9c86db6d0ae8e413e1784733199947eb1fc53a0595111577dbdde6605d4eb662

Analysis

max time kernel
149s
max time network
151s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
20/08/2024, 16:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1111.bat
Size

848B
MD5

de107e1d88fa5ca1ab3e991f4e259655
SHA1

4fa14a0dfaf3fe574f99efc34b2f76952a12cfca
SHA256

9c86db6d0ae8e413e1784733199947eb1fc53a0595111577dbdde6605d4eb662
SHA512

c1f8d7625f0afc8057b65bd5487b82268555ac9605e5494dfc44b73be4d595a21aad080f6c3ff7407b27e5d50d63ce7d1c1a7b5762e93d0433eedf7aadda0831

Score

5^/10

ransomware

Malware Config

Signatures

Sets desktop wallpaper using registry 2 TTPs 23 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Desktop\Wallpaper = "https://qph.cf2.quoracdn.net/main-qimg-dfc75407870ab73afee98dbc23839416-lq"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Desktop\Wallpaper = "https://www.google.com/url?sa=i&url=httpsAFFtwitter.comFdanslumpFstatusF1363004847927160832&psig=AOvVaw0wBRZHVKKV6i_EK811ORpT&ust=1724257042983000&source=images&cd=vfe&opi=89978449&ved=0CBQQjRxqFwoTCLj4mJr8g4gDFQAAAAAdAAAAABAK"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Desktop\Wallpaper = "https://www.google.com/url?sa=i&url=httpsAFFtwitter.comFdanslumpFstatusF1363004847927160832&psig=AOvVaw0wBRZHVKKV6i_EK811ORpT&ust=1724257042983000&source=images&cd=vfe&opi=89978449&ved=0CBQQjRxqFwoTCLj4mJr8g4gDFQAAAAAdAAAAABAK"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Desktop\Wallpaper = "https://qph.cf2.quoracdn.net/main-qimg-dfc75407870ab73afee98dbc23839416-lq"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Desktop\Wallpaper = "https://www.google.com/url?sa=i&url=httpsAFFtwitter.comFdanslumpFstatusF1363004847927160832&psig=AOvVaw0wBRZHVKKV6i_EK811ORpT&ust=1724257042983000&source=images&cd=vfe&opi=89978449&ved=0CBQQjRxqFwoTCLj4mJr8g4gDFQAAAAAdAAAAABAK"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Desktop\Wallpaper = "https://qph.cf2.quoracdn.net/main-qimg-dfc75407870ab73afee98dbc23839416-lq"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Desktop\Wallpaper = "https://qph.cf2.quoracdn.net/main-qimg-dfc75407870ab73afee98dbc23839416-lq"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Desktop\Wallpaper = "https://qph.cf2.quoracdn.net/main-qimg-dfc75407870ab73afee98dbc23839416-lq"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Desktop\Wallpaper = "https://qph.cf2.quoracdn.net/main-qimg-dfc75407870ab73afee98dbc23839416-lq"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Desktop\Wallpaper = "https://qph.cf2.quoracdn.net/main-qimg-dfc75407870ab73afee98dbc23839416-lq"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Desktop\Wallpaper = "https://www.google.com/url?sa=i&url=httpsAFFtwitter.comFdanslumpFstatusF1363004847927160832&psig=AOvVaw0wBRZHVKKV6i_EK811ORpT&ust=1724257042983000&source=images&cd=vfe&opi=89978449&ved=0CBQQjRxqFwoTCLj4mJr8g4gDFQAAAAAdAAAAABAK"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Desktop\Wallpaper = "https://www.google.com/url?sa=i&url=httpsAFFtwitter.comFdanslumpFstatusF1363004847927160832&psig=AOvVaw0wBRZHVKKV6i_EK811ORpT&ust=1724257042983000&source=images&cd=vfe&opi=89978449&ved=0CBQQjRxqFwoTCLj4mJr8g4gDFQAAAAAdAAAAABAK"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Desktop\Wallpaper = "https://www.google.com/url?sa=i&url=httpsAFFtwitter.comFdanslumpFstatusF1363004847927160832&psig=AOvVaw0wBRZHVKKV6i_EK811ORpT&ust=1724257042983000&source=images&cd=vfe&opi=89978449&ved=0CBQQjRxqFwoTCLj4mJr8g4gDFQAAAAAdAAAAABAK"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Desktop\Wallpaper = "https://www.google.com/url?sa=i&url=httpsAFFtwitter.comFdanslumpFstatusF1363004847927160832&psig=AOvVaw0wBRZHVKKV6i_EK811ORpT&ust=1724257042983000&source=images&cd=vfe&opi=89978449&ved=0CBQQjRxqFwoTCLj4mJr8g4gDFQAAAAAdAAAAABAK"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Desktop\Wallpaper = "https://www.google.com/url?sa=i&url=httpsAFFtwitter.comFdanslumpFstatusF1363004847927160832&psig=AOvVaw0wBRZHVKKV6i_EK811ORpT&ust=1724257042983000&source=images&cd=vfe&opi=89978449&ved=0CBQQjRxqFwoTCLj4mJr8g4gDFQAAAAAdAAAAABAK"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Desktop\Wallpaper = "https://www.google.com/url?sa=i&url=httpsAFFtwitter.comFdanslumpFstatusF1363004847927160832&psig=AOvVaw0wBRZHVKKV6i_EK811ORpT&ust=1724257042983000&source=images&cd=vfe&opi=89978449&ved=0CBQQjRxqFwoTCLj4mJr8g4gDFQAAAAAdAAAAABAK"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Desktop\Wallpaper = "https://qph.cf2.quoracdn.net/main-qimg-dfc75407870ab73afee98dbc23839416-lq"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Desktop\Wallpaper = "https://qph.cf2.quoracdn.net/main-qimg-dfc75407870ab73afee98dbc23839416-lq"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Desktop\Wallpaper = "https://www.google.com/url?sa=i&url=httpsAFFtwitter.comFdanslumpFstatusF1363004847927160832&psig=AOvVaw0wBRZHVKKV6i_EK811ORpT&ust=1724257042983000&source=images&cd=vfe&opi=89978449&ved=0CBQQjRxqFwoTCLj4mJr8g4gDFQAAAAAdAAAAABAK"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Desktop\Wallpaper = "https://www.google.com/url?sa=i&url=httpsAFFtwitter.comFdanslumpFstatusF1363004847927160832&psig=AOvVaw0wBRZHVKKV6i_EK811ORpT&ust=1724257042983000&source=images&cd=vfe&opi=89978449&ved=0CBQQjRxqFwoTCLj4mJr8g4gDFQAAAAAdAAAAABAK"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Desktop\Wallpaper = "https://qph.cf2.quoracdn.net/main-qimg-dfc75407870ab73afee98dbc23839416-lq"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Desktop\Wallpaper = "https://qph.cf2.quoracdn.net/main-qimg-dfc75407870ab73afee98dbc23839416-lq"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Desktop\Wallpaper = "https://qph.cf2.quoracdn.net/main-qimg-dfc75407870ab73afee98dbc23839416-lq"	reg.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe

Delays execution with timeout.exe 22 IoCs

evasion

pid	Process
1860	timeout.exe
980	timeout.exe
4704	timeout.exe
3900	timeout.exe
4224	timeout.exe
4116	timeout.exe
3488	timeout.exe
4040	timeout.exe
4340	timeout.exe
4160	timeout.exe
4520	timeout.exe
2640	timeout.exe
4616	timeout.exe
3392	timeout.exe
4376	timeout.exe
1584	timeout.exe
4312	timeout.exe
196	timeout.exe
1800	timeout.exe
4596	timeout.exe
4964	timeout.exe
1424	timeout.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 287082171df3da01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\EdpDomStorage\msn.com	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = cccffd151df3da01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\Total\ = "846"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\bing.com\Total = "9004"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\bing.com\NumberOfSubdomains = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListInPrivateBrowsingAllowed = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Next Rating Prompt = b07e8c22f905db01	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$blogger	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\CIStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\www.msn.com\ = "189"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = cd364b2a1df3da01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CRLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Rating Prompt Shown = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\Total\ = "786"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000194cd658795e25c6436336b6b2a0f879a904027fbd84651a8e006c361299b50e81abf1db42e062a00dfe4e03ca128eb2c6c6672d6860966b840b	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\bing.com\Total = "657"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "395205405"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\NextUpdateDate = "430935880"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Telligent	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\EdpDomStorage\bing.com	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$MediaWiki	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 7f8fb60d1df3da01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\www.bing.com\ = "548"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History	MicrosoftEdgeCP.exe

Suspicious behavior: MapViewOfSection 10 IoCs

pid	Process
4668	MicrosoftEdgeCP.exe
4668	MicrosoftEdgeCP.exe
4668	MicrosoftEdgeCP.exe
4668	MicrosoftEdgeCP.exe
4668	MicrosoftEdgeCP.exe
4668	MicrosoftEdgeCP.exe
4668	MicrosoftEdgeCP.exe
4668	MicrosoftEdgeCP.exe
4668	MicrosoftEdgeCP.exe
4668	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2472	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2472	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2472	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2472	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4208	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4208	MicrosoftEdgeCP.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4860	MicrosoftEdge.exe
4668	MicrosoftEdgeCP.exe
2472	MicrosoftEdgeCP.exe
4996	MicrosoftEdgeCP.exe
4668	MicrosoftEdgeCP.exe
4996	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 1752	2084	cmd.exe	74
PID 2084 wrote to memory of 1752	2084	cmd.exe	74
PID 2084 wrote to memory of 3776	2084	cmd.exe	76
PID 2084 wrote to memory of 3776	2084	cmd.exe	76
PID 1752 wrote to memory of 2684	1752	cmd.exe	77
PID 1752 wrote to memory of 2684	1752	cmd.exe	77
PID 2084 wrote to memory of 3872	2084	cmd.exe	78
PID 2084 wrote to memory of 3872	2084	cmd.exe	78
PID 2084 wrote to memory of 484	2084	cmd.exe	79
PID 2084 wrote to memory of 484	2084	cmd.exe	79
PID 2084 wrote to memory of 1220	2084	cmd.exe	80
PID 2084 wrote to memory of 1220	2084	cmd.exe	80
PID 2084 wrote to memory of 2640	2084	cmd.exe	81
PID 2084 wrote to memory of 2640	2084	cmd.exe	81
PID 2084 wrote to memory of 4376	2084	cmd.exe	82
PID 2084 wrote to memory of 4376	2084	cmd.exe	82
PID 2084 wrote to memory of 2704	2084	cmd.exe	83
PID 2084 wrote to memory of 2704	2084	cmd.exe	83
PID 2084 wrote to memory of 5108	2084	cmd.exe	85
PID 2084 wrote to memory of 5108	2084	cmd.exe	85
PID 4376 wrote to memory of 292	4376	cmd.exe	86
PID 4376 wrote to memory of 292	4376	cmd.exe	86
PID 2084 wrote to memory of 4952	2084	cmd.exe	87
PID 2084 wrote to memory of 4952	2084	cmd.exe	87
PID 2084 wrote to memory of 212	2084	cmd.exe	88
PID 2084 wrote to memory of 212	2084	cmd.exe	88
PID 2084 wrote to memory of 196	2084	cmd.exe	89
PID 2084 wrote to memory of 196	2084	cmd.exe	89
PID 2084 wrote to memory of 4868	2084	cmd.exe	90
PID 2084 wrote to memory of 4868	2084	cmd.exe	90
PID 2084 wrote to memory of 3048	2084	cmd.exe	91
PID 2084 wrote to memory of 3048	2084	cmd.exe	91
PID 2084 wrote to memory of 948	2084	cmd.exe	93
PID 2084 wrote to memory of 948	2084	cmd.exe	93
PID 4868 wrote to memory of 4584	4868	cmd.exe	94
PID 4868 wrote to memory of 4584	4868	cmd.exe	94
PID 2084 wrote to memory of 1364	2084	cmd.exe	95
PID 2084 wrote to memory of 1364	2084	cmd.exe	95
PID 2084 wrote to memory of 3932	2084	cmd.exe	96
PID 2084 wrote to memory of 3932	2084	cmd.exe	96
PID 2084 wrote to memory of 4964	2084	cmd.exe	97
PID 2084 wrote to memory of 4964	2084	cmd.exe	97
PID 2084 wrote to memory of 200	2084	cmd.exe	98
PID 2084 wrote to memory of 200	2084	cmd.exe	98
PID 2084 wrote to memory of 1260	2084	cmd.exe	99
PID 2084 wrote to memory of 1260	2084	cmd.exe	99
PID 2084 wrote to memory of 2920	2084	cmd.exe	101
PID 2084 wrote to memory of 2920	2084	cmd.exe	101
PID 200 wrote to memory of 1092	200	cmd.exe	102
PID 200 wrote to memory of 1092	200	cmd.exe	102
PID 2084 wrote to memory of 1100	2084	cmd.exe	103
PID 2084 wrote to memory of 1100	2084	cmd.exe	103
PID 2084 wrote to memory of 4004	2084	cmd.exe	104
PID 2084 wrote to memory of 4004	2084	cmd.exe	104
PID 2084 wrote to memory of 1800	2084	cmd.exe	105
PID 2084 wrote to memory of 1800	2084	cmd.exe	105
PID 2084 wrote to memory of 4284	2084	cmd.exe	106
PID 2084 wrote to memory of 4284	2084	cmd.exe	106
PID 2084 wrote to memory of 4900	2084	cmd.exe	108
PID 2084 wrote to memory of 4900	2084	cmd.exe	108
PID 2084 wrote to memory of 3420	2084	cmd.exe	109
PID 2084 wrote to memory of 3420	2084	cmd.exe	109
PID 4284 wrote to memory of 5044	4284	cmd.exe	110
PID 4284 wrote to memory of 5044	4284	cmd.exe	110

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1111.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\system32\cmd.exe
  cmd /c mode 100
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\system32\mode.com
    mode 100
    3⤵
    PID:2684
- C:\Windows\system32\certutil.exe
  certutil -urlcache -f -split -quiet "%images[0]"
  2⤵
  PID:3776
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "https://qph.cf2.quoracdn.net/main-qimg-dfc75407870ab73afee98dbc23839416-lq" /f
  2⤵
  - Sets desktop wallpaper using registry
  PID:3872
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
  2⤵
  PID:484
- C:\Windows\system32\rundll32.exe
  RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
  2⤵
  PID:1220
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2640
- C:\Windows\system32\cmd.exe
  cmd /c mode 100
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4376
- - C:\Windows\system32\mode.com
    mode 100
    3⤵
    PID:292
- C:\Windows\system32\certutil.exe
  certutil -urlcache -f -split -quiet "%images[1]"
  2⤵
  PID:2704
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "https://www.google.com/url?sa=i&url=httpsAFFtwitter.comFdanslumpFstatusF1363004847927160832&psig=AOvVaw0wBRZHVKKV6i_EK811ORpT&ust=1724257042983000&source=images&cd=vfe&opi=89978449&ved=0CBQQjRxqFwoTCLj4mJr8g4gDFQAAAAAdAAAAABAK" /f
  2⤵
  - Sets desktop wallpaper using registry
  PID:5108
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
  2⤵
  PID:4952
- C:\Windows\system32\rundll32.exe
  RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
  2⤵
  PID:212
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:196
- C:\Windows\system32\cmd.exe
  cmd /c mode 100
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Windows\system32\mode.com
    mode 100
    3⤵
    PID:4584
- C:\Windows\system32\certutil.exe
  certutil -urlcache -f -split -quiet "%images[0]"
  2⤵
  PID:3048
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "https://qph.cf2.quoracdn.net/main-qimg-dfc75407870ab73afee98dbc23839416-lq" /f
  2⤵
  - Sets desktop wallpaper using registry
  PID:948
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
  2⤵
  PID:1364
- C:\Windows\system32\rundll32.exe
  RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
  2⤵
  PID:3932
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4964
- C:\Windows\system32\cmd.exe
  cmd /c mode 100
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:200
- - C:\Windows\system32\mode.com
    mode 100
    3⤵
    PID:1092
- C:\Windows\system32\certutil.exe
  certutil -urlcache -f -split -quiet "%images[1]"
  2⤵
  PID:1260
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "https://www.google.com/url?sa=i&url=httpsAFFtwitter.comFdanslumpFstatusF1363004847927160832&psig=AOvVaw0wBRZHVKKV6i_EK811ORpT&ust=1724257042983000&source=images&cd=vfe&opi=89978449&ved=0CBQQjRxqFwoTCLj4mJr8g4gDFQAAAAAdAAAAABAK" /f
  2⤵
  - Sets desktop wallpaper using registry
  PID:2920
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
  2⤵
  PID:1100
- C:\Windows\system32\rundll32.exe
  RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
  2⤵
  PID:4004
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1800
- C:\Windows\system32\cmd.exe
  cmd /c mode 100
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4284
- - C:\Windows\system32\mode.com
    mode 100
    3⤵
    PID:5044
- C:\Windows\system32\certutil.exe
  certutil -urlcache -f -split -quiet "%images[0]"
  2⤵
  PID:4900
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "https://qph.cf2.quoracdn.net/main-qimg-dfc75407870ab73afee98dbc23839416-lq" /f
  2⤵
  - Sets desktop wallpaper using registry
  PID:3420
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
  2⤵
  PID:4912
- C:\Windows\system32\rundll32.exe
  RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
  2⤵
  PID:3248
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3900
- C:\Windows\system32\cmd.exe
  cmd /c mode 100
  2⤵
  PID:3476
- - C:\Windows\system32\mode.com
    mode 100
    3⤵
    PID:3032
- C:\Windows\system32\certutil.exe
  certutil -urlcache -f -split -quiet "%images[1]"
  2⤵
  PID:5076
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "https://www.google.com/url?sa=i&url=httpsAFFtwitter.comFdanslumpFstatusF1363004847927160832&psig=AOvVaw0wBRZHVKKV6i_EK811ORpT&ust=1724257042983000&source=images&cd=vfe&opi=89978449&ved=0CBQQjRxqFwoTCLj4mJr8g4gDFQAAAAAdAAAAABAK" /f
  2⤵
  - Sets desktop wallpaper using registry
  PID:4128
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
  2⤵
  PID:1452
- C:\Windows\system32\rundll32.exe
  RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
  2⤵
  PID:2656
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4616
- C:\Windows\system32\cmd.exe
  cmd /c mode 100
  2⤵
  PID:4872
- - C:\Windows\system32\mode.com
    mode 100
    3⤵
    PID:516
- C:\Windows\system32\certutil.exe
  certutil -urlcache -f -split -quiet "%images[0]"
  2⤵
  PID:4676
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "https://qph.cf2.quoracdn.net/main-qimg-dfc75407870ab73afee98dbc23839416-lq" /f
  2⤵
  - Sets desktop wallpaper using registry
  PID:4624
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
  2⤵
  PID:4132
- C:\Windows\system32\rundll32.exe
  RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
  2⤵
  PID:1580
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4116
- C:\Windows\system32\cmd.exe
  cmd /c mode 100
  2⤵
  PID:4944
- - C:\Windows\system32\mode.com
    mode 100
    3⤵
    PID:2912
- C:\Windows\system32\certutil.exe
  certutil -urlcache -f -split -quiet "%images[1]"
  2⤵
  PID:4188
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "https://www.google.com/url?sa=i&url=httpsAFFtwitter.comFdanslumpFstatusF1363004847927160832&psig=AOvVaw0wBRZHVKKV6i_EK811ORpT&ust=1724257042983000&source=images&cd=vfe&opi=89978449&ved=0CBQQjRxqFwoTCLj4mJr8g4gDFQAAAAAdAAAAABAK" /f
  2⤵
  - Sets desktop wallpaper using registry
  PID:1308
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
  2⤵
  PID:1600
- C:\Windows\system32\rundll32.exe
  RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
  2⤵
  PID:5008
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3488
- C:\Windows\system32\cmd.exe
  cmd /c mode 100
  2⤵
  PID:3536
- - C:\Windows\system32\mode.com
    mode 100
    3⤵
    PID:2216
- C:\Windows\system32\certutil.exe
  certutil -urlcache -f -split -quiet "%images[0]"
  2⤵
  PID:2180
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "https://qph.cf2.quoracdn.net/main-qimg-dfc75407870ab73afee98dbc23839416-lq" /f
  2⤵
  - Sets desktop wallpaper using registry
  PID:708
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
  2⤵
  PID:4816
- C:\Windows\system32\rundll32.exe
  RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
  2⤵
  PID:304
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1424
- C:\Windows\system32\cmd.exe
  cmd /c mode 100
  2⤵
  PID:3864
- - C:\Windows\system32\mode.com
    mode 100
    3⤵
    PID:2052
- C:\Windows\system32\certutil.exe
  certutil -urlcache -f -split -quiet "%images[1]"
  2⤵
  PID:4848
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "https://www.google.com/url?sa=i&url=httpsAFFtwitter.comFdanslumpFstatusF1363004847927160832&psig=AOvVaw0wBRZHVKKV6i_EK811ORpT&ust=1724257042983000&source=images&cd=vfe&opi=89978449&ved=0CBQQjRxqFwoTCLj4mJr8g4gDFQAAAAAdAAAAABAK" /f
  2⤵
  - Sets desktop wallpaper using registry
  PID:1384
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
  2⤵
  PID:4196
- C:\Windows\system32\rundll32.exe
  RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
  2⤵
  PID:2220
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4224
- C:\Windows\system32\cmd.exe
  cmd /c mode 100
  2⤵
  PID:3716
- - C:\Windows\system32\mode.com
    mode 100
    3⤵
    PID:1444
- C:\Windows\system32\certutil.exe
  certutil -urlcache -f -split -quiet "%images[0]"
  2⤵
  PID:2964
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "https://qph.cf2.quoracdn.net/main-qimg-dfc75407870ab73afee98dbc23839416-lq" /f
  2⤵
  - Sets desktop wallpaper using registry
  PID:4240
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
  2⤵
  PID:1460
- C:\Windows\system32\rundll32.exe
  RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
  2⤵
  PID:3280
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3392
- C:\Windows\system32\cmd.exe
  cmd /c mode 100
  2⤵
  PID:3908
- - C:\Windows\system32\mode.com
    mode 100
    3⤵
    PID:3872
- C:\Windows\system32\certutil.exe
  certutil -urlcache -f -split -quiet "%images[1]"
  2⤵
  PID:4924
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "https://www.google.com/url?sa=i&url=httpsAFFtwitter.comFdanslumpFstatusF1363004847927160832&psig=AOvVaw0wBRZHVKKV6i_EK811ORpT&ust=1724257042983000&source=images&cd=vfe&opi=89978449&ved=0CBQQjRxqFwoTCLj4mJr8g4gDFQAAAAAdAAAAABAK" /f
  2⤵
  - Sets desktop wallpaper using registry
  PID:3172
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
  2⤵
  PID:4700
- C:\Windows\system32\rundll32.exe
  RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
  2⤵
  PID:1484
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4596
- C:\Windows\system32\cmd.exe
  cmd /c mode 100
  2⤵
  PID:3480
- - C:\Windows\system32\mode.com
    mode 100
    3⤵
    PID:588
- C:\Windows\system32\certutil.exe
  certutil -urlcache -f -split -quiet "%images[0]"
  2⤵
  PID:3112
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "https://qph.cf2.quoracdn.net/main-qimg-dfc75407870ab73afee98dbc23839416-lq" /f
  2⤵
  - Sets desktop wallpaper using registry
  PID:3124
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
  2⤵
  PID:168
- C:\Windows\system32\rundll32.exe
  RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
  2⤵
  PID:1656
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4376
- C:\Windows\system32\cmd.exe
  cmd /c mode 100
  2⤵
  PID:4404
- - C:\Windows\system32\mode.com
    mode 100
    3⤵
    PID:1184
- C:\Windows\system32\certutil.exe
  certutil -urlcache -f -split -quiet "%images[1]"
  2⤵
  PID:4860
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "https://www.google.com/url?sa=i&url=httpsAFFtwitter.comFdanslumpFstatusF1363004847927160832&psig=AOvVaw0wBRZHVKKV6i_EK811ORpT&ust=1724257042983000&source=images&cd=vfe&opi=89978449&ved=0CBQQjRxqFwoTCLj4mJr8g4gDFQAAAAAdAAAAABAK" /f
  2⤵
  - Sets desktop wallpaper using registry
  PID:2708
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
  2⤵
  PID:2372
- C:\Windows\system32\rundll32.exe
  RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
  2⤵
  PID:1848
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4040
- C:\Windows\system32\cmd.exe
  cmd /c mode 100
  2⤵
  PID:4588
- - C:\Windows\system32\mode.com
    mode 100
    3⤵
    PID:1260
- C:\Windows\system32\certutil.exe
  certutil -urlcache -f -split -quiet "%images[0]"
  2⤵
  PID:4980
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "https://qph.cf2.quoracdn.net/main-qimg-dfc75407870ab73afee98dbc23839416-lq" /f
  2⤵
  - Sets desktop wallpaper using registry
  PID:1508
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
  2⤵
  PID:1328
- C:\Windows\system32\rundll32.exe
  RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
  2⤵
  PID:1144
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1860
- C:\Windows\system32\cmd.exe
  cmd /c mode 100
  2⤵
  PID:364
- - C:\Windows\system32\mode.com
    mode 100
    3⤵
    PID:4900
- C:\Windows\system32\certutil.exe
  certutil -urlcache -f -split -quiet "%images[1]"
  2⤵
  PID:2676
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "https://www.google.com/url?sa=i&url=httpsAFFtwitter.comFdanslumpFstatusF1363004847927160832&psig=AOvVaw0wBRZHVKKV6i_EK811ORpT&ust=1724257042983000&source=images&cd=vfe&opi=89978449&ved=0CBQQjRxqFwoTCLj4mJr8g4gDFQAAAAAdAAAAABAK" /f
  2⤵
  - Sets desktop wallpaper using registry
  PID:644
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
  2⤵
  PID:4144
- C:\Windows\system32\rundll32.exe
  RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
  2⤵
  PID:4112
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4340
- C:\Windows\system32\cmd.exe
  cmd /c mode 100
  2⤵
  PID:4708
- - C:\Windows\system32\mode.com
    mode 100
    3⤵
    PID:4492
- C:\Windows\system32\certutil.exe
  certutil -urlcache -f -split -quiet "%images[0]"
  2⤵
  PID:372
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "https://qph.cf2.quoracdn.net/main-qimg-dfc75407870ab73afee98dbc23839416-lq" /f
  2⤵
  - Sets desktop wallpaper using registry
  PID:5012
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
  2⤵
  PID:3024
- C:\Windows\system32\rundll32.exe
  RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
  2⤵
  PID:2264
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4160
- C:\Windows\system32\cmd.exe
  cmd /c mode 100
  2⤵
  PID:3476
- - C:\Windows\system32\mode.com
    mode 100
    3⤵
    PID:436
- C:\Windows\system32\certutil.exe
  certutil -urlcache -f -split -quiet "%images[1]"
  2⤵
  PID:1264
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "https://www.google.com/url?sa=i&url=httpsAFFtwitter.comFdanslumpFstatusF1363004847927160832&psig=AOvVaw0wBRZHVKKV6i_EK811ORpT&ust=1724257042983000&source=images&cd=vfe&opi=89978449&ved=0CBQQjRxqFwoTCLj4mJr8g4gDFQAAAAAdAAAAABAK" /f
  2⤵
  - Sets desktop wallpaper using registry
  PID:2240
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
  2⤵
  PID:4460
- C:\Windows\system32\rundll32.exe
  RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
  2⤵
  PID:424
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1584
- C:\Windows\system32\cmd.exe
  cmd /c mode 100
  2⤵
  PID:4872
- - C:\Windows\system32\mode.com
    mode 100
    3⤵
    PID:4188
- C:\Windows\system32\certutil.exe
  certutil -urlcache -f -split -quiet "%images[0]"
  2⤵
  PID:356
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "https://qph.cf2.quoracdn.net/main-qimg-dfc75407870ab73afee98dbc23839416-lq" /f
  2⤵
  - Sets desktop wallpaper using registry
  PID:4932
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
  2⤵
  PID:4996
- C:\Windows\system32\rundll32.exe
  RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
  2⤵
  PID:1828
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4520
- C:\Windows\system32\cmd.exe
  cmd /c mode 100
  2⤵
  PID:4944
- - C:\Windows\system32\mode.com
    mode 100
    3⤵
    PID:1928
- C:\Windows\system32\certutil.exe
  certutil -urlcache -f -split -quiet "%images[1]"
  2⤵
  PID:1420
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "https://www.google.com/url?sa=i&url=httpsAFFtwitter.comFdanslumpFstatusF1363004847927160832&psig=AOvVaw0wBRZHVKKV6i_EK811ORpT&ust=1724257042983000&source=images&cd=vfe&opi=89978449&ved=0CBQQjRxqFwoTCLj4mJr8g4gDFQAAAAAdAAAAABAK" /f
  2⤵
  - Sets desktop wallpaper using registry
  PID:4184
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
  2⤵
  PID:556
- C:\Windows\system32\rundll32.exe
  RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
  2⤵
  PID:2216
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4312
- C:\Windows\system32\cmd.exe
  cmd /c mode 100
  2⤵
  PID:4336
- - C:\Windows\system32\mode.com
    mode 100
    3⤵
    PID:1384
- C:\Windows\system32\certutil.exe
  certutil -urlcache -f -split -quiet "%images[0]"
  2⤵
  PID:2820
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "https://qph.cf2.quoracdn.net/main-qimg-dfc75407870ab73afee98dbc23839416-lq" /f
  2⤵
  - Sets desktop wallpaper using registry
  PID:776
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
  2⤵
  PID:3036
- C:\Windows\system32\rundll32.exe
  RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
  2⤵
  PID:4208
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:980
- C:\Windows\system32\cmd.exe
  cmd /c mode 100
  2⤵
  PID:2248
- - C:\Windows\system32\mode.com
    mode 100
    3⤵
    PID:5032
- C:\Windows\system32\certutil.exe
  certutil -urlcache -f -split -quiet "%images[1]"
  2⤵
  PID:4736
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "https://www.google.com/url?sa=i&url=httpsAFFtwitter.comFdanslumpFstatusF1363004847927160832&psig=AOvVaw0wBRZHVKKV6i_EK811ORpT&ust=1724257042983000&source=images&cd=vfe&opi=89978449&ved=0CBQQjRxqFwoTCLj4mJr8g4gDFQAAAAAdAAAAABAK" /f
  2⤵
  - Sets desktop wallpaper using registry
  PID:5016
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
  2⤵
  PID:4240
- C:\Windows\system32\rundll32.exe
  RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
  2⤵
  PID:3288
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4704
- C:\Windows\system32\cmd.exe
  cmd /c mode 100
  2⤵
  PID:3432
- - C:\Windows\system32\mode.com
    mode 100
    3⤵
    PID:1752
- C:\Windows\system32\certutil.exe
  certutil -urlcache -f -split -quiet "%images[0]"
  2⤵
  PID:3716
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "https://qph.cf2.quoracdn.net/main-qimg-dfc75407870ab73afee98dbc23839416-lq" /f
  2⤵
  - Sets desktop wallpaper using registry
  PID:4924
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
  2⤵
  PID:4576

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4860

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1260

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4668

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2472

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4996

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:556

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:3904

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4208

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:3084

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:776

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E49JWOHD\edgecompatviewlist[1].xml

Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\0HLEFOQ9\xvEz2IbMlyghPZ3oNAHr9N-xMOA.br[1].js

Filesize
6KB

MD5
dc221228e109f89b8b10c48f2678fb46

SHA1
1bfc85cba5c424136941ac1dfd779a563b5beed4

SHA256
f4fb7234959f48c2b2ca73fd6c35d36eaf65d8c431d982a1ba208f5cdc766419

SHA512
46f49e5ac18436251778d1f50c027729a2442ed6541c3162d878720703e37797b6028d96eb1568c23ec5006fb022c8e05855e250d6a1a590f41e890866529cd2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\IP9T6A0Z\fRSNKQanUHk53F1a1Bi8UA71Qt4.br[1].js

Filesize
289B

MD5
9085e17b6172d9fc7b7373762c3d6e74

SHA1
dab3ca26ec7a8426f034113afa2123edfaa32a76

SHA256
586d8f94486a8116af00c80a255cba96c5d994c5864e47deac5a7f1ae1e24b0d

SHA512
b27b776cb4947eef6d9e2a33b46e87796a6d4c427f4759c08cf5aa0ee410a5f12e89ca6ab9cddd86c8471037e3c505f43c8b7fc6d8417f97f9fe3c5c47216bc4

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
4KB

MD5
1bfe591a4fe3d91b03cdf26eaacd8f89

SHA1
719c37c320f518ac168c86723724891950911cea

SHA256
9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8

SHA512
02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\1LO7OU9X\favicon[2].png

Filesize
7KB

MD5
9e3fe8db4c9f34d785a3064c7123a480

SHA1
0f77f9aa982c19665c642fa9b56b9b20c44983b6

SHA256
4d755ac02a070a1b4bb1b6f1c88ab493440109a8ac1e314aaced92f94cdc98e9

SHA512
20d8b416bd34f3d80a77305c6fcd597e9c2d92ab1db3f46ec5ac84f5cc6fb55dfcdccd03ffdc5d5de146d0add6d19064662ac3c83a852f3be8b8f650998828d1

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\C2PY32FZ\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\V30I90SG\favicon[1].ico

Filesize
758B

MD5
84cc977d0eb148166481b01d8418e375

SHA1
00e2461bcd67d7ba511db230415000aefbd30d2d

SHA256
bbf8da37d92138cc08ffeec8e3379c334988d5ae99f4415579999bfbbb57a66c

SHA512
f47a507077f9173fb07ec200c2677ba5f783d645be100f12efe71f701a74272a98e853c4fab63740d685853935d545730992d0004c9d2fe8e1965445cab509c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\WSIBNSKS\favicon-trans-bg-blue-mg[1].ico

Filesize
4KB

MD5
30967b1b52cb6df18a8af8fcc04f83c9

SHA1
aaf67cd84fcd64fb2d8974d7135d6f1e4fc03588

SHA256
439b6089e45ef1e0c37ef88764d5c99a3b2752609c4e2af3376480d7ffcfaf2e

SHA512
7cb3c09a81fbd301741e7cf5296c406baf1c76685d354c54457c87f6471867390a1aeed9f95701eb9361d7dfacce31afd1d240841037fc1de4a120c66c1b088c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
064f0852c2c8b2305d305a7c35752c40

SHA1
2cc0c70401cba3db156121508676439f1e804d48

SHA256
4b07740f809b29f43f048c558ef309fd1983835c69b9e08014add366cfd82130

SHA512
3049f2e2d8f4c9305bb57cc69bd138f431d1c7db2d7a80846ea48f710dfc42af8d8d2ff891c9e4c8c9fdf809c86ab61b742b1ef94a55a3903cbdefc043ca5fb5

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
62a753ccea169b67a64a4f6192e8d060

SHA1
4959c0d08b68ae333be2617a8e02b9b6ccc5e4b8

SHA256
dcbafdaa333d089309da4ebe93c3172e1e993aae8e1797a73e657ae157ed2452

SHA512
def52240562970f85ae71e8c780ef5f43f1109e04e0cfd82b4b2c8082bd11d67ec051e6477cc020ac8878b7fc548202f07f495278d0d052e6ca6f40214773232

Download Submit
memory/3084-362-0x000001ADB9E60000-0x000001ADB9E62000-memory.dmp

Filesize
8KB

Download
memory/3084-354-0x000001ADA9110000-0x000001ADA9210000-memory.dmp

Filesize
1024KB

Download
memory/3904-207-0x0000020ED2830000-0x0000020ED2832000-memory.dmp

Filesize
8KB

Download
memory/3904-331-0x0000020ED2CF0000-0x0000020ED2CF2000-memory.dmp

Filesize
8KB

Download
memory/3904-203-0x0000020ED27D0000-0x0000020ED27D2000-memory.dmp

Filesize
8KB

Download
memory/3904-205-0x0000020ED27F0000-0x0000020ED27F2000-memory.dmp

Filesize
8KB

Download
memory/3904-201-0x0000020ED26A0000-0x0000020ED26A2000-memory.dmp

Filesize
8KB

Download
memory/3904-209-0x0000020ED2850000-0x0000020ED2852000-memory.dmp

Filesize
8KB

Download
memory/3904-211-0x0000020ED2970000-0x0000020ED2972000-memory.dmp

Filesize
8KB

Download
memory/3904-333-0x0000020ED35D0000-0x0000020ED35D2000-memory.dmp

Filesize
8KB

Download
memory/4860-137-0x0000024C83530000-0x0000024C83531000-memory.dmp

Filesize
4KB

Download
memory/4860-0-0x0000024CF8E20000-0x0000024CF8E30000-memory.dmp

Filesize
64KB

Download
memory/4860-35-0x0000024CF6330000-0x0000024CF6332000-memory.dmp

Filesize
8KB

Download
memory/4860-16-0x0000024CF8F20000-0x0000024CF8F30000-memory.dmp

Filesize
64KB

Download
memory/4860-136-0x0000024C83520000-0x0000024C83521000-memory.dmp

Filesize
4KB

Download
memory/4996-104-0x0000027FFAE40000-0x0000027FFAE60000-memory.dmp

Filesize
128KB

Download
memory/4996-286-0x0000027FFC6D0000-0x0000027FFC6F0000-memory.dmp

Filesize
128KB

Download
memory/4996-98-0x0000027FFB1E0000-0x0000027FFB2E0000-memory.dmp

Filesize
1024KB

Download
memory/4996-93-0x0000027FFB0C0000-0x0000027FFB1C0000-memory.dmp

Filesize
1024KB

Download
memory/4996-84-0x0000027FE9C00000-0x0000027FE9D00000-memory.dmp

Filesize
1024KB

Download
memory/4996-81-0x0000027FFA1A0000-0x0000027FFA1C0000-memory.dmp

Filesize
128KB

Download
memory/4996-69-0x0000027FFA1A0000-0x0000027FFA1C0000-memory.dmp

Filesize
128KB

Download
memory/4996-241-0x0000027FFC100000-0x0000027FFC200000-memory.dmp

Filesize
1024KB

Download
memory/4996-291-0x0000027FFC980000-0x0000027FFC9A0000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads