Resubmissions
18-06-2024 10:26
240618-mglccatcpr 8 18-06-2024 10:22
240618-mefdbatbrp 4 18-06-2024 10:17
240618-mblqxsyglg 8 18-06-2024 10:15
240618-majvyaygje 8 18-06-2024 10:13
240618-l9cp8stakr 7 18-06-2024 10:11
240618-l7x86ayfke 8 18-06-2024 10:08
240618-l6ds5ayenh 8 18-06-2024 10:05
240618-l4jatssgmp 8 18-06-2024 10:03
240618-l3pq8aydqc 7

Analysis
max time kernel: 101s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-06-2024 10:26
Static task: static1
Behavioral task: behavioral1
Sample: erdre gdps/erdre GDPS install.exe
Resource: win10v2004-20240508-en
General
Target: erdre gdps/erdre GDPS install.exe
Size: 1.6MB
MD5: 3d266248c5b1c72bc74474f0dc5faf10
SHA1: 9462f26700a5c8fa7e4c4529799c8f5a7bd24381
SHA256: d628ff4a5c320986919947540a8ac6c453ceefeb3167ec7930e744da77ac3a1d
SHA512: 2969e21eb6ef4db7eee7b5b4afa3bdff437be0ccc3ca4238847e256e84dd76e539baf991d709fa9a3dac74e3df2c6376bce7094c8e8392978210b24859b41941
SSDEEP: 24576:sawwKusHwEwSimy1d/v1SnxSGM1aXzV6YjDty+YTUxyVl:MwRED2d/vMxgajVxQ++U4D
Malware Config
Signatures
Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: explorer.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Executes dropped EXE 2 IoCs
Processes: erdre GDPS install.tmp, erdresem`s GDPS.exe
pid | process
3352 | erdre GDPS install.tmp
4228 | erdresem`s GDPS.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: erdre GDPS install.tmp, explorer.exe
description | ioc | process
File opened (read-only) | \??\A: | erdre GDPS install.tmp
File opened (read-only) | \??\E: | erdre GDPS install.tmp
File opened (read-only) | \??\L: | erdre GDPS install.tmp
File opened (read-only) | \??\T: | erdre GDPS install.tmp
File opened (read-only) | \??\Q: | erdre GDPS install.tmp
File opened (read-only) | \??\X: | erdre GDPS install.tmp
File opened (read-only) | \??\M: | erdre GDPS install.tmp
File opened (read-only) | \??\N: | erdre GDPS install.tmp
File opened (read-only) | \??\R: | erdre GDPS install.tmp
File opened (read-only) | \??\U: | erdre GDPS install.tmp
File opened (read-only) | \??\Y: | erdre GDPS install.tmp
File opened (read-only) | \??\Z: | erdre GDPS install.tmp
File opened (read-only) | \??\G: | erdre GDPS install.tmp
File opened (read-only) | \??\D: | explorer.exe
File opened (read-only) | \??\P: | erdre GDPS install.tmp
File opened (read-only) | \??\I: | erdre GDPS install.tmp
File opened (read-only) | \??\J: | erdre GDPS install.tmp
File opened (read-only) | \??\O: | erdre GDPS install.tmp
File opened (read-only) | \??\S: | erdre GDPS install.tmp
File opened (read-only) | \??\V: | erdre GDPS install.tmp
File opened (read-only) | \??\F: | explorer.exe
File opened (read-only) | \??\B: | erdre GDPS install.tmp
File opened (read-only) | \??\H: | erdre GDPS install.tmp
File opened (read-only) | \??\K: | erdre GDPS install.tmp
File opened (read-only) | \??\W: | erdre GDPS install.tmp
Drops file in Windows directory 1 IoCs
Processes: mspaint.exe
description | ioc | process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | mspaint.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 36 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: explorer.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | explorer.exe
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: chrome.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Kills process with taskkill 2 IoCs
Processes: taskkill.exe
pid | process
2820 | taskkill.exe
4044 | taskkill.exe
Modifies Internet Explorer settings 4 IoCs
Processes:
explorer.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe -
Modifies data under HKEY_USERS 2 IoCs
Processes: chrome.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133631799970066153" | chrome.exe
Modifies registry class 40 IoCs
Processes: explorer.exe, calc.exe, SearchApp.exe, StartMenuExperienceHost.exe, erdre GDPS install.tmp
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | calc.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | calc.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000 | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | calc.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | calc.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\MuiCache | SearchApp.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\MuiCache | StartMenuExperienceHost.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | calc.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | calc.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | calc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | calc.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | calc.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | erdre GDPS install.tmp
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | calc.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1337824034-2731376981-3755436523-1000\{74C5E718-6C6D-4905-A048-8D4C8D7B24FB} | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1337824034-2731376981-3755436523-1000\{F7F8552D-BB08-40A7-BCD3-323921D8F159} | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | calc.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | explorer.exe
Suspicious behavior: AddClipboardFormatListener 10 IoCs
Processes: explorer.exe
pid | process
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes: chrome.exe, erdre GDPS install.tmp, mspaint.exe
pid | process
5032 | chrome.exe
5032 | chrome.exe
3352 | erdre GDPS install.tmp
3352 | erdre GDPS install.tmp
744 | mspaint.exe
744 | mspaint.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
Processes: chrome.exe
pid | process
5032 | chrome.exe
5032 | chrome.exe
5032 | chrome.exe
5032 | chrome.exe
5032 | chrome.exe
5032 | chrome.exe
5032 | chrome.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: chrome.exe, taskkill.exe, explorer.exe
description | pid | process
Token: SeShutdownPrivilege | 5032 | chrome.exe
Token: SeCreatePagefilePrivilege | 5032 | chrome.exe
Token: SeShutdownPrivilege | 5032 | chrome.exe
Token: SeCreatePagefilePrivilege | 5032 | chrome.exe
Token: SeShutdownPrivilege | 5032 | chrome.exe
Token: SeCreatePagefilePrivilege | 5032 | chrome.exe
Token: SeShutdownPrivilege | 5032 | chrome.exe
Token: SeCreatePagefilePrivilege | 5032 | chrome.exe
Token: SeShutdownPrivilege | 5032 | chrome.exe
Token: SeCreatePagefilePrivilege | 5032 | chrome.exe
Token: SeShutdownPrivilege | 5032 | chrome.exe
Token: SeCreatePagefilePrivilege | 5032 | chrome.exe
Token: SeShutdownPrivilege | 5032 | chrome.exe
Token: SeCreatePagefilePrivilege | 5032 | chrome.exe
Token: SeShutdownPrivilege | 5032 | chrome.exe
Token: SeCreatePagefilePrivilege | 5032 | chrome.exe
Token: SeShutdownPrivilege | 5032 | chrome.exe
Token: SeCreatePagefilePrivilege | 5032 | chrome.exe
Token: SeShutdownPrivilege | 5032 | chrome.exe
Token: SeCreatePagefilePrivilege | 5032 | chrome.exe
Token: SeShutdownPrivilege | 5032 | chrome.exe
Token: SeCreatePagefilePrivilege | 5032 | chrome.exe
Token: SeShutdownPrivilege | 5032 | chrome.exe
Token: SeCreatePagefilePrivilege | 5032 | chrome.exe
Token: SeShutdownPrivilege | 5032 | chrome.exe
Token: SeCreatePagefilePrivilege | 5032 | chrome.exe
Token: SeShutdownPrivilege | 5032 | chrome.exe
Token: SeCreatePagefilePrivilege | 5032 | chrome.exe
Token: SeShutdownPrivilege | 5032 | chrome.exe
Token: SeCreatePagefilePrivilege | 5032 | chrome.exe
Token: SeShutdownPrivilege | 5032 | chrome.exe
Token: SeCreatePagefilePrivilege | 5032 | chrome.exe
Token: SeShutdownPrivilege | 5032 | chrome.exe
Token: SeCreatePagefilePrivilege | 5032 | chrome.exe
Token: SeShutdownPrivilege | 5032 | chrome.exe
Token: SeCreatePagefilePrivilege | 5032 | chrome.exe
Token: SeShutdownPrivilege | 5032 | chrome.exe
Token: SeCreatePagefilePrivilege | 5032 | chrome.exe
Token: SeShutdownPrivilege | 5032 | chrome.exe
Token: SeCreatePagefilePrivilege | 5032 | chrome.exe
Token: SeShutdownPrivilege | 5032 | chrome.exe
Token: SeCreatePagefilePrivilege | 5032 | chrome.exe
Token: SeShutdownPrivilege | 5032 | chrome.exe
Token: SeCreatePagefilePrivilege | 5032 | chrome.exe
Token: SeShutdownPrivilege | 5032 | chrome.exe
Token: SeCreatePagefilePrivilege | 5032 | chrome.exe
Token: SeShutdownPrivilege | 5032 | chrome.exe
Token: SeCreatePagefilePrivilege | 5032 | chrome.exe
Token: SeShutdownPrivilege | 5032 | chrome.exe
Token: SeCreatePagefilePrivilege | 5032 | chrome.exe
Token: SeDebugPrivilege | 2820 | taskkill.exe
Token: SeDebugPrivilege | 4044 | taskkill.exe
Token: SeShutdownPrivilege | 5100 | explorer.exe
Token: SeCreatePagefilePrivilege | 5100 | explorer.exe
Token: SeShutdownPrivilege | 5100 | explorer.exe
Token: SeCreatePagefilePrivilege | 5100 | explorer.exe
Token: SeShutdownPrivilege | 4704 | explorer.exe
Token: SeCreatePagefilePrivilege | 4704 | explorer.exe
Token: SeShutdownPrivilege | 4704 | explorer.exe
Token: SeCreatePagefilePrivilege | 4704 | explorer.exe
Token: SeShutdownPrivilege | 4704 | explorer.exe
Token: SeCreatePagefilePrivilege | 4704 | explorer.exe
Token: SeShutdownPrivilege | 4704 | explorer.exe
Token: SeCreatePagefilePrivilege | 4704 | explorer.exe
Suspicious use of FindShellTrayWindow 45 IoCs
Processes: chrome.exe, erdre GDPS install.tmp, explorer.exe
pid | process
5032 | chrome.exe
5032 | chrome.exe
5032 | chrome.exe
5032 | chrome.exe
5032 | chrome.exe
5032 | chrome.exe
5032 | chrome.exe
5032 | chrome.exe
5032 | chrome.exe
5032 | chrome.exe
5032 | chrome.exe
5032 | chrome.exe
5032 | chrome.exe
5032 | chrome.exe
5032 | chrome.exe
5032 | chrome.exe
5032 | chrome.exe
5032 | chrome.exe
5032 | chrome.exe
5032 | chrome.exe
5032 | chrome.exe
5032 | chrome.exe
5032 | chrome.exe
5032 | chrome.exe
5032 | chrome.exe
5032 | chrome.exe
5032 | chrome.exe
3352 | erdre GDPS install.tmp
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
Suspicious use of SendNotifyMessage 36 IoCs
Processes: chrome.exe, explorer.exe
pid | process
5032 | chrome.exe
5032 | chrome.exe
5032 | chrome.exe
5032 | chrome.exe
5032 | chrome.exe
5032 | chrome.exe
5032 | chrome.exe
5032 | chrome.exe
5032 | chrome.exe
5032 | chrome.exe
5032 | chrome.exe
5032 | chrome.exe
5032 | chrome.exe
5032 | chrome.exe
5032 | chrome.exe
5032 | chrome.exe
5032 | chrome.exe
5032 | chrome.exe
5032 | chrome.exe
5032 | chrome.exe
5032 | chrome.exe
5032 | chrome.exe
5032 | chrome.exe
5032 | chrome.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
Suspicious use of SetWindowsHookEx 46 IoCs
Processes: mspaint.exe, OpenWith.exe, explorer.exe, StartMenuExperienceHost.exe
pid | process
744 | mspaint.exe
744 | mspaint.exe
744 | mspaint.exe
744 | mspaint.exe
3688 | OpenWith.exe
5684 | OpenWith.exe
5348 | OpenWith.exe
5832 | OpenWith.exe
5984 | OpenWith.exe
4548 | OpenWith.exe
3012 | OpenWith.exe
6180 | OpenWith.exe
6420 | OpenWith.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
4704 | explorer.exe
6216 | OpenWith.exe
6480 | OpenWith.exe
2212 | StartMenuExperienceHost.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes: erdre GDPS install.exe, chrome.exe
description | pid | process | target process
PID 376 wrote to memory of 3352 | 376 | erdre GDPS install.exe | erdre GDPS install.tmp
PID 376 wrote to memory of 3352 | 376 | erdre GDPS install.exe | erdre GDPS install.tmp
PID 376 wrote to memory of 3352 | 376 | erdre GDPS install.exe | erdre GDPS install.tmp
PID 5032 wrote to memory of 2456 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 2456 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 4752 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 4752 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 4752 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 4752 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 4752 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 4752 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 4752 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 4752 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 4752 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 4752 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 4752 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 4752 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 4752 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 4752 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 4752 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 4752 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 4752 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 4752 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 4752 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 4752 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 4752 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 4752 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 4752 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 4752 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 4752 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 4752 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 4752 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 4752 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 4752 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 4752 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 4752 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 3428 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 3428 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 2992 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 2992 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 2992 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 2992 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 2992 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 2992 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 2992 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 2992 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 2992 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 2992 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 2992 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 2992 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 2992 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 2992 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 2992 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 2992 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 2992 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 2992 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 2992 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 2992 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 2992 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 2992 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 2992 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 2992 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 2992 | 5032 | chrome.exe | chrome.exe
PID 5032 wrote to memory of 2992 | 5032 | chrome.exe | chrome.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe"C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:376 -
C:\Users\Admin\AppData\Local\Temp\is-JBEN2.tmp\erdre GDPS install.tmp"C:\Users\Admin\AppData\Local\Temp\is-JBEN2.tmp\erdre GDPS install.tmp" /SL5="$7006C,775972,730112,C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe"2⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:3352 -
C:\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe"C:\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe"3⤵
- Executes dropped EXE
PID:4228 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4C46.tmp\4C47.tmp\4C48.bat "C:\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe""4⤵PID:2600
-
C:\Windows\system32\chcp.comchcp 12515⤵PID:1504
-
C:\Windows\system32\taskkill.exeTaskkill /f /im explorer.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2820 -
C:\Windows\explorer.exe (command line: explorer; tree depth 5)
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID: 5100

C:\Windows\system32\taskkill.exe (command line: taskkill /f /IM explorer.exe; tree depth 5)
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID: 4044

C:\Windows\system32\calc.exe (command line: calc; tree depth 5)
- Modifies registry class
PID: 2948

C:\Windows\system32\calc.exe (command line: calc; tree depth 5)
- Modifies registry class
PID: 1988

C:\Windows\system32\calc.exe (command line: calc; tree depth 5)
- Modifies registry class
PID: 4572

C:\Windows\explorer.exe (command line: explorer; tree depth 5)
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID: 4704

C:\Windows\system32\calc.exe (command line: calc; tree depth 5)
- Modifies registry class
PID: 4788

C:\Windows\system32\calc.exe (command line: calc; tree depth 5)
- Modifies registry class
PID: 4720

C:\Windows\system32\calc.exe (command line: calc; tree depth 5)
- Modifies registry class
PID: 3004

C:\Windows\system32\calc.exe (command line: calc; tree depth 5)
- Modifies registry class
PID: 1804

C:\Windows\system32\calc.exe (command line: calc; tree depth 5)
- Modifies registry class
PID: 2452

C:\Windows\system32\calc.exe (command line: calc; tree depth 5)
- Modifies registry class
PID: 4492

C:\Windows\system32\calc.exe (command line: calc; tree depth 5)
- Modifies registry class
PID: 4980

C:\Windows\system32\calc.exe (command line: calc; tree depth 5)
- Modifies registry class
PID: 4496

C:\Windows\system32\mspaint.exe (command line: mspaint; tree depth 5)
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 744

C:\Windows\explorer.exe (command line: explorer; tree depth 5)
- Modifies registry class
PID: 2932

C:\Windows\explorer.exe (command line: explorer; tree depth 5)
- Modifies registry class
PID: 4020

C:\Windows\explorer.exe (command line: explorer; tree depth 5)
- Modifies registry class
PID: 4804

C:\Windows\explorer.exe (command line: explorer; tree depth 5)
- Modifies registry class
PID: 3164

C:\Windows\explorer.exe (command line: explorer; tree depth 5)
- Modifies registry class
PID: 2160

C:\Windows\explorer.exe (command line: explorer; tree depth 5)
- Modifies registry class
PID: 4652

C:\Windows\explorer.exe (command line: explorer; tree depth 5)
- Modifies registry class
PID: 3660

C:\Windows\explorer.exe (command line: explorer; tree depth 5)
- Modifies registry class
PID: 3928

C:\Windows\explorer.exe (command line: explorer; tree depth 5)
- Modifies registry class
PID: 3192

C:\Windows\explorer.exe (command line: explorer; tree depth 5)
- Modifies registry class
PID: 5040

C:\Windows\explorer.exe (command line: explorer; tree depth 5)
- Modifies registry class
PID: 2620

C:\Windows\explorer.exe (command line: explorer; tree depth 5)
- Modifies registry class
PID: 5116

C:\Windows\explorer.exe (command line: explorer; tree depth 5)
- Modifies registry class
PID: 4448

C:\Windows\explorer.exe (command line: explorer; tree depth 5)
- Modifies registry class
PID: 920

C:\Windows\explorer.exe (command line: explorer; tree depth 5)
- Modifies registry class
PID: 452
C:\Windows\system32\charmap.exe (command line: charmap; tree depth 5)
PID: 756

C:\Windows\system32\charmap.exe (command line: charmap; tree depth 5)
PID: 3560

C:\Windows\system32\charmap.exe (command line: charmap; tree depth 5)
PID: 4968

C:\Windows\system32\charmap.exe (command line: charmap; tree depth 5)
PID: 3352

C:\Windows\system32\charmap.exe (command line: charmap; tree depth 5)
PID: 4568

C:\Windows\system32\charmap.exe (command line: charmap; tree depth 5)
PID: 3844

C:\Windows\system32\charmap.exe (command line: charmap; tree depth 5)
PID: 4328

C:\Windows\system32\charmap.exe (command line: charmap; tree depth 5)
PID: 2820

C:\Windows\system32\charmap.exe (command line: charmap; tree depth 5)
PID: 2056

C:\Windows\system32\charmap.exe (command line: charmap; tree depth 5)
PID: 3744

C:\Windows\system32\charmap.exe (command line: charmap; tree depth 5)
PID: 4996

C:\Windows\system32\charmap.exe (command line: charmap; tree depth 5)
PID: 4436

C:\Windows\system32\charmap.exe (command line: charmap; tree depth 5)
PID: 2228

C:\Windows\system32\charmap.exe (command line: charmap; tree depth 5)
PID: 3256

C:\Windows\system32\charmap.exe (command line: charmap; tree depth 5)
PID: 3772

C:\Windows\system32\charmap.exe (command line: charmap; tree depth 5)
PID: 4092

C:\Windows\system32\charmap.exe (command line: charmap; tree depth 5)
PID: 4760

C:\Windows\system32\charmap.exe (command line: charmap; tree depth 5)
PID: 1912

C:\Windows\system32\charmap.exe (command line: charmap; tree depth 5)
PID: 5176

C:\Windows\system32\charmap.exe (command line: charmap; tree depth 5)
PID: 5232

C:\Windows\system32\charmap.exe (command line: charmap; tree depth 5)
PID: 5240

C:\Windows\system32\charmap.exe (command line: charmap; tree depth 5)
PID: 5368

C:\Windows\system32\charmap.exe (command line: charmap; tree depth 5)
PID: 5416

C:\Windows\system32\charmap.exe (command line: charmap; tree depth 5)
PID: 5448

C:\Windows\system32\charmap.exe (command line: charmap; tree depth 5)
PID: 5464

C:\Windows\system32\charmap.exe (command line: charmap; tree depth 5)
PID: 5604

C:\Windows\system32\charmap.exe (command line: charmap; tree depth 5)
PID: 5668

C:\Windows\system32\charmap.exe (command line: charmap; tree depth 5)
PID: 5748

C:\Windows\system32\charmap.exe (command line: charmap; tree depth 5)
PID: 5776
C:\Program Files\Google\Chrome\Application\chrome.exe (command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"; tree depth 1)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 5032

C:\Program Files\Google\Chrome\Application\chrome.exe (tree depth 2)
command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0x80,0x108,0x7ff8c0e0ab58,0x7ff8c0e0ab68,0x7ff8c0e0ab78
PID: 2456

C:\Program Files\Google\Chrome\Application\chrome.exe (tree depth 2)
command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=1956,i,13642908579083125414,10076102675326617586,131072 /prefetch:2
PID: 4752

C:\Program Files\Google\Chrome\Application\chrome.exe (tree depth 2)
command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1956,i,13642908579083125414,10076102675326617586,131072 /prefetch:8
PID: 3428

C:\Program Files\Google\Chrome\Application\chrome.exe (tree depth 2)
command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2304 --field-trial-handle=1956,i,13642908579083125414,10076102675326617586,131072 /prefetch:8
PID: 2992

C:\Program Files\Google\Chrome\Application\chrome.exe (tree depth 2)
command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3224 --field-trial-handle=1956,i,13642908579083125414,10076102675326617586,131072 /prefetch:1
PID: 4604

C:\Program Files\Google\Chrome\Application\chrome.exe (tree depth 2)
command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3256 --field-trial-handle=1956,i,13642908579083125414,10076102675326617586,131072 /prefetch:1
PID: 2368

C:\Program Files\Google\Chrome\Application\chrome.exe (tree depth 2)
command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4304 --field-trial-handle=1956,i,13642908579083125414,10076102675326617586,131072 /prefetch:1
PID: 5064

C:\Program Files\Google\Chrome\Application\chrome.exe (tree depth 2)
command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4604 --field-trial-handle=1956,i,13642908579083125414,10076102675326617586,131072 /prefetch:8
PID: 3320

C:\Program Files\Google\Chrome\Application\chrome.exe (tree depth 2)
command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 --field-trial-handle=1956,i,13642908579083125414,10076102675326617586,131072 /prefetch:8
PID: 4956

C:\Program Files\Google\Chrome\Application\chrome.exe (tree depth 2)
command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4824 --field-trial-handle=1956,i,13642908579083125414,10076102675326617586,131072 /prefetch:1
PID: 3096

C:\Program Files\Google\Chrome\Application\chrome.exe (tree depth 2)
command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5020 --field-trial-handle=1956,i,13642908579083125414,10076102675326617586,131072 /prefetch:1
PID: 3132

C:\Program Files\Google\Chrome\Application\chrome.exe (tree depth 2)
command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4404 --field-trial-handle=1956,i,13642908579083125414,10076102675326617586,131072 /prefetch:1
PID: 1808

C:\Program Files\Google\Chrome\Application\chrome.exe (tree depth 2)
command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5052 --field-trial-handle=1956,i,13642908579083125414,10076102675326617586,131072 /prefetch:1
PID: 2152
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe (command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"; tree depth 1)
PID: 3616

C:\Windows\system32\OpenWith.exe (command line: C:\Windows\system32\OpenWith.exe -Embedding; tree depth 1)
- Suspicious use of SetWindowsHookEx
PID: 3688

C:\Windows\system32\svchost.exe (command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService; tree depth 1)
PID: 668

C:\Windows\system32\OpenWith.exe (command line: C:\Windows\system32\OpenWith.exe -Embedding; tree depth 1)
- Suspicious use of SetWindowsHookEx
PID: 5348

C:\Windows\system32\OpenWith.exe (command line: C:\Windows\system32\OpenWith.exe -Embedding; tree depth 1)
- Suspicious use of SetWindowsHookEx
PID: 5684

C:\Windows\system32\OpenWith.exe (command line: C:\Windows\system32\OpenWith.exe -Embedding; tree depth 1)
- Suspicious use of SetWindowsHookEx
PID: 5832

C:\Windows\system32\OpenWith.exe (command line: C:\Windows\system32\OpenWith.exe -Embedding; tree depth 1)
- Suspicious use of SetWindowsHookEx
PID: 5984

C:\Windows\system32\OpenWith.exe (command line: C:\Windows\system32\OpenWith.exe -Embedding; tree depth 1)
- Suspicious use of SetWindowsHookEx
PID: 4548

C:\Windows\system32\OpenWith.exe (command line: C:\Windows\system32\OpenWith.exe -Embedding; tree depth 1)
- Suspicious use of SetWindowsHookEx
PID: 3012

C:\Windows\system32\OpenWith.exe (command line: C:\Windows\system32\OpenWith.exe -Embedding; tree depth 1)
- Suspicious use of SetWindowsHookEx
PID: 6180

C:\Windows\system32\OpenWith.exe (command line: C:\Windows\system32\OpenWith.exe -Embedding; tree depth 1)
- Suspicious use of SetWindowsHookEx
PID: 6216

C:\Windows\System32\rundll32.exe (command line: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding; tree depth 1)
PID: 6244

C:\Windows\system32\OpenWith.exe (command line: C:\Windows\system32\OpenWith.exe -Embedding; tree depth 1)
- Suspicious use of SetWindowsHookEx
PID: 6420

C:\Windows\system32\OpenWith.exe (command line: C:\Windows\system32\OpenWith.exe -Embedding; tree depth 1)
- Suspicious use of SetWindowsHookEx
PID: 6480

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca; tree depth 1)
- Modifies registry class
PID: 7060

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca; tree depth 1)
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID: 2212

C:\Windows\explorer.exe (command line: explorer.exe; tree depth 1)
PID: 6140

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca; tree depth 1)
PID: 4160

C:\Windows\explorer.exe (command line: explorer.exe; tree depth 1)
PID: 4860
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 257KB
MD5: cc8a31821aea4697e3c926d52ba52bb9
SHA1: 16de7e7c2fe2c4798c3a449e64961abc93d1ed83
SHA256: 98a02160bdeb41049c0291d9e8ea9ee09b77c2c0952660d0165287a349530cf6
SHA512: 2bcd1a958d721287bee2a0fda94a7aec0055aefbfe14aa6874c6a75b15075a96b3d2010027aed88db001721f9cac111f74382ec29a2191827246d7e4ad81cbec

Filesize: 810B
MD5: b392834dafc4ad44c840c5e889d79528
SHA1: 40bdb9b79e726637a0919df6b09d8097f801f952
SHA256: 474b9a0a9aed816803afe9f0869f7f66074eab1f7b526da6ecaa7737068a41ea
SHA512: e490ff6103c233db1f5b4bca40d2936b35ca84e14544ba8505bf6c9201150e8bec541d234e3c7d0c32491fb8d5fe2206e3b77f136ea5a35dfe0d88fd3110daac

Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Filesize: 7KB
MD5: 3909f644f718c661a6b1df365c59a46e
SHA1: cf3e24f74bae8bd62ed16d8378f2b6ade5ba3ff7
SHA256: c1a50f693c9ff1f8825353476e449fc5b48ba875197b95ff8f27f32da2724415
SHA512: 48a0be05e32405c071de9b826fba13cfd92ef46924b526b90a7e32622913ad90fdb9298f54e072059c6195a1f5b0d68ae3fb77ebe5019e482fecbacaff57e7aa

Filesize: 7KB
MD5: 306b5cc0a1c6d6075c82307e66b6ff71
SHA1: f9c9db0ba60f9d407395f232b6bc0b9eae1ac767
SHA256: 4fffc460ca7e6263944d4061406df8d5d2487cab8b5f85841e1c2bc517807733
SHA512: 0d19b257476753f557986aae33886ec3b720a0493fa3d8a6bcb1502bad83809f236bed1be0d2e0aff4d13c2c263908bd91dd92c4e93ccc6d37cc0ebf2b6bdb43

Filesize: 257KB
MD5: 16fb4c1bf8890c47ec3fcf983193dabd
SHA1: 7cf361dde4f4b60b73f20694d5b235b9b429ec2c
SHA256: 4c111806bf9e0f4f3ea116a682b0679770dd0fcad01fcd2e492f21a2f82068ff
SHA512: 1809c385461789360edd32b7b8cb3f9cc2f36dcb684425cfd5c08e979dcc8b3ad5bb42dd23176a812cd409f9acb7e26f52cf806272bea6ad167ee750618b70a9

Filesize: 257KB
MD5: c6376841fbc787c890063cd92df95bc3
SHA1: 19cb8c5852842b8a52248e6271acadceb8b6cd15
SHA256: bcd682187df636ee39b334c0e8057b570d392a2bf4b6bf6de06010c262679cf7
SHA512: 3762048a884cf708b9a77ecff8cd0afa811af638cc2216b5a206cf0370e1adb25e79e228c34674b534ba7b6053723faf061de7e5b7f237d986bf06cce77c3626

Filesize: 264KB
MD5: f50f89a0a91564d0b8a211f8921aa7de
SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{8716d119-d15d-4f24-bdc9-fa2f805cbda4}\0.1.filtertrie.intermediate.txt
Filesize: 5B
MD5: 34bd1dfb9f72cf4f86e6df6da0a9e49a
SHA1: 5f96d66f33c81c0b10df2128d3860e3cb7e89563
SHA256: 8e1e6a3d56796a245d0c7b0849548932fee803bbdb03f6e289495830e017f14c
SHA512: e3787de7c4bc70ca62234d9a4cdc6bd665bffa66debe3851ee3e8e49e7498b9f1cbc01294bf5e9f75de13fb78d05879e82fa4b89ee45623fe5bf7ac7e48eda96

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{8716d119-d15d-4f24-bdc9-fa2f805cbda4}\0.2.filtertrie.intermediate.txt
Filesize: 5B
MD5: c204e9faaf8565ad333828beff2d786e
SHA1: 7d23864f5e2a12c1a5f93b555d2d3e7c8f78eec1
SHA256: d65b6a3bf11a27a1ced1f7e98082246e40cf01289fd47fe4a5ed46c221f2f73f
SHA512: e72f4f79a4ae2e5e40a41b322bc0408a6dec282f90e01e0a8aaedf9fb9d6f04a60f45a844595727539c1643328e9c1b989b90785271cc30a6550bbda6b1909f8

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{8716d119-d15d-4f24-bdc9-fa2f805cbda4}\Apps.index
Filesize: 1.0MB
MD5: c72df53009ad8f7e047b58c2a669736f
SHA1: 944c643a321992b058f42ffba375d230d810bf9c
SHA256: 73f2061a3fc63ca7b16907e5edd73632fc0d95afa65c4fe956d79a7e4d8a2e4b
SHA512: e4410014d1fcbbb7d4e3eb086f1d2d6f1d987da0dfa634edc60b66ee79b90036aa6a23825a19b1023460e0c7c16f3e8c1c8c39b7f71699cd9fc101b35a8a12e0

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133631800758706756.txt
Filesize: 77KB
MD5: cf9bed7fc74dde84d6b142fb7ae80b8c
SHA1: 0418984d9952275e2aed72472eda10ab1d734959
SHA256: 76db23c1c0dcdcb6b545683c2c4e912c19b73b5d5c7801199df16a3211b687e4
SHA512: e753fa47c4a7899a14c52fb358fd8d27a2623fbbe452577dc6e0b9613433f6d5815afdfc066dd8b7bd95977c9a753e9f1966ea222f4912203e3d604eb39fbb96

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133631800874407303.txt
Filesize: 76KB
MD5: cd626dd8a473d5c7ba298ceb3cf05b70
SHA1: c3311e7da1d0ec2ba498db0b3f8561e3de4fd1f3
SHA256: 575262ebd77dbe56c622414f277c17f3e9e8fb199dad52e13fba8aba9ce6d411
SHA512: baf09c2fccd1a800596702b99f4a52fee34df92871663b393be6b508e264ad5071bf2b316f5659288c888fee3bcdc5d66bcf0e70aea22b109b453bd2507f15d8
Filesize: 100KB
MD5: 1f2cec484d93617fa81ecff025ebd981
SHA1: 2a0e9083aa48236edd47a140380b800dc56579c1
SHA256: 2aac7fa52b946aaad1e84bf0175a7568d89472e88eda1dc725081288ba2271d8
SHA512: 57c1b3aa98a0facad57e285d6552de42450df04d8c97a4cb4374bc05df80c9e63a5809a6f2c5735e77c470b2fde438d76b423326819b4c931bec6ea08501e562

Filesize: 1KB
MD5: d46f641fd04723e353e062eff5679ef6
SHA1: 319637221e4edaf0d59836285d065e58542afbdb
SHA256: 94c2dac57889d420b04efcc085787c1e82468c1d6a283545f6b73f8989dacb74
SHA512: 9d166240aa9eb2c0197da3154914f86dd83a7188093a98f13adf8fce60d137bb77355f1f7e182a309fda14897ed76cab7e6beed2a1bc542e4729e38142dc734b

Filesize: 2.9MB
MD5: fe9bea77f231fb8526ce2a8a2ccd58dc
SHA1: 0c502b1e730e1274e90e08b35cb5f62430db3862
SHA256: 0b91ffec7e9c97010e43860f019ce22f5378efda2b4d9761240290c907a92eb7
SHA512: c6cda66ce548c060ba89760edb6790133da38f41c9ab19563ffabd6debab463d71efa1041905acc950e415a2180e95eef63670b1ec81ccd35ea3aae01c3a3855

Filesize: 1KB
MD5: ed4859ef9f4ac0197e6ff2debf0f9cf3
SHA1: 57fa7434e3d27eb96fe420b4071c3097e523e7e8
SHA256: 249638eeecdb6725d0798c369fd62f2ff09f80ab2e77137b153203fe5ff4b0fc
SHA512: 6b756d035d62cb9ba5d03aa968eda6ac0bc272d7a785d33ddbec7e72b12dbcb81272d90b4d2ba39f43d08f3ecab1f2eb915a456ef5e04365fdba800098ac127a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\erdre GDPS\Деинсталлировать erdresem`s GDPS.lnk
Filesize: 1KB
MD5: 58b11fc923f805f09028769acffab276
SHA1: e6884ed0c98de1564e9e10268c36c7700d5e4c16
SHA256: 46279aa0e52bf5862cccc31ddc3864d11bded8589ebbd6f83be1b6d2853b01a1
SHA512: fc533b095260d55c7a852be6d2b867f2f0b544bb2d88e0848ee501f2e60fa60f052deb986ab3dc6b5fd8e63715fa1902eb9e832fc6800189f5b065fc7d72756a

MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e