419a1704c0a8cdd561a2e3ec7d0017cb618d6b5de6ade7d811e9cc17148dac54

Analysis

max time kernel
146s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 19:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kis21.3.10.391abcdefghijru_26486.exe
Size

2.6MB
MD5

a7c8d18cc2fa514b031db4ba23c5562d
SHA1

ceef6acf33b8ece42cda1cb7cac8f65114519c5d
SHA256

419a1704c0a8cdd561a2e3ec7d0017cb618d6b5de6ade7d811e9cc17148dac54
SHA512

2618ab2f6296d1e469d085f196f2407adceb58b5c89ed39a9ec7d785dffd2f63376048d6c5bfb9de14fd93d4fbc9d8a7aa68666bebef312fb1548bc538d2f9d0
SSDEEP

49152:RMvcUuh3ZLJvDr4EWw6hQzu1ZlIseRNvZxAjqzMp9/dDMVy:RSruh3pJHWDhb1Ze9RxAjqMDM

Score

7^/10

evasion trojan

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2132	kis21.3.10.391abcdefghijru_26486.exe

Checks for any installed AV software in registry 1 TTPs 45 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\KasperskyLab	kis21.3.10.391abcdefghijru_26486.exe
Key created	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\KasperskyLab\IEOverride	kis21.3.10.391abcdefghijru_26486.exe
Key opened	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Software\KasperskyLab\IEOverride	kis21.3.10.391abcdefghijru_26486.exe
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Expand Alt Text	kis21.3.10.391abcdefghijru_26486.exe
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Move System Caret	kis21.3.10.391abcdefghijru_26486.exe
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\KasperskyLab\IEOverride\Main\XDomainRequest	kis21.3.10.391abcdefghijru_26486.exe
Key opened	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\KasperskyLab\IEOverride\International\Scripts\3	kis21.3.10.391abcdefghijru_26486.exe
Key queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\KasperskyLab\IEOverride	kis21.3.10.391abcdefghijru_26486.exe
Key opened	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\KasperskyLab\IEOverride\Main	kis21.3.10.391abcdefghijru_26486.exe
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Print_Background	kis21.3.10.391abcdefghijru_26486.exe
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Q300829	kis21.3.10.391abcdefghijru_26486.exe
Key opened	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\KasperskyLab\IEOverride\Settings	kis21.3.10.391abcdefghijru_26486.exe
Key opened	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\KasperskyLab\IEOverride\AdvancedOptions\DISAMBIGUATION	kis21.3.10.391abcdefghijru_26486.exe
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Play_Animations	kis21.3.10.391abcdefghijru_26486.exe
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Disable Diagnostics Mode	kis21.3.10.391abcdefghijru_26486.exe
Key opened	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\KasperskyLab\IEOverride\Larger Hit Test	kis21.3.10.391abcdefghijru_26486.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\KasperskyLab\IEOverride\Main\UseSWRender = "1"	kis21.3.10.391abcdefghijru_26486.exe
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Disable Script Debugger	kis21.3.10.391abcdefghijru_26486.exe
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\KasperskyLab\IEOverride\Main\DisableScriptDebuggerIE	kis21.3.10.391abcdefghijru_26486.exe
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\KasperskyLab\IEOverride\Main\JScriptProfileCacheEventDelay	kis21.3.10.391abcdefghijru_26486.exe
Key opened	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\KasperskyLab\IEOverride\Text Scaling	kis21.3.10.391abcdefghijru_26486.exe
Key queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\KasperskyLab	kis21.3.10.391abcdefghijru_26486.exe
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\KasperskyLab\IEOverride\RtfConverterFlags	kis21.3.10.391abcdefghijru_26486.exe
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\KasperskyLab\IEOverride\Main\CSS_Compat	kis21.3.10.391abcdefghijru_26486.exe
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\KasperskyLab\IEOverride\Main\SmoothScroll	kis21.3.10.391abcdefghijru_26486.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Enable Browser Extensions = "no"	kis21.3.10.391abcdefghijru_26486.exe
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Play_Background_Sounds	kis21.3.10.391abcdefghijru_26486.exe
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Show image placeholders	kis21.3.10.391abcdefghijru_26486.exe
Key opened	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\KasperskyLab\IEOverride\International	kis21.3.10.391abcdefghijru_26486.exe
Key opened	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\KasperskyLab\IEOverride\Viewport	kis21.3.10.391abcdefghijru_26486.exe
Key opened	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\KasperskyLab\IEOverride\MenuExt	kis21.3.10.391abcdefghijru_26486.exe
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Use_DlgBox_Colors	kis21.3.10.391abcdefghijru_26486.exe
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Display Inline Images	kis21.3.10.391abcdefghijru_26486.exe
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Display Inline Videos	kis21.3.10.391abcdefghijru_26486.exe
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Enable AutoImageResize	kis21.3.10.391abcdefghijru_26486.exe
Key opened	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\KasperskyLab\IEOverride\International\Scripts	kis21.3.10.391abcdefghijru_26486.exe
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\KasperskyLab\IEOverride\Main\DOMStorage	kis21.3.10.391abcdefghijru_26486.exe
Key created	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Software\KasperskyLab\IEOverride\Main	kis21.3.10.391abcdefghijru_26486.exe
Key created	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\KasperskyLab\IEOverride\Main	kis21.3.10.391abcdefghijru_26486.exe
Key queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\KasperskyLab\IEOverride\Main	kis21.3.10.391abcdefghijru_26486.exe
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Anchor Underline	kis21.3.10.391abcdefghijru_26486.exe
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\KasperskyLab\IEOverride\Main\XMLHTTP	kis21.3.10.391abcdefghijru_26486.exe
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\KasperskyLab\IEOverride\Main\UseHR	kis21.3.10.391abcdefghijru_26486.exe
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\KasperskyLab\IEOverride\Main\Cleanup HTCs	kis21.3.10.391abcdefghijru_26486.exe
Key opened	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\KasperskyLab\IEOverride\Styles	kis21.3.10.391abcdefghijru_26486.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	kis21.3.10.391abcdefghijru_26486.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\main.cpl,-100#immutable1 = "Mouse"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sdcpl.dll,-101#immutable1 = "Backup and Restore (Windows 7)"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\Speech\SpeechUX\speechuxcpl.dll,-1#immutable1 = "Speech Recognition"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\netcenter.dll,-1#immutable1 = "Network and Sharing Center"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\SyncCenter.dll,-3000#immutable1 = "Sync Center"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\LogicalViewMode = "3"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\intl.cpl,-2#immutable1 = "Customize settings for the display of languages, numbers, times, and dates."	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\LogicalViewMode = "2"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\FirewallControlPanel.dll,-12122#immutable1 = "Windows Defender Firewall"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\DiagCpl.dll,-15#immutable1 = "Troubleshoot and fix common computer problems."	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WinPos1280x720x96(1).left = "294"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WinPos1280x720x96(1).top = "57"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\GroupView = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sud.dll,-1#immutable1 = "Default Programs"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sud.dll,-10#immutable1 = "Choose which programs you want Windows to use for activities like web browsing, editing photos, sending e-mail, and playing music."	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\usercpl.dll,-2#immutable1 = "Change user account settings and passwords for people who share this computer."	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\MinPos1280x720x96(1).y = "4294967295"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "2"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\GroupByDirection = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "3"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\powercpl.dll,-1#immutable1 = "Power Options"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\telephon.cpl,-2#immutable1 = "Configure your telephone dialing rules and modem settings."	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\GroupView = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WinPos1280x720x96(1).right = "1094"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\appwiz.cpl,-160#immutable1 = "Uninstall or change programs on your computer."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\netcenter.dll,-2#immutable1 = "Check network status, change network settings and set preferences for sharing files and printers."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fvecpl.dll,-1#immutable1 = "BitLocker Drive Encryption"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\FFlags = "18874369"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "18874369"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\srchadmin.dll,-602#immutable1 = "Change how Windows indexes to search faster"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\inetcpl.cpl,-4313#immutable1 = "Configure your Internet display and connection settings."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\accessibilitycpl.dll,-45#immutable1 = "Make your computer easier to use."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\mmsys.cpl,-300#immutable1 = "Sound"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\Rev = "0"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\DeviceCenter.dll,-2000#immutable1 = "View and manage devices, printers, and print jobs"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\systemcpl.dll,-1#immutable1 = "System"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\Vid = "{0057D0E0-3573-11CF-AE69-08002B2E1262}"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\devmgr.dll,-5#immutable1 = "View and update your device hardware settings and driver software."	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\FFlags = "18874369"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\FFlags = "18874385"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\IconSize = "48"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\DeviceCenter.dll,-1000#immutable1 = "Devices and Printers"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\Vault.dll,-2#immutable1 = "Manage your Windows credentials."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\Speech\SpeechUX\speechuxcpl.dll,-2#immutable1 = "Configure how speech recognition works on your computer."	explorer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2792	explorer.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2132	kis21.3.10.391abcdefghijru_26486.exe
2132	kis21.3.10.391abcdefghijru_26486.exe
2132	kis21.3.10.391abcdefghijru_26486.exe
2132	kis21.3.10.391abcdefghijru_26486.exe
784	msedge.exe
784	msedge.exe
3408	msedge.exe
3408	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: 33	4760	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4760	AUDIODG.EXE
Token: SeManageVolumePrivilege	2332	svchost.exe
Token: SeShutdownPrivilege	2792	explorer.exe
Token: SeCreatePagefilePrivilege	2792	explorer.exe
Token: SeShutdownPrivilege	2792	explorer.exe
Token: SeCreatePagefilePrivilege	2792	explorer.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2132	kis21.3.10.391abcdefghijru_26486.exe
2132	kis21.3.10.391abcdefghijru_26486.exe
2132	kis21.3.10.391abcdefghijru_26486.exe
2132	kis21.3.10.391abcdefghijru_26486.exe
2132	kis21.3.10.391abcdefghijru_26486.exe
2132	kis21.3.10.391abcdefghijru_26486.exe
2132	kis21.3.10.391abcdefghijru_26486.exe
2132	kis21.3.10.391abcdefghijru_26486.exe
2132	kis21.3.10.391abcdefghijru_26486.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3408 wrote to memory of 864	3408	msedge.exe	91
PID 3408 wrote to memory of 864	3408	msedge.exe	91
PID 3408 wrote to memory of 5080	3408	msedge.exe	92
PID 3408 wrote to memory of 5080	3408	msedge.exe	92
PID 3408 wrote to memory of 5080	3408	msedge.exe	92
PID 3408 wrote to memory of 5080	3408	msedge.exe	92
PID 3408 wrote to memory of 5080	3408	msedge.exe	92
PID 3408 wrote to memory of 5080	3408	msedge.exe	92
PID 3408 wrote to memory of 5080	3408	msedge.exe	92
PID 3408 wrote to memory of 5080	3408	msedge.exe	92
PID 3408 wrote to memory of 5080	3408	msedge.exe	92
PID 3408 wrote to memory of 5080	3408	msedge.exe	92
PID 3408 wrote to memory of 5080	3408	msedge.exe	92
PID 3408 wrote to memory of 5080	3408	msedge.exe	92
PID 3408 wrote to memory of 5080	3408	msedge.exe	92
PID 3408 wrote to memory of 5080	3408	msedge.exe	92
PID 3408 wrote to memory of 5080	3408	msedge.exe	92
PID 3408 wrote to memory of 5080	3408	msedge.exe	92
PID 3408 wrote to memory of 5080	3408	msedge.exe	92
PID 3408 wrote to memory of 5080	3408	msedge.exe	92
PID 3408 wrote to memory of 5080	3408	msedge.exe	92
PID 3408 wrote to memory of 5080	3408	msedge.exe	92
PID 3408 wrote to memory of 5080	3408	msedge.exe	92
PID 3408 wrote to memory of 5080	3408	msedge.exe	92
PID 3408 wrote to memory of 5080	3408	msedge.exe	92
PID 3408 wrote to memory of 5080	3408	msedge.exe	92
PID 3408 wrote to memory of 5080	3408	msedge.exe	92
PID 3408 wrote to memory of 5080	3408	msedge.exe	92
PID 3408 wrote to memory of 5080	3408	msedge.exe	92
PID 3408 wrote to memory of 5080	3408	msedge.exe	92
PID 3408 wrote to memory of 5080	3408	msedge.exe	92
PID 3408 wrote to memory of 5080	3408	msedge.exe	92
PID 3408 wrote to memory of 5080	3408	msedge.exe	92
PID 3408 wrote to memory of 5080	3408	msedge.exe	92
PID 3408 wrote to memory of 5080	3408	msedge.exe	92
PID 3408 wrote to memory of 5080	3408	msedge.exe	92
PID 3408 wrote to memory of 5080	3408	msedge.exe	92
PID 3408 wrote to memory of 5080	3408	msedge.exe	92
PID 3408 wrote to memory of 5080	3408	msedge.exe	92
PID 3408 wrote to memory of 5080	3408	msedge.exe	92
PID 3408 wrote to memory of 5080	3408	msedge.exe	92
PID 3408 wrote to memory of 5080	3408	msedge.exe	92
PID 3408 wrote to memory of 784	3408	msedge.exe	93
PID 3408 wrote to memory of 784	3408	msedge.exe	93
PID 3408 wrote to memory of 2044	3408	msedge.exe	94
PID 3408 wrote to memory of 2044	3408	msedge.exe	94
PID 3408 wrote to memory of 2044	3408	msedge.exe	94
PID 3408 wrote to memory of 2044	3408	msedge.exe	94
PID 3408 wrote to memory of 2044	3408	msedge.exe	94
PID 3408 wrote to memory of 2044	3408	msedge.exe	94
PID 3408 wrote to memory of 2044	3408	msedge.exe	94
PID 3408 wrote to memory of 2044	3408	msedge.exe	94
PID 3408 wrote to memory of 2044	3408	msedge.exe	94
PID 3408 wrote to memory of 2044	3408	msedge.exe	94
PID 3408 wrote to memory of 2044	3408	msedge.exe	94
PID 3408 wrote to memory of 2044	3408	msedge.exe	94
PID 3408 wrote to memory of 2044	3408	msedge.exe	94
PID 3408 wrote to memory of 2044	3408	msedge.exe	94
PID 3408 wrote to memory of 2044	3408	msedge.exe	94
PID 3408 wrote to memory of 2044	3408	msedge.exe	94
PID 3408 wrote to memory of 2044	3408	msedge.exe	94
PID 3408 wrote to memory of 2044	3408	msedge.exe	94
PID 3408 wrote to memory of 2044	3408	msedge.exe	94
PID 3408 wrote to memory of 2044	3408	msedge.exe	94

C:\Users\Admin\AppData\Local\Temp\kis21.3.10.391abcdefghijru_26486.exe
"C:\Users\Admin\AppData\Local\Temp\kis21.3.10.391abcdefghijru_26486.exe"
1⤵
- Loads dropped DLL
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe7d3646f8,0x7ffe7d364708,0x7ffe7d364718
  2⤵
  PID:864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,15119554334593366829,12627562491015220044,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
  2⤵
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,15119554334593366829,12627562491015220044,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,15119554334593366829,12627562491015220044,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15119554334593366829,12627562491015220044,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:3364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15119554334593366829,12627562491015220044,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15119554334593366829,12627562491015220044,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:2968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15119554334593366829,12627562491015220044,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:1528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,15119554334593366829,12627562491015220044,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3140 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3544

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1160

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3524

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4b4 0x4f8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2332

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2792

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:4544

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\213b2f9717c04433b0e305a2a93f68e5 /t 2340 /p 2132
1⤵
PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2579d07b98bbefadc929d80fb3dbd32a

SHA1
1ceb57c4b81f0f23500e118a4b9a225116a467de

SHA256
b8443c289ad36568a2bf794ac9ec1f259a9dd930c36680dafc8d0cb4de81feb6

SHA512
53522ad5e8e2a272d5b1bff9b9226b7d976d47413891c60d7efebd4365baff12b6891e3f79b20e14892ec7c654ad2d437941014290c428c6b1bd78a7b3e557de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8c91c8582b0c918416d14bd7eedd686e

SHA1
b2ff8149bc21144fdcec64111afda492965c6621

SHA256
1e839706b748c04adf8efa2790564ca1efd707fdf6451e71af6862e07123717e

SHA512
a93be868d9f08097bff39069378a0bfa0f5c78e74e9e8df820be9b0426cbfe84e03e9638b329b6142279ed140a120c4c4c21857f410fc4789a370445c3919dcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5fd8b8f18e70e63d48e9bea7eee66e30

SHA1
685805214bc99eb239e97e49ff9c69744ed2bf49

SHA256
5e3e59445935a4f0d3d63b17fc68ffbf7b116269c04403e2732e34dc68165f7a

SHA512
2c2d0c05f49a043291b7a52a3aea2b065586ad834633073cc72edb9107ac2daa86429c7c040a882b3e8be8ac5fde813c0e0ce4c210dc80625edbc2ccca2ba7dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5770bba4d546f1fb164c3ece59600025

SHA1
c816dd0390947c37ead007c49e60d38d5d43fbd3

SHA256
84c7014f63a76b4ab72919381ba9c5e53810e57c1685a7913e1b0a8cf4c26bb6

SHA512
b125242d18727a603e9ae69a14826e5c48a0745f1ad9103ef8c8005894c049cb17d2b18a524f708b67638b4cba4f567f337ba6e994476ad0ec0116512d9b5b91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5716f0ce6bca7245d723b7d2d034a04f

SHA1
e75cda58c3622587451feef195218a5cf31cf0cf

SHA256
d3db0369d5967f666a75465a56a239a4f94890f25450a09302f77c50662fc198

SHA512
c818afec23032b248f3dd1118208bb02b4b93dea18c9dbdc2483fde1f0c8d34f326cea50277419e5a59dfc3680dc554b221b597367dde88f1af3ae5b5e347749

Download Submit
C:\Users\Admin\AppData\Local\Temp\D789F0731FCFEE115B672632DA6ADA33\setup.dll

Filesize
5.1MB

MD5
f033ece2b58db6320da7b6855db976a7

SHA1
de508aa8fbbc77a983b7aeabf3b89d682d91f847

SHA256
400b6987fc6e20154063006ef0fc77a353f026e3d92c9b83653d51c876509505

SHA512
fac2131aeb07a6bd7cb206223e36f3c0199ab0fac8525674a62f99e95192b1cf5ac8f4936a4ef46301afc24f4de17d35e34eb532a75cfbf5b446e925dd00bf3c

Download Submit
memory/2132-0-0x00000000772B0000-0x00000000772C0000-memory.dmp

Filesize
64KB

Download
memory/2132-3-0x0000000077172000-0x0000000077173000-memory.dmp

Filesize
4KB

Download
memory/2132-1-0x00000000772B0000-0x00000000772C0000-memory.dmp

Filesize
64KB

Download
memory/2132-2-0x00000000772B0000-0x00000000772C0000-memory.dmp

Filesize
64KB

Download
memory/2332-64-0x0000016D9D840000-0x0000016D9D850000-memory.dmp

Filesize
64KB

Download
memory/2332-80-0x0000016D9D940000-0x0000016D9D950000-memory.dmp

Filesize
64KB

Download
memory/2332-96-0x0000016DA5C40000-0x0000016DA5C41000-memory.dmp

Filesize
4KB

Download
memory/2332-98-0x0000016DA5C70000-0x0000016DA5C71000-memory.dmp

Filesize
4KB

Download
memory/2332-99-0x0000016DA5C70000-0x0000016DA5C71000-memory.dmp

Filesize
4KB

Download
memory/2332-100-0x0000016DA5D80000-0x0000016DA5D81000-memory.dmp

Filesize
4KB

Download