hxxps://www[.]mediafire[.]com/file/t9usn5skz63s9p9/Sipari%C5%9F+%C3%96zellikleri+pdf[.]tgz/file

max time kernel
591s
max time network
490s
platform
windows11-21h2_x64
resource
win11-20231129-en
resource tags

arch:x64arch:x86image:win11-20231129-enlocale:en-usos:windows11-21h2-x64system
submitted
05-12-2023 11:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/t9usn5skz63s9p9/Sipari%C5%9F+%C3%96zellikleri+pdf.tgz/file

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1775518073-212450634-1590692733-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1775518073-212450634-1590692733-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133462498759686503"	chrome.exe

Modifies registry class 7 IoCs

Processes:

explorer.exeMiniSearchHost.exerundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-1775518073-212450634-1590692733-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1775518073-212450634-1590692733-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1775518073-212450634-1590692733-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1775518073-212450634-1590692733-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1775518073-212450634-1590692733-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1775518073-212450634-1590692733-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1775518073-212450634-1590692733-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

explorer.exe

pid process

4812 explorer.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

1412 chrome.exe
1412 chrome.exe
228 chrome.exe
228 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

4812 explorer.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

chrome.exe

pid process

1412 chrome.exe
1412 chrome.exe
1412 chrome.exe
1412 chrome.exe
1412 chrome.exe
1412 chrome.exe
1412 chrome.exe
1412 chrome.exe

pid	process
4812	explorer.exe

pid	process
4812	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1412	chrome.exe
Token: SeCreatePagefilePrivilege	1412	chrome.exe
Token: SeShutdownPrivilege	1412	chrome.exe
Token: SeCreatePagefilePrivilege	1412	chrome.exe
Token: SeShutdownPrivilege	1412	chrome.exe
Token: SeCreatePagefilePrivilege	1412	chrome.exe
Token: SeShutdownPrivilege	1412	chrome.exe
Token: SeCreatePagefilePrivilege	1412	chrome.exe
Token: SeShutdownPrivilege	1412	chrome.exe
Token: SeCreatePagefilePrivilege	1412	chrome.exe
Token: SeShutdownPrivilege	1412	chrome.exe
Token: SeCreatePagefilePrivilege	1412	chrome.exe
Token: SeShutdownPrivilege	1412	chrome.exe
Token: SeCreatePagefilePrivilege	1412	chrome.exe
Token: SeShutdownPrivilege	1412	chrome.exe
Token: SeCreatePagefilePrivilege	1412	chrome.exe
Token: SeShutdownPrivilege	1412	chrome.exe
Token: SeCreatePagefilePrivilege	1412	chrome.exe
Token: SeShutdownPrivilege	1412	chrome.exe
Token: SeCreatePagefilePrivilege	1412	chrome.exe
Token: SeShutdownPrivilege	1412	chrome.exe
Token: SeCreatePagefilePrivilege	1412	chrome.exe
Token: SeShutdownPrivilege	1412	chrome.exe
Token: SeCreatePagefilePrivilege	1412	chrome.exe
Token: SeShutdownPrivilege	1412	chrome.exe
Token: SeCreatePagefilePrivilege	1412	chrome.exe
Token: SeShutdownPrivilege	1412	chrome.exe
Token: SeCreatePagefilePrivilege	1412	chrome.exe
Token: SeShutdownPrivilege	1412	chrome.exe
Token: SeCreatePagefilePrivilege	1412	chrome.exe
Token: SeShutdownPrivilege	1412	chrome.exe
Token: SeCreatePagefilePrivilege	1412	chrome.exe
Token: SeShutdownPrivilege	1412	chrome.exe
Token: SeCreatePagefilePrivilege	1412	chrome.exe
Token: SeShutdownPrivilege	1412	chrome.exe
Token: SeCreatePagefilePrivilege	1412	chrome.exe
Token: SeShutdownPrivilege	1412	chrome.exe
Token: SeCreatePagefilePrivilege	1412	chrome.exe
Token: SeShutdownPrivilege	1412	chrome.exe
Token: SeCreatePagefilePrivilege	1412	chrome.exe
Token: SeShutdownPrivilege	1412	chrome.exe
Token: SeCreatePagefilePrivilege	1412	chrome.exe
Token: SeShutdownPrivilege	1412	chrome.exe
Token: SeCreatePagefilePrivilege	1412	chrome.exe
Token: SeShutdownPrivilege	1412	chrome.exe
Token: SeCreatePagefilePrivilege	1412	chrome.exe
Token: SeShutdownPrivilege	1412	chrome.exe
Token: SeCreatePagefilePrivilege	1412	chrome.exe
Token: SeShutdownPrivilege	1412	chrome.exe
Token: SeCreatePagefilePrivilege	1412	chrome.exe
Token: SeShutdownPrivilege	1412	chrome.exe
Token: SeCreatePagefilePrivilege	1412	chrome.exe
Token: SeShutdownPrivilege	1412	chrome.exe
Token: SeCreatePagefilePrivilege	1412	chrome.exe
Token: SeShutdownPrivilege	1412	chrome.exe
Token: SeCreatePagefilePrivilege	1412	chrome.exe
Token: SeShutdownPrivilege	1412	chrome.exe
Token: SeCreatePagefilePrivilege	1412	chrome.exe
Token: SeShutdownPrivilege	1412	chrome.exe
Token: SeCreatePagefilePrivilege	1412	chrome.exe
Token: SeShutdownPrivilege	1412	chrome.exe
Token: SeCreatePagefilePrivilege	1412	chrome.exe
Token: SeShutdownPrivilege	1412	chrome.exe
Token: SeCreatePagefilePrivilege	1412	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

Processes:

chrome.exeexplorer.exe

pid	process
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
4812	explorer.exe
1412	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

chrome.exe

pid	process
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MiniSearchHost.exe

pid process

5028 MiniSearchHost.exe

pid	process
5028	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1412 wrote to memory of 3076	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 3076	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 5052	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 5052	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 5052	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 5052	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 5052	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 5052	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 5052	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 5052	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 5052	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 5052	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 5052	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 5052	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 5052	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 5052	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 5052	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 5052	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 5052	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 5052	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 5052	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 5052	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 5052	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 5052	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 5052	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 5052	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 5052	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 5052	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 5052	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 5052	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 5052	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 5052	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 5052	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 5052	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 5052	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 5052	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 5052	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 5052	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 5052	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 5052	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 3712	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 3712	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 4828	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 4828	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 4828	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 4828	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 4828	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 4828	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 4828	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 4828	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 4828	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 4828	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 4828	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 4828	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 4828	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 4828	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 4828	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 4828	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 4828	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 4828	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 4828	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 4828	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 4828	1412	chrome.exe	chrome.exe
PID 1412 wrote to memory of 4828	1412	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.mediafire.com/file/t9usn5skz63s9p9/Sipari%C5%9F+%C3%96zellikleri+pdf.tgz/file
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff8c2e9758,0x7fff8c2e9768,0x7fff8c2e9778
2⤵
PID:3076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1568 --field-trial-handle=1812,i,2039469463313852744,17765271421666797396,131072 /prefetch:2
2⤵
PID:5052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=1812,i,2039469463313852744,17765271421666797396,131072 /prefetch:8
2⤵
PID:3712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2136 --field-trial-handle=1812,i,2039469463313852744,17765271421666797396,131072 /prefetch:8
2⤵
PID:4828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3028 --field-trial-handle=1812,i,2039469463313852744,17765271421666797396,131072 /prefetch:1
2⤵
PID:4652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3020 --field-trial-handle=1812,i,2039469463313852744,17765271421666797396,131072 /prefetch:1
2⤵
PID:4756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3640 --field-trial-handle=1812,i,2039469463313852744,17765271421666797396,131072 /prefetch:1
2⤵
PID:2340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3028 --field-trial-handle=1812,i,2039469463313852744,17765271421666797396,131072 /prefetch:1
2⤵
PID:1608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4412 --field-trial-handle=1812,i,2039469463313852744,17765271421666797396,131072 /prefetch:8
2⤵
PID:2364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4512 --field-trial-handle=1812,i,2039469463313852744,17765271421666797396,131072 /prefetch:8
2⤵
PID:2856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4024 --field-trial-handle=1812,i,2039469463313852744,17765271421666797396,131072 /prefetch:1
2⤵
PID:3228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2416 --field-trial-handle=1812,i,2039469463313852744,17765271421666797396,131072 /prefetch:1
2⤵
PID:1864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2488 --field-trial-handle=1812,i,2039469463313852744,17765271421666797396,131072 /prefetch:1
2⤵
PID:2220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3052 --field-trial-handle=1812,i,2039469463313852744,17765271421666797396,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4488 --field-trial-handle=1812,i,2039469463313852744,17765271421666797396,131072 /prefetch:1
2⤵
PID:3752

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3936

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5028

C:\Windows\System32\control.exe
"C:\Windows\System32\control.exe" "C:\Windows\system32\appwiz.cpl",
1⤵
PID:4116

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\appwiz.cpl",
2⤵
- Modifies registry class
PID:340

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:496

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:4812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
95eb4a29b03e4c7a114b8a5487ee0a99

SHA1
699c2be4efb696f195a59256c871803ffc1f64e0

SHA256
5942c521bde96f63b32398ac78f78cf894e280dac8a41b8a672e595b1f10a0d8

SHA512
1de52c850c69e904716551a085eb1433b9980b9c0edebf985d24d47e886ad31f88a4f665899f7930a8b414c072c40298c019ba1081c94894e6a1a19ba3af428b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
a0045b482ad89306975408541d60b3d3

SHA1
10f6b824c9c9e6adfdd2cd53c3ee892ae3f70797

SHA256
3963494b0f5f3f182896ddc72b760a1f67d7cefc15460d683f9e0bb76df87cc3

SHA512
f5b6495c8ef372d3f7a0bdb50db8b4af0cbc87b9e134ae25eb47fc8526a5bc6febc22a2df8ee005d963245b9082625df9fb03fb4c8dea9e97e74e8c87a940213

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
d52a1958cdf3ffcc5fe6790019af1232

SHA1
0f5972449d901e6ec9664264a11e3a5b7c077d34

SHA256
f04717ade25ddadc2b1a384e7e3673d698028e2a77bcadc8f2ac6206cdd2692c

SHA512
ae77d950739214f39de730287864bda0326345726e7c57185cb7115c889a480ad1b1e860586ae2b01633899c5cff6624b95657e471870eb8aeedd2d531ef84e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
a9f761c0c3af8dea52674c9ac6998a12

SHA1
ece676579c4ef712f819dcf642c4afbfbc4d532e

SHA256
79f683d4f20a3364a1de4704a2ae6b7c8f2e7776e184392144b05896e09811f8

SHA512
b3fc8c141b6c2a23bb5d3526ab2ec75d03e923e8e2edeb8e4b436c770d1b65636e3f23ca35817d6c945c26ab865aeac6bc40292c42e2c456584da3ae25e28d80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
71f91f46cf6573340f6cf21490ba5b39

SHA1
7e945f7c5876bfacfa4ce4a8b133b00048d56561

SHA256
d780d105db5a50d1719246da2ea1ab5f78bb6baedafe98424995a0b4039add54

SHA512
f39f96c6e33bf7936eaffa887d9471cee9079e324c8695a1af5984643ef2f4590877aad6ed66ba3a817255351885a2c58109a46915f14b6d59655d11086fe7e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
3KB

MD5
fcf254942127e0bc48b4061341730d62

SHA1
d48c5e1803b5c30ec8ad9c648e629eb84987f567

SHA256
7401981ca275cc7e083869bf593cc37c0e4bdb9bd742ac293eb5463ea5064ca5

SHA512
150ecf615d02ba4284128ec8fe75874dde56b1e36192fc6beb59ad15628044eabe2733a4e47d414cffa405d35edcb3aa4a11cf62aeb18e0e92148085c90fed01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
3KB

MD5
3cf00129e0b655194decc24428eb8ddc

SHA1
1026971727d3160af34dd7f0bed7282464599cb0

SHA256
6ad53c05ea772e8860e3a1245f094e8b683e4ea33108b50512722014fe501e87

SHA512
9833d136538d761eb4d3f9fa76837ee6928fbeb633a89b01ce802530d641d6049fb9a33e176da1b0bd4460e9ba2233d5a9fff341c1c133387d4ae2b182c149e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
11b9524d42fa6cc4924edc07fcbcd85a

SHA1
248a07da07846c965ef236fa3d80f97bb58435bc

SHA256
0e79a246698fc1a237f7dcc59842a7c599eb41519b34a3f037099f8d5edbac35

SHA512
d64af508a860e4e866d544bd1abca123e2d10f34fc3dce0f7568379c37e66715b76d66ebf050d6481990fda7901353cae41777ad5624b5894039d5b9da1f59cc

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
9dbab3f78763e67f2131139c441767b6

SHA1
02d2cf67975c72156dd25eafb20eef622e28b9eb

SHA256
0036b9438e6a9d4a1e6815c18a3e4baf8df9feae130914cbaf7e0d2e9b6e8a08

SHA512
574536d6f3e28c81f3c3900c62fee1f3c8bd3a40cde938ce2f34f145c509b9e8d67be5577742f2de908939f876f4db499020d7c26a636425845c92b37a70ea9d

Download Submit
\??\pipe\crashpad_1412_AFOWNETTFCVNYPMW

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit