fbc77548e8938bbf771cae6cfa3eea095d35ddc2e0026dbe460488d06ec7cc43

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	OneDriveSetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	S0larD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	S0larD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	S0larD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	S0larD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	S0larD.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 13 IoCs

pid	Process
3456	Silver.pif
916	RegAsm.exe
4284	RegAsm.exe
4340	RegAsm.exe
2344	RegAsm.exe
4420	OneDriveSetup.exe
656	OneDriveSetup.exe
740	FileSyncConfig.exe
4304	OneDrive.exe
4344	Silver.pif
3576	Silver.pif
4564	Silver.pif
5096	Silver.pif

Loads dropped DLL 39 IoCs

pid	Process
740	FileSyncConfig.exe
740	FileSyncConfig.exe
740	FileSyncConfig.exe
740	FileSyncConfig.exe
740	FileSyncConfig.exe
4304	OneDrive.exe
4304	OneDrive.exe
4304	OneDrive.exe
4304	OneDrive.exe
4304	OneDrive.exe
4304	OneDrive.exe
4304	OneDrive.exe
4304	OneDrive.exe
4304	OneDrive.exe
4304	OneDrive.exe
4304	OneDrive.exe
4304	OneDrive.exe
4304	OneDrive.exe
4304	OneDrive.exe
4304	OneDrive.exe
4304	OneDrive.exe
4304	OneDrive.exe
4304	OneDrive.exe
4304	OneDrive.exe
4304	OneDrive.exe
4304	OneDrive.exe
4304	OneDrive.exe
4304	OneDrive.exe
4304	OneDrive.exe
4304	OneDrive.exe
4304	OneDrive.exe
4304	OneDrive.exe
4304	OneDrive.exe
4304	OneDrive.exe
4304	OneDrive.exe
4304	OneDrive.exe
4304	OneDrive.exe
4304	OneDrive.exe
4304	OneDrive.exe

Modifies system executable filetype association 2 TTPs 7 IoCs

persistence

Modify Registry

Change Default File Association

T1546.001

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Standalone Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\""	OneDriveSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks system information in the registry 2 TTPs 6 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OneDriveSetup.exe

Enumerates processes with tasklist 1 TTPs 10 IoCs

discovery

Process Discovery

T1057

pid	Process
3316	tasklist.exe
520	tasklist.exe
3000	tasklist.exe
1984	tasklist.exe
1520	tasklist.exe
2032	tasklist.exe
3732	tasklist.exe
740	tasklist.exe
2632	tasklist.exe
4368	tasklist.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SellersWrong	S0larD.exe
File opened for modification	C:\Windows\OrdersMiss	S0larD.exe
File opened for modification	C:\Windows\MitchellGotten	S0larD.exe
File opened for modification	C:\Windows\PersonalsLibrarian	S0larD.exe
File opened for modification	C:\Windows\MitchellGotten	S0larD.exe
File opened for modification	C:\Windows\UseFrom	S0larD.exe
File opened for modification	C:\Windows\UseFrom	S0larD.exe
File opened for modification	C:\Windows\MitchellGotten	S0larD.exe
File opened for modification	C:\Windows\CanadaChemicals	S0larD.exe
File opened for modification	C:\Windows\VolvoReservations	S0larD.exe
File opened for modification	C:\Windows\MostPosters	S0larD.exe
File opened for modification	C:\Windows\OutcomesPaperbacks	S0larD.exe
File opened for modification	C:\Windows\PersonalsLibrarian	S0larD.exe
File opened for modification	C:\Windows\TacticsVictims	S0larD.exe
File opened for modification	C:\Windows\OrdersMiss	S0larD.exe
File opened for modification	C:\Windows\ReturnProject	S0larD.exe
File opened for modification	C:\Windows\MitchellGotten	S0larD.exe
File opened for modification	C:\Windows\FlightsChoir	S0larD.exe
File opened for modification	C:\Windows\UseFrom	S0larD.exe
File opened for modification	C:\Windows\SoughtCuisine	S0larD.exe
File opened for modification	C:\Windows\BassRelease	S0larD.exe
File opened for modification	C:\Windows\BassRelease	S0larD.exe
File opened for modification	C:\Windows\OrdersMiss	S0larD.exe
File opened for modification	C:\Windows\PersonalsLibrarian	S0larD.exe
File opened for modification	C:\Windows\FlightsChoir	S0larD.exe
File opened for modification	C:\Windows\BicycleDaniel	S0larD.exe
File opened for modification	C:\Windows\LogicalDefining	S0larD.exe
File opened for modification	C:\Windows\LogicalDefining	S0larD.exe
File opened for modification	C:\Windows\RestrictionsBurner	S0larD.exe
File opened for modification	C:\Windows\VisitsEdinburgh	S0larD.exe
File opened for modification	C:\Windows\TacticsVictims	S0larD.exe
File opened for modification	C:\Windows\ReturnProject	S0larD.exe
File opened for modification	C:\Windows\MostPosters	S0larD.exe
File opened for modification	C:\Windows\TacticsVictims	S0larD.exe
File opened for modification	C:\Windows\CookbookJenny	S0larD.exe
File opened for modification	C:\Windows\SellersWrong	S0larD.exe
File opened for modification	C:\Windows\BicycleDaniel	S0larD.exe
File opened for modification	C:\Windows\MostPosters	S0larD.exe
File opened for modification	C:\Windows\CanadaChemicals	S0larD.exe
File opened for modification	C:\Windows\OutcomesPaperbacks	S0larD.exe
File opened for modification	C:\Windows\OutcomesPaperbacks	S0larD.exe
File opened for modification	C:\Windows\LogicalDefining	S0larD.exe
File opened for modification	C:\Windows\PlatinumTrainer	S0larD.exe
File opened for modification	C:\Windows\PersonalsLibrarian	S0larD.exe
File opened for modification	C:\Windows\FlightsChoir	S0larD.exe
File opened for modification	C:\Windows\MostPosters	S0larD.exe
File opened for modification	C:\Windows\MitchellGotten	S0larD.exe
File opened for modification	C:\Windows\LogicalDefining	S0larD.exe
File opened for modification	C:\Windows\FlightsChoir	S0larD.exe
File opened for modification	C:\Windows\VisitsEdinburgh	S0larD.exe
File opened for modification	C:\Windows\BicycleDaniel	S0larD.exe
File opened for modification	C:\Windows\BassRelease	S0larD.exe
File opened for modification	C:\Windows\VolvoReservations	S0larD.exe
File opened for modification	C:\Windows\RestrictionsBurner	S0larD.exe
File opened for modification	C:\Windows\OutcomesPaperbacks	S0larD.exe
File opened for modification	C:\Windows\CanadaChemicals	S0larD.exe
File opened for modification	C:\Windows\UseFrom	S0larD.exe
File opened for modification	C:\Windows\PersonalsLibrarian	S0larD.exe
File opened for modification	C:\Windows\MostPosters	S0larD.exe
File opened for modification	C:\Windows\PlatinumTrainer	S0larD.exe
File opened for modification	C:\Windows\VisitsEdinburgh	S0larD.exe
File opened for modification	C:\Windows\ReturnProject	S0larD.exe
File opened for modification	C:\Windows\OutcomesPaperbacks	S0larD.exe
File opened for modification	C:\Windows\VolvoReservations	S0larD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 61 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S0larD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileSyncConfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S0larD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Silver.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OneDrive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S0larD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Silver.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OneDriveSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Silver.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OneDrive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S0larD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OneDriveSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Silver.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S0larD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Silver.pif

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OneDrive.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	OneDrive.exe

Delays execution with timeout.exe 5 IoCs

evasion

pid	Process
3024	timeout.exe
2656	timeout.exe
2032	timeout.exe
4336	timeout.exe
3144	timeout.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Microsoft\Internet Explorer\IESettingSync	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	OneDrive.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\WOW6432Node\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\ = "SyncEngineCOMServer Class"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /autoplay"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Interface\{F062BA81-ADFE-4A92-886A-23FD851D6406}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\WOW6432Node\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_CLASSES\TYPELIB\{F904F88C-E60D-4327-9FA2-865AD075B400}\1.0\0\WIN32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileCoAuth.exe\""	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\ProxyStubClsid32	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17}\ProxyStubClsid32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\mssharepointclient\shell\open\command	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\TypeLib\ = "{082D3FEC-D0D0-4DF6-A988-053FECE7B884}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Interface\{b5c25645-7426-433f-8a5f-42b7ff27a7b2}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\WOW6432Node\Interface\{79A2A54C-3916-41FD-9FAB-F26ED0BBA755}\ProxyStubClsid32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}\ = "IFileUploader"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\SyncEngineStorageProviderHandlerProxy.SyncEngineStorageProviderHandlerProxy\CLSID\ = "{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\WOW6432Node\Interface\{9D613F8A-B30E-4938-8490-CB5677701EBF}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Interface\{0776ae27-5ab9-4e18-9063-1836da63117a}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\WOW6432Node\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\WOW6432Node\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\TypeLib\{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}\1.0\HELPDIR	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\WOW6432Node\Interface\{B05D37A9-03A2-45CF-8850-F660DF0CBF07}\ = "IOneDriveInfoProvider"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\AppID\OneDrive.EXE	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\BannerNotificationHandler.BannerNotificationHandler\CLSID\ = "{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\WOW6432Node\Interface\{8D3F8F15-1DE1-4662-BF93-762EABE988B2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Interface\{B54E7079-90C9-4C62-A6B8-B2834C33A04A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\TypeLib\{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}\1.0	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Interface\{B05D37A9-03A2-45CF-8850-F660DF0CBF07}\ProxyStubClsid32\ = "{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\ = "ReadOnlyOverlayHandler Class"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\WOW6432Node\Interface\{C2FE84F5-E036-4A07-950C-9BFD3EAB983A}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Interface\{8D3F8F15-1DE1-4662-BF93-762EABE988B2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\WOW6432Node\Interface\{9E1CD0DF-72E7-4284-9598-342C0A46F96B}\ProxyStubClsid32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_CLASSES\WOW6432NODE\INTERFACE\{944903E8-B03F-43A0-8341-872200D2DA9C}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\VersionIndependentProgID\ = "FileSyncClient.FileSyncClient"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\WOW6432Node\Interface\{0f872661-c863-47a4-863f-c065c182858a}\TypeLib	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\WOW6432Node\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\ = "IDeviceHeroShotCallback"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\WOW6432Node\Interface\{0776ae27-5ab9-4e18-9063-1836da63117a}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\TypeLib\Version = "1.0"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\WOW6432Node\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\ProxyStubClsid32	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_CLASSES\NUCLEUSNATIVEMESSAGING.NUCLEUSNATIVEMESSAGING\CURVER	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Interface\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Interface\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\FileSyncShell.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\BannerNotificationHandler.BannerNotificationHandler\CurVer	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Interface\{466F31F7-9892-477E-B189-FA5C59DE3603}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\WOW6432Node\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\WOW6432Node\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f}\ProxyStubClsid32	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_CLASSES\INTERFACE\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\WOW6432Node\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_CLASSES\WOW6432NODE\CLSID\{47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}\LOCALSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\WOW6432Node\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\ = "IGetSelectiveSyncInformationCallback"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\TypeLib	OneDrive.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2576	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1912	OneDrive.exe
4304	OneDrive.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3456	Silver.pif
3456	Silver.pif
3456	Silver.pif
3456	Silver.pif
3456	Silver.pif
3456	Silver.pif
3456	Silver.pif
3456	Silver.pif
3456	Silver.pif
3456	Silver.pif
916	RegAsm.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1912	OneDrive.exe
1912	OneDrive.exe
4420	OneDriveSetup.exe
4420	OneDriveSetup.exe
4420	OneDriveSetup.exe
4420	OneDriveSetup.exe
656	OneDriveSetup.exe
656	OneDriveSetup.exe
656	OneDriveSetup.exe
656	OneDriveSetup.exe
656	OneDriveSetup.exe
656	OneDriveSetup.exe
656	OneDriveSetup.exe
656	OneDriveSetup.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5024	OpenWith.exe
3592	taskmgr.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
436	Process not Found
2076	Process not Found
4568	Process not Found
3004	Process not Found
2132	Process not Found
4048	Process not Found
5036	Process not Found
2052	Process not Found
1424	Process not Found
4288	Process not Found
3744	Process not Found
1540	Process not Found
2444	Process not Found
4912	Process not Found
3456	Process not Found
4548	Process not Found
1020	Process not Found
2448	Process not Found
4412	Process not Found
392	Process not Found
1588	Process not Found
4388	Process not Found
1088	Process not Found
2500	Process not Found
1528	Process not Found
1748	Process not Found
912	Process not Found
4052	Process not Found
3524	Process not Found
704	Process not Found
1768	Process not Found
2748	Process not Found
3012	Process not Found
3788	Process not Found
2032	Process not Found
1660	Process not Found
2068	Process not Found
1696	Process not Found
2816	Process not Found
1704	Process not Found
4552	Process not Found
2992	Process not Found
1148	Process not Found
2676	Process not Found
1916	Process not Found
5092	Process not Found
396	Process not Found
5112	Process not Found
4588	Process not Found
3136	Process not Found
1144	Process not Found
2608	Process not Found
4368	Process not Found
4960	Process not Found
488	Process not Found
4252	Process not Found
4652	Process not Found
2108	Process not Found
2716	Process not Found
3144	Process not Found
5004	Process not Found
3808	Process not Found
3280	Process not Found
1776	Process not Found

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	1520	tasklist.exe
Token: SeDebugPrivilege	3316	tasklist.exe
Token: SeDebugPrivilege	916	RegAsm.exe
Token: SeBackupPrivilege	916	RegAsm.exe
Token: SeSecurityPrivilege	916	RegAsm.exe
Token: SeSecurityPrivilege	916	RegAsm.exe
Token: SeSecurityPrivilege	916	RegAsm.exe
Token: SeSecurityPrivilege	916	RegAsm.exe
Token: SeDebugPrivilege	1828	taskmgr.exe
Token: SeSystemProfilePrivilege	1828	taskmgr.exe
Token: SeCreateGlobalPrivilege	1828	taskmgr.exe
Token: 33	1828	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1828	taskmgr.exe
Token: SeIncreaseQuotaPrivilege	4420	OneDriveSetup.exe
Token: SeIncreaseQuotaPrivilege	656	OneDriveSetup.exe
Token: SeDebugPrivilege	2032	tasklist.exe
Token: SeDebugPrivilege	520	tasklist.exe
Token: SeDebugPrivilege	3000	tasklist.exe
Token: SeDebugPrivilege	3732	tasklist.exe
Token: SeDebugPrivilege	740	tasklist.exe
Token: SeDebugPrivilege	2632	tasklist.exe
Token: SeDebugPrivilege	1984	tasklist.exe
Token: SeDebugPrivilege	4368	tasklist.exe
Token: SeDebugPrivilege	3592	taskmgr.exe
Token: SeSystemProfilePrivilege	3592	taskmgr.exe
Token: SeCreateGlobalPrivilege	3592	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3456	Silver.pif
3456	Silver.pif
3456	Silver.pif
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3456	Silver.pif
3456	Silver.pif
3456	Silver.pif
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe
1828	taskmgr.exe

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
5024	OpenWith.exe
5024	OpenWith.exe
5024	OpenWith.exe
5024	OpenWith.exe
5024	OpenWith.exe
5024	OpenWith.exe
5024	OpenWith.exe
5024	OpenWith.exe
5024	OpenWith.exe
5024	OpenWith.exe
5024	OpenWith.exe
5024	OpenWith.exe
5024	OpenWith.exe
5024	OpenWith.exe
5024	OpenWith.exe
5024	OpenWith.exe
5024	OpenWith.exe
5024	OpenWith.exe
5024	OpenWith.exe
5024	OpenWith.exe
5024	OpenWith.exe
5024	OpenWith.exe
5024	OpenWith.exe
5024	OpenWith.exe
5024	OpenWith.exe
5024	OpenWith.exe
5024	OpenWith.exe
1912	OneDrive.exe
4304	OneDrive.exe
4304	OneDrive.exe
4304	OneDrive.exe
3916	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3788 wrote to memory of 3584	3788	S0larD.exe	86
PID 3788 wrote to memory of 3584	3788	S0larD.exe	86
PID 3788 wrote to memory of 3584	3788	S0larD.exe	86
PID 3584 wrote to memory of 1520	3584	cmd.exe	89
PID 3584 wrote to memory of 1520	3584	cmd.exe	89
PID 3584 wrote to memory of 1520	3584	cmd.exe	89
PID 3584 wrote to memory of 4152	3584	cmd.exe	90
PID 3584 wrote to memory of 4152	3584	cmd.exe	90
PID 3584 wrote to memory of 4152	3584	cmd.exe	90
PID 3584 wrote to memory of 3316	3584	cmd.exe	92
PID 3584 wrote to memory of 3316	3584	cmd.exe	92
PID 3584 wrote to memory of 3316	3584	cmd.exe	92
PID 3584 wrote to memory of 3868	3584	cmd.exe	93
PID 3584 wrote to memory of 3868	3584	cmd.exe	93
PID 3584 wrote to memory of 3868	3584	cmd.exe	93
PID 3584 wrote to memory of 1660	3584	cmd.exe	94
PID 3584 wrote to memory of 1660	3584	cmd.exe	94
PID 3584 wrote to memory of 1660	3584	cmd.exe	94
PID 3584 wrote to memory of 1088	3584	cmd.exe	95
PID 3584 wrote to memory of 1088	3584	cmd.exe	95
PID 3584 wrote to memory of 1088	3584	cmd.exe	95
PID 3584 wrote to memory of 3288	3584	cmd.exe	96
PID 3584 wrote to memory of 3288	3584	cmd.exe	96
PID 3584 wrote to memory of 3288	3584	cmd.exe	96
PID 3584 wrote to memory of 3456	3584	cmd.exe	97
PID 3584 wrote to memory of 3456	3584	cmd.exe	97
PID 3584 wrote to memory of 3456	3584	cmd.exe	97
PID 3584 wrote to memory of 3144	3584	cmd.exe	98
PID 3584 wrote to memory of 3144	3584	cmd.exe	98
PID 3584 wrote to memory of 3144	3584	cmd.exe	98
PID 3456 wrote to memory of 916	3456	Silver.pif	105
PID 3456 wrote to memory of 916	3456	Silver.pif	105
PID 3456 wrote to memory of 916	3456	Silver.pif	105
PID 3456 wrote to memory of 916	3456	Silver.pif	105
PID 3456 wrote to memory of 916	3456	Silver.pif	105
PID 5024 wrote to memory of 2588	5024	OpenWith.exe	132
PID 5024 wrote to memory of 2588	5024	OpenWith.exe	132
PID 1912 wrote to memory of 4420	1912	OneDrive.exe	138
PID 1912 wrote to memory of 4420	1912	OneDrive.exe	138
PID 1912 wrote to memory of 4420	1912	OneDrive.exe	138
PID 656 wrote to memory of 740	656	OneDriveSetup.exe	143
PID 656 wrote to memory of 740	656	OneDriveSetup.exe	143
PID 656 wrote to memory of 740	656	OneDriveSetup.exe	143
PID 2500 wrote to memory of 3524	2500	S0larD.exe	155
PID 2500 wrote to memory of 3524	2500	S0larD.exe	155
PID 2500 wrote to memory of 3524	2500	S0larD.exe	155
PID 3524 wrote to memory of 2032	3524	cmd.exe	158
PID 3524 wrote to memory of 2032	3524	cmd.exe	158
PID 3524 wrote to memory of 2032	3524	cmd.exe	158
PID 3524 wrote to memory of 3232	3524	cmd.exe	159
PID 3524 wrote to memory of 3232	3524	cmd.exe	159
PID 3524 wrote to memory of 3232	3524	cmd.exe	159
PID 3524 wrote to memory of 520	3524	cmd.exe	161
PID 3524 wrote to memory of 520	3524	cmd.exe	161
PID 3524 wrote to memory of 520	3524	cmd.exe	161
PID 3524 wrote to memory of 1424	3524	cmd.exe	162
PID 3524 wrote to memory of 1424	3524	cmd.exe	162
PID 3524 wrote to memory of 1424	3524	cmd.exe	162
PID 3524 wrote to memory of 4288	3524	cmd.exe	163
PID 3524 wrote to memory of 4288	3524	cmd.exe	163
PID 3524 wrote to memory of 4288	3524	cmd.exe	163
PID 3524 wrote to memory of 1540	3524	cmd.exe	164
PID 3524 wrote to memory of 1540	3524	cmd.exe	164
PID 3524 wrote to memory of 1540	3524	cmd.exe	164

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3548
- C:\Users\Admin\AppData\Local\Temp\S0laradD\S0larD.exe
  "C:\Users\Admin\AppData\Local\Temp\S0laradD\S0larD.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3788
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Xxx Xxx.cmd & Xxx.cmd & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3584
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1520
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4152
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3316
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3868
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 378062
      4⤵
      System Location Discovery: System Language Discovery
      PID:1660
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "FacesStadiumMsgidSep" Greensboro
      4⤵
      System Location Discovery: System Language Discovery
      PID:1088
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Venezuela + Boob + Forget + Wonderful + Del 378062\E
      4⤵
      System Location Discovery: System Language Discovery
      PID:3288
  - - C:\Users\Admin\AppData\Local\Temp\378062\Silver.pif
      378062\Silver.pif 378062\E
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3456
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 5
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:3144
- C:\Users\Admin\AppData\Local\Temp\378062\RegAsm.exe
  C:\Users\Admin\AppData\Local\Temp\378062\RegAsm.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:916
- C:\Users\Admin\AppData\Local\Temp\378062\RegAsm.exe
  "C:\Users\Admin\AppData\Local\Temp\378062\RegAsm.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4284
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /0
  2⤵
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1828
- C:\Users\Admin\AppData\Local\Temp\378062\RegAsm.exe
  "C:\Users\Admin\AppData\Local\Temp\378062\RegAsm.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4340
- C:\Users\Admin\AppData\Local\Temp\378062\RegAsm.exe
  "C:\Users\Admin\AppData\Local\Temp\378062\RegAsm.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2344
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
  "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
  2⤵
  - Modifies system executable filetype association
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
    "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" /update /restart
    3⤵
    - Executes dropped EXE
    - Checks system information in the registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4420
  - - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
      C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe /update /restart /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies system executable filetype association
      Adds Run key to start application
      Checks system information in the registry
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:656
    - - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:740
    - - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
        
        /updateInstalled /background
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system executable filetype association
        Checks system information in the registry
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious behavior: AddClipboardFormatListener
        Suspicious use of SetWindowsHookEx
        
        PID:4304
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2010_x86.log-MSI_vc_red.msi.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2576
- C:\Users\Admin\AppData\Local\Temp\S0laradD\S0larD.exe
  "C:\Users\Admin\AppData\Local\Temp\S0laradD\S0larD.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Xxx Xxx.cmd & Xxx.cmd & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3524
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2032
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3232
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:520
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1424
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 378062
      4⤵
      System Location Discovery: System Language Discovery
      PID:4288
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "FacesStadiumMsgidSep" Greensboro
      4⤵
      System Location Discovery: System Language Discovery
      PID:1540
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Venezuela + Boob + Forget + Wonderful + Del 378062\E
      4⤵
      System Location Discovery: System Language Discovery
      PID:2340
  - - C:\Users\Admin\AppData\Local\Temp\378062\Silver.pif
      378062\Silver.pif 378062\E
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4344
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 5
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:3024
- C:\Users\Admin\AppData\Local\Temp\S0laradD\S0larD.exe
  "C:\Users\Admin\AppData\Local\Temp\S0laradD\S0larD.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3368
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Xxx Xxx.cmd & Xxx.cmd & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1596
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3000
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2016
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3732
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:452
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 378062
      4⤵
      System Location Discovery: System Language Discovery
      PID:4688
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Venezuela + Boob + Forget + Wonderful + Del 378062\E
      4⤵
      System Location Discovery: System Language Discovery
      PID:4728
  - - C:\Users\Admin\AppData\Local\Temp\378062\Silver.pif
      378062\Silver.pif 378062\E
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3576
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 5
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:2656
- C:\Users\Admin\AppData\Local\Temp\S0laradD\S0larD.exe
  "C:\Users\Admin\AppData\Local\Temp\S0laradD\S0larD.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:4052
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Xxx Xxx.cmd & Xxx.cmd & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1704
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:740
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2572
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2632
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3004
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 378062
      4⤵
      System Location Discovery: System Language Discovery
      PID:4804
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Venezuela + Boob + Forget + Wonderful + Del 378062\E
      4⤵
      System Location Discovery: System Language Discovery
      PID:1276
  - - C:\Users\Admin\AppData\Local\Temp\378062\Silver.pif
      378062\Silver.pif 378062\E
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4564
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 5
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:2032
- C:\Users\Admin\AppData\Local\Temp\S0laradD\S0larD.exe
  "C:\Users\Admin\AppData\Local\Temp\S0laradD\S0larD.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:4788
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Xxx Xxx.cmd & Xxx.cmd & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4188
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1984
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2068
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4368
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4216
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 378062
      4⤵
      System Location Discovery: System Language Discovery
      PID:4652
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Venezuela + Boob + Forget + Wonderful + Del 378062\E
      4⤵
      System Location Discovery: System Language Discovery
      PID:4948
  - - C:\Users\Admin\AppData\Local\Temp\378062\Silver.pif
      378062\Silver.pif 378062\E
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5096
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 5
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:4336
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /0
  2⤵
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:3592

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2872

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5024
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Boob
  2⤵
  PID:2588

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3916

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3116

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:1140

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:1120

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2240

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4360

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4416

Network

DNS

13.86.106.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.86.106.20.in-addr.arpa

IN PTR

Response
DNS

240.143.123.92.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.143.123.92.in-addr.arpa

IN PTR

Response

240.143.123.92.in-addr.arpa

IN PTR

a92-123-143-240deploystaticakamaitechnologiescom
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=0a60d7674dd4429887951fa281d4398a&localId=w:5BC0C033-2656-131B-E22B-41EC383E9388&deviceId=6966568097755002&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=0a60d7674dd4429887951fa281d4398a&localId=w:5BC0C033-2656-131B-E22B-41EC383E9388&deviceId=6966568097755002&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=01FB7B9161276B320D1E6F5860C76AEF; domain=.bing.com; expires=Thu, 21-Aug-2025 09:51:38 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 68248FA55A254AEA8F2752ED82B95658 Ref B: LON04EDGE1209 Ref C: 2024-07-27T09:51:38Z
date: Sat, 27 Jul 2024 09:51:38 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=0a60d7674dd4429887951fa281d4398a&localId=w:5BC0C033-2656-131B-E22B-41EC383E9388&deviceId=6966568097755002&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=0a60d7674dd4429887951fa281d4398a&localId=w:5BC0C033-2656-131B-E22B-41EC383E9388&deviceId=6966568097755002&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=01FB7B9161276B320D1E6F5860C76AEF

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=Ftj38gLwKpZM4buKXpxZnIfjWmA7V6Qo-OXjuo7zTWg; domain=.bing.com; expires=Thu, 21-Aug-2025 09:51:38 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 3A53A986632349C7887C7C93917464B7 Ref B: LON04EDGE1209 Ref C: 2024-07-27T09:51:38Z
date: Sat, 27 Jul 2024 09:51:38 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=0a60d7674dd4429887951fa281d4398a&localId=w:5BC0C033-2656-131B-E22B-41EC383E9388&deviceId=6966568097755002&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=0a60d7674dd4429887951fa281d4398a&localId=w:5BC0C033-2656-131B-E22B-41EC383E9388&deviceId=6966568097755002&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=01FB7B9161276B320D1E6F5860C76AEF; MSPTC=Ftj38gLwKpZM4buKXpxZnIfjWmA7V6Qo-OXjuo7zTWg

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 1A2A8FDC373244DFB9884FFAF0395A63 Ref B: LON04EDGE1209 Ref C: 2024-07-27T09:51:38Z
date: Sat, 27 Jul 2024 09:51:38 GMT
DNS

2.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

2.159.190.20.in-addr.arpa

IN PTR

Response
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
DNS

SOZWdBazzmmNXTFzCHz.SOZWdBazzmmNXTFzCHz

Silver.pif

Remote address:

8.8.8.8:53

Request

SOZWdBazzmmNXTFzCHz.SOZWdBazzmmNXTFzCHz

IN A

Response
DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

157.123.68.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

157.123.68.40.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

6.9.196.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

6.9.196.185.in-addr.arpa

IN PTR

Response
DNS

43.58.199.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.58.199.20.in-addr.arpa

IN PTR

Response
DNS

205.47.74.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

205.47.74.20.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.28.10

ax-0001.ax-msedge.net

IN A

150.171.27.10
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301721_1Y64UM4ZK2VT4MVP3&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239317301721_1Y64UM4ZK2VT4MVP3&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 468734
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 3B574545EE8B4D1E813B03760AAD0516 Ref B: LON04EDGE0810 Ref C: 2024-07-27T09:53:21Z
date: Sat, 27 Jul 2024 09:53:20 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301274_1PA1BJMKSSMY4Z5BP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239317301274_1PA1BJMKSSMY4Z5BP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 729137
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: CA216E1202B84491B250970807FC6A92 Ref B: LON04EDGE0810 Ref C: 2024-07-27T09:53:21Z
date: Sat, 27 Jul 2024 09:53:20 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418575_1DFGQU5CLQUV7W36O&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239340418575_1DFGQU5CLQUV7W36O&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 608336
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 4E68090AD6344C93AA0465DB5E5FEDC9 Ref B: LON04EDGE0810 Ref C: 2024-07-27T09:53:21Z
date: Sat, 27 Jul 2024 09:53:20 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301312_1T9ZATUOGPW0HJ7P7&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239317301312_1T9ZATUOGPW0HJ7P7&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 767131
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: ECE183B9BAE44361A4497165CD6AE0C4 Ref B: LON04EDGE0810 Ref C: 2024-07-27T09:53:21Z
date: Sat, 27 Jul 2024 09:53:20 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418576_1P0LP58U9FRUO4PCP&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239340418576_1P0LP58U9FRUO4PCP&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 468841
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 98F2D1CDB2BF4DE8A3E2DEC7776D9EC8 Ref B: LON04EDGE0810 Ref C: 2024-07-27T09:53:21Z
date: Sat, 27 Jul 2024 09:53:20 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301683_1HSDAIPF7ZNRJKYTI&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.28.10:443

Request

GET /th?id=OADD2.10239317301683_1HSDAIPF7ZNRJKYTI&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 592206
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 8680DEF12E1D4BA382E96E5913A22A35 Ref B: LON04EDGE0810 Ref C: 2024-07-27T09:53:22Z
date: Sat, 27 Jul 2024 09:53:22 GMT
DNS

10.28.171.150.in-addr.arpa

Remote address:

8.8.8.8:53

Request

10.28.171.150.in-addr.arpa

IN PTR

Response
DNS

131.72.42.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

131.72.42.20.in-addr.arpa

IN PTR

Response
DNS

92.129.74.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

92.129.74.13.in-addr.arpa

IN PTR

Response
DNS

21.69.22.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

21.69.22.2.in-addr.arpa

IN PTR

Response

21.69.22.2.in-addr.arpa

IN PTR

a2-22-69-21deploystaticakamaitechnologiescom
DNS

132.194.113.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

132.194.113.52.in-addr.arpa

IN PTR

Response
DNS

73.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

73.159.190.20.in-addr.arpa

IN PTR

Response
DNS

SOZWdBazzmmNXTFzCHz.SOZWdBazzmmNXTFzCHz

Silver.pif

Remote address:

8.8.8.8:53

Request

SOZWdBazzmmNXTFzCHz.SOZWdBazzmmNXTFzCHz

IN A

Response
DNS

SOZWdBazzmmNXTFzCHz.SOZWdBazzmmNXTFzCHz

Silver.pif

Remote address:

8.8.8.8:53

Request

SOZWdBazzmmNXTFzCHz.SOZWdBazzmmNXTFzCHz

IN A

Response
DNS

SOZWdBazzmmNXTFzCHz.SOZWdBazzmmNXTFzCHz

Silver.pif

Remote address:

8.8.8.8:53

Request

SOZWdBazzmmNXTFzCHz.SOZWdBazzmmNXTFzCHz

IN A

Response
DNS

SOZWdBazzmmNXTFzCHz.SOZWdBazzmmNXTFzCHz

Silver.pif

Remote address:

8.8.8.8:53

Request

SOZWdBazzmmNXTFzCHz.SOZWdBazzmmNXTFzCHz

IN A

Response

204.79.197.237:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=0a60d7674dd4429887951fa281d4398a&localId=w:5BC0C033-2656-131B-E22B-41EC383E9388&deviceId=6966568097755002&anid=

tls, http2

2.0kB
9.3kB
21
19

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=0a60d7674dd4429887951fa281d4398a&localId=w:5BC0C033-2656-131B-E22B-41EC383E9388&deviceId=6966568097755002&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=0a60d7674dd4429887951fa281d4398a&localId=w:5BC0C033-2656-131B-E22B-41EC383E9388&deviceId=6966568097755002&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=0a60d7674dd4429887951fa281d4398a&localId=w:5BC0C033-2656-131B-E22B-41EC383E9388&deviceId=6966568097755002&anid=

HTTP Response

204
185.196.9.6:43164

RegAsm.exe

3.0MB
47.4kB
2329
613
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.28.10:443

https://tse1.mm.bing.net/th?id=OADD2.10239317301683_1HSDAIPF7ZNRJKYTI&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

tls, http2

130.2kB
3.8MB
2734
2730

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301721_1Y64UM4ZK2VT4MVP3&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301274_1PA1BJMKSSMY4Z5BP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418575_1DFGQU5CLQUV7W36O&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301312_1T9ZATUOGPW0HJ7P7&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418576_1P0LP58U9FRUO4PCP&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301683_1HSDAIPF7ZNRJKYTI&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Response

200
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.28.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13

8.8.8.8:53

13.86.106.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

13.86.106.20.in-addr.arpa
8.8.8.8:53

240.143.123.92.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

240.143.123.92.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

2.159.190.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

2.159.190.20.in-addr.arpa
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

73 B
143 B
1
1

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

SOZWdBazzmmNXTFzCHz.SOZWdBazzmmNXTFzCHz

dns

Silver.pif

85 B
160 B
1
1

DNS Request

SOZWdBazzmmNXTFzCHz.SOZWdBazzmmNXTFzCHz
8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

157.123.68.40.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

157.123.68.40.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

171.39.242.20.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

6.9.196.185.in-addr.arpa

dns

70 B
130 B
1
1

DNS Request

6.9.196.185.in-addr.arpa
8.8.8.8:53

43.58.199.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

43.58.199.20.in-addr.arpa
8.8.8.8:53

205.47.74.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

205.47.74.20.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
170 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

150.171.28.10

150.171.27.10
8.8.8.8:53

10.28.171.150.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

10.28.171.150.in-addr.arpa
8.8.8.8:53

131.72.42.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

131.72.42.20.in-addr.arpa
8.8.8.8:53

92.129.74.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

92.129.74.13.in-addr.arpa
8.8.8.8:53

21.69.22.2.in-addr.arpa

dns

69 B
131 B
1
1

DNS Request

21.69.22.2.in-addr.arpa
8.8.8.8:53

132.194.113.52.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

132.194.113.52.in-addr.arpa
8.8.8.8:53

73.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

73.159.190.20.in-addr.arpa
8.8.8.8:53

SOZWdBazzmmNXTFzCHz.SOZWdBazzmmNXTFzCHz

dns

Silver.pif

85 B
160 B
1
1

DNS Request

SOZWdBazzmmNXTFzCHz.SOZWdBazzmmNXTFzCHz
8.8.8.8:53

SOZWdBazzmmNXTFzCHz.SOZWdBazzmmNXTFzCHz

dns

Silver.pif

85 B
160 B
1
1

DNS Request

SOZWdBazzmmNXTFzCHz.SOZWdBazzmmNXTFzCHz
8.8.8.8:53

SOZWdBazzmmNXTFzCHz.SOZWdBazzmmNXTFzCHz

dns

Silver.pif

85 B
160 B
1
1

DNS Request

SOZWdBazzmmNXTFzCHz.SOZWdBazzmmNXTFzCHz
8.8.8.8:53

SOZWdBazzmmNXTFzCHz.SOZWdBazzmmNXTFzCHz

dns

Silver.pif

85 B
160 B
1
1

DNS Request

SOZWdBazzmmNXTFzCHz.SOZWdBazzmmNXTFzCHz

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

System Information Discovery