrosoftEdgeCP.exe 83 PID 2916 wrote to memory of 2488 2916 MicrosoftEdgeCP.exe 83 PID 2916 wrote to memory of 2488 2916 MicrosoftEdgeCP.exe 83 PID 2916 wrote to memory of 2488 2916 MicrosoftEdgeCP.exe 83 PID 2916 wrote to memory of 2488 2916 MicrosoftEdgeCP.exe 83 PID 2916 wrote to memory of 2488 2916 MicrosoftEdgeCP.exe 83 PID 2916 wrote to memory of 2488 2916 MicrosoftEdgeCP.exe 83 PID 2916 wrote to memory of 2488 2916 MicrosoftEdgeCP.exe 83 PID 2916 wrote to memory of 2488 2916 MicrosoftEdgeCP.exe 83 PID 2916 wrote to memory of 2488 2916 MicrosoftEdgeCP.exe 83 PID 2916 wrote to memory of 2488 2916 MicrosoftEdgeCP.exe 83 PID 2916 wrote to memory of 2488 2916 MicrosoftEdgeCP.exe 83 PID 2916 wrote to memory of 2488 2916 MicrosoftEdgeCP.exe 83 PID 2916 wrote to memory of 2488 2916 MicrosoftEdgeCP.exe 83 PID 3044 wrote to memory of 5104 3044 ghj.exe 88 PID 3044 wrote to memory of 5104 3044 ghj.exe 88 PID 3044 wrote to memory of 4884 3044 ghj.exe 92 PID 3044 wrote to memory of 4884 3044 ghj.exe 92 PID 3328 wrote to memory of 4368 3328 MicrosoftEdgeCP.exe 104 PID 3328 wrote to memory of 4368 3328 MicrosoftEdgeCP.exe 104 PID 3328 wrote to memory of 4368 3328 MicrosoftEdgeCP.exe 104 PID 3328 wrote to memory of 4368 3328 MicrosoftEdgeCP.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\ghj.exe"C:\Users\Admin\AppData\Local\Temp\ghj.exe"1⤵
- Modifies extensions of user files
- Checks computer location settings
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ghj.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4740
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ghj.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3636
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\ghj.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4636
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "ghj" /tr "C:\ProgramData\ghj.exe"2⤵
- Creates scheduled task(s)
PID:4012
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /F /IM explorer.exe2⤵
- Kills process with taskkill
PID:5104
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4884
-
-
C:\ProgramData\ghj.exeC:\ProgramData\ghj.exe1⤵
- Executes dropped EXE
PID:3780
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1800
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
PID:1184
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2916
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:2488
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
PID:2804
-
C:\ProgramData\ghj.exeC:\ProgramData\ghj.exe1⤵
- Executes dropped EXE
PID:4708
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x3dc1⤵PID:2892
-
C:\ProgramData\ghj.exeC:\ProgramData\ghj.exe1⤵
- Executes dropped EXE
PID:3348
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4056
-
C:\ProgramData\ghj.exeC:\ProgramData\ghj.exe1⤵
- Executes dropped EXE
PID:4648
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5088
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
PID:4660
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3328
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:4368
-
C:\ProgramData\ghj.exeC:\ProgramData\ghj.exe1⤵
- Executes dropped EXE
PID:2488
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
66KB
MD5e6a1a7e9749c2e730a115db0d2322e0f
SHA18dcaa44b6cb950507f953ebd8046f1c01ada02bf
SHA2560ff1a35e3ee55f9eb7523aa75999adf1208ffda8e318b411d00f81ae7db6d2e8
SHA512b5a8f515feaf26145a4ded31285f936934b1748f431aae66b4f03d94f6e58547c717ba46029c6eec2cbd67f6f4fb188e1f74407a1f115ce46088c492aab3751d
-
Filesize
66KB
MD5e6a1a7e9749c2e730a115db0d2322e0f
SHA18dcaa44b6cb950507f953ebd8046f1c01ada02bf
SHA2560ff1a35e3ee55f9eb7523aa75999adf1208ffda8e318b411d00f81ae7db6d2e8
SHA512b5a8f515feaf26145a4ded31285f936934b1748f431aae66b4f03d94f6e58547c717ba46029c6eec2cbd67f6f4fb188e1f74407a1f115ce46088c492aab3751d
-
Filesize
66KB
MD5e6a1a7e9749c2e730a115db0d2322e0f
SHA18dcaa44b6cb950507f953ebd8046f1c01ada02bf
SHA2560ff1a35e3ee55f9eb7523aa75999adf1208ffda8e318b411d00f81ae7db6d2e8
SHA512b5a8f515feaf26145a4ded31285f936934b1748f431aae66b4f03d94f6e58547c717ba46029c6eec2cbd67f6f4fb188e1f74407a1f115ce46088c492aab3751d
-
Filesize
66KB
MD5e6a1a7e9749c2e730a115db0d2322e0f
SHA18dcaa44b6cb950507f953ebd8046f1c01ada02bf
SHA2560ff1a35e3ee55f9eb7523aa75999adf1208ffda8e318b411d00f81ae7db6d2e8
SHA512b5a8f515feaf26145a4ded31285f936934b1748f431aae66b4f03d94f6e58547c717ba46029c6eec2cbd67f6f4fb188e1f74407a1f115ce46088c492aab3751d
-
Filesize
66KB
MD5e6a1a7e9749c2e730a115db0d2322e0f
SHA18dcaa44b6cb950507f953ebd8046f1c01ada02bf
SHA2560ff1a35e3ee55f9eb7523aa75999adf1208ffda8e318b411d00f81ae7db6d2e8
SHA512b5a8f515feaf26145a4ded31285f936934b1748f431aae66b4f03d94f6e58547c717ba46029c6eec2cbd67f6f4fb188e1f74407a1f115ce46088c492aab3751d
-
Filesize
66KB
MD5e6a1a7e9749c2e730a115db0d2322e0f
SHA18dcaa44b6cb950507f953ebd8046f1c01ada02bf
SHA2560ff1a35e3ee55f9eb7523aa75999adf1208ffda8e318b411d00f81ae7db6d2e8
SHA512b5a8f515feaf26145a4ded31285f936934b1748f431aae66b4f03d94f6e58547c717ba46029c6eec2cbd67f6f4fb188e1f74407a1f115ce46088c492aab3751d
-
Filesize
654B
MD516c5fce5f7230eea11598ec11ed42862
SHA175392d4824706090f5e8907eee1059349c927600
SHA25687ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151
SHA512153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc
-
Filesize
3KB
MD58592ba100a78835a6b94d5949e13dfc1
SHA163e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA51287f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
-
Filesize
1KB
MD59fceaa8f38c649b2e22774fae18c3a57
SHA15fd53df1613ba5450c0b8efd46825db0d9b524e3
SHA256fd1439be9ac2c7e9657901542c04521cea486ac10ba40144cfd20183b18e51c5
SHA51245846475ef49c7fe0b7ccca1c18404f963f689c73ff4bd29add0fc49ce3872bceb230d5a45782731c4161888d853671253231c23e13b05b0739a4b835ff0c52a
-
Filesize
1KB
MD5f4a7ad860775bc17b23ccf6c7aab0acc
SHA141f4c2e19ebc93b119673cbc2779720ff9f3e800
SHA25652d325252adb32e6d62f798535de41227b7d16ac4cbf91bfcb66c5fd162b94fb
SHA512eea7fb7580a958379d9bbe59ec7ca80e53c7b0227009ffbb7efa3ab093eaa6d1a65aa123d863435da659e2f704dfb7f4bc60edf75d3fd693621ac71b81c37f70
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\LogFiles\edb.log
Filesize512KB
MD584e6ffb04c555095d0930b410f6edd52
SHA14a980303042076e62196e0b7b93f125ca8193434
SHA256c5f8b740b3026175542b541be2a451df76187c9082af268ee4deaae07c4b084b
SHA5120ddc3ae53e89f374f5bb9fe66e212f665f4e21e819363ab71701032f737bc2e7e97d58985ccbcaba2338e7cde2482e8b247fb4d04193f218c314c401bae835f3
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\edb.chk
Filesize8KB
MD52ffc860e991c482ed33902cd9df292e9
SHA19f6e9d2222a599ce4a1c7ce51f8a5e90887339fd
SHA256c7298f85e1edd4fb6f7c3389f9f763c6cdfaea2bbed2547ec87afa8922eb962c
SHA512716b98f7e0f38e6c89068d33b601674fc748c6defa853c004d98d782812d39d9198a19e1cee6a878ce809b728c7e85a2961849555fc537cbb3aa98432ef33398
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edb
Filesize2.0MB
MD574081765b6f01ff691217b77bcc8a95d
SHA1b0e55b85aaca423e3343679be8a7c22afa090e49
SHA2569e46a6d5a841d5d39a69d25a5607b3196037d0ef09ed229449a5f0ec50f512d0
SHA512e2342405c69b0605b42f46a4f43567836fb0a6af12d193a846aa9f3bf65b20df53b2159e4d16c5d930620eddc0e8678870c6dc1cedb17bb517a8448380163d0c
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.jfm
Filesize16KB
MD52bfa4ec28d39ee30a25a20542681fe66
SHA1539e61bf2b5b1f0fe2745e3f013eefd0f1223678
SHA2564433a563ced16c8f7e15d54b7f1d42a89b0208698d14471f20733d0f245fc1e6
SHA512ad40e91c52d16cced9f87883b9968599511ea05af868d7656ff2af964e54efa3564805ed19dab91ceee61dbc86c6deb13576ee7f017274c5208baf4d702a5d11
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\ImageStore\z6nqo42\imagestore.dat
Filesize1KB
MD5d91d08c2bba7b1432933efd050382d01
SHA15cd9ec3cc3dc654b063c2c4eea958bc165e9fc91
SHA256ec5fe5c545b846a9b9254e950cd3cf418ce40dee7103efe4adb25392fab66af0
SHA5120906335f4eded7d8d68312382029aab0983e4817df96c6d33d717bd9d03fcc07aeef183ca4d843addd033c1a468e21cac296607a1f1c2210373abc20a83d1116
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\RecoveryStore.{4E8CE229-A57B-46FB-B633-26E2CFC6FE64}.dat
Filesize4KB
MD5b5a6f44140ed5776f8f39af849ab1207
SHA18d43cb68b163d26f4ff3e057a5d3498f4314055a
SHA25657dcfc48a9da75c181abcc84a844c693877afd2ab2be131affa4d731033ca3ab
SHA512f4629004b703c60d6e4fe56430e229d35cf718edff678d4d7d1e236e738135f938677e878afa7bde9e1d4f6424a938117941765c4b24f12e1d4ac98eb932dfaa
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{A413E448-CEB9-4540-9871-C9D4736EBCD7}.dat
Filesize40KB
MD505de975c96582443d55da5dc77ae21c5
SHA150653daf3b9548016a649ee33e69d65b48b1e554
SHA25671646d3b27dc68387872b5508b5a5efb95009f16c42d7555df968ab05db8ef19
SHA512e6789fd55ed4566a7d3ce1bf341362c9446d287e953039e06da2e2e00e5a57490c8ff7b263ddc9707b6b6f1dde7a76b1b4780d6d496645d0a6522ad1e3f0bc37
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\Microsoft\Windows\3720402701\2219095117.pri
Filesize207KB
MD5e2b88765ee31470114e866d939a8f2c6
SHA1e0a53b8511186ff308a0507b6304fb16cabd4e1f
SHA256523e419d2fa2e780239812d36caa37e92f8c3e6a5cd9f18f0d807c593effa45e
SHA512462e8e6b4e63fc6781b6a9935b332a1dc77bfb88e1de49134f86fd46bd1598d2e842902dd9415a328e325bd7cdee766bd9473f2695acdfa769ffe7ba9ae1953d
-
Filesize
2.5MB
MD5d63f77374f84c4d7bb6107e86ee3c8c5
SHA11e70f0e5b530d0c1cc8c5aebc6e4e6e2c1b16a0e
SHA25694dcb0e20d29d28f95bcba1d96c59a4ad83fc1ac0df98185c28685a66f08a1da
SHA512ceadc5c63c03563e43ec9a421b9afbf6df9278c03d77aa8badd26fecdcacdebcd6a8ca41b82b860e8441db563a449166fb725dfb65e844c93947b369f1f2da2b
-
Filesize
710B
MD51bf77fad285dfe924484528612d0dc13
SHA12d54cb983ff333a3f0b90a80327a7e0da0dab91b
SHA256d16a34e7eca0d34e39ffb2ace22bddf093a641f91738869e5d3b306bcd0f4983
SHA51299eb012ceeb92c8af4582d725ed6ddd3b300452086c16d3f63f9268279eefb2357d76f0e5c001131323ed7096607a2d77b1bfd543ab4a4f4e608098e89ec4ab7
-
Filesize
100KB
MD51b942faa8e8b1008a8c3c1004ba57349
SHA1cd99977f6c1819b12b33240b784ca816dfe2cb91
SHA256555ccb7ecd9ae52a75135fdd81ab443a49d5785b0621ed6468d28c4234e46ccc
SHA5125aee3d59478d41ddd5885c99b394c9c4983064e2b3528db1a3f7fc289662bced4f57d072517bbe7573c6d1789435e987ef1aa9cc91f372bcfd30bc016675fa43
