Resubmissions

18-06-2024 10:26

240618-mglccatcpr 8

18-06-2024 10:22

240618-mefdbatbrp 4

18-06-2024 10:17

240618-mblqxsyglg 8

18-06-2024 10:15

240618-majvyaygje 8

18-06-2024 10:13

240618-l9cp8stakr 7

18-06-2024 10:11

240618-l7x86ayfke 8

18-06-2024 10:08

240618-l6ds5ayenh 8

18-06-2024 10:05

240618-l4jatssgmp 8

18-06-2024 10:03

240618-l3pq8aydqc 7

Analysis

  • max time kernel
    101s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-06-2024 10:26

General

  • Target

    erdre gdps/erdre GDPS install.exe

  • Size

    1.6MB

  • MD5

    3d266248c5b1c72bc74474f0dc5faf10

  • SHA1

    9462f26700a5c8fa7e4c4529799c8f5a7bd24381

  • SHA256

    d628ff4a5c320986919947540a8ac6c453ceefeb3167ec7930e744da77ac3a1d

  • SHA512

    2969e21eb6ef4db7eee7b5b4afa3bdff437be0ccc3ca4238847e256e84dd76e539baf991d709fa9a3dac74e3df2c6376bce7094c8e8392978210b24859b41941

  • SSDEEP

    24576:sawwKusHwEwSimy1d/v1SnxSGM1aXzV6YjDty+YTUxyVl:MwRED2d/vMxgajVxQ++U4D

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 36 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 40 IoCs
  • Suspicious behavior: AddClipboardFormatListener 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 45 IoCs
  • Suspicious use of SendNotifyMessage 36 IoCs
  • Suspicious use of SetWindowsHookEx 46 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe
    "C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:376
    • C:\Users\Admin\AppData\Local\Temp\is-JBEN2.tmp\erdre GDPS install.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-JBEN2.tmp\erdre GDPS install.tmp" /SL5="$7006C,775972,730112,C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      PID:3352
      • C:\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe
        "C:\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe"
        3⤵
        • Executes dropped EXE
        PID:4228
        • C:\Windows\system32\cmd.exe
          "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4C46.tmp\4C47.tmp\4C48.bat "C:\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe""
          4⤵
          PID:2600
          • C:\Windows\system32\chcp.com
            chcp 1251
            5⤵
            PID:1504
          • C:\Windows\system32\taskkill.exe
            Taskkill /f /im explorer.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2820
          • C:\Windows\explorer.exe
            explorer
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            PID:5100
          • C:\Windows\system32\taskkill.exe
            taskkill /f /IM explorer.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:4044
          • C:\Windows\system32\calc.exe
            calc
            5⤵
            • Modifies registry class
            PID:2948
          • C:\Windows\system32\calc.exe
            calc
            5⤵
            • Modifies registry class
            PID:1988
          • C:\Windows\system32\calc.exe
            calc
            5⤵
            • Modifies registry class
            PID:4572
          • C:\Windows\explorer.exe
            explorer
            5⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Enumerates connected drives
            • Checks SCSI registry key(s)
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            PID:4704
          • C:\Windows\system32\calc.exe
            calc
            5⤵
            • Modifies registry class
            PID:4788
          • C:\Windows\system32\calc.exe
            calc
            5⤵
            • Modifies registry class
            PID:4720
          • C:\Windows\system32\calc.exe
            calc
            5⤵
            • Modifies registry class
            PID:3004
          • C:\Windows\system32\calc.exe
            calc
            5⤵
            • Modifies registry class
            PID:1804
          • C:\Windows\system32\calc.exe
            calc
            5⤵
            • Modifies registry class
            PID:2452
          • C:\Windows\system32\calc.exe
            calc
            5⤵
            • Modifies registry class
            PID:4492
          • C:\Windows\system32\calc.exe
            calc
            5⤵
            • Modifies registry class
            PID:4980
          • C:\Windows\system32\calc.exe
            calc
            5⤵
            • Modifies registry class
            PID:4496
          • C:\Windows\system32\mspaint.exe
            mspaint
            5⤵
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            PID:744
          • C:\Windows\explorer.exe
            explorer
            5⤵
            • Modifies registry class
            PID:2932
          • C:\Windows\explorer.exe
            explorer
            5⤵
            • Modifies registry class
            PID:4020
          • C:\Windows\explorer.exe
            explorer
            5⤵
            • Modifies registry class
            PID:4804
          • C:\Windows\explorer.exe
            explorer
            5⤵
            • Modifies registry class
            PID:3164
          • C:\Windows\explorer.exe
            explorer
            5⤵
            • Modifies registry class
            PID:2160
          • C:\Windows\explorer.exe
            explorer
            5⤵
            • Modifies registry class
            PID:4652
          • C:\Windows\explorer.exe
            explorer
            5⤵
            • Modifies registry class
            PID:3660
          • C:\Windows\explorer.exe
            explorer
            5⤵
            • Modifies registry class
            PID:3928
          • C:\Windows\explorer.exe
            explorer
            5⤵
            • Modifies registry class
            PID:3192
          • C:\Windows\explorer.exe
            explorer
            5⤵
            • Modifies registry class
            PID:5040
          • C:\Windows\explorer.exe
            explorer
            5⤵
            • Modifies registry class
            PID:2620
          • C:\Windows\explorer.exe
            explorer
            5⤵
            • Modifies registry class
            PID:5116
          • C:\Windows\explorer.exe
            explorer
            5⤵
            • Modifies registry class
            PID:4448
          • C:\Windows\explorer.exe
            explorer
            5⤵
            • Modifies registry class
            PID:920
          • C:\Windows\explorer.exe
            explorer
            5⤵
            • Modifies registry class
            PID:452
          • C:\Windows\system32\charmap.exe
            charmap
            5⤵
            PID:756
          • C:\Windows\system32\charmap.exe
            charmap
            5⤵
            PID:3560
          • C:\Windows\system32\charmap.exe
            charmap
            5⤵
            PID:4968
          • C:\Windows\system32\charmap.exe
            charmap
            5⤵
            PID:3352
          • C:\Windows\system32\charmap.exe
            charmap
            5⤵
            PID:4568
          • C:\Windows\system32\charmap.exe
            charmap
            5⤵
            PID:3844
          • C:\Windows\system32\charmap.exe
            charmap
            5⤵
            PID:4328
          • C:\Windows\system32\charmap.exe
            charmap
            5⤵
            PID:2820
          • C:\Windows\system32\charmap.exe
            charmap
            5⤵
            PID:2056
          • C:\Windows\system32\charmap.exe
            charmap
            5⤵
            PID:3744
          • C:\Windows\system32\charmap.exe
            charmap
            5⤵
            PID:4996
          • C:\Windows\system32\charmap.exe
            charmap
            5⤵
            PID:4436
          • C:\Windows\system32\charmap.exe
            charmap
            5⤵
            PID:2228
          • C:\Windows\system32\charmap.exe
            charmap
            5⤵
            PID:3256
          • C:\Windows\system32\charmap.exe
            charmap
            5⤵
            PID:3772
          • C:\Windows\system32\charmap.exe
            charmap
            5⤵
            PID:4092
          • C:\Windows\system32\charmap.exe
            charmap
            5⤵
            PID:4760
          • C:\Windows\system32\charmap.exe
            charmap
            5⤵
            PID:1912
          • C:\Windows\system32\charmap.exe
            charmap
            5⤵
            PID:5176
          • C:\Windows\system32\charmap.exe
            charmap
            5⤵
            PID:5232
          • C:\Windows\system32\charmap.exe
            charmap
            5⤵
            PID:5240
          • C:\Windows\system32\charmap.exe
            charmap
            5⤵
            PID:5368
          • C:\Windows\system32\charmap.exe
            charmap
            5⤵
            PID:5416
          • C:\Windows\system32\charmap.exe
            charmap
            5⤵
            PID:5448
          • C:\Windows\system32\charmap.exe
            charmap
            5⤵
            PID:5464
          • C:\Windows\system32\charmap.exe
            charmap
            5⤵
            PID:5604
          • C:\Windows\system32\charmap.exe
            charmap
            5⤵
            PID:5668
          • C:\Windows\system32\charmap.exe
            charmap
            5⤵
            PID:5748
          • C:\Windows\system32\charmap.exe
            charmap
            5⤵
            PID:5776
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:5032
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0x80,0x108,0x7ff8c0e0ab58,0x7ff8c0e0ab68,0x7ff8c0e0ab78
      2⤵
      PID:2456
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=1956,i,13642908579083125414,10076102675326617586,131072 /prefetch:2
      2⤵
      PID:4752
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1956,i,13642908579083125414,10076102675326617586,131072 /prefetch:8
      2⤵
      PID:3428
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2304 --field-trial-handle=1956,i,13642908579083125414,10076102675326617586,131072 /prefetch:8
      2⤵
      PID:2992
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3224 --field-trial-handle=1956,i,13642908579083125414,10076102675326617586,131072 /prefetch:1
      2⤵
      PID:4604
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3256 --field-trial-handle=1956,i,13642908579083125414,10076102675326617586,131072 /prefetch:1
      2⤵
      PID:2368
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4304 --field-trial-handle=1956,i,13642908579083125414,10076102675326617586,131072 /prefetch:1
      2⤵
      PID:5064
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4604 --field-trial-handle=1956,i,13642908579083125414,10076102675326617586,131072 /prefetch:8
      2⤵
      PID:3320
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 --field-trial-handle=1956,i,13642908579083125414,10076102675326617586,131072 /prefetch:8
      2⤵
      PID:4956
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4824 --field-trial-handle=1956,i,13642908579083125414,10076102675326617586,131072 /prefetch:1
      2⤵
      PID:3096
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5020 --field-trial-handle=1956,i,13642908579083125414,10076102675326617586,131072 /prefetch:1
      2⤵
      PID:3132
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4404 --field-trial-handle=1956,i,13642908579083125414,10076102675326617586,131072 /prefetch:1
      2⤵
      PID:1808
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5052 --field-trial-handle=1956,i,13642908579083125414,10076102675326617586,131072 /prefetch:1
      2⤵
      PID:2152
  • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
    1⤵
    PID:3616
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:3688
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
    1⤵
    PID:668
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:5348
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:5684
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:5832
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:5984
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:4548
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:3012
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:6180
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:6216
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
    1⤵
    PID:6244
                                                                                                • C:\Windows\system32\OpenWith.exe
                                                                                                  C:\Windows\system32\OpenWith.exe -Embedding
                                                                                                  1⤵
                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                  PID:6420
                                                                                                • C:\Windows\system32\OpenWith.exe
                                                                                                  C:\Windows\system32\OpenWith.exe -Embedding
                                                                                                  1⤵
                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                  PID:6480
                                                                                                • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                  1⤵
                                                                                                  • Modifies registry class
                                                                                                  PID:7060
                                                                                                • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                  1⤵
                                                                                                  • Modifies registry class
                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                  PID:2212
                                                                                                • C:\Windows\explorer.exe
                                                                                                  explorer.exe
                                                                                                  1⤵
                                                                                                    PID:6140
                                                                                                  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                    1⤵
                                                                                                      PID:4160
                                                                                                    • C:\Windows\explorer.exe
                                                                                                      explorer.exe
                                                                                                      1⤵
                                                                                                        PID:4860

Network

MITRE ATT&CK Enterprise v15

Downloads

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\053c7373-1552-4861-bb3b-d0b57310de09.tmp
  Filesize: 257KB
  MD5: cc8a31821aea4697e3c926d52ba52bb9
  SHA1: 16de7e7c2fe2c4798c3a449e64961abc93d1ed83
  SHA256: 98a02160bdeb41049c0291d9e8ea9ee09b77c2c0952660d0165287a349530cf6
  SHA512: 2bcd1a958d721287bee2a0fda94a7aec0055aefbfe14aa6874c6a75b15075a96b3d2010027aed88db001721f9cac111f74382ec29a2191827246d7e4ad81cbec

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
  Filesize: 810B
  MD5: b392834dafc4ad44c840c5e889d79528
  SHA1: 40bdb9b79e726637a0919df6b09d8097f801f952
  SHA256: 474b9a0a9aed816803afe9f0869f7f66074eab1f7b526da6ecaa7737068a41ea
  SHA512: e490ff6103c233db1f5b4bca40d2936b35ca84e14544ba8505bf6c9201150e8bec541d234e3c7d0c32491fb8d5fe2206e3b77f136ea5a35dfe0d88fd3110daac

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
  Filesize: 2B
  MD5: d751713988987e9331980363e24189ce
  SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
  SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
  SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
  Filesize: 7KB
  MD5: 3909f644f718c661a6b1df365c59a46e
  SHA1: cf3e24f74bae8bd62ed16d8378f2b6ade5ba3ff7
  SHA256: c1a50f693c9ff1f8825353476e449fc5b48ba875197b95ff8f27f32da2724415
  SHA512: 48a0be05e32405c071de9b826fba13cfd92ef46924b526b90a7e32622913ad90fdb9298f54e072059c6195a1f5b0d68ae3fb77ebe5019e482fecbacaff57e7aa

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
  Filesize: 7KB
  MD5: 306b5cc0a1c6d6075c82307e66b6ff71
  SHA1: f9c9db0ba60f9d407395f232b6bc0b9eae1ac767
  SHA256: 4fffc460ca7e6263944d4061406df8d5d2487cab8b5f85841e1c2bc517807733
  SHA512: 0d19b257476753f557986aae33886ec3b720a0493fa3d8a6bcb1502bad83809f236bed1be0d2e0aff4d13c2c263908bd91dd92c4e93ccc6d37cc0ebf2b6bdb43

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
  Filesize: 257KB
  MD5: 16fb4c1bf8890c47ec3fcf983193dabd
  SHA1: 7cf361dde4f4b60b73f20694d5b235b9b429ec2c
  SHA256: 4c111806bf9e0f4f3ea116a682b0679770dd0fcad01fcd2e492f21a2f82068ff
  SHA512: 1809c385461789360edd32b7b8cb3f9cc2f36dcb684425cfd5c08e979dcc8b3ad5bb42dd23176a812cd409f9acb7e26f52cf806272bea6ad167ee750618b70a9

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
  Filesize: 257KB
  MD5: c6376841fbc787c890063cd92df95bc3
  SHA1: 19cb8c5852842b8a52248e6271acadceb8b6cd15
  SHA256: bcd682187df636ee39b334c0e8057b570d392a2bf4b6bf6de06010c262679cf7
  SHA512: 3762048a884cf708b9a77ecff8cd0afa811af638cc2216b5a206cf0370e1adb25e79e228c34674b534ba7b6053723faf061de7e5b7f237d986bf06cce77c3626

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
  Filesize: 264KB
  MD5: f50f89a0a91564d0b8a211f8921aa7de
  SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
  SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
  SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

• C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{8716d119-d15d-4f24-bdc9-fa2f805cbda4}\0.1.filtertrie.intermediate.txt
  Filesize: 5B
  MD5: 34bd1dfb9f72cf4f86e6df6da0a9e49a
  SHA1: 5f96d66f33c81c0b10df2128d3860e3cb7e89563
  SHA256: 8e1e6a3d56796a245d0c7b0849548932fee803bbdb03f6e289495830e017f14c
  SHA512: e3787de7c4bc70ca62234d9a4cdc6bd665bffa66debe3851ee3e8e49e7498b9f1cbc01294bf5e9f75de13fb78d05879e82fa4b89ee45623fe5bf7ac7e48eda96

• C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{8716d119-d15d-4f24-bdc9-fa2f805cbda4}\0.2.filtertrie.intermediate.txt
  Filesize: 5B
  MD5: c204e9faaf8565ad333828beff2d786e
  SHA1: 7d23864f5e2a12c1a5f93b555d2d3e7c8f78eec1
  SHA256: d65b6a3bf11a27a1ced1f7e98082246e40cf01289fd47fe4a5ed46c221f2f73f
  SHA512: e72f4f79a4ae2e5e40a41b322bc0408a6dec282f90e01e0a8aaedf9fb9d6f04a60f45a844595727539c1643328e9c1b989b90785271cc30a6550bbda6b1909f8

• C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{8716d119-d15d-4f24-bdc9-fa2f805cbda4}\Apps.index
  Filesize: 1.0MB
  MD5: c72df53009ad8f7e047b58c2a669736f
  SHA1: 944c643a321992b058f42ffba375d230d810bf9c
  SHA256: 73f2061a3fc63ca7b16907e5edd73632fc0d95afa65c4fe956d79a7e4d8a2e4b
  SHA512: e4410014d1fcbbb7d4e3eb086f1d2d6f1d987da0dfa634edc60b66ee79b90036aa6a23825a19b1023460e0c7c16f3e8c1c8c39b7f71699cd9fc101b35a8a12e0

• C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133631800758706756.txt
  Filesize: 77KB
  MD5: cf9bed7fc74dde84d6b142fb7ae80b8c
  SHA1: 0418984d9952275e2aed72472eda10ab1d734959
  SHA256: 76db23c1c0dcdcb6b545683c2c4e912c19b73b5d5c7801199df16a3211b687e4
  SHA512: e753fa47c4a7899a14c52fb358fd8d27a2623fbbe452577dc6e0b9613433f6d5815afdfc066dd8b7bd95977c9a753e9f1966ea222f4912203e3d604eb39fbb96

• C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133631800874407303.txt
  Filesize: 76KB
  MD5: cd626dd8a473d5c7ba298ceb3cf05b70
  SHA1: c3311e7da1d0ec2ba498db0b3f8561e3de4fd1f3
  SHA256: 575262ebd77dbe56c622414f277c17f3e9e8fb199dad52e13fba8aba9ce6d411
  SHA512: baf09c2fccd1a800596702b99f4a52fee34df92871663b393be6b508e264ad5071bf2b316f5659288c888fee3bcdc5d66bcf0e70aea22b109b453bd2507f15d8

• C:\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe
  Filesize: 100KB
  MD5: 1f2cec484d93617fa81ecff025ebd981
  SHA1: 2a0e9083aa48236edd47a140380b800dc56579c1
  SHA256: 2aac7fa52b946aaad1e84bf0175a7568d89472e88eda1dc725081288ba2271d8
  SHA512: 57c1b3aa98a0facad57e285d6552de42450df04d8c97a4cb4374bc05df80c9e63a5809a6f2c5735e77c470b2fde438d76b423326819b4c931bec6ea08501e562

• C:\Users\Admin\AppData\Local\Temp\4C46.tmp\4C47.tmp\4C48.bat
  Filesize: 1KB
  MD5: d46f641fd04723e353e062eff5679ef6
  SHA1: 319637221e4edaf0d59836285d065e58542afbdb
  SHA256: 94c2dac57889d420b04efcc085787c1e82468c1d6a283545f6b73f8989dacb74
  SHA512: 9d166240aa9eb2c0197da3154914f86dd83a7188093a98f13adf8fce60d137bb77355f1f7e182a309fda14897ed76cab7e6beed2a1bc542e4729e38142dc734b

• C:\Users\Admin\AppData\Local\Temp\is-JBEN2.tmp\erdre GDPS install.tmp
  Filesize: 2.9MB
  MD5: fe9bea77f231fb8526ce2a8a2ccd58dc
  SHA1: 0c502b1e730e1274e90e08b35cb5f62430db3862
  SHA256: 0b91ffec7e9c97010e43860f019ce22f5378efda2b4d9761240290c907a92eb7
  SHA512: c6cda66ce548c060ba89760edb6790133da38f41c9ab19563ffabd6debab463d71efa1041905acc950e415a2180e95eef63670b1ec81ccd35ea3aae01c3a3855

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\erdre GDPS\erdresem`s GDPS.lnk
  Filesize: 1KB
  MD5: ed4859ef9f4ac0197e6ff2debf0f9cf3
  SHA1: 57fa7434e3d27eb96fe420b4071c3097e523e7e8
  SHA256: 249638eeecdb6725d0798c369fd62f2ff09f80ab2e77137b153203fe5ff4b0fc
  SHA512: 6b756d035d62cb9ba5d03aa968eda6ac0bc272d7a785d33ddbec7e72b12dbcb81272d90b4d2ba39f43d08f3ecab1f2eb915a456ef5e04365fdba800098ac127a

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\erdre GDPS\Деинсталлировать erdresem`s GDPS.lnk
  Filesize: 1KB

                                                                                                        MD5

                                                                                                        58b11fc923f805f09028769acffab276

                                                                                                        SHA1

                                                                                                        e6884ed0c98de1564e9e10268c36c7700d5e4c16

                                                                                                        SHA256

                                                                                                        46279aa0e52bf5862cccc31ddc3864d11bded8589ebbd6f83be1b6d2853b01a1

                                                                                                        SHA512

                                                                                                        fc533b095260d55c7a852be6d2b867f2f0b544bb2d88e0848ee501f2e60fa60f052deb986ab3dc6b5fd8e63715fa1902eb9e832fc6800189f5b065fc7d72756a

                                                                                                      • \??\pipe\crashpad_5032_HJQCAVSAJBUKLNLZ

                                                                                                        MD5

                                                                                                        d41d8cd98f00b204e9800998ecf8427e

                                                                                                        SHA1

                                                                                                        da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                                                                        SHA256

                                                                                                        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                                                                        SHA512

                                                                                                        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                                                                      • memory/376-2-0x0000000000401000-0x00000000004A9000-memory.dmp

                                                                                                        Filesize

                                                                                                        672KB

                                                                                                      • memory/376-157-0x0000000000400000-0x00000000004C0000-memory.dmp

                                                                                                        Filesize

                                                                                                        768KB

                                                                                                      • memory/376-0-0x0000000000400000-0x00000000004C0000-memory.dmp

                                                                                                        Filesize

                                                                                                        768KB

                                                                                                      • memory/376-36-0x0000000000400000-0x00000000004C0000-memory.dmp

                                                                                                        Filesize

                                                                                                        768KB

                                                                                                      • memory/376-181-0x0000000000400000-0x00000000004C0000-memory.dmp

                                                                                                        Filesize

                                                                                                        768KB

                                                                                                      • memory/3352-160-0x0000000000400000-0x00000000006F3000-memory.dmp

                                                                                                        Filesize

                                                                                                        2.9MB

                                                                                                      • memory/3352-179-0x0000000000400000-0x00000000006F3000-memory.dmp

                                                                                                        Filesize

                                                                                                        2.9MB

                                                                                                      • memory/3352-158-0x0000000000400000-0x00000000006F3000-memory.dmp

                                                                                                        Filesize

                                                                                                        2.9MB

                                                                                                      • memory/3352-155-0x0000000000400000-0x00000000006F3000-memory.dmp

                                                                                                        Filesize

                                                                                                        2.9MB

                                                                                                      • memory/3352-37-0x0000000000400000-0x00000000006F3000-memory.dmp

                                                                                                        Filesize

                                                                                                        2.9MB

                                                                                                      • memory/3352-6-0x0000000000400000-0x00000000006F3000-memory.dmp

                                                                                                        Filesize

                                                                                                        2.9MB

                                                                                                      • memory/4704-297-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                      • memory/4860-414-0x0000000004440000-0x0000000004441000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                      • memory/7060-203-0x0000023A2D540000-0x0000023A2D640000-memory.dmp

                                                                                                        Filesize

                                                                                                        1024KB

                                                                                                      • memory/7060-202-0x0000023A2D540000-0x0000023A2D640000-memory.dmp

                                                                                                        Filesize

                                                                                                        1024KB

                                                                                                      • memory/7060-207-0x0000023A2E0A0000-0x0000023A2E0C0000-memory.dmp

                                                                                                        Filesize

                                                                                                        128KB

                                                                                                      • memory/7060-226-0x0000023A2E060000-0x0000023A2E080000-memory.dmp

                                                                                                        Filesize

                                                                                                        128KB

                                                                                                      • memory/7060-232-0x0000023A2E700000-0x0000023A2E720000-memory.dmp

                                                                                                        Filesize

                                                                                                        128KB
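Two consistency checks a reviewer runs over a dropped-file and memory-dump listing like the one above: whether an entry's digests are simply those of zero-length input (the crashpad named-pipe entry is such a case, so its hashes must not be used as indicators), and whether each memory dump's reported Filesize agrees with the address range encoded in its name. The Python below is an added example written for this page, not the sandbox's own code. The entries it embeds are constructed input copied from the list above (one memory entry per distinct range), and the `human_size` rounding rule is an assumption inferred from the listed sizes.

```python
import hashlib
import re

# Constructed input: values copied from the report's lists above.
INSTALLER_TMP = r"C:\Users\Admin\AppData\Local\Temp\is-JBEN2.tmp\erdre GDPS install.tmp"
PIPE = r"\??\pipe\crashpad_5032_HJQCAVSAJBUKLNLZ"
DROPPED = {
    INSTALLER_TMP: {
        "md5": "fe9bea77f231fb8526ce2a8a2ccd58dc",
        "sha1": "0c502b1e730e1274e90e08b35cb5f62430db3862",
        "sha256": "0b91ffec7e9c97010e43860f019ce22f5378efda2b4d9761240290c907a92eb7",
    },
    PIPE: {
        "md5": "d41d8cd98f00b204e9800998ecf8427e",
        "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
        "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "sha512": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce"
                  "47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
    },
}
MEMORY = [  # (dump name, Filesize as listed) - one entry per distinct range
    ("memory/376-2-0x0000000000401000-0x00000000004A9000-memory.dmp", "672KB"),
    ("memory/376-0-0x0000000000400000-0x00000000004C0000-memory.dmp", "768KB"),
    ("memory/3352-6-0x0000000000400000-0x00000000006F3000-memory.dmp", "2.9MB"),
    ("memory/4704-297-0x0000000004AB0000-0x0000000004AB1000-memory.dmp", "4KB"),
    ("memory/7060-203-0x0000023A2D540000-0x0000023A2D640000-memory.dmp", "1024KB"),
    ("memory/7060-207-0x0000023A2E0A0000-0x0000023A2E0C0000-memory.dmp", "128KB"),
]

ALGOS = ("md5", "sha1", "sha256", "sha512")
# Digests of zero-length input. A "dropped file" whose listed digests all
# equal these had no content captured, so its hashes identify nothing.
EMPTY_DIGESTS = {a: hashlib.new(a, b"").hexdigest() for a in ALGOS}


def digests(data: bytes) -> dict:
    """Compute the four digests the report lists for a blob of content."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def is_empty_content(listed: dict) -> bool:
    """True when every digest the report lists is the digest of b''."""
    return all(listed[a] == EMPTY_DIGESTS[a] for a in ALGOS if a in listed)


def matches_listed(listed: dict, data: bytes) -> bool:
    """Compare a sample you hold against the listed digests (every listed algorithm must agree)."""
    got = digests(data)
    return all(listed[a] == got[a] for a in ALGOS if a in listed)


def empty_entries(dropped: dict) -> list:
    """Names of entries whose digests are only those of empty input."""
    return [name for name, listed in dropped.items() if is_empty_content(listed)]


DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump_name(name: str) -> dict:
    """Split memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp into its fields."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    start, end = int(m[3], 16), int(m[4], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"pid": int(m[1]), "seq": int(m[2]), "start": start, "end": end, "size": end - start}


def human_size(n: int) -> str:
    """Assumed rendering rule inferred from the listed sizes: whole KB up to and
    including 1 MiB (so a 0x100000 range shows as 1024KB), one decimal of MB above."""
    mib = 1024 * 1024
    if n > mib:
        return f"{n / mib:.1f}MB"
    return f"{n // 1024}KB"


def dump_size_consistent(name: str, listed: str) -> bool:
    """Does the Filesize the report lists equal the length of the range in the name?"""
    return human_size(parse_dump_name(name)["size"]) == listed


def inconsistent_dumps(memory: list) -> list:
    return [name for name, listed in memory if not dump_size_consistent(name, listed)]


if __name__ == "__main__":
    print("entries with empty-input digests:", empty_entries(DROPPED))
    print("dumps whose Filesize disagrees with their range:", inconsistent_dumps(MEMORY))
```

Run against the values above, the only empty-content entry is the crashpad pipe, and every dump's Filesize agrees with its range (376-2 is the 0xA8000-byte sub-range of the 0xC0000-byte image mapped by the other pid 376 dumps). When you hold a copy of a suspected sample, `matches_listed` compares it against all listed digests at once rather than against MD5 alone.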