Analysis
-
max time kernel
121s -
max time network
123s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
-
submitted
03-10-2024 19:20
General
-
Target
https://disk.yandex.ru/d/VXyHfH3CjKxrnA
Malware Config
Extracted
xehook
2.1.5 Stable
https://t.me/+w897k5UK_jIyNDgy
-
id
349
-
token
xehook349969335337456
Signatures
-
Xehook stealer
Xehook is an infostealer written in C#.
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 61 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 5 IoCs
-
Modifies Internet Explorer settings 1 TTPs 5 IoCs
-
Modifies registry class 64 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 25 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://disk.yandex.ru/d/VXyHfH3CjKxrnA1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff835d83cb8,0x7ff835d83cc8,0x7ff835d83cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,16458624870616484838,3255223573892455678,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,16458624870616484838,3255223573892455678,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,16458624870616484838,3255223573892455678,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,16458624870616484838,3255223573892455678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,16458624870616484838,3255223573892455678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,16458624870616484838,3255223573892455678,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4752 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,16458624870616484838,3255223573892455678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,16458624870616484838,3255223573892455678,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,16458624870616484838,3255223573892455678,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,16458624870616484838,3255223573892455678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,16458624870616484838,3255223573892455678,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,16458624870616484838,3255223573892455678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,16458624870616484838,3255223573892455678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,16458624870616484838,3255223573892455678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,16458624870616484838,3255223573892455678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1912,16458624870616484838,3255223573892455678,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6288 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,16458624870616484838,3255223573892455678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,16458624870616484838,3255223573892455678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,16458624870616484838,3255223573892455678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,16458624870616484838,3255223573892455678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,16458624870616484838,3255223573892455678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,16458624870616484838,3255223573892455678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,16458624870616484838,3255223573892455678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6496 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1912,16458624870616484838,3255223573892455678,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6976 