Analysis Overview
Threat Level: Likely malicious
The file http:// was found to be: Likely malicious.
Malicious Activity Summary
Manipulates Digital Signatures
Possible privilege escalation attempt
Drops file in Drivers directory
Modifies file permissions
Boot or Logon Autostart Execution: Print Processors
Drops file in System32 directory
Modifies termsrv.dll
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Opens file in notepad (likely ransom note)
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-30 12:43
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-30 12:43
Reported
2024-06-30 12:49
Platform
win10v2004-20240508-en
Max time kernel
313s
Max time network
315s
Command Line
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\pnpmem.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\rasacd.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\BthHfEnum.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\mpsdrv.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\pciide.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\scfilter.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\cldflt.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\en-US\cxwmbclass.sys.mui | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\en-US\ataport.sys.mui | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\umpass.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\usbehci.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\en-US\acpi.sys.mui | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\en-US\wfplwfs.sys.mui | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\gpuenergydrv.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\ksthunk.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\ntfs.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\ramdisk.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\tdx.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\Dumpata.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\en-US\dmvsc.sys.mui | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\en-US\hidclass.sys.mui | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\en-US\tsusbflt.sys.mui | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\intelide.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\vmstorfl.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\wof.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\pcmcia.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\condrv.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\en-US\cdrom.sys.mui | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\en-US\EhStorTcgDrv.sys.mui | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\en-US\modem.sys.mui | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\en-US\volsnap.sys.mui | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\mshidkmdf.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\ndis.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\rteth.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\en-US\scmbus.sys.mui | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\FWPKCLNT.SYS | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\refsv1.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\usbprint.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\netbios.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\rdbss.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\BtaMPM.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\en-US\serial.sys.mui | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\en-US\usbhub.sys.mui | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\en-US\ws2ifsl.sys.mui | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\rdpdr.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\rdpvideominiport.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\terminpt.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\1394ohci.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\bthmodem.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\null.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\storqosflt.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\UcmUcsiAcpiClient.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\UMDF\usbdr.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\ataport.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\fvevol.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\en-US\IndirectKmd.sys.mui | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\en-US\mouclass.sys.mui | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\videoprt.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\dumpsd.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\en-US\wudfpf.sys.mui | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\mspqm.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\rasl2tp.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\acpitime.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\en-US\mup.sys.mui | C:\Windows\System32\cmd.exe | N/A |
Manipulates Digital Signatures
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\wintrust.dll | C:\Windows\System32\cmd.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Boot or Logon Autostart Execution: Print Processors
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\spool\prtprocs\x64\winprint.dll | C:\Windows\System32\cmd.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\en-US\clip.exe.mui | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\it-IT\ngckeyenum.dll.mui | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\it-IT\SensorsCpl.dll.mui | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\pcl.sep | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\downlevel\api-ms-win-security-base-l1-1-0.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\es-ES\hidi2c.inf_loc | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\microsoft_bluetooth_a2dp_src.inf_amd64_0bdbb11733d87f9a\microsoft_bluetooth_a2dp_src.inf | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\fr-FR\Microsoft_Bluetooth_AvrcpTransport.inf_loc | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\fr-FR\BthpanContextHandler.dll.mui | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\HdcpHandler.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\uk-UA\SettingsHandlers_Geolocation.dll.mui | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\wmerror.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\DeviceMetadataRetrievalClient.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\de-DE\xboxgip.inf_loc | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\b57nd60a.inf_amd64_77a731ab08be20a5\b57nd60a.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\it-IT\iaLPSS2i_GPIO2_GLK.inf_loc | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\en-US\c_ucm.inf_loc | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\en-US\forfiles.exe.mui | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\vbscript.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\WindowsPowerShell\v1.0\Modules\NetEventPacketCapture\NetEventPacketCapture.Types.ps1xml | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\es-ES\wkssvc.dll.mui | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\it-IT\mimefilt.dll.mui | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_UserResource\it-IT\MSFT_UserResource.strings.psd1 | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\it-IT\ipconfig.exe.mui | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\de-DE\c_smrdisk.inf_loc | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\en-US\multiprt.inf_loc | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\es-ES\lmhsvc.dll.mui | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\fr-FR\VaultCli.dll.mui | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\wbem\WMIPICMP.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\es-ES\netathr10x.INF_loc | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\es-ES\DeviceProperties.exe.mui | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\uk-UA\WSCollect.exe.mui | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\wbem\en-US\NetTCPIP.dll.mui | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\it-IT\mrinfo.exe.mui | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\ja-jp\openfiles.exe.mui | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\fr-FR\BthLCPen.inf_loc | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\fr-FR\ChargeArbitration.inf_loc | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\en-US\eappgnui.dll.mui | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\es-ES\SrTasks.exe.mui | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\it-IT\RpcEpMap.dll.mui | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\MixedReality.Broker.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\netutils.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\spp\tokens\skus\ENTERP~1\Enterprise-Volume-GVLK-1-ul-rtm.xrm-ms | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\DialogBlockingManager.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\mssmbios.inf_amd64_9fc7fe03de136fc1\mssmbios.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\es-ES\defragsvc.dll.mui | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\it-IT\regsvr32.exe.mui | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\ApplicationControlCSP.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\wbem\en-US\pcsvDevice_Uninstall.mfl | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\WlanRadioManager.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\C_20278.NLS | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\de-DE\netbtugc.exe.mui | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\de-DE\runas.exe.mui | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\AuthFWGP.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\de-DE\ComputerDefaults.exe.mui | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\de-DE\rhproxy.inf_loc | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\it-IT\cmlua.dll.mui | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\spp\tokens\skus\PROFES~1\Professional-Retail-4-pl-rtm.xrm-ms | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\uk-UA\sndvolsso.dll.mui | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\WindowsPowerShell\v1.0\Modules\NetAdapter\MSFT_NetAdapterUso.Format.ps1xml | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\config\SYSTEM~1.LOG | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\DragDropExperienceCommon.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\ja-JP\AcpiDev.inf_loc | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\fr-FR\rasmbmgr.dll.mui | C:\Windows\System32\cmd.exe | N/A |
Modifies termsrv.dll
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\termsrv.dll | C:\Windows\System32\cmd.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "237" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\NOTEPAD.EXE | N/A |
| N/A | N/A | C:\Windows\System32\NOTEPAD.EXE | N/A |
| N/A | N/A | C:\Windows\System32\NOTEPAD.EXE | N/A |
| N/A | N/A | C:\Windows\System32\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa087846f8,0x7ffa08784708,0x7ffa08784718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,7000350716331620678,11072985010717811159,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,7000350716331620678,11072985010717811159,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,7000350716331620678,11072985010717811159,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,7000350716331620678,11072985010717811159,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,7000350716331620678,11072985010717811159,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,7000350716331620678,11072985010717811159,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,7000350716331620678,11072985010717811159,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3768 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,7000350716331620678,11072985010717811159,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4588 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,7000350716331620678,11072985010717811159,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4588 /prefetch:8
C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ss.bat
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\ss.bat"
C:\Windows\system32\takeown.exe
takeown C:\Windows\System32\*
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\*
C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ss.bat
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\ss.bat"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\ss.bat"
C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ss.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\ss.bat" "
C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ss.bat
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\ss.bat"
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39f9055 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 612a6c4247ef652299b376221c984213 |
| SHA1 | d306f3b16bde39708aa862aee372345feb559750 |
| SHA256 | 9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a |
| SHA512 | 34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973 |
\??\pipe\LOCAL\crashpad_3564_QMXROVLGOVFMKKGB
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 56641592f6e69f5f5fb06f2319384490 |
| SHA1 | 6a86be42e2c6d26b7830ad9f4e2627995fd91069 |
| SHA256 | 02d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455 |
| SHA512 | c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 5948165f8ed59d3485398b8222f49939 |
| SHA1 | ec086106272a57f384240a870dafa62466035009 |
| SHA256 | 023a895eddbad14f2918c45de8f1ede485749b0b3ef38fb147b7b1284d8b453b |
| SHA512 | 8930373458faa90431308642c0f54efce7f7c0131a2693d9b60c2af511c5787ea403255141540cd2e4691e589de56e7a670de5d58eee944bbd5da440fe124448 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | f52042df80a15d8fa06e00264020a515 |
| SHA1 | 6d58f7048341c1b99d1266902abcd76b42cf56ae |
| SHA256 | b4831b6efeeeb441efaa5cd8aca334cc7e04665cf315da7b5e3caaeb99f96e20 |
| SHA512 | aa68f76e78b16b72d693bf258ded910f18bfcb51cc84c8b01c3834daf810e5d7b6a9c3ff698f166f4bbd371153afb885983c5b27517fb8589596f43756c7b732 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 43da7c92cb55983737642fadcee306d5 |
| SHA1 | 07e99a5d64605619136b42498413096ef9d7b1a1 |
| SHA256 | 4b5c52243cdc19319fbc9f66fa8d40c1f42bb39e77ffe6ad6289dc756175d514 |
| SHA512 | 31f50f086ffcf1fa21d06bb394848ef4af2a8e534c468d48b008cb7e3dd004cec627d010f5206e2010821055178e1d56f347f9b017e43c63716da3b586287ae5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\Desktop\ss.bat
| MD5 | 3d11bc6b0fe2196c2188d0e05ad4d33e |
| SHA1 | e231a665becff3938d428a3cead603fff36d5c29 |
| SHA256 | 8848120f4bfc807f73eb8e8211ffd9c9c6fef06ca1369523795323f34da762b1 |
| SHA512 | 42555f44a6c154d14d0a5a734769e36fa65694f700feea72d8f623a9a14dabbf33323bd1a45178ae5777a9f2d82119e7334013a2b0e550c601a6cc9bc052aa46 |
C:\Users\Admin\Desktop\ss.bat
| MD5 | 67ce02841f86b07da1a983f24d5a0ee4 |
| SHA1 | a79fcc660b46cd80cf7aaac666c482ffb5b77a91 |
| SHA256 | 35ade8238f00005ab089cda97210da573ae1408152ab8a3070f221e31a6e2b55 |
| SHA512 | 1e111b854d201430a0de486b0c2db241931567b323a710a4297fd3c6df5bf2791dbc905766e133fef232c5c3e3345aff7526fa7492a16fc78be4eaf8a5411708 |
C:\Users\Admin\Desktop\ss.bat
| MD5 | 16e25fa495c6a742f816929a5c8fbb77 |
| SHA1 | dd5e01c47b8ec5d0111375b109c6f76fce8f4a23 |
| SHA256 | 58e201048a7b856a957fd9e5066208d094c70e804128b487ec98dfea0a10ff68 |
| SHA512 | 8e1ea967211c67524f15d6ac8f7c8b6dd203c81a5ff990259a55bbdd624941f84ef9dbb7ce88708e2a277b8a21c9fb5cff1120677bc06ccbef432b9d17ddafdb |
C:\Users\Admin\Desktop\ss.bat
| MD5 | 64bdae31156537beb24e536b6224806b |
| SHA1 | f728e44e3a84adb489c2afc68eb47333a312c9bd |
| SHA256 | ad9bb313f91ed8b22a9ccfa24819dc6df7de69f71289b0720ac22f280086a988 |
| SHA512 | 438006824b39b6e1367af2cbfdeb2ee308322913ff4929a8191f09beded9f4427b568034f48f286b4ba0bf9862bbf2affdc65c4fb7447f2b555164179b5fe12b |