Analysis

max time kernel: 1792s
max time network: 1685s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 18/08/2024, 00:11
Static task: static1
URLScan task: urlscan1
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Krucus.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Krucus.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Krucus.exe
Themida packer (YARA rule themida) 2 IoCs
Both hits are memory dumps of PID 1924, i.e. Krucus.exe, so the packer sits in the sample itself.
resource | yara_rule
behavioral1/memory/1924-647-0x00000000005F0000-0x00000000014AA000-memory.dmp | themida
behavioral1/memory/1924-648-0x00000000005F0000-0x00000000014AA000-memory.dmp | themida
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
The process called NtSetInformationThread with the ThreadHideFromDebugger class (0x11), which stops debug events for that thread from being delivered to an attached debugger; a common anti-debugging step.
pid | Process
1924 | Krucus.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Krucus.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
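As an added triage example (not part of the sandbox report), the registry rows of the signatures above are run through a small classifier that maps each path to the evasion or discovery category the signature describes and rolls the hits up per process. The ATT&CK technique IDs, the weights and the FADT/RSDT generalisation of the VBOX__ check are the editor's mapping; the baseline allowlist containing msedge.exe is an analyst assumption, used so that the browser that downloaded the sample does not outrank the sample's own checks when it reads the same BIOS keys.

```python
"""Classify registry-access IoCs from a sandbox report by evasion/discovery
technique and roll them up per process. Added example for this report; the
rules, weights and the baseline allowlist are assumptions, not report data."""
import re
from collections import defaultdict

# One IoC row of the report: "<action> <registry path>[ = <value>] <process>".
IOC_RE = re.compile(
    r"^(?P<action>Key opened|Key value queried|Key created|Set value \([a-z]+\))\s+"
    r"(?P<path>.+?)(?:\s+=\s+(?P<value>\S+))?\s+(?P<process>\S+\.exe)$"
)

# (path pattern, category, ATT&CK technique, weight). Weights only rank hits.
RULES = [
    (r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__$", "anti-vm:virtualbox-acpi", "T1497.001", 5),
    (r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", "anti-vm:bios-version", "T1497.001", 3),
    (r"\\HARDWARE\\DESCRIPTION\\System\\BIOS(\\System(Manufacturer|ProductName))?$", "discovery:system-info", "T1082", 1),
    (r"\\Control\\NLS\\Language$", "discovery:system-language", "T1614.001", 2),
]
COMPILED = [(re.compile(p, re.IGNORECASE), cat, tid, w) for p, cat, tid, w in RULES]

# Analyst-supplied: processes whose hardware/system-info reads are expected on
# this image. Their hits are recorded but do not add to the score.
BASELINE_PROCESSES = {"msedge.exe"}


def parse_ioc(line):
    """Return {'action', 'path', 'value', 'process'} or None for a non-IoC line."""
    m = IOC_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(lines):
    """Per process: matched categories, ATT&CK techniques, weighted score and
    the number of hits that were discounted because of the baseline allowlist."""
    summary = defaultdict(lambda: {"categories": set(), "techniques": set(),
                                   "score": 0, "baseline_hits": 0})
    for line in lines:
        ev = parse_ioc(line)
        if ev is None:
            continue
        for pat, cat, tid, weight in COMPILED:
            if pat.search(ev["path"]):
                s = summary[ev["process"]]
                s["categories"].add(cat)
                s["techniques"].add(tid)
                if ev["process"].lower() in BASELINE_PROCESSES:
                    s["baseline_hits"] += 1
                else:
                    s["score"] += weight
    return dict(summary)


def rank(summary):
    """Process names ordered by descending score, ties broken by name."""
    return sorted(summary, key=lambda p: (-summary[p]["score"], p))


# Rows copied from the signatures section of this report.
REPORT_ROWS = [
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Krucus.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Krucus.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Krucus.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Krucus.exe",
    r"Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe",
]

if __name__ == "__main__":
    result = classify(REPORT_ROWS)
    for proc in rank(result):
        s = result[proc]
        print(f"{proc:12s} score={s['score']:2d} baseline_hits={s['baseline_hits']} "
              f"techniques={sorted(s['techniques'])} categories={sorted(s['categories'])}")
```

Run on the rows above, Krucus.exe scores 13 with T1497.001 and T1614.001, while msedge.exe ends with three discounted T1082 hits and a score of 0; the same parser also accepts the Set value rows of the registry-class signature, so the rule table can be extended to those paths if a sample starts writing rather than reading.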
Modifies registry class 64 IoCs
All 64 events below are from dnSpy.exe and sit under one key, abbreviated as <Shell>:
<Shell> = \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell
The Bags\<n>\ComDlg and BagMRU subkeys are ShellBag view state saved by the common file dialogs opened in dnSpy (the analysis tool downloaded alongside the sample); this is tool noise, not a configuration or persistence change by the sample.
description | ioc | Process
Set value (data) | <Shell>\BagMRU\MRUListEx = 00000000ffffffff | dnSpy.exe
Set value (int) | <Shell>\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | dnSpy.exe
Set value (data) | <Shell>\BagMRU\NodeSlots = 0202020202020202 | dnSpy.exe
Set value (str) | <Shell>\Bags\9\ComDlg\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | dnSpy.exe
Set value (int) | <Shell>\Bags\8\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295" | dnSpy.exe
Key created | <Shell> | dnSpy.exe
Set value (int) | <Shell>\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | dnSpy.exe
Set value (int) | <Shell>\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | dnSpy.exe
Set value (int) | <Shell>\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | dnSpy.exe
Set value (str) | <Shell>\Bags\7\ComDlg\TV_FolderType = "{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}" | dnSpy.exe
Set value (str) | <Shell>\Bags\8\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}" | dnSpy.exe
Set value (data) | <Shell>\Bags\8\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff | dnSpy.exe
Set value (int) | <Shell>\Bags\8\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295" | dnSpy.exe
Key created | <Shell>\Bags\7\ComDlg | dnSpy.exe
Set value (data) | <Shell>\BagMRU\0\MRUListEx = 0000000001000000ffffffff | dnSpy.exe
Key created | <Shell>\Bags\8\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259} | dnSpy.exe
Set value (int) | <Shell>\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | dnSpy.exe
Key created | <Shell>\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | dnSpy.exe
Set value (data) | <Shell>\BagMRU\2 = df021f006502d5dfa3235702040000000000530200003153505305d5cdd59c2e1b10939708002b2cf9ae9301000012000000004100750074006f004c006900730074000000420000001e000000700072006f0070003400320039003400390036003700320039003500000000004c010000aea54e38e1ad8a4e8a9b7bea78fff1e9060000800000000001000000020000800100000001000000020000002000000000000000500014001f50e04fd020ea3a6910a2d808002b30309d3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000f3c2f877f0e4da01d3375894f3e4da014f9a5a94f3e4da0114000000000000000000000000000000000000000000000001000000010000800100000004006900740065006d00000000000000000000000000000000000000000000000000000000000000000000000000000000001e1ade7f318ba54993b86be14cfa4943ffffffffffffffffffffffff00000000010000001900530065006100720063006800200052006500730075006c0074007300200069006e0020004400650073006b0074006f007000000000000000000000000000000000000000000000000000000000003900000024000000004100750074006f006c0069007300740043006100630068006500540069006d006500000014000000c8dc68ec100000006b00000022000000004100750074006f006c00690073007400430061006300680065004b006500790000001f0000001b000000530065006100720063006800200052006500730075006c0074007300200069006e0020004400650073006b0074006f00700030000000000000000000000000000000741a595e96dfd3488d671733bcee28ba671b730433d90a4590e64acd2e9408fe2a0000001300efbe00000020000000000000000000000000000000000000000000000000010000008b022a0000001900efbe1e1ade7f318ba54993b86be14cfa49436f73bebdf5342948abe8b550e65146c48b020000 | dnSpy.exe
Set value (int) | <Shell>\Bags\9\ComDlg\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\GroupByKey:PID = "0" | dnSpy.exe
Key created | <Shell>\Bags\2 | dnSpy.exe
Set value (data) | <Shell>\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | dnSpy.exe
Set value (data) | <Shell>\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | dnSpy.exe
Set value (int) | <Shell>\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | dnSpy.exe
Key created | <Shell>\BagMRU\0 | dnSpy.exe
Set value (data) | <Shell>\BagMRU\0\MRUListEx = 0100000000000000ffffffff | dnSpy.exe
Set value (data) | <Shell>\BagMRU\MRUListEx = 000000000200000001000000ffffffff | dnSpy.exe
Set value (int) | <Shell>\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | dnSpy.exe
Key created | <Shell>\BagMRU\0\1 | dnSpy.exe
Set value (int) | <Shell>\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | dnSpy.exe
Set value (int) | <Shell>\Bags\8\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1" | dnSpy.exe
Set value (str) | <Shell>\Bags\2\Shell\SniffedFolderType = "Generic" | dnSpy.exe
Set value (data) | <Shell>\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | dnSpy.exe
Set value (int) | <Shell>\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | dnSpy.exe
Set value (int) | <Shell>\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | dnSpy.exe
Set value (int) | <Shell>\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | dnSpy.exe
Set value (int) | <Shell>\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | dnSpy.exe
Set value (int) | <Shell>\Bags\8\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1" | dnSpy.exe
Key created | <Shell>\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | dnSpy.exe
Set value (data) | <Shell>\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | dnSpy.exe
Set value (data) | <Shell>\BagMRU\NodeSlots = 020202020202020202 | dnSpy.exe
Key created | <Shell>\Bags\8\ComDlg | dnSpy.exe
Set value (int) | <Shell>\Bags\8\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" | dnSpy.exe
Key created | <Shell>\BagMRU\0\0\1\0 | dnSpy.exe
Key created | <Shell>\Bags\3 | dnSpy.exe
Key created | <Shell>\Bags | dnSpy.exe
Set value (data) | <Shell>\BagMRU\2\MRUListEx = ffffffff | dnSpy.exe
Key created | <Shell>\BagMRU\0\0\1 | dnSpy.exe
Set value (int) | <Shell>\Bags\8\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193" | dnSpy.exe
Key created | <Shell>\Bags\5\Shell | dnSpy.exe
Key created | <Shell>\Bags\6\Shell | dnSpy.exe
Key created | <Shell>\BagMRU\2 | dnSpy.exe
Set value (int) | <Shell>\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | dnSpy.exe
Set value (int) | <Shell>\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" | dnSpy.exe
Set value (data) | <Shell>\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | dnSpy.exe
Set value (data) | <Shell>\BagMRU\0\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000f3c2f877f0e4da01d3375894f3e4da014f9a5a94f3e4da0114000000 | dnSpy.exe
Set value (data) | <Shell>\BagMRU\0\1\MRUListEx = ffffffff | dnSpy.exe
Key created | <Shell>\Bags\8 | dnSpy.exe
Set value (data) | <Shell>\Bags\8\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | dnSpy.exe
Set value (str) | <Shell>\Bags\5\Shell\SniffedFolderType = "Generic" | dnSpy.exe
Key created | <Shell>\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | dnSpy.exe
Set value (int) | <Shell>\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | dnSpy.exe
Set value (int) | <Shell>\Bags\9\ComDlg\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\IconSize = "32" | dnSpy.exe
Set value (int) | <Shell>\Bags\9\ComDlg\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\FFlags = "1" | dnSpy.exe
NTFS ADS 2 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\Krucus.zip:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\dnSpy-net-win64.zip:Zone.Identifier | msedge.exe
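Both events are the browser stamping the two downloaded archives with the Mark of the Web: a Zone.Identifier alternate data stream holding a [ZoneTransfer] section with ZoneId=3 (Internet). In the process tree below the signature is attached to the Edge quarantine.mojom.Quarantine utility process, which is the component that writes that stream. The signature itself only says an ADS was touched, so the check a triager wants is whether the stream is a well-formed MotW marker or an arbitrary stream carrying data. The code below is an added example, not part of the report or of any Microsoft or Chromium code; the stream contents and URLs are constructed, and read_ads only works on an NTFS volume under Windows.

```python
"""Tell a Mark-of-the-Web Zone.Identifier stream apart from an arbitrary NTFS
alternate data stream. Added example for this report; the sample streams below
are constructed, the report does not show the stream contents."""
import configparser

# URLZONE values as written into ZoneId by the download's quarantine step.
ZONES = {0: "LocalMachine", 1: "LocalIntranet", 2: "TrustedSites",
         3: "Internet", 4: "RestrictedSites"}


def parse_zone_identifier(data: bytes):
    """Parse a Zone.Identifier stream (INI text with a [ZoneTransfer] section).
    Returns zone_id/zone/referrer_url/host_url, or None when the bytes are not a
    well-formed ZoneTransfer section (binary content, missing ZoneId, bad number)."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return None
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text)
    except configparser.Error:          # e.g. data without a [section] header
        return None
    if not cp.has_option("ZoneTransfer", "ZoneId"):
        return None
    sec = cp["ZoneTransfer"]
    try:
        zone_id = int(sec["ZoneId"])
    except ValueError:
        return None
    return {"zone_id": zone_id, "zone": ZONES.get(zone_id, "Unknown"),
            "referrer_url": sec.get("ReferrerUrl"), "host_url": sec.get("HostUrl")}


def classify_ads(stream_name: str, data: bytes):
    """'motw' for a well-formed Zone.Identifier, 'malformed-motw' for a
    Zone.Identifier that does not parse, 'opaque' for any other named stream
    (the case worth a closer look: data staged in an ADS)."""
    if stream_name.lower() == "zone.identifier":
        meta = parse_zone_identifier(data)
        if meta is None:
            return {"kind": "malformed-motw", "size": len(data)}
        return {"kind": "motw", **meta}
    return {"kind": "opaque", "stream": stream_name, "size": len(data)}


def read_ads(path: str, stream_name: str = "Zone.Identifier"):
    """Read an ADS through its 'file:stream' name. NTFS on Windows only; returns
    None where the stream (or ADS support) is missing."""
    try:
        with open(f"{path}:{stream_name}", "rb") as fh:
            return fh.read()
    except OSError:
        return None


# Constructed sample streams.
MOTW_KRUCUS = (b"[ZoneTransfer]\r\nZoneId=3\r\n"
               b"ReferrerUrl=https://example.invalid/\r\n"
               b"HostUrl=https://example.invalid/Krucus.zip\r\n")
MOTW_INTRANET = b"[ZoneTransfer]\r\nZoneId=1\r\n"
NOT_MOTW = b"MZ\x90\x00\x03\x00\x00\x00"   # PE header bytes, not INI text

if __name__ == "__main__":
    for name, data in [("Zone.Identifier", MOTW_KRUCUS), ("Zone.Identifier", MOTW_INTRANET),
                       ("Zone.Identifier", NOT_MOTW), ("payload.bin", NOT_MOTW)]:
        print(name, classify_ads(name, data))
```

On a Windows host the same classifier can be fed with read_ads(r"C:\Users\Admin\Downloads\Krucus.zip"); the report's two events would come back as kind "motw" with zone "Internet", which is what makes them benign here, whereas an "opaque" result for a stream name other than Zone.Identifier is the pattern that deserves the signature's suspicion.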
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid | Process | events
3524 | msedge.exe | 2
2772 | msedge.exe | 2
3520 | msedge.exe | 2
2220 | identity_helper.exe | 2
3656 | msedge.exe | 2
1756 | msedge.exe | 2
3800 | msedge.exe | 4
1924 | Krucus.exe | 2
772 | msedge.exe | 2
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
3044 | dnSpy.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs
pid | Process | events
2772 | msedge.exe | 18
Suspicious use of AdjustPrivilegeToken 1 IoCs
SeDebugPrivilege lets the holder open any process regardless of its security descriptor; together with the Themida hits and the ThreadHideFromDebugger call above, this is the sample (not the analyst's tooling) preparing anti-analysis or cross-process access.
description | pid | Process
Token: SeDebugPrivilege | 1924 | Krucus.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid | Process | events
2772 | msedge.exe | 64 (the report lists at most 64 rows per signature)
Suspicious use of SendNotifyMessage 12 IoCs
pid | Process | events
2772 | msedge.exe | 12
Suspicious use of SetWindowsHookEx 4 IoCs
pid | Process | events
3044 | dnSpy.exe | 4
Suspicious use of WriteProcessMemory 64 IoCs
All 64 listed events are the Edge browser process (PID 2772) writing into processes it had just created; the trailing number in each row is the report's index of the target process. This is consistent with Chromium's sandbox broker setting up each new child and is not the sample injecting into Edge: none of the 64 rows involve Krucus.exe (the report lists at most 64 rows per signature, so later activity is not shown).
description | pid | Process | target
PID 2772 wrote to memory of 2288 | 2772 | msedge.exe | 80 (crashpad-handler, PID 2288)
PID 2772 wrote to memory of 4888 | 2772 | msedge.exe | 81 (gpu-process, PID 4888)
PID 2772 wrote to memory of 3524 | 2772 | msedge.exe | 82 (network.mojom.NetworkService, PID 3524)
PID 2772 wrote to memory of 4076 | 2772 | msedge.exe | 83 (storage.mojom.StorageService, PID 4076)
Each pair is repeated in the original listing (the 2288 and 3524 rows twice each, the 4888 and 4076 rows many times).
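As an added example (not from the report), the helper below takes the parent/child edges of the process tree and a list of WriteProcessMemory events and labels each writer/target pair as a parent-to-child bootstrap write or as a cross-process write that needs a look. The Edge edges and events are taken from this report with the repeated rows collapsed; the sample.exe events with PID 9999 and the target PID 7777 are constructed to exercise the other two branches.

```python
"""Label WriteProcessMemory events as parent-to-child bootstrap or cross-process
writes. Added example for this report; helper names are the editor's own."""
from collections import Counter

# (parent_pid, child_pid, child_image) copied from the process tree in this report.
TREE_EDGES = [
    (2772, 2288, "msedge.exe (crashpad-handler)"),
    (2772, 4888, "msedge.exe (gpu-process)"),
    (2772, 3524, "msedge.exe (network.mojom.NetworkService)"),
    (2772, 4076, "msedge.exe (storage.mojom.StorageService)"),
    (2772, 2632, "msedge.exe (renderer)"),
    (2772, 3656, "msedge.exe (quarantine.mojom.Quarantine)"),
]

# (writer_pid, writer_image, target_pid). The Edge rows are from the report, with
# the long runs of identical 4888/4076 rows collapsed; the 9999 rows are constructed.
WRITE_EVENTS = [
    (2772, "msedge.exe", 2288), (2772, "msedge.exe", 2288),
    (2772, "msedge.exe", 4888),
    (2772, "msedge.exe", 3524), (2772, "msedge.exe", 3524),
    (2772, "msedge.exe", 4076),
    (9999, "sample.exe", 2632),   # constructed: writes into another process's child
    (9999, "sample.exe", 7777),   # constructed: target never appears in the tree
]


def build_parent_map(edges):
    """{child_pid: (parent_pid, child_image)}"""
    return {child: (parent, image) for parent, child, image in edges}


def triage_writes(events, parents):
    """One row per (writer, target) pair with an event count and a verdict:
    'parent-to-child' when the target's recorded parent is the writer (normal
    process bootstrap), 'cross-process' when it is some other process,
    'target-unknown' when the target is not in the tree at all."""
    rows = []
    for (writer, image, target), n in Counter(events).items():
        rec = parents.get(target)
        if rec is None:
            verdict, target_image = "target-unknown", None
        elif rec[0] == writer:
            verdict, target_image = "parent-to-child", rec[1]
        else:
            verdict, target_image = "cross-process", rec[1]
        rows.append({"writer": writer, "writer_image": image, "target": target,
                     "target_image": target_image, "events": n, "verdict": verdict})
    # cross-process first, then unknown targets, then bootstrap writes
    order = {"cross-process": 0, "target-unknown": 1, "parent-to-child": 2}
    return sorted(rows, key=lambda r: (order[r["verdict"]], r["writer"], r["target"]))


def needs_review(rows):
    """(writer, target) pairs that are not plain parent-to-child writes."""
    return [(r["writer"], r["target"]) for r in rows if r["verdict"] != "parent-to-child"]


if __name__ == "__main__":
    for r in triage_writes(WRITE_EVENTS, build_parent_map(TREE_EDGES)):
        print(f"{r['verdict']:16s} {r['writer']:>5} {r['writer_image']:<11s} -> "
              f"{r['target']:>5} {r['target_image'] or '?'} x{r['events']}")
```

For the report's own rows every pair comes back as parent-to-child, which is the basis for treating this signature as browser noise here; the same helper flags the constructed sample.exe write into a renderer as cross-process, the shape an injection by the sample would have.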
Processes

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2772)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://Google.com
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2288)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe57513cb8,0x7ffe57513cc8,0x7ffe57513cd8

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4888)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3524)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4076)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2632)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2900)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3128)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4392 /prefetch:1

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3520)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5556 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe  (PID 2220)
        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5948 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1644)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4168 /prefetch:1

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 248)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4428 /prefetch:1

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1112)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4120)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1792 /prefetch:1

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1124)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1272)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3336)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3308)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2584)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:1

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3656)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8
        - NTFS ADS
        - Suspicious behavior: EnumeratesProcesses

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3412)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3696 /prefetch:1

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1508)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 552)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3320 /prefetch:8

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID not shown; the listing is cut off here)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3480 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
PID:1756
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:12⤵PID:1316
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:12⤵PID:4968
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:12⤵PID:464
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3444 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:3800
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6608 /prefetch:12⤵PID:3940
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4916 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:772
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2148
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3592
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4352
-
C:\Users\Admin\Downloads\Krucus\Krucus\Krucus.exe"C:\Users\Admin\Downloads\Krucus\Krucus\Krucus.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1924
-
C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe"C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe"1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3044
Network
MITRE ATT&CK Enterprise v15
Downloads