Analysis

max time kernel: 186s
max time network: 215s
platform: windows10-2004_x64
resource: win10v2004-20240221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-02-2024 07:15

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
  Sample: https://drive.google.com/file/d/12kR1UzD6iJ423jxMUj8R4eS2E9CGnt-e/view
  Resource: win10v2004-20240221-en

General

Target: https://drive.google.com/file/d/12kR1UzD6iJ423jxMUj8R4eS2E9CGnt-e/view
Malware Config

Signatures
Modifies Installed Components in the registry (2 TTPs, 3 IoCs)

description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Enumerates connected drives (3 TTPs, 6 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

description | ioc | Process
File opened (read-only) | \??\D: | explorer.exe
File opened (read-only) | \??\F: | explorer.exe
File opened (read-only) | \??\D: | explorer.exe
File opened (read-only) | \??\F: | explorer.exe
File opened (read-only) | \??\D: | explorer.exe
File opened (read-only) | \??\F: | explorer.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
The three flagged flows all go to drive.google.com, which is the host of the submitted URL itself; the report lists no other network destination.

flow | ioc
9 | drive.google.com
11 | drive.google.com
12 | drive.google.com
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
In this run every listed access is made by explorer.exe (the Windows shell), not by a process started from the submitted URL. The keys describe the analysis VM's own storage: a Disk and a CdRom reporting vendor DADY, and two Msft Virtual DVD-ROM devices.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | explorer.exe
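The signature text explains why SCSI keys get read, but the table is hard to interpret as a wall of key paths. The following Python is an added editorial example, not part of the Triage report, that parses the Enum\SCSI key paths into (device class, vendor, product, instance) tuples, collapses the accesses per device, and flags vendor or product strings that name hypervisor storage. The marker list is the editor's assumption about common virtual-hardware identifiers (Hyper-V exposes its synthetic drives as "Msft Virtual ..."; VMware, VBOX and QEMU are the strings those hypervisors put in SCSI inquiry data). The sample input is a subset of the rows above; "DADY" is left unclassified because the report does not say what it is.

```python
import re

# Registry key paths copied from the "Checks SCSI registry key(s)" table above
# (a representative subset; constructed input for this example).
SAMPLE_KEYS = [
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001",
]

# Substrings that identify virtual or emulated storage (editor's assumption,
# not taken from the report): Hyper-V uses "Msft Virtual ...", the rest are
# the vendor strings VMware, VirtualBox and QEMU/KVM present to the guest.
VIRTUAL_MARKERS = ("MSFT", "VIRTUAL", "VMWARE", "VBOX", "QEMU")

# SCSI device instance path layout under Enum\SCSI:
#   <class>&Ven_<vendor>&Prod_<product>\<instance id>[\<subkey>...]
DEVICE_RE = re.compile(
    r"\\Enum\\SCSI\\(?P<cls>[^&\\]+)&Ven_(?P<ven>[^&\\]+)&Prod_(?P<prod>[^\\]+)\\(?P<inst>[^\\]+)",
    re.IGNORECASE,
)


def parse_scsi_key(path):
    """Return (class, vendor, product, instance) for an Enum\\SCSI key path,
    or None if the path is not a SCSI device key."""
    m = DEVICE_RE.search(path)
    if not m:
        return None
    return (m.group("cls"), m.group("ven"), m.group("prod"), m.group("inst"))


def looks_virtual(vendor, product):
    """True if the vendor or product string names a known hypervisor's storage."""
    text = f"{vendor} {product}".upper()
    return any(marker in text for marker in VIRTUAL_MARKERS)


def summarize(keys):
    """Collapse per-key accesses into one record per device.
    Returns {(class, vendor, product, instance): {"accesses": n, "virtual": bool}}."""
    devices = {}
    for key in keys:
        parsed = parse_scsi_key(key)
        if parsed is None:
            continue  # not a SCSI device key (e.g. a HARDWARE\DESCRIPTION path)
        rec = devices.setdefault(
            parsed, {"accesses": 0, "virtual": looks_virtual(parsed[1], parsed[2])}
        )
        rec["accesses"] += 1
    return devices


if __name__ == "__main__":
    for (cls, ven, prod, inst), info in summarize(SAMPLE_KEYS).items():
        flag = "VIRTUAL" if info["virtual"] else "unknown"
        print(f"{cls:6} {ven:5} {prod:16} {inst:22} accesses={info['accesses']} {flag}")
```

Run over the full 64-row table the same code reduces it to four devices; the FriendlyName values are what a sample would compare against its own marker list, so a sandbox operator can use the same parser in reverse to see which vendor strings the image exposes.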
Enumerates system info in registry (2 TTPs, 3 IoCs)

description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies registry class (33 IoCs)

description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\MuiCache | SearchApp.exe
Key created | \REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\MuiCache | StartMenuExperienceHost.exe
Key created | \REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000 | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3538781373-1545967067-4263767959-1000\{1C68E469-A199-4CA7-852E-02E912777257} | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000 | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3538781373-1545967067-4263767959-1000\{20C6CC07-0D70-4A3C-A4FB-CC8726B96A21} | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000 | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\MuiCache | StartMenuExperienceHost.exe
Key created | \REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3538781373-1545967067-4263767959-1000\{08720BCC-3224-46EC-A228-6F176B9B5A76} | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)

pid | Process | entries
4792 | msedge.exe | 2
4780 | msedge.exe | 2
4920 | identity_helper.exe | 2
1192 | msedge.exe | 4
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)

pid | Process | entries
4780 | msedge.exe | 7
Suspicious use of AdjustPrivilegeToken (64 IoCs)
The 64 entries alternate between the two privileges for each process; totals per token and process:

Token | pid | Process | entries
SeShutdownPrivilege | 4476 | explorer.exe | 17
SeCreatePagefilePrivilege | 4476 | explorer.exe | 17
SeShutdownPrivilege | 2956 | explorer.exe | 15
SeCreatePagefilePrivilege | 2956 | explorer.exe | 15
Suspicious use of FindShellTrayWindow (64 IoCs)
Entries for the different processes are interleaved in time; totals per process:

pid | Process | entries
4476 | explorer.exe | 17
4780 | msedge.exe | 25
2956 | explorer.exe | 17
2920 | explorer.exe | 5
Suspicious use of SendNotifyMessage (57 IoCs)
Entries for the different processes are interleaved in time; totals per process:

pid | Process | entries
4476 | explorer.exe | 11
4780 | msedge.exe | 24
2956 | explorer.exe | 11
2920 | explorer.exe | 11
Suspicious use of SetWindowsHookEx (3 IoCs)

pid | Process
4476 | explorer.exe
5060 | StartMenuExperienceHost.exe
4932 | StartMenuExperienceHost.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Every entry is the Edge browser process (PID 4780) writing into one of its own child processes; totals per target:

description | pid | Process | procid_target | entries
PID 4780 wrote to memory of 4692 | 4780 | msedge.exe | 90 | 2
PID 4780 wrote to memory of 3404 | 4780 | msedge.exe | 93 | 40
PID 4780 wrote to memory of 4792 | 4780 | msedge.exe | 94 | 2
PID 4780 wrote to memory of 4368 | 4780 | msedge.exe | 95 | 20
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/12kR1UzD6iJ423jxMUj8R4eS2E9CGnt-e/view
  PID: 4780
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9e19346f8,0x7ff9e1934708,0x7ff9e1934718
      PID: 4692

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,17165412874277352663,5752317545022625380,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
      PID: 3404

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,17165412874277352663,5752317545022625380,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
      PID: 4792
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,17165412874277352663,5752317545022625380,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2540 /prefetch:8
      PID: 4368

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17165412874277352663,5752317545022625380,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
      PID: 3612

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17165412874277352663,5752317545022625380,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
      PID: 3700

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17165412874277352663,5752317545022625380,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
      PID: 2144

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17165412874277352663,5752317545022625380,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
      PID: 1300

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17165412874277352663,5752317545022625380,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4000 /prefetch:1
      PID: 3408

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17165412874277352663,5752317545022625380,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
      PID: 3748

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,17165412874277352663,5752317545022625380,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4800 /prefetch:8
      PID: 1836

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,17165412874277352663,5752317545022625380,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4800 /prefetch:8
      PID: 4920
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17165412874277352663,5752317545022625380,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
      PID: 3528
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,17165412874277352663,5752317545022625380,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4272 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:1192
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4476
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies registry class
PID:3192
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3780
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1388
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5060
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2956
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4932
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2920
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:4992
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:4200
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3096
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:1448
Network
MITRE ATT&CK Enterprise v15
Downloads