hxxps://onedrive[.]live[.]com/?authkey=%21AJbOPF2tnEGLnQ0&cid=A974D3F8C4F36B77&id=A974D3F8C4F36B77%21241&parId=A974D3F8C4F36B77%21106&o=OneUp

Resubmissions

21/02/2024, 16:27

240221-tyk68sbd93 5

21/02/2024, 16:23

240221-twa89aah41 1

Analysis

max time kernel
151s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240220-en
resource tags

arch:x64arch:x86image:win10v2004-20240220-enlocale:en-usos:windows10-2004-x64system
submitted
21/02/2024, 16:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://onedrive.live.com/?authkey=%21AJbOPF2tnEGLnQ0&cid=A974D3F8C4F36B77&id=A974D3F8C4F36B77%21241&parId=A974D3F8C4F36B77%21106&o=OneUp

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4123566616-543693798-272350410-1000_Classes\Local Settings	mspaint.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3216	msedge.exe
3216	msedge.exe
228	msedge.exe
228	msedge.exe
3368	identity_helper.exe
3368	identity_helper.exe
3400	msedge.exe
3400	msedge.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
3808	msedge.exe
1800	mspaint.exe
1800	mspaint.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1960	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3532	taskmgr.exe
Token: SeSystemProfilePrivilege	3532	taskmgr.exe
Token: SeCreateGlobalPrivilege	3532	taskmgr.exe
Token: 33	3532	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3532	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe
3532	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1800	mspaint.exe
1960	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 228 wrote to memory of 2296	228	msedge.exe	56
PID 228 wrote to memory of 2296	228	msedge.exe	56
PID 228 wrote to memory of 4564	228	msedge.exe	89
PID 228 wrote to memory of 4564	228	msedge.exe	89
PID 228 wrote to memory of 4564	228	msedge.exe	89
PID 228 wrote to memory of 4564	228	msedge.exe	89
PID 228 wrote to memory of 4564	228	msedge.exe	89
PID 228 wrote to memory of 4564	228	msedge.exe	89
PID 228 wrote to memory of 4564	228	msedge.exe	89
PID 228 wrote to memory of 4564	228	msedge.exe	89
PID 228 wrote to memory of 4564	228	msedge.exe	89
PID 228 wrote to memory of 4564	228	msedge.exe	89
PID 228 wrote to memory of 4564	228	msedge.exe	89
PID 228 wrote to memory of 4564	228	msedge.exe	89
PID 228 wrote to memory of 4564	228	msedge.exe	89
PID 228 wrote to memory of 4564	228	msedge.exe	89
PID 228 wrote to memory of 4564	228	msedge.exe	89
PID 228 wrote to memory of 4564	228	msedge.exe	89
PID 228 wrote to memory of 4564	228	msedge.exe	89
PID 228 wrote to memory of 4564	228	msedge.exe	89
PID 228 wrote to memory of 4564	228	msedge.exe	89
PID 228 wrote to memory of 4564	228	msedge.exe	89
PID 228 wrote to memory of 4564	228	msedge.exe	89
PID 228 wrote to memory of 4564	228	msedge.exe	89
PID 228 wrote to memory of 4564	228	msedge.exe	89
PID 228 wrote to memory of 4564	228	msedge.exe	89
PID 228 wrote to memory of 4564	228	msedge.exe	89
PID 228 wrote to memory of 4564	228	msedge.exe	89
PID 228 wrote to memory of 4564	228	msedge.exe	89
PID 228 wrote to memory of 4564	228	msedge.exe	89
PID 228 wrote to memory of 4564	228	msedge.exe	89
PID 228 wrote to memory of 4564	228	msedge.exe	89
PID 228 wrote to memory of 4564	228	msedge.exe	89
PID 228 wrote to memory of 4564	228	msedge.exe	89
PID 228 wrote to memory of 4564	228	msedge.exe	89
PID 228 wrote to memory of 4564	228	msedge.exe	89
PID 228 wrote to memory of 4564	228	msedge.exe	89
PID 228 wrote to memory of 4564	228	msedge.exe	89
PID 228 wrote to memory of 4564	228	msedge.exe	89
PID 228 wrote to memory of 4564	228	msedge.exe	89
PID 228 wrote to memory of 4564	228	msedge.exe	89
PID 228 wrote to memory of 4564	228	msedge.exe	89
PID 228 wrote to memory of 3216	228	msedge.exe	90
PID 228 wrote to memory of 3216	228	msedge.exe	90
PID 228 wrote to memory of 2112	228	msedge.exe	91
PID 228 wrote to memory of 2112	228	msedge.exe	91
PID 228 wrote to memory of 2112	228	msedge.exe	91
PID 228 wrote to memory of 2112	228	msedge.exe	91
PID 228 wrote to memory of 2112	228	msedge.exe	91
PID 228 wrote to memory of 2112	228	msedge.exe	91
PID 228 wrote to memory of 2112	228	msedge.exe	91
PID 228 wrote to memory of 2112	228	msedge.exe	91
PID 228 wrote to memory of 2112	228	msedge.exe	91
PID 228 wrote to memory of 2112	228	msedge.exe	91
PID 228 wrote to memory of 2112	228	msedge.exe	91
PID 228 wrote to memory of 2112	228	msedge.exe	91
PID 228 wrote to memory of 2112	228	msedge.exe	91
PID 228 wrote to memory of 2112	228	msedge.exe	91
PID 228 wrote to memory of 2112	228	msedge.exe	91
PID 228 wrote to memory of 2112	228	msedge.exe	91
PID 228 wrote to memory of 2112	228	msedge.exe	91
PID 228 wrote to memory of 2112	228	msedge.exe	91
PID 228 wrote to memory of 2112	228	msedge.exe	91
PID 228 wrote to memory of 2112	228	msedge.exe	91

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://onedrive.live.com/?authkey=%21AJbOPF2tnEGLnQ0&cid=A974D3F8C4F36B77&id=A974D3F8C4F36B77%21241&parId=A974D3F8C4F36B77%21106&o=OneUp
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc0e0946f8,0x7ffc0e094708,0x7ffc0e094718
  2⤵
  PID:2296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,10879938333691767788,2046966772694682667,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,10879938333691767788,2046966772694682667,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,10879938333691767788,2046966772694682667,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
  2⤵
  PID:2112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10879938333691767788,2046966772694682667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
  2⤵
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10879938333691767788,2046966772694682667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10879938333691767788,2046966772694682667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
  2⤵
  PID:3632
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,10879938333691767788,2046966772694682667,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,10879938333691767788,2046966772694682667,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2152,10879938333691767788,2046966772694682667,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5620 /prefetch:8
  2⤵
  PID:2360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10879938333691767788,2046966772694682667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
  2⤵
  PID:2932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10879938333691767788,2046966772694682667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
  2⤵
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10879938333691767788,2046966772694682667,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
  2⤵
  PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10879938333691767788,2046966772694682667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:3816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10879938333691767788,2046966772694682667,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
  2⤵
  PID:2856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,10879938333691767788,2046966772694682667,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1804 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,10879938333691767788,2046966772694682667,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4832 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3808

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3816

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3844

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:3532

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2672

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\Batch_Video_Processor_v1.535\Batch_Video_Processor_v1.535\Denoiser\Side-by-Side setup.jpg" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1800

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:1852

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fdf4a759acd43c3d54213b9de2bbe047

SHA1
81da78a0894c8742292af1057383e39588df4e95

SHA256
60ad530f2bdc411f4c0e1437b28896dc9c45a950a93cb3c2cc9e1ae70b629b7d

SHA512
4569267b06df28b47f87d666cad4cc63151ddfbe494a26a8ccbc9375fb333596c329778372d2dce5cb53037ca6b731bc9d0bec52eb18e0899e6555600bb305d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
89cbb20cdb08953be45a7ce57ff680fe

SHA1
8dac492c4f5fdd777f4947d58cc0948664688d9d

SHA256
9b2cf9b97e1df21a5591ea406c579d3d62949a085012b136a06026ba48ce9ff4

SHA512
b32ffc555641fed2fe0afe144dd5470f6eb01fae9f891c43e5217e231ff730a0bf7239030c12e54a7f3ad2c2c43d7322bef5bc5f57e002246fff3d0d5a86a464

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
888B

MD5
bc9358caf3c3c48aa394efdb1fc8bd7a

SHA1
ca0259a182838f48cd0b0c8105f65a0012feda03

SHA256
f6ee729cba78c831d2ece0deaf74f9e5945f8a3d7fb079d61f2e4a1416ef2931

SHA512
6b79f61ca7ddb11fc5d6ed62d4062f2e072e6db5bbfc00c3fe90228e3464d32131f581f4c4329a746345684895e65e32c38f33eaf4a023477109f9fd54027ab3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
660B

MD5
ff1a69b49140952fd1a4f1df6096c5b2

SHA1
c952ada69ffed26695b5b042b85e1d5a0f41dab5

SHA256
c5ea632122f9e2208b8704035e00c9046cbff0cdc64a2d876a134021ad3c59a7

SHA512
660cd1a27d1f2f2feb054a3893351534ecf6ebf108c85d702e06ef9f08efa271bd65342feae18ec1489ab10d672e4152f98b71ea7756f4dc713c66da32c93a0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6da96c8aa8b339c187102d807f1b4d10

SHA1
c53d3b864aa0e8519da515ee7426fbfcf31b6094

SHA256
ab7a89860b4ec3df4ccd1f1c1f2d21715da22c842c47837d4df2e5232142df31

SHA512
a9f2fdfd89a4dbe29657961765cc1ba2000a063ab03d28c3af5a98b3c363890c63f9e1a34e792e783875695c4eb6ca38f7b7d08de0af1c403570b491f5ec9f89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cc07061cfde48d32aa300fca57eeac53

SHA1
38041b3240916bcd523f1eede7060f51f9722e31

SHA256
a62cd4eff72c5fcebc99081146ded81ee7ecfbafe23a013af8b775b35606a012

SHA512
a8c8e41f1b2bdff71ea9f0286726b0526b08c789ff34642d241f8ebb8d95387f009e02d4e9676a0e3c32878ca5bb250c43632e7d7e432673eb51926c142a357e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bb3efc50f7da86abfff5e2008ffd0dc6

SHA1
14bebf135f538c746472cf6ecaa31e579c9c09f5

SHA256
766fc571233f5090ec4f5140a85e5c62ff712b852c19bbdd71eeabd54bdc8279

SHA512
fe11f70e00faf626cd3cac7630b315c24840dcb40533ba7abbd644c254a986811d300b0efd3765780ed243d4173a72b845072b6fc9a048af545425fc71b7f03b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cc38a0c9c3c9c2356e59aec359f63b9d

SHA1
e6b5909b5a014629f5973e66a1f4a145a966b733

SHA256
4ce37b686b043d1fc90c26ca10ae15271c3b3e84b7046be6c9997f1c8ae85209

SHA512
264d1787f6c3cda79351b83354595b21a11f880e0767a4d96cfd82ddbbb957beb0f0787a03d725b9264647ddd4653d03e2e0cd370d89f050e1e5ee9c25194917

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2a2bb37baa927a68efa3539be8a5b202

SHA1
f8d9108752ec57e4f92b404ba4e6afcea8d60320

SHA256
2a0f025ecd640a085f409683dfe8ff57b3088cb7eda787a59d2747d4dbbf5c85

SHA512
939c75c844ba3edf8768431ba01281fa661f31cc4a15ed2575d67578d517fca15018a78fbf364a85060417bfbd2b9676d37623185121161b1c744d4b71164834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57b602.TMP

Filesize
1KB

MD5
00a20673c0c1fc23496f24e5099cbc2a

SHA1
de0e68f6e977a407d7a2270c3c23daa8e5776f26

SHA256
c58c4098e34f4f02cd0a780936a832260350ebbbb7f46041ad7e2126b56c3bd4

SHA512
81bb2c3c5e5afb13a1121938887511f312a7a8db8efb0563991450e5cf23677a844a95849ae2dc369632fbd4acd2c3e7a76ea1cb5f15fc84348d468d7c26165a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b4937d52344b01f07c127735a10d16de

SHA1
c49b5f0cf5a66bb46ee9d5bed95b21ae96249629

SHA256
da77f3ee901d105e1b8e9acfdea59829c293d55419530bf4b16814043391aca2

SHA512
7a0c9b0998eb9592f70b7ea0044c86a9ab2807089013fa3a2517e781bc605ddf6e557e0692f3873b07cfbce159a5556efeb2cf74da21b8e87c5ecc89378812c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
6085ff0b5caec4124aeacd9f5309c3dc

SHA1
7058e61ab26d597370ced9e97e1c54cf385ba158

SHA256
224225bf0063426ca4a11a33505bd66eba8eefb0fea8dd4ee9156540ce4acff8

SHA512
0df90160b09b3e842a0a612b302be498a1258f4f27b028dfaef19c0cc70104a5e2d83c0ab3a3da2707f9b84dba1aa4e4e4087dbf274adae9cabdb4bd32220e82

Download Submit
memory/1852-243-0x0000016D7BE60000-0x0000016D7BE70000-memory.dmp

Filesize
64KB

Download
memory/1852-239-0x0000016D7B5A0000-0x0000016D7B5B0000-memory.dmp

Filesize
64KB

Download
memory/1852-258-0x0000016D7C250000-0x0000016D7C251000-memory.dmp

Filesize
4KB

Download
memory/1852-257-0x0000016D7C250000-0x0000016D7C251000-memory.dmp

Filesize
4KB

Download
memory/1852-256-0x0000016D7C240000-0x0000016D7C241000-memory.dmp

Filesize
4KB

Download
memory/1852-255-0x0000016D7C240000-0x0000016D7C241000-memory.dmp

Filesize
4KB

Download
memory/1852-254-0x0000016D7C1B0000-0x0000016D7C1B1000-memory.dmp

Filesize
4KB

Download
memory/1852-252-0x0000016D7C1B0000-0x0000016D7C1B1000-memory.dmp

Filesize
4KB

Download
memory/1852-250-0x0000016D7C130000-0x0000016D7C131000-memory.dmp

Filesize
4KB

Download
memory/3532-222-0x000001F7DC920000-0x000001F7DC921000-memory.dmp

Filesize
4KB

Download
memory/3532-213-0x000001F7DC920000-0x000001F7DC921000-memory.dmp

Filesize
4KB

Download
memory/3532-225-0x000001F7DC920000-0x000001F7DC921000-memory.dmp

Filesize
4KB

Download
memory/3532-224-0x000001F7DC920000-0x000001F7DC921000-memory.dmp

Filesize
4KB

Download
memory/3532-223-0x000001F7DC920000-0x000001F7DC921000-memory.dmp

Filesize
4KB

Download
memory/3532-221-0x000001F7DC920000-0x000001F7DC921000-memory.dmp

Filesize
4KB

Download
memory/3532-214-0x000001F7DC920000-0x000001F7DC921000-memory.dmp

Filesize
4KB

Download
memory/3532-220-0x000001F7DC920000-0x000001F7DC921000-memory.dmp

Filesize
4KB

Download
memory/3532-219-0x000001F7DC920000-0x000001F7DC921000-memory.dmp

Filesize
4KB

Download
memory/3532-215-0x000001F7DC920000-0x000001F7DC921000-memory.dmp

Filesize
4KB

Download