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,16458624870616484838,3255223573892455678,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,16458624870616484838,3255223573892455678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7024 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,16458624870616484838,3255223573892455678,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6956 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,16458624870616484838,3255223573892455678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6768 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,16458624870616484838,3255223573892455678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6908 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,16458624870616484838,3255223573892455678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7172 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1912,16458624870616484838,3255223573892455678,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7352 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,16458624870616484838,3255223573892455678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,16458624870616484838,3255223573892455678,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,16458624870616484838,3255223573892455678,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=7200 /prefetch:22⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004D4 0x00000000000004C81⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\wild reborn crack\" -spe -an -ai#7zMap19327:96:7zEvent7441⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\wild reborn crack\Инструкция.txt1⤵
-
C:\Users\Admin\Downloads\wild reborn crack\wild reborn crack.exe"C:\Users\Admin\Downloads\wild reborn crack\wild reborn crack.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /02⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD52ee16858e751901224340cabb25e5704
SHA124e0d2d301f282fb8e492e9df0b36603b28477b2
SHA256e9784fcff01f83f4925f23e3a24bce63314ea503c2091f7309c014895fead33c
SHA512bd9994c2fb4bf097ce7ffea412a2bed97e3af386108ab6aab0df9472a92d4bd94489bb9c36750a92f9818fa3ea6d1756497f5364611e6ebd36de4cd14e9a0fba
-
Filesize
152B
MD5ea667b2dedf919487c556b97119cf88a
SHA10ee7b1da90be47cc31406f4dba755fd083a29762
SHA2569e7e47ebf490ba409eab3be0314fa695bf28f4764f4875c7568a54337f2df70f
SHA512832391afcac34fc6c949dee8120f2a5f83ca68c159ff707751d844b085c7496930f0c8fd8313fd8f10a5f5725138be651953934aa79b087ba3c6dd22eaa49c72
-
Filesize
53KB
MD51b9b8eb0b0d1e2b64063aebeb65209b4
SHA18fd43d93a74e88305ac6b7368e719d58adb3169a
SHA256cb149503c3a08e781f7a00b85b342b63406ab7183b0d8a4da1304420be12385d
SHA512c9c75ec29601593a09de6b6f2b38b4c19a59904f2be85632e14913838012c8ac9499157546e17fe1378cf927a7919e7a8e83cde210fa4119a64f95e91035de58
-
Filesize
64KB
MD5d6b36c7d4b06f140f860ddc91a4c659c
SHA1ccf16571637b8d3e4c9423688c5bd06167bfb9e9
SHA25634013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92
SHA5122a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487
-
Filesize
70KB
MD54308671e9d218f479c8810d2c04ea6c6
SHA1dd3686818bc62f93c6ab0190ed611031f97fdfcf
SHA2565addbdd4fe74ff8afc4ca92f35eb60778af623e4f8b5911323ab58a9beed6a9a
SHA5125936b6465140968acb7ad7f7486c50980081482766002c35d493f0bdd1cc648712eebf30225b6b7e29f6f3123458451d71e62d9328f7e0d9889028bff66e2ad2
-
Filesize
19KB
MD52e86a72f4e82614cd4842950d2e0a716
SHA1d7b4ee0c9af735d098bff474632fc2c0113e0b9c
SHA256c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f
SHA5127a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1
-
Filesize
63KB
MD5710d7637cc7e21b62fd3efe6aba1fd27
SHA18645d6b137064c7b38e10c736724e17787db6cf3
SHA256c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b
SHA51219aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44
-
Filesize
2KB
MD5f9aff010ff5d9c7250c0b2abb9ab421d
SHA15c2b1ddc25ce628d8f0c5924c6f7bb392ac16349
SHA256d574aea76e965754348d3b22e8772dd25e5f10d554b4a5fda6c82f2da3a6bb4e
SHA5127f18bf5373b41964867ebd1696a34ae4992dde323ce22bd771a66dd4f9ed8648f30fdb769bc1e429db26cce9e3c34849b8620c744af67d1e488835c4e3e7cf1f
-
Filesize
3KB
MD5fbb782b7480a426b90bd3d30e90e5dee
SHA112c90ceb4227d1505ed80c7a54623da151d29ee4
SHA256b3bdc852a66f47eca2d78ad5a80bbe05e00add1838aa4dbef1e01198a072086e
SHA512b8e175268e6897147c8cfbc5b31bfc17413fdd8db13e29f3d96fa468ab58ebd03fbac7adc20833532b574572eba673806d28dd0a7d414433eb94bdd780e746c6
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
542KB
MD5a0b8b5f06a3a1e260a6665250f2dec1f
SHA12cddfb4e61e5ba55472e69e72a189715b3e65fe8
SHA256de15d182693caced6b2fd62e8d7032f78164b0b74278664d1d557ddba3efacac
SHA51299b3c35667b32b5463ebed4edb67c41c1edd8ed8bcb4f3e30bd4c5059bbf751398e6fe1a2b6e369eeb643f327154b0ec962e363dc43677d1d3bd67e45cd03208
-
Filesize
3KB
MD5c07a429070bd4d473bcb20b3012a0ce0
SHA1ba097e96ba93b08a32fd3f68bdafe7b80ff7d2f3
SHA256ca8f96b4c6d23747b69bc84cd7d92ebd5522a27cc09296790fd7138a81a927a2
SHA512664af9b2205be7ed258bfe846a62d30e056057b2b1663415cfe02c319d1d815d1d3792e36da14b5966da8de756d2f1abfae5356fcd8713c1d444eaeb923b60fb
-
Filesize
5KB
MD5eb3bb68945cd5467eb035758f72feb58
SHA18c7b89ad35002d7e776aec567dcc585d11a78448
SHA256eb12edfaa7f156718d45197e45ea4a41d17975e3a4fff8aaf46e9e29ab108f9f
SHA512a80c0df681c4a72adb79bdddeca4cbe20998138b08a7bd14270e41a349374021e59eb7d97cf1a7885ae10768700a968bbe43f58a358bfc5b9c9776c15c57e1b6
-
Filesize
7KB
MD5219ea642c49ddbcc5acd2a10173ab093
SHA1d317c1bb218fd34013fd93423c7cce863be044ba
SHA25627cde936f8670adc3f724629da12854d696db5b687649b520b43cc4a34a443e0
SHA512d2f0e3fc9a4b75be8877850f0f2f933785ca7ebc0db7c54aa430701ff0b01487c87065ae5f4ef26dad7d51faa9e1147ef4e487913aa1449fbe60f8dfffbffdd7
-
Filesize
8KB
MD52ceea614324d40fb83977f0e1d5b7aaa
SHA124537f84832cc57d4c40d2ebe471b6fec2e72327
SHA256c8e6adde8c52bc8dff56bf5aff42837f1fbb7af6cb40af8050f458976ffdc45e
SHA512904414c57e0e47937f60800ec100ebb89bd14a4d4db32ff1fc750cce9803de71c6962ad74fb043a6264fb379bb5961853088a5290052bf14462e0c59fab24ef2
-
Filesize
8KB
MD507edee86f24f33532d533220e8852430
SHA1fbf2bc2a683d37f24886fab02e7b513c6145c7c9
SHA256901a37bb5262c33ae0d37d910811b9faf50409ea09e728314f7f8a8240e08930
SHA512cc9922674c38d87e5c8970e573b54f8aa5e1a099b109aa2950d6193bbfbded0eee99a9cedb16127279e61a0c378477b6d5b47cb9ac629fcd8f9b7c8c64609318
-
Filesize
8KB
MD546fb55c65434770f71ad68117874f1f5
SHA18bdb9f7dc162b7f53497bdf78a828ec832fc1a53
SHA256d8bcf820585081f09f82ae3fb438290601b1250c1fac28cb83b543d1b42cd001
SHA512d9b4d81681187aa38c46f07921fd411ec964810ddd2f5916252a10f98aaede3c7a7c3e1a6ac0b0634f570086719bac95b709b20b5b4bcad89f35124b006594bc
-
Filesize
6KB
MD587f42404db680bed5fcbf051ca2a7bb1
SHA175cd79d5b3c3a5eb4f6be2228fbabb09588abdb1
SHA256ccc38d9d2227a1190fa9f1fc5079dc9cac413f6e41049aa8b96a81863aea47f3
SHA512fc8abda12786187f3e5ae34c540c2505f4990a456615516b433b337154ccc8fd3be48bb777c9f8390f2d76b95e98e9bb809e92e256c625d59be89d594dadb6cf
-
Filesize
1KB
MD572cd6702779481d3dc54a45363157da1
SHA1162be054e2be0f2ebe225f013c69cb2276a788c1
SHA25627ecdc233d573c44d539476bfa936a5b9057033f0da4fb99f4b737d9051f1413
SHA51281f88392d8259f29bb37117b585c75d0abe8efd10c5cc57a02c80f40036f3d4f6fc66fd725097442d1ade993fd8886f18ac9930509db986671c149e97cf5ab56
-
Filesize
1KB
MD562f03b9bf4a7b0c8eca3d5bd3637bcff
SHA1d0a775cb5739e8051c8b5ae26dc8684db5ef5ee5
SHA256171a2b8cab7e099fe02c2c6eccb1d8a136532fa262fecf69bf6907f55f872e2e
SHA512e1e148aedc78a38d6ce4c94af5fcdfb4655fa7581238a274a258b3771424b38f4c953d46f4fb3e37297c73f0d98f72f1b3aeef3ea834e679ff64e487154f9855
-
Filesize
1KB
MD57fd6a81456db32e4f1849a5a411e3190
SHA10b931dd7e1cb3b6bb92dd0126518b8ee2c806bd7
SHA2562f1450e42a710c48b64052d67945035d28220a55204cae015b473604e458ded1
SHA512395d727d87c31e7f63f56e108e17f9a967469685aa6fa4756726f772bb27f835a85103369dcff06742717ed7c2389daefffc02d8b4369bb15a8f75f5d7409a9e
-
Filesize
2KB
MD54764821161f87a12c7acdd0108cc23e0
SHA1504bf404f887d2c692b24f8fbe430b179ddbdd39
SHA256753a4a1235e23e3ddc8e2be0e35b2cc2471bb4f947b2b4389c3f5fe7effa1f2b
SHA5127b1eaa8dbcbd811ab5720f60e348b6a1289a6621e3914e24589a4ca980f5501927f26dfb5a86fb22ae5deda95fc16ddca34047f120e3ab6f56b52e6d901c3b5c
-
Filesize
1KB
MD5826c16003ac83d66aae7759bc5272382
SHA173602b28c42a8f0943805d08a646b0f5d3fea621
SHA256f2a5fb516c6d7a58286a88d13ab741be0ed61913ad882cbcad45f4ab4703211e
SHA51260a4b262cf6bf72fd3823551f47d54476142beb2c15a666d3ad29780d9fa7bbdc1a90cb138fceb926b3536dd0139dbbf746809c4e3b68f9fcb903c452f68c209
-
Filesize
112KB
MD58ade0461cc1d2eae4d5da8dc16013825
SHA1b6326f2ac8fdd45db7003c8aa5ba3bb2334a1823
SHA2568f52c6bc94b3f5df232a0a2ef558295c3464bdbc7ab759e20bf43f8c3627f525
SHA51244d9c5b76db0b850e03c1aef1c1030f884aa2e23873b7f98b69f46a07d2add666c8be3e4cf0b1307ad394106ff4c7abf7ea3f9dfcafc602508fc277fd75cedef
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11B
MD5b29bcf9cd0e55f93000b4bb265a9810b
SHA1e662b8c98bd5eced29495dbe2a8f1930e3f714b8
SHA256f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4
SHA512e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011
-
Filesize
10KB
MD5721cb0f2a52e928aa58e58ecf6337f6a
SHA165a797ecb0e0d005f5f077761f6dfcd754d342c5
SHA256de308f848cc9f61a23c2b406201850f0bd33959d5ff98995358728598627a715
SHA512851f021bd9908508069c46ed93cfc8a80beab5655302982eae1135db4382c5b386cc7d45dfcde2cf85f9c33fe69fef2cf7b1ed7e63b154173c29a8fd033228e3
-
Filesize
10KB
MD5b85d7219bf3584ea21bdde01be31249d
SHA1026f4cee5ed29bf20fb231b1e69503ecdaf29b61
SHA2568718cd96df6f22b58e08321c6a97d17510ad4e343335dcc5e6483f768bca3ca3
SHA512eb927c27039375962beb34a200f93c82bcd973dffb82196b4b994e8d93418b767df6212427a25f32c7129db92c598b1125efffd5d2e1c7a574ec28e17a76f14b
-
Filesize
11KB
MD5fb5ee321f0b1bb0ef94264c833e7e0b5
SHA188b7a2555bf6b35107d7d457208bbb8efbaaaebe
SHA25670e266c55ad7b3ab52fa83b2bdac4c313ccc56c413db0b213304996068828cc2
SHA512b758af5cb065f2385305163244ea73e1163f1aef1402b62ea62876de220185fe01d1efe37e1f0ef4f50441fd50c54119c3993cab177543eba90475fe2d1d908d
-
Filesize
11KB
MD5354debd2d5e273cccb0b71985ad274dc
SHA1ab92fbd8f8ba8b81329ae7a132ff65c60ff8239c
SHA2560dadb21413b81124a78c18a7e6f74ff09c3c8b93b0a8c6dda45c89d2d66a484a
SHA512b4ed3462b065736ff8683ddaf61974a9fb76e3d85db04302e43bcb6b6b2317d9e93b1b7d1b944e26eb31fa719eb79fd348ddde014de9b0b633c5b425eeb48525
-
Filesize
28KB
MD58ac6884dfdc045d032e4fd4a928bb457
SHA1255e239fac42ee08aeb700ea94475c42dea61cba
SHA256a63c4a22e772445673f08c0df632ebf4550e91a02831675e2d7b700db909fa3b
SHA51215c9042a8f7d1d4f93e04f80f762627b5f35615be2cf5ff117fd4d5ba59ef82e17ee0df599c56b6b6ea8ef808a30cafe2a2041c2a4b871339e4d2a942a940315
-
Filesize
17KB
MD5d3036cb0c0fec2ff3c7187279da56a43
SHA1c942b03b35d04425a8fdddafc6086ae347ad2260
SHA25652121310cfd914ee7a799523e161e7c3d036272bacf98772981a06c95c5323d9
SHA512053dda178d23242c004ba3e9e7757cf283d843ee0d7094f1798ffd10cd9ce9be27f5c31e86bbe4c56325d26ba07de012d77ea14e9b5aec363385606d4e5d267c
-
Filesize
19KB
MD579a1b1510f76e17b3ca0efbe80bee182
SHA1392ad7b6d623d49d09e03d7345af9143e51e4d14
SHA256d854cea8bad69e4d20b66210a9260d542dc29fb16a350f177ac0ab987bb6abaa
SHA5125e71037ea915dcf415a992ae1b5c791c96e0c211fd15c60e4ddfcf3446c56c18737aa2535cd07ec1ff437f7f361a17078ec39db169a33720a2ef71d396108144
-
Filesize
10KB
MD5e6478bab2cbb6b14c3c6a121195a1f66
SHA1a6f5186fd7f26065ceac5a3d75dabc9fe2cf2c65
SHA256e674e6d4facfc061c801b4206fef7b748ae0e29591c1a7091c371da364b3822b
SHA512c92e55556533382ef3667a0f706079d20ad87eb61f64e3815a7509b02da50af441ecce49db479d5f3631fefff2a5bd4f1d2271c316729a28f96c22a4cfc55454
-
Filesize
10KB
MD579920bd818470463424d1d137188e62b
SHA18bde1dd40760c9797eceb9072ef3b24a178e4628
SHA25675f21fabed86202575868bd01ba87dc5788c050c379d7feb82571b5b73dc6e7b
SHA512643ee5743f38c82f446508aa49eecdd5c6ab054b05040a4e997cb46c55ab07c04d052336f034e5f72db2d464d7287de9d8ba82b051bcbf077313dc3e023f9ec4
-
Filesize
352KB
MD57232434b3dfc7148e75afd4bd12b2f22
SHA1d038e425da0d6b5864e9ca264b32eb81aa33abdf
SHA2567c3e669899d884dbba44ab98df10d04ade5a1520165396d6fc9b9bbfdcb415f9
SHA512497ea954201102543b74f3915c7bae9cc43147354b225898937b271a1cc00996f9e8853919a5ed2087f4ee21be4d8ee44fd2e6b9168867291a26244b5162ed91
-
Filesize
35.9MB
MD57c49e1dcd77cd7adcdcdd8b8f47c215e
SHA18faef92754753d911f8902339a30399d89f251cb
SHA256e46397573bf1378796799030875d4ec6dd0a76cbd2bb3408b74550c58ef72a5b
SHA51293d98688ef03fae84a3850ed31848d21ec045f4cc76a0223a129fcc30d3cce4151786c7a645e7c0c25243cd21984285ffd21c8bcd26329561f2af6e861985514
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
227KB
MD553f9ed2ce7b7c208786772833c52a90c
SHA1867bc9ab7f8eba3101db0758959315c087be7965
SHA25699a756b1720df27bcb8e7479800f848db3909dd7ea275b143b92e9bd22c3def6
SHA51294726c6d6cf1473b6e6d3ffd4f0b4d4385697f4fe7db836c2a7388cafc92a5f697178d74c74887232593170d7d4477a029473d09c000be3ddda69b895536feba
-
Filesize
728B
MD5b3fa02c1cd910bfe14df58154137fae0
SHA1e6b679c9435ff7e8eeee7912a2c2d948de1fef7b
SHA25624dd238a2b1bfe86868494b42eede1986fb4073b7f5985c309db3fa653d96a71
SHA512fa28ea5e740a4cdd9f25d2e85f8723435ab79c516291b7a35be88706b65dfeb0a8381930099d68683f65d66a47460954bdac0f9799e4bfdc8ccef184d62343d8
-
Filesize
256KB
-
Filesize
24KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
1024KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
408KB
-
Filesize
176KB
-
Filesize
2.1MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB