5db66b8f102b6914e752c404aebb2fe6af5a31ded5494a6a844c22077a8c75e0

Analysis

max time kernel
250s
max time network
252s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
20-04-2023 02:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GeometryDash.exe
Size

6.5MB
MD5

47b4e0d8ab93a33cd20f902a387ac7e7
SHA1

89187e3a148e8ca063d0e0b008f3c7cd6a0a4729
SHA256

5db66b8f102b6914e752c404aebb2fe6af5a31ded5494a6a844c22077a8c75e0
SHA512

9fe8c85d3097162389a22cc0c204ca84c7c864fa4dbfc52988883dc2456f8474ceb81e95350a32d90520654bcb0c3596044ba5fae6d9a7eacdb9a38e61d0a547
SSDEEP

49152:Bug8dPHi2XXq8dWlHIuKO77iX+4LVoVNG+w6xfS+w6xfSExfSRaTQAYjzDTjE:QDnq8W9KO7epGVNVVxfS+VxfSgfSR

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\4183903823\810424605.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	taskmgr.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4560	5064	WerFault.exe	83

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 63 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\SearchScopes\Version = "5"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1414998448"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000997a23a2ecd7164cbfc0800bd950d66200000000020000000000106600000001000020000000cda01c3ed17fea52086c9f073657f667460c029101feec3085ab2f0a7a064bd1000000000e8000000002000020000000fea5040aa485766ecc33e37b80a2e8770db43d331761b2485be1907aebac90ab100000009fca86e4bfa8e6046b6cbf979a94668940000000fcd7903dadbe24280364298d4fd048b37f88861429346346c1be4e5b7a2462242a496db89bcdcd5c1d64a34a3aa803993860e9dabbd3f2ffc0715d52b1b5258b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\User Preferences	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "388729324"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoURL = "http://go.microsoft.com/fwlink/?LinkID=403856&language={language}&scale={scalelevel}&contrast={contrast}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1398903879"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTSR"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1398903879"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7E8C17A4-DF32-11ED-A853-5260AB3644B7} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\LowRegistry	PaintStudio.View.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\SearchScopes\UpgradeTime = 43f289759c45d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "388745918"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTSuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&market={language}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IENTSS"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\LowRegistry\Shell Extensions	PaintStudio.View.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\User Preferences\3DB9590C4C4C26C4CCBDD94ECAD790359708C3267B = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000997a23a2ecd7164cbfc0800bd950d662000000000200000000001066000000010000200000006126beae9ca4a931c1e9ce50c92bc9bb79963a5bf63ce0f93c4944cf830d3b13000000000e8000000002000020000000664feedab78a90c740765726072c73f73f8e05bfa8fda676142aaad81a3a3a6850000000bde2da2ac2560295dbda52acf6e42ce2611f0efc6c48915cf143a898f544a8941371899187c04b745090a2c3bd43e502dd95d98f943825f7f82dfd1f9ad0646542bbd42c8d5937f51bfc5223a750f0e840000000a1f6f2d6ebc5c4e25457a4fec0d072c5743037adc7782a5f550c6b9842cf046ac236adc4156187209957509f55fae2e9fb2ff766a3e554d5a91dd677e35d18fb	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31028031"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31028031"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31028031"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURL = "http://www.bing.com/favicon.ico"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "388777909"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\LowRegistry\Shell Extensions\Cached	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTTopResultURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTTR"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe

Modifies registry class 12 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings	PaintStudio.View.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	PaintStudio.View.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	PaintStudio.View.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	PaintStudio.View.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "51200"	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	PaintStudio.View.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content	PaintStudio.View.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
308	EXCEL.EXE
5064	PaintStudio.View.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4988	mspaint.exe
4988	mspaint.exe
5064	PaintStudio.View.exe
5064	PaintStudio.View.exe
5064	PaintStudio.View.exe
5064	PaintStudio.View.exe
5064	PaintStudio.View.exe
5064	PaintStudio.View.exe
5064	PaintStudio.View.exe
5064	PaintStudio.View.exe
5064	PaintStudio.View.exe
5064	PaintStudio.View.exe
5064	PaintStudio.View.exe
5064	PaintStudio.View.exe
5064	PaintStudio.View.exe
5064	PaintStudio.View.exe
5064	PaintStudio.View.exe
5064	PaintStudio.View.exe
5064	PaintStudio.View.exe
5064	PaintStudio.View.exe
5064	PaintStudio.View.exe
5064	PaintStudio.View.exe
5064	PaintStudio.View.exe
5064	PaintStudio.View.exe
5064	PaintStudio.View.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2776	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	5064	PaintStudio.View.exe
Token: SeDebugPrivilege	5064	PaintStudio.View.exe
Token: SeDebugPrivilege	5064	PaintStudio.View.exe
Token: SeDebugPrivilege	2776	taskmgr.exe
Token: SeSystemProfilePrivilege	2776	taskmgr.exe
Token: SeCreateGlobalPrivilege	2776	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
308	EXCEL.EXE
308	EXCEL.EXE
1280	iexplore.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe
2776	taskmgr.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
308	EXCEL.EXE
308	EXCEL.EXE
308	EXCEL.EXE
308	EXCEL.EXE
308	EXCEL.EXE
308	EXCEL.EXE
308	EXCEL.EXE
308	EXCEL.EXE
308	EXCEL.EXE
308	EXCEL.EXE
308	EXCEL.EXE
4988	mspaint.exe
4940	AcroRd32.exe
5016	AcroRd32.exe
4940	AcroRd32.exe
4940	AcroRd32.exe
1568	AcroRd32.exe
4940	AcroRd32.exe
1280	iexplore.exe
1280	iexplore.exe
5064	PaintStudio.View.exe
2100	IEXPLORE.EXE
2100	IEXPLORE.EXE
2100	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 2100	1280	iexplore.exe	80
PID 1280 wrote to memory of 2100	1280	iexplore.exe	80
PID 1280 wrote to memory of 2100	1280	iexplore.exe	80
PID 4940 wrote to memory of 2248	4940	AcroRd32.exe	84
PID 4940 wrote to memory of 2248	4940	AcroRd32.exe	84
PID 4940 wrote to memory of 2248	4940	AcroRd32.exe	84
PID 2248 wrote to memory of 4168	2248	RdrCEF.exe	85
PID 2248 wrote to memory of 4168	2248	RdrCEF.exe	85
PID 2248 wrote to memory of 4168	2248	RdrCEF.exe	85
PID 2248 wrote to memory of 4168	2248	RdrCEF.exe	85
PID 2248 wrote to memory of 4168	2248	RdrCEF.exe	85
PID 2248 wrote to memory of 4168	2248	RdrCEF.exe	85
PID 2248 wrote to memory of 4168	2248	RdrCEF.exe	85
PID 2248 wrote to memory of 4168	2248	RdrCEF.exe	85
PID 2248 wrote to memory of 4168	2248	RdrCEF.exe	85
PID 2248 wrote to memory of 4168	2248	RdrCEF.exe	85
PID 2248 wrote to memory of 4168	2248	RdrCEF.exe	85
PID 2248 wrote to memory of 4168	2248	RdrCEF.exe	85
PID 2248 wrote to memory of 4168	2248	RdrCEF.exe	85
PID 2248 wrote to memory of 4168	2248	RdrCEF.exe	85
PID 2248 wrote to memory of 4168	2248	RdrCEF.exe	85
PID 2248 wrote to memory of 4168	2248	RdrCEF.exe	85
PID 2248 wrote to memory of 4168	2248	RdrCEF.exe	85
PID 2248 wrote to memory of 4168	2248	RdrCEF.exe	85
PID 2248 wrote to memory of 4168	2248	RdrCEF.exe	85
PID 2248 wrote to memory of 4168	2248	RdrCEF.exe	85
PID 2248 wrote to memory of 4168	2248	RdrCEF.exe	85
PID 2248 wrote to memory of 4168	2248	RdrCEF.exe	85
PID 2248 wrote to memory of 4168	2248	RdrCEF.exe	85
PID 2248 wrote to memory of 4168	2248	RdrCEF.exe	85
PID 2248 wrote to memory of 4168	2248	RdrCEF.exe	85
PID 2248 wrote to memory of 4168	2248	RdrCEF.exe	85
PID 2248 wrote to memory of 4168	2248	RdrCEF.exe	85
PID 2248 wrote to memory of 4168	2248	RdrCEF.exe	85
PID 2248 wrote to memory of 4168	2248	RdrCEF.exe	85
PID 2248 wrote to memory of 4168	2248	RdrCEF.exe	85
PID 2248 wrote to memory of 4168	2248	RdrCEF.exe	85
PID 2248 wrote to memory of 4168	2248	RdrCEF.exe	85
PID 2248 wrote to memory of 4168	2248	RdrCEF.exe	85
PID 2248 wrote to memory of 4168	2248	RdrCEF.exe	85
PID 2248 wrote to memory of 4168	2248	RdrCEF.exe	85
PID 2248 wrote to memory of 4168	2248	RdrCEF.exe	85
PID 2248 wrote to memory of 4168	2248	RdrCEF.exe	85
PID 2248 wrote to memory of 4168	2248	RdrCEF.exe	85
PID 2248 wrote to memory of 4168	2248	RdrCEF.exe	85
PID 2248 wrote to memory of 4168	2248	RdrCEF.exe	85
PID 2248 wrote to memory of 4168	2248	RdrCEF.exe	85
PID 2248 wrote to memory of 4392	2248	RdrCEF.exe	86
PID 2248 wrote to memory of 4392	2248	RdrCEF.exe	86
PID 2248 wrote to memory of 4392	2248	RdrCEF.exe	86
PID 2248 wrote to memory of 4392	2248	RdrCEF.exe	86
PID 2248 wrote to memory of 4392	2248	RdrCEF.exe	86
PID 2248 wrote to memory of 4392	2248	RdrCEF.exe	86
PID 2248 wrote to memory of 4392	2248	RdrCEF.exe	86
PID 2248 wrote to memory of 4392	2248	RdrCEF.exe	86
PID 2248 wrote to memory of 4392	2248	RdrCEF.exe	86
PID 2248 wrote to memory of 4392	2248	RdrCEF.exe	86
PID 2248 wrote to memory of 4392	2248	RdrCEF.exe	86
PID 2248 wrote to memory of 4392	2248	RdrCEF.exe	86
PID 2248 wrote to memory of 4392	2248	RdrCEF.exe	86
PID 2248 wrote to memory of 4392	2248	RdrCEF.exe	86
PID 2248 wrote to memory of 4392	2248	RdrCEF.exe	86
PID 2248 wrote to memory of 4392	2248	RdrCEF.exe	86
PID 2248 wrote to memory of 4392	2248	RdrCEF.exe	86

C:\Users\Admin\AppData\Local\Temp\GeometryDash.exe
"C:\Users\Admin\AppData\Local\Temp\GeometryDash.exe"
1⤵
PID:2920

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\EnableRequest.ods"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:308

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\CompressTest.pdf"
1⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:5016

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\CompressTest.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F56C589BB02446AC1A251E208C5EF3FD --mojo-platform-channel-handle=1596 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4168
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=7BBD0B6CE77DFA4E58D4706DC920D239 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=7BBD0B6CE77DFA4E58D4706DC920D239 --renderer-client-id=2 --mojo-platform-channel-handle=1664 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4392
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3AF665B559F1EF3EF82EC00C8F36AB59 --mojo-platform-channel-handle=2168 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4776
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=20EF70D3205B1CC60730A7052CE0A7DA --mojo-platform-channel-handle=2200 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4516
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C7ED530FE2BF7C71DDAB26FD86F70AED --mojo-platform-channel-handle=1712 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4488
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  PID:3784

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\ClearSave.png" /ForceBootstrapPaint3D
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4988

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
1⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:1568

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1280 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2100

C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
"C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe" -ServerName:Microsoft.MSPaint.AppX437q68k2qc2asvaagas2prv9tjej6ja9.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5064
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5064 -s 2764
  2⤵
  - Program crash
  PID:4560

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6RO0PN6W\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\6VFNBFMV.cookie

Filesize
243B

MD5
33fd2643ed2c940555e697623a0dc4b0

SHA1
5c14dc996691245a49070f2977fc3c9763ce4599

SHA256
86a7c413501801a59b9da20314ef4256f00a48c48f7c8875a7d5a7645e943406

SHA512
f769ae1d18b5b3fb483d3d35f2ff1fd6354bf46b35c37f3919459638b79e1dde9ae2e93bcc82fa815192f124dc8817c4b4a978c3a636c3f0828eb3c3e027951a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\VAH0KDGR.cookie

Filesize
614B

MD5
182966d1487f7bcf85435e64015c45b2

SHA1
d9145b716c9c7f5c93dc1af44396653020066561

SHA256
df9bf5e5ef9eff2da370e314414026292ac0f5989e10004876f7c5424208ff46

SHA512
90c4b669b4bb8909c1857eb6f53db935b4108153fcf18d245d69f88b21789f0f5312ab01272ef2e498d303ceefb58eb948d67bba62a5e67d7578a6ca3919787e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\cloudCommunitySettings.json

Filesize
2KB

MD5
404a3ec24e3ebf45be65e77f75990825

SHA1
1e05647cf0a74cedfdeabfa3e8ee33b919780a61

SHA256
cc45905af3aaa62601a69c748a06a2fa48eca3b28d44d8ec18764a7e8e4c3da2

SHA512
a55382b72267375821b0a229d3529ed54cef0f295f550d1e95661bafccec606aa1cd72e059d37d78e7d2927ae72e2919941251d233152f5eeb32ffdfc96023e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\KnoB486.tmp

Filesize
88KB

MD5
002d5646771d31d1e7c57990cc020150

SHA1
a28ec731f9106c252f313cca349a68ef94ee3de9

SHA256
1e2e25bf730ff20c89d57aa38f7f34be7690820e8279b20127d0014dd27b743f

SHA512
689e90e7d83eef054a168b98ba2b8d05ab6ff8564e199d4089215ad3fe33440908e687aa9ad7d94468f9f57a4cc19842d53a9cd2f17758bdadf0503df63629c6

Download Submit
memory/308-121-0x00007FF8A6CD0000-0x00007FF8A6CE0000-memory.dmp

Filesize
64KB

Download
memory/308-122-0x00007FF8A6CD0000-0x00007FF8A6CE0000-memory.dmp

Filesize
64KB

Download
memory/308-123-0x00007FF8A6CD0000-0x00007FF8A6CE0000-memory.dmp

Filesize
64KB

Download
memory/308-124-0x00007FF8A6CD0000-0x00007FF8A6CE0000-memory.dmp

Filesize
64KB

Download
memory/308-133-0x00007FF8A4180000-0x00007FF8A4190000-memory.dmp

Filesize
64KB

Download
memory/308-134-0x00007FF8A4180000-0x00007FF8A4190000-memory.dmp

Filesize
64KB

Download