Analysis

max time kernel: 361s
max time network: 274s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-11-2024 13:17
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
  Sample: https://drive.google.com/file/d/1ffD1rFoAotXLVN39Ws4JvLEiwaixrBFx/view?usp=drive_link
  Resource: win10v2004-20241007-en
Errors

General
Target: https://drive.google.com/file/d/1ffD1rFoAotXLVN39Ws4JvLEiwaixrBFx/view?usp=drive_link
Malware Config: (empty in the report)

Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
- Key value queried: \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation (TrojanXD.exe)
Note: Nation holds a decimal Windows GEOID (244 is the United States), not an ISO country code, and it reflects the user's region setting rather than the machine's network location; a sample keyed on it can be made to take its other branch by changing that one value before detonation.
Event Triggered Execution: Component Object Model Hijacking (1 TTP)
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Note: no IoC rows are attached to this signature in the report; the only COM-related registry activity shown on the page is the wholesale deletion of CLSID, Interface and TypeLib keys listed under "Modifies registry class" below, which removes references rather than redirecting them.
Executes dropped EXE (1 IoC)
- PID 2132: TrojanXD.exe
Modifies system executable filetype association (2 TTPs, 47 IoCs)
All 47 entries are key deletions by reg.exe under \REGISTRY\MACHINE\SOFTWARE\Classes\, except the two marked HKU-Classes, which sit under \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\. They are grouped here by ProgID.
batfile (16):
- batfile\DefaultIcon
- batfile\shell
- batfile\shell\edit
- batfile\shell\edit\command
- batfile\shell\open
- batfile\shell\open\command
- batfile\shell\print
- batfile\shell\print\command
- batfile\shell\runas
- batfile\shell\runas\command
- batfile\shell\runasuser
- batfile\shell\runasuser\command
- batfile\shellex\ContextMenuHandlers
- batfile\shellex\ContextMenuHandlers\Compatibility
- batfile\shellex\DropHandler
- batfile\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f}
comfile (6):
- comfile\DefaultIcon
- comfile\shell
- comfile\shell\open
- comfile\shell\open\command
- comfile\shellex
- comfile\shellex\DropHandler
exefile (12):
- exefile\DefaultIcon
- exefile\shell
- exefile\shell\open
- exefile\shell\open\command
- exefile\shell\runas
- exefile\shell\runas\command
- exefile\shell\runasuser
- exefile\shell\runasuser\command
- exefile\shellex\ContextMenuHandlers
- exefile\shellex\ContextMenuHandlers\Compatibility
- exefile\shellex\ContextMenuHandlers\PintoStartScreen
- exefile\shellex\DropHandler
lnkfile (8):
- lnkfile\CLSID
- lnkfile\shellex\ContextMenuHandlers\OpenContainingFolderMenu
- lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046}
- lnkfile\shellex\DropHandler
- lnkfile\shellex\IconHandler
- lnkfile\tabsets
- HKU-Classes\lnkfile\shellex\ContextMenuHandlers
- HKU-Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx
piffile (5):
- piffile\shell
- piffile\shell\open
- piffile\shell\open\command
- piffile\shellex\DropHandler
- piffile\shellex\IconHandler
Note: the signature name suggests a hijack, but every row is a deletion and no replacement handler pointing at the sample appears anywhere on the page. Removing exefile\shell\open\command, batfile\shell\open\command and the corresponding comfile, piffile and lnkfile verbs takes away the commands Explorer uses to launch programs, scripts and shortcuts, so after this runs double-clicking an executable or a shortcut fails. Read it as disabling the shell rather than as persistence. The reg.exe command lines that would show how the deletions were issued are not in the part of the process tree reproduced on this page.
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
- flow 8: drive.google.com
- flow 11: drive.google.com
Note: the submitted target is itself a drive.google.com link, so these flows are the browser fetching the sample; no other network destination appears in the signatures shown here, so this is evidence of Drive being used for delivery, not of command-and-control after execution.
Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
- File opened for modification: \??\PhysicalDrive0 (TrojanXD.exe)
Note: the signature records the raw disk (\??\PhysicalDrive0, the NT form of \\.\PhysicalDrive0) being opened for write, not the bytes written. Opening the physical drive for write requires administrative rights. Taken together with the shell-association and Classes-hive deletions on this page, the behaviour reads as destructive (leaving the guest unbootable) at least as much as persistence; confirm which by reading sector 0 from a disk image taken after the run and comparing it with a clean copy.
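The signature above only shows that TrojanXD.exe opened the raw disk for writing. To establish what changed, compare sector 0 from a post-run disk image with a copy taken before detonation. The Python below is an added example written for this page, not part of the sandbox report or code from the sample: it parses the Windows-style MBR layout (440 bytes of bootstrap code, a 4-byte disk signature, two reserved bytes, four 16-byte partition entries and the 0x55AA boot signature), diffs two sectors, and simulates both a bootkit-style replacement of the boot code and a wiper-style removal of the signature. The baseline sector it builds is constructed for the example, not taken from the analysed VM; read_sector0 is only meaningful on a live Windows host from an elevated prompt and is not called by the demo.

```python
"""Parse and diff 512-byte MBR sectors; added example, not sandbox tooling."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTCODE_LEN = 440        # bytes 0-439: bootstrap code (Windows-style layout)
DISK_SIG_OFF = 440        # 4-byte disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446      # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"    # bytes 510-511


def parse_mbr(sector: bytes) -> dict:
    """Decode the fields a responder checks first; raise on a short or long read."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_signature_ok": sector[510:512] == BOOT_SIG,
        "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def diff_mbr(baseline: bytes, current: bytes) -> list[str]:
    """Human-readable differences between a known-good sector and a later read."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not cur["boot_signature_ok"]:
        findings.append("boot signature 0x55AA missing: BIOS will refuse to boot this sector")
    if base["bootcode_sha256"] != cur["bootcode_sha256"]:
        findings.append("bootstrap code (bytes 0-439) changed")
    if base["disk_signature"] != cur["disk_signature"]:
        findings.append("disk signature changed")
    for i, (p_base, p_cur) in enumerate(zip(base["partitions"], cur["partitions"])):
        if p_base != p_cur:
            findings.append(f"partition entry {i} changed")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed baseline: placeholder boot code plus one active NTFS partition.

    Stands in for the pre-infection copy; it is not a real boot sector."""
    bootcode = bytes(range(256)) + b"\x90" * (BOOTCODE_LEN - 256)
    header = bootcode + struct.pack("<I", 0x2C3D4E5F) + b"\x00\x00"
    first = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)  # active, NTFS, 100 MiB
    return header + first + b"\x00" * 48 + BOOT_SIG


def tamper(sector: bytes, zero_signature: bool = False) -> bytes:
    """Simulate a raw write to sector 0: overwrite the boot code (bootkit style)
    and, optionally, the 0x55AA signature as well (wiper style)."""
    out = bytearray(sector)
    out[:BOOTCODE_LEN] = b"\x00" * BOOTCODE_LEN
    if zero_signature:
        out[510:512] = b"\x00\x00"
    return bytes(out)


def read_sector0(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the live MBR; on Windows this needs an elevated console. Not run here."""
    with open(device, "rb") as disk:
        return disk.read(SECTOR_SIZE)


if __name__ == "__main__":
    clean = build_sample_mbr()
    print("bootkit-style:", diff_mbr(clean, tamper(clean)))
    print("wiper-style:  ", diff_mbr(clean, tamper(clean, zero_signature=True)))
```

In practice the baseline is the first 512 bytes of the VM's golden image and the current sector comes from an image taken after the run; an unchanged partition table with changed boot code points at a bootkit, a missing signature at a wiper.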
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
Note: all three hits come from the browser that opened the Drive link, not from TrojanXD.exe, so they are not evidence that the sample fingerprints the sandbox.
Modifies data under HKEY_USERS (15 IoCs)
All 15 entries are by LogonUI.exe under \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\:
- Set value (int): DWM\ColorizationGlassAttribute = "1"
- Key created: CurrentVersion\Themes\History
- Set value (int): CurrentVersion\Themes\History\AutoColor = "0"
- Set value (int): DWM\ColorizationColor = "3288365271"
- Set value (int): DWM\ColorizationColorBalance = "89"
- Set value (int): DWM\ColorizationBlurBalance = "1"
- Key created: CurrentVersion\Explorer\Accent
- Set value (int): CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"
- Set value (int): DWM\ColorizationAfterglowBalance = "10"
- Set value (int): DWM\EnableWindowColorization = "5"
- Set value (int): CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"
- Set value (int): DWM\AccentColor = "4292311040"
- Set value (int): DWM\ColorizationAfterglow = "3288365271"
- Set value (data): CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00
- Key created: DWM
Note: these are the logon screen writing its own theme colours into the .DEFAULT profile; they are not sample activity. What matters is that LogonUI.exe ran at all during a 361 s detonation, which means a logon or lock screen was displayed after the sample executed.
Modifies registry class (64 IoCs)
All entries are key deletions by reg.exe. HKLM-Classes stands for \REGISTRY\MACHINE\SOFTWARE\Classes and HKU-Classes for \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes.
- HKLM-Classes\SystemFileAssociations\.fpx\shellex
- HKU-Classes\CLSID\{CAFEEFAC-0018-0000-0024-ABCDEFFEDCBB}\InprocServer32
- HKLM-Classes\HNetCfg.NATUPnP\CurVer
- HKLM-Classes\Interface\{914934F3-5A91-11CF-8700-00AA0060263B}\TypeLib
- HKLM-Classes\VLC.avi\shell
- HKLM-Classes\.docm\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}
- HKLM-Classes\PowerPoint.SlideShow.8\shell\ViewProtected
- HKLM-Classes\SystemFileAssociations\.avifs\Shell\print\DropTarget
- HKU-Classes\.thumb
- HKLM-Classes\Interface\{00020889-0000-0000-C000-000000000046}\ProxyStubClsid32
- HKLM-Classes\Interface\{83E5EAE8-3887-599E-BEBF-8C51362DB44C}
- HKLM-Classes\TypeLib\{0002E157-0000-0000-C000-000000000046}\5.3\HelpDir
- HKLM-Classes\.csv\PersistentHandler
- HKU-Classes\CLSID\{CAFEEFAC-0017-0000-0368-ABCDEFFEDCBA}\InprocServer32
- HKU-Classes\CLSID\{CAFEEFAC-0018-0000-0254-ABCDEFFEDCBB}
- HKLM-Classes\Interface\{00024464-0000-0000-C000-000000000046}\TypeLib
- HKLM-Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.fileTypeAssociation\.3gp\AppXk0g4vb8gvt7b93tg50ybcy892pge6jmt
- HKLM-Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.Win32WebViewHost_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy
- HKLM-Classes\.aif\OpenWithProgIds
- HKU-Classes\CLSID\{CAFEEFAC-0017-0000-0350-ABCDEFFEDCBC}\InprocServer32
- HKLM-Classes\GoogleUpdate.OnDemandCOMClassSvc.1.0\CLSID
- HKLM-Classes\Record\{36E5139D-9C09-339B-9D9A-AEF97CFE086B}\15.0.0.0
- HKU-Classes\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.ECApp_10.0.19041.1023_neutral__8wekyb3d8bbwe\ActivatableClassId
- HKLM-Classes\Interface\{C077C833-476C-11D2-B73C-0000F87572EF}
- HKLM-Classes\Media Type\Extensions\.m3u
- HKLM-Classes\Word.TemplateMacroEnabled.12\shell\OnenotePrintto\command
- HKLM-Classes\WOW6432Node\CLSID\{CA8A9780-280D-11CF-A24D-444553540000}\ToolboxBitmap32
- HKLM-Classes\CID\7d0f09da-7043-4051-82e9-e3c6ac24524d\Protocol
- HKU-Classes\CLSID\{CAFEEFAC-0017-0000-0337-ABCDEFFEDCBA}\InprocServer32
- HKLM-Classes\Interface\{1F822F34-B003-55C5-B0F9-891743128CF3}
- HKLM-Classes\Interface\{6F9D1F68-06F7-49EF-8902-185E54EB5E87}
- HKU-Classes\CLSID\{CAFEEFAC-0014-0002-0021-ABCDEFFEDCBA}\InprocServer32
- HKU-Classes\CLSID\{CAFEEFAC-0017-0000-0337-ABCDEFFEDCBC}
- HKLM-Classes\CLSID\{FB453AD8-2EF4-44D3-98A8-8C6474E63CE4}\MiscStatus
- HKU-Classes\CLSID\{CAFEEFAC-0018-0000-0062-ABCDEFFEDCBA}
- HKLM-Classes\Interface\{7847EC01-2BEC-11D0-82B4-00A0C90C29C5}
- HKLM-Classes\Interface\{83919262-ACD6-11D2-9028-00C04FA302A1}\ProxyStubClsid32
- HKLM-Classes\MicrosoftEdgeUpdate.Update3COMClassService.1.0\CLSID
- HKLM-Classes\TypeLib\{DF2BBE39-40A8-433B-A279-073F48DA94B6}\1.0\FLAGS
- HKU-Classes\CLSID\{CAFEEFAC-0015-0000-0085-ABCDEFFEDCBC}
- HKU-Classes\CLSID\{CAFEEFAC-0017-0000-0319-ABCDEFFEDCBC}
- HKU-Classes\CLSID\{CAFEEFAC-0018-0000-0104-ABCDEFFEDCBB}
- HKLM-Classes\MIME\Database\Charset\windows-1252
- HKLM-Classes\Record\{EDC0F462-DD4C-3B7E-854D-08A904C8C9C1}
- HKU-Classes\CLSID\{CAFEEFAC-0018-0000-0087-ABCDEFFEDCBB}\InprocServer32
- HKU-Classes\CLSID\{CAFEEFAC-0018-0000-0138-ABCDEFFEDCBB}\InprocServer32
- HKLM-Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\ProgIDs\AppXmgw6pxxs62rbgfp9petmdyb4fx7rnd4k
- HKLM-Classes\WOW6432Node\CLSID\{00020821-0000-0000-C000-000000000046}\InprocServer32\15.0.0.0
- HKLM-Classes\CLSID\{6E182020-F460-11CE-9BCD-00AA00608E01}\DefaultIcon
- HKU-Classes\CLSID\{CAFEEFAC-0017-0000-0277-ABCDEFFEDCBC}
- HKLM-Classes\CLSID\{EA7BAE71-FB3B-11CD-A903-00AA00510EA3}\Insertable
- HKLM-Classes\Package2\protocol\StdFileEditing\verb\0
- HKLM-Classes\WOW6432Node\Interface\{21277446-C556-5FCF-8D2D-F2CD061F2603}\ProxyStubClsid32
- HKLM-Classes\WOW6432Node\Interface\{51973C2E-CB0C-11D0-B5C9-00A0244A0E7A}
- HKLM-Classes\CLSID\{04082FC6-E032-49F2-A263-FE64E9DA1FA3}\Version
- HKU-Classes\CLSID\{CAFEEFAC-0014-0002-0097-ABCDEFFEDCBA}\InprocServer32
- HKLM-Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\OLEScript
- HKLM-Classes\Interface\{C987A3FC-A6E7-4ED2-AED8-A08C3E1CC6DE}
- HKLM-Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{1643E180-90F5-11CE-97D5-00AA0055595A}
- HKU-Classes\CLSID\{CAFEEFAC-0015-0000-0086-ABCDEFFEDCBC}
- HKU-Classes\CLSID\{CAFEEFAC-0017-0000-0110-ABCDEFFEDCBC}\InprocServer32
- HKLM-Classes\CLSID\{DC020317-E6E2-4A62-B9FA-B3EFE16626F4}\InprocHandler32
- HKLM-Classes\Record\{9ACD172F-3D05-35A1-B935-A87578569EA1}
- HKLM-Classes\WOW6432Node\CLSID\{00020821-0000-0000-C000-000000000046}\DataFormats
Note: the deleted keys span unrelated products (Office and OLE class registrations, VLC, the Java Plug-in {CAFEEFAC-...} CLSIDs, the Google and Edge updater COM classes, MIME and packaged-app extension records). That spread is the pattern of a bulk deletion of the Classes hive, not a targeted COM hijack. 64 is also the largest count any signature on this page reports (WriteProcessMemory shows exactly 64 too), which suggests a per-signature display cap; assume the real number of deletions is higher. The reg.exe command lines that would confirm the scope are not in the part of the process tree reproduced here.
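The rows under "Checks computer location settings", "Modifies system executable filetype association", "Writes to the Master Boot Record (MBR)" and this section all have the same shape (action, path, process), and the useful triage step is to sort them by what they do and who did them so that browser and logon-screen noise drops out. The Python below is an added example for this page, not tooling from the sandbox or code from the sample: the event lines are constructed from IoC rows on this page, and the rule set, severity levels and list of noise processes are the editor's assumptions.

```python
"""Classify sandbox IoC rows (action|path|process); added example, not sandbox logic."""
import re
from collections import Counter, defaultdict

# ProgIDs whose shell verbs Explorer needs to launch programs and shortcuts.
EXEC_PROGIDS = ("exefile", "batfile", "comfile", "piffile", "lnkfile")

# Processes whose low-severity hits are expected in this run: the browser that
# fetched the sample and the logon screen.  Assumption made for this example.
NOISE_PROCESSES = {"msedge.exe", "identity_helper.exe", "LogonUI.exe"}

# "[\\_]classes\\" matches both HKLM\SOFTWARE\Classes\ and HKU\<SID>_Classes\.
_EXEC_ASSOC = re.compile(r"[\\_]classes\\(" + "|".join(EXEC_PROGIDS) + r")(?:\\|$)", re.I)
_ANY_CLASSES = re.compile(r"[\\_]classes\\", re.I)
_RAW_DISK = re.compile(r"^\\\?\?\\physicaldrive\d+$", re.I)
_GEO_NATION = re.compile(r"\\control panel\\international\\geo\\nation$", re.I)
_NTFS_ADS = re.compile(r"^[a-z]:\\.*:[^\\:]+$", re.I)

# (rule name, severity, predicate).  The first matching rule wins, so the
# specific executable-association rule must precede the generic Classes rule.
RULES = [
    ("raw_disk_write", "high",
     lambda a, p: a.startswith("File opened for modification") and bool(_RAW_DISK.match(p))),
    ("exec_assoc_deleted", "high",
     lambda a, p: a == "Key deleted" and bool(_EXEC_ASSOC.search(p))),
    ("hkcr_key_deleted", "medium",
     lambda a, p: a == "Key deleted" and bool(_ANY_CLASSES.search(p))),
    ("geofence_lookup", "medium",
     lambda a, p: a.startswith("Key value queried") and bool(_GEO_NATION.search(p))),
    ("ntfs_ads_write", "info",
     lambda a, p: a.startswith("File opened") and bool(_NTFS_ADS.match(p))),
]

# Constructed rows; each one is copied from an IoC line in this report.
SAMPLE_EVENTS = [
    r"Key value queried|\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation|TrojanXD.exe",
    r"File opened for modification|\??\PhysicalDrive0|TrojanXD.exe",
    r"Key deleted|\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command|reg.exe",
    r"Key deleted|\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command|reg.exe",
    r"Key deleted|\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\lnkfile\shellex\ContextMenuHandlers|reg.exe",
    r"Key deleted|\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{914934F3-5A91-11CF-8700-00AA0060263B}\TypeLib|reg.exe",
    r"Key value queried|\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer|msedge.exe",
    r"Set value (int)|\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor|LogonUI.exe",
    r"File opened for modification|C:\Users\Admin\Downloads\Unconfirmed 31341.crdownload:SmartScreen|msedge.exe",
]


def parse_event(line: str) -> tuple[str, str, str]:
    """Split 'action|path|process'; a row with fewer than three fields raises."""
    action, path, process = (part.strip() for part in line.split("|", 2))
    return action, path, process


def classify(action: str, path: str):
    """Return (rule name, severity) for the first matching rule, else None."""
    for name, severity, pred in RULES:
        if pred(action, path):
            return name, severity
    return None


def triage(lines) -> dict:
    """Map each process to a Counter of rule hits, dropping info-level hits
    from the processes listed as noise."""
    hits = defaultdict(Counter)
    for line in lines:
        action, path, process = parse_event(line)
        match = classify(action, path)
        if match is None:
            continue
        name, severity = match
        if process in NOISE_PROCESSES and severity == "info":
            continue
        hits[process][name] += 1
    return dict(hits)


def verdict(hits: dict) -> str:
    """'destructive' if any high-severity rule fired, 'suspicious' if anything
    else fired, otherwise 'clean'."""
    high = {name for name, severity, _ in RULES if severity == "high"}
    fired = {name for counter in hits.values() for name in counter}
    if fired & high:
        return "destructive"
    return "suspicious" if fired else "clean"


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for process, counter in result.items():
        print(process, dict(counter))
    print("verdict:", verdict(result))
```

Run against the nine constructed rows, the browser and LogonUI entries disappear, reg.exe is left with three executable-association deletions and one generic Classes deletion, and TrojanXD.exe with the geofence lookup and the raw disk open; the two high-severity rules drive the verdict. To use it on a real export, feed it rows in the same three-field form and extend RULES rather than editing the predicates in place.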
NTFS ADS (2 IoCs)
- File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 319699.crdownload:SmartScreen (msedge.exe)
- File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 31341.crdownload:SmartScreen (msedge.exe)
Note: the :SmartScreen stream is written by Edge itself on every download, so these two rows show two files being fetched from the Drive link; they are not the sample hiding data in alternate streams.
Suspicious behavior: EnumeratesProcesses (14 IoCs)
- PID 3924 msedge.exe (2), PID 2328 msedge.exe (2), PID 2840 identity_helper.exe (2), PID 3704 msedge.exe (4), PID 4924 msedge.exe (2), PID 2284 msedge.exe (2)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (18 IoCs)
- PID 2328 msedge.exe (18)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 2132 TrojanXD.exe (2)

Suspicious use of FindShellTrayWindow (46 IoCs)
- PID 2328 msedge.exe (46)

Suspicious use of SendNotifyMessage (24 IoCs)
- PID 2328 msedge.exe (24)

Suspicious use of SetWindowsHookEx (1 IoC)
- PID 2128 LogonUI.exe

Suspicious use of WriteProcessMemory (64 IoCs)
- All 64 entries are PID 2328 (msedge.exe) writing into its own child processes, in this order: 3156 (procid_target 82, 2 entries), 2248 (procid_target 83), 3924 (procid_target 84, 2 entries) and 1972 (procid_target 85); the writes into 2248 and 1972 account for the remaining 60 entries.
Note: of all the "Suspicious" rows above, only the SeDebugPrivilege entry is attributable to the sample. Enabling SeDebugPrivilege is the usual prelude to opening other processes and only succeeds in a token that holds the privilege (by default, members of Administrators). The msedge.exe entries are the browser's normal multi-process start-up; a parent writing into children it has just created is consistent with the Chromium sandbox broker configuring them, not with injection.
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.

Note: no IoC rows are attached to these three signatures on the page, so from this report alone they cannot be tied to TrojanXD.exe rather than to a system component. Shadow-copy access next to an MBR write is still worth checking in the full event log for snapshot deletion before anything is restored from the guest.
Processes
The portion of the tree reproduced here contains only the Microsoft Edge processes spawned to open the submitted Drive link; TrojanXD.exe (PID 2132), reg.exe and LogonUI.exe (PID 2128) appear in the signatures above but not in this part of the tree. The root is at depth 1; every other entry is a child of PID 2328.

- PID 2328 (depth 1): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/file/d/1ffD1rFoAotXLVN39Ws4JvLEiwaixrBFx/view?usp=drive_link
  Signatures: Enumerates system info in registry; NTFS ADS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - PID 3156 (crashpad handler): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9264246f8,0x7ff926424708,0x7ff926424718
  - PID 2248 (GPU process): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,15076476873936008243,6014151470283294757,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  - PID 3924 (network service): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,15076476873936008243,6014151470283294757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 1972 (storage service): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,15076476873936008243,6014151470283294757,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8
  - PID 4060 (renderer): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15076476873936008243,6014151470283294757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  - PID 4708 (renderer): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15076476873936008243,6014151470283294757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  - PID 3320 (identity helper): "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,15076476873936008243,6014151470283294757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4048 /prefetch:8
  - PID 2840 (identity helper): "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,15076476873936008243,6014151470283294757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4048 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 936 (renderer): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15076476873936008243,6014151470283294757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  - PID 4484 (renderer): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15076476873936008243,6014151470283294757,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
  - PID 2976 (renderer): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15076476873936008243,6014151470283294757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
  - PID 3208 (renderer): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15076476873936008243,6014151470283294757,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
  - PID 3388 (renderer): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15076476873936008243,6014151470283294757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
  - PID 3196 (renderer): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15076476873936008243,6014151470283294757,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
  - PID 1232 (renderer): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15076476873936008243,6014151470283294757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  - PID 3704 (GPU process): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,15076476873936008243,6014151470283294757,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1884 /prefetch:2
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 1084 (renderer): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15076476873936008243,6014151470283294757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  - PID 4416 (renderer): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15076476873936008243,6014151470283294757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1708 /prefetch:1
  - PID 4392 (renderer): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15076476873936008243,6014151470283294757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  - PID 2252 (renderer): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15076476873936008243,6014151470283294757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
  - PID 824 (renderer): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15076476873936008243,6014151470283294757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
  - PID 2356 (collections utility): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,15076476873936008243,6014151470283294757,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6128 /prefetch:8
  - PID 1684 (renderer): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15076476873936008243,6014151470283294757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
  - PID 2388 (icon reader utility): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2128,15076476873936008243,6014151470283294757,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6520 /prefetch:8
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15076476873936008243,6014151470283294757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6536 /prefetch:12⤵PID:2024
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2128,15076476873936008243,6014151470283294757,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5876 /prefetch:82⤵PID:4672
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15076476873936008243,6014151470283294757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:12⤵PID:2632
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15076476873936008243,6014151470283294757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:12⤵PID:3196
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,15076476873936008243,6014151470283294757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6116 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4924
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,15076476873936008243,6014151470283294757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6116 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2284
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3264
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3572
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2040
-
C:\Users\Admin\Downloads\TrojanXD.exe"C:\Users\Admin\Downloads\TrojanXD.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
PID:2132 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k reg delete HKCR /f2⤵PID:4608
-
C:\Windows\system32\reg.exereg delete HKCR /f3⤵
- Modifies system executable filetype association
- Modifies registry class
PID:4924
-
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa394c055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2128
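The destructive step in the tree above is a three-process chain: TrojanXD.exe, launched from the user's Downloads folder, starts cmd.exe with `/k reg delete HKCR /f`, and the resulting reg.exe deletes the whole HKEY_CLASSES_ROOT hive with no subkey path, which is what the "Modifies system executable filetype association" and "Modifies registry class" signatures are reacting to. The following Python is an added example and is not part of the sandbox report or of any vendor tooling. It runs a small detector over constructed process-creation events modeled on the tree: it flags any `reg delete` whose target is a bare hive root, and any `reg delete` whose ancestry includes an executable under `\Downloads\`. The field names (seq, pid, ppid, image, cmdline), the parent PIDs (the report shows tree depth, not PPIDs) and the benign fifth event are assumptions. One caveat the tree itself illustrates: PID 4924 appears twice, first as an Edge quarantine utility and later as reg.exe, so the example resolves a parent by creation order rather than by PID alone.

```python
"""Flag `reg delete <hive root> /f` and reg.exe chains rooted in Downloads.

Added example modeled on the sandbox process tree; not the report's own code.
Field names, parent PIDs and the benign event 5 are assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    seq: int       # creation order; needed because PIDs are reused (4924 above)
    pid: int
    ppid: int      # assumed field: map to Sysmon ParentProcessId / 4688 Creator PID
    image: str
    cmdline: str


# Hive roots as reg.exe accepts them; `reg delete` on one of these wipes the hive.
HIVE_ROOTS = {
    "HKCR", "HKEY_CLASSES_ROOT", "HKLM", "HKEY_LOCAL_MACHINE",
    "HKCU", "HKEY_CURRENT_USER", "HKU", "HKEY_USERS",
    "HKCC", "HKEY_CURRENT_CONFIG",
}

EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

# Constructed events. PPIDs 1000 (Edge browser process), 900 (explorer.exe) and
# 4000 (an admin script) are assumptions; event 5 is a benign control case.
SAMPLE_EVENTS = [
    ProcEvent(1, 4924, 1000, EDGE,
              f'"{EDGE}" --type=utility --utility-sub-type=quarantine.mojom.Quarantine'),
    ProcEvent(2, 2132, 900, r"C:\Users\Admin\Downloads\TrojanXD.exe",
              r'"C:\Users\Admin\Downloads\TrojanXD.exe"'),
    ProcEvent(3, 4608, 2132, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /k reg delete HKCR /f'),
    ProcEvent(4, 4924, 4608, r"C:\Windows\system32\reg.exe",
              "reg delete HKCR /f"),                       # PID 4924 reused here
    ProcEvent(5, 5100, 4000, r"C:\Windows\system32\reg.exe",
              r'reg delete "HKCU\Software\Example\Stale" /f'),
]


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def reg_delete_target(cmdline: str) -> Optional[str]:
    """Key named after the `delete` verb on a reg.exe command line, else None."""
    toks = [t.strip('"') for t in cmdline.split()]
    low = [t.lower() for t in toks]
    if "delete" not in low:
        return None
    i = low.index("delete")
    return toks[i + 1] if i + 1 < len(toks) else None


def is_hive_root(key: str) -> bool:
    """True when the key is a bare hive name (no subkey path)."""
    return key.rstrip("\\").upper() in HIVE_ROOTS


def parent_of(events, child: ProcEvent) -> Optional[ProcEvent]:
    """Latest event with pid == child.ppid created before the child.

    Matching on PID alone picks the wrong process once a PID has been reused.
    """
    cands = [e for e in events if e.pid == child.ppid and e.seq < child.seq]
    return max(cands, key=lambda e: e.seq) if cands else None


def ancestry(events, child: ProcEvent) -> list:
    """Process chain from the child up to the last known ancestor (child first)."""
    chain, cur = [child], child
    while (cur := parent_of(events, cur)) is not None:   # seq strictly decreases
        chain.append(cur)
    return chain


def analyze(events) -> list:
    findings = []
    for e in sorted(events, key=lambda x: x.seq):
        if basename(e.image) != "reg.exe":
            continue
        target = reg_delete_target(e.cmdline)
        if target is None:
            continue
        forced = "/f" in e.cmdline.lower().split()
        chain = ancestry(events, e)
        base = {"pid": e.pid, "target": target, "forced": forced,
                "chain": [basename(p.image) for p in chain]}
        if is_hive_root(target):
            findings.append({"rule": "reg_delete_hive_root", **base})
        if any("\\downloads\\" in p.image.lower() for p in chain[1:]):
            findings.append({"rule": "reg_delete_from_downloads_ancestor", **base})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["rule"], f["pid"], f["target"], " <- ".join(f["chain"]))
```

Both rules fire on event 4 and neither fires on event 5, which deletes a single subkey from an unrelated parent. The ancestry walk stops at the first PID with no recorded creation event, so the chain is only as deep as your telemetry; on a real host the parent of TrojanXD.exe would normally be explorer.exe, and the Edge download that preceded it is a separate file-creation event rather than a process ancestor.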
Network
MITRE ATT&CK Enterprise v15
Persistence
- Event Triggered Execution (2): Change Default File Association (1), Component Object Model Hijacking (1)
- Pre-OS Boot (1): Bootkit (1)
Privilege Escalation
- Event Triggered Execution (2): Change Default File Association (1), Component Object Model Hijacking (1)
Downloads
-
Filesize: 152B
MD5: fab8d8d865e33fe195732aa7dcb91c30
SHA1: 2637e832f38acc70af3e511f5eba80fbd7461f2c
SHA256: 1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea
SHA512: 39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43
-
Filesize: 152B
MD5: 36988ca14952e1848e81a959880ea217
SHA1: a0482ef725657760502c2d1a5abe0bb37aebaadb
SHA256: d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6
SHA512: d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\19f1c688-2141-493d-b477-6cc8b075d8af.tmp
Filesize: 6KB
MD5: 5e3d61cc48d2a5ce7f117dc0b2fd9b59
SHA1: 0fbee612bfba3b463a6f7b430ca2ce887b348ed1
SHA256: 2572ad69c7b27adf6bc907533a2958349dbf52cdfdfe6d9c048961b6d7b4e5f9
SHA512: df077bdd9956ad886c2b78bb05739d80ed7e6ad47f4e6332cb7ccef1135bb8ef555adb0a756c990543c5ce90cf143c92306348d6cf4a6fe9ec3a73cda6505961
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 480B
MD5: 71e38a384bad4bc6b71ad4e31ec8185f
SHA1: ae045f56acd0cfa87f51faadb8a1204ac94612d3
SHA256: 900547b35dff0cfaab67d6a0bff863362e83dc5e10dd43b91b71d63d8bb8e868
SHA512: b639c5b793f288d9c5990e06e2d2c83709675d2885d2056feeae45cebbf86cd508062a3ce8154ae83a09f56f5f167d67df1faeb097334fce76d3390c970671b3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 336B
MD5: 08ec6040c1ae5caf2792ea69225c4334
SHA1: 5c1dc1cd0928044d2b7b3e70e1a29cd122b39cb4
SHA256: f4e84383d4c788399cd1c0fddde90e49d608703f552dcd7e8e98375cf3977248
SHA512: 5d60be74363edd19847aba502c9793668c1086f3212a459e7ad364bae6907a17c6fb6575ef97b79b60c0842448a03d9face633d9598ec1e1da00edf21964dd42
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 864B
MD5: 9508bf3cc94f04138444dc806e517237
SHA1: f1676d4617a9a6526c715fb88b68cb959108a86a
SHA256: bcb1747f7b009eaae9bb1f4fb2c78c1efdea731c90265ad1a5576975e1d6c72c
SHA512: c1153de4cfdb0d0cdfe5f0b8c633c3af833952639420d0bcdf31c0a12889c7e0ff2c13e3832cc9d214bc70477c239c5e68b5f5d6781a2ee16b027bf0badbce33
-
Filesize: 1KB
MD5: 12eb70283d8a070e3434914204ed0edf
SHA1: b80cc1cf4784f5f5f3afe9e254cb7d61ba3c5809
SHA256: 8ac72e8bfb64ab9639405dfba8fb9378c37f6f7d54d6fa391bcc5ceb5c9fbc55
SHA512: bacf6f4bcf748334a2449948dfa4e2c2b7bd50acce00b80584b1bad92deb1369fc24a537ec504261ad3581c926d2fee5b8b0db41c94bde9ff0e52c19ecff6be3
-
Filesize: 3KB
MD5: b73747f5f5a6445ee5cb8b80c80cf98b
SHA1: 4a0b2428477151d3e8316887c5e44819a494569b
SHA256: a65631668bcb3386f37c11106af6f4c643d9830a7f97ae323686667b9b9f6855
SHA512: 18ca7cd2ff43fbcb942c8962f94f00c0441f8e4c8f7d199e6952bce4377e89903e16d73b5a6aa75869df7f5677253c6606f79f04bd69470c8dbf1c5327da7488
-
Filesize: 8KB
MD5: 0d8428999579ab6467cde666bc320359
SHA1: 975b63ca8d9e61b66501643f4d9f4d72d99c7ad7
SHA256: 5196369f778fa253c22a17c7ac6c635874d640d6429031244e0fa58215d2833e
SHA512: 03f5b27a0da9fbdd59118b41ec1373033d18cf56272b99a5dfeab66f818672ffef188769072e799de418722aa640cb26c27dc48db7920a2d227f6ce742247c46
-
Filesize: 7KB
MD5: f69d4d7446493186216cce91b5ad7519
SHA1: 97e4ce35167ebb1a8a1827177abd3fb7eedee1a6
SHA256: 20078208c963234f8767ab465db56cf80691aaba9e004611bdf6938c8ce24f62
SHA512: e6e81165b1ae81b50fcbe7865e8cce819562ec7e73bc9f5ec6a652cad7d91293e961c87d23d0c5777de2d12538a173800f6eeb940d4b965808af5b35728b4beb
-
Filesize: 8KB
MD5: 726d462dd329656fb3fc7e98988bbf28
SHA1: 924639d9574e9eeb83d66cd7ce05ccace97f5030
SHA256: a5ab0ae3ec08c81a747cfda6c17c6cd72e680f445574b17312ac4eff72cd0a34
SHA512: 78b45b6fb943fa0002601a0cba435209ca4339a533652f4ec692fa2a299fb638cf15f3a05adf96a8325586dfcf0e57b5be4898adfdcd8769f14434a9b7ec9730
-
Filesize: 7KB
MD5: 3a1bf1728e0627b55a8dc50d83a79d1a
SHA1: fa7a1739422e7a5bd620fa1dcd67091a185017f2
SHA256: 1b024e687e10aeef47a22bbf868096d7f06afda617d041453e1cd7825a67eb69
SHA512: 07cd248b9b39b2d02ad0935cbb47f10c5268084cb81a23cdb1714a170b667b4cb0873346388ff17db6ca6a79528ddce2e27a577cb4899dc673caac3ff9d15e71
-
Filesize: 5KB
MD5: 1f7293b36bbc5e30ed40e7a21f4e6d14
SHA1: 1b038329b8571e9c02caacec8ea744011c289106
SHA256: 448e91aaec9dc1c1d0c037ef60b521a8e019a01b08fd26d07261642c328703f4
SHA512: 371624c84240ef5d18abbbb954642472434632eb2714289bf0b0aae77d27dcdfc3a371a230557aac4b3557ccb73961a5114e4a190107e6a112aefb14dd4922c0
-
Filesize: 8KB
MD5: 04e8048370645c6a21af5c57ada39d93
SHA1: f8773eae503c4dc418a7b9bc120c8cdd409d13c9
SHA256: f9b9d99257088e7285171898d89a3c174b85c3c95eeec78a6c8fa3295e678151
SHA512: 6a8fdff9f9b06b32c5f5daa2697e37fe607e85f8557b00944c26b878fcd5fcf451100e7144d922b24bf50e45beedc99a149918c08e7cb926d8783ce1b8f69fba
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize: 72B
MD5: 65ec1a65a5cb51fc7fc24f39932062be
SHA1: 8a33a4c9964a655ef696339dfd62722855cc9958
SHA256: 5e14fbd55a640a61fb44071c30dd09909e476d808d180bc633adea0591b0ccf4
SHA512: 3754be6de0d145adaec30055e2d4ce73619da0f40cde3e21f4029970642b5e4f2d97b3e1acdb4d2585d0e6791e25aca08f83e0d7350527f86cc5bc27511a0fd0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5a34cd.TMP
Filesize: 48B
MD5: e3cca977dab0ca2dc9491096154dd491
SHA1: ba6391e8c1cdd1dce6332fa313635d8a37423ae2
SHA256: 5abef295e91837f895e01745bf8a773b5d8107377aa572060c5ea1dbc7a446ab
SHA512: 0bf093c10603e271b2e4bd69134ed5760a64582c58c9d333cad07224f511579fd5f6719c86daec09a94bddeeb1b990426da9926d6f45edeae3ee63ee56962a62
-
Filesize: 203B
MD5: 4a59d28b08eb6b78cf87c8db38d4b1e4
SHA1: a526ace6810fa1dc2e26286a8d9b221bb5259960
SHA256: d3bf456d4ec44f67ef661b5461e96d821c8c97e576598f2ba4d87de1d7908a3d
SHA512: f626b020a961aca462de492bab2d5dff60e103535c1ff8b2d701ff73c01bb248ccf8c2493431da9920985a4089eebe9a50b4ff7d605679339ce1396adf9339d2
-
Filesize: 203B
MD5: 68f833c9377b8150a41924d8a443a935
SHA1: 47410ded508df320024c448e7a51c49c618f9cb7
SHA256: 144e01b632e31f38fe50ddea59d22770d38e9c9825914d21c757664e4c0d4e8e
SHA512: d2c65e49f622892a47da5c75ff8e4414d18711e71fb9630e5aee8e8122ec62ede89aad35bd38d24a5047be7a2beaa2d8ce4d923fb63244f3b9ed3d6557037bae
-
Filesize: 370B
MD5: 1018b0482387e7c692928dae8fcccdf3
SHA1: 49c8914e83fb66a98f1944e6e9070fd28808eaf6
SHA256: 50c4fb9d80d897be648b94e79e456f228b0672e6ac778b8f96454f33a76e8e68
SHA512: 7b00a65048dd42f2bdbedd4ebda6c4bfffb3d7f1442c7aee24345b75168b1b9be879125d71af71bc468c7a65de919f4998918e0558eb651d57cc3f2dec8efd19
-
Filesize: 203B
MD5: 7372d0a5a11b99b02ed564aa16f046dd
SHA1: 7838678f1587e4d5a3381e4a2c45371115efe640
SHA256: 0490d7b7cafaf475947bedb2f9e688833e71be89b7de8202b65672484ef1f3ac
SHA512: 02d1552717ff578fe6fbe54436601452394ba52b72383f06c9cab93a013547e232956633eb20c9a5098dc7ab0e3dd5f3b1476b10842409aad6565a54d0aa04f2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\b4e6dcd7-743d-4719-9fd9-fa30e95910be.tmp
Filesize: 6KB
MD5: ee226c4336bb6935644cf67cf2f2d800
SHA1: cac74bf37062916478a85da7f981dfdc00a3e610
SHA256: 2268ed701200885c643ccabeada4e99118d4c956fb93b433f97781e583b7840e
SHA512: 695ff402178bb1a8bd535b7ca619b3f75655c3078686cadcf8f0828633d3346d0b235a3a975b37f36b707460963a8ad47044e3594b83bde3fa75f1fb9606c3ee
-
Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\fb4ff223-deeb-4a8b-a9f9-139c7aa844e2.tmp
Filesize: 1KB
MD5: 4168e79f7fbd8e59e778ca2b8c07b341
SHA1: c2e5c433a08c3ac4a777d87c5bd67922b3d179da
SHA256: a3d3f2180314d630ce67f534a647c5125abde0998f90b9a3ee270c27403093ab
SHA512: 526c4c66d73fed388f0bf27331ff2a6201540a363ca4c6a48c70c20555254a1063ac69356a1be8dbd8db8cffdd029d98a6c0d70742291c96b2a9873ee2f4dd1b
-
Filesize: 11KB
MD5: 4c1b3fbf3d3f92fe43e39c1b8a5b6fad
SHA1: 700c043d4e882535d4c9e4e2acfbba161d01bef4
SHA256: 83840f7c1a0ffab97e6238ea680f97e3932d469d5d519c7de60fdaa512593d40
SHA512: dad5f561b9d875ecec64a9a71838110b13b38aab5bdb56bd87e0663e1b13805ba46f8aecc2722de7752d35786db6a9a7300957fe96e9ed77fb5ef7a58323b073
-
Filesize: 11KB
MD5: 25cb4c3a165cfc8226e42b03807f00f5
SHA1: ca62f0790039c4fbaa199581285cbfe54f5b73fa
SHA256: 399a8d9dd5d6d11f5c5b2a08bd8d69bb58ec564de3286547825598aee2aebf15
SHA512: 304cbdd1e503c072fadfc3070ae564c5593e5dbfc0efdf46eb4528723dd8c44e21367cad461d2c3425e60525853be2bfbd708576dd35d1b68722bfbff6f4c033
-
Filesize: 10KB
MD5: da4d939d870d0becb4d6569bd5b059bf
SHA1: 9413129c56088887ba17aef6d2207d2a0a84e16a
SHA256: 1cd13bfe481ed73a717d55fcf350304160b66e7519cfb8b4885e582e8474dad6
SHA512: ceaa461b9607c30ad576f6e29e0cc746bd20cf1ead3fd7825c4d6747b1d81846b37263deae49444ed97d2bf557499a982eb52e316eeb789bc93c3231108e6676
-
Filesize: 65KB
MD5: daf8e657594e3508092305d9de8d3c4c
SHA1: 0d621eb9e050603b0984ab89ed0d65f0a0c0d815
SHA256: 4b6950450ebfa04424f3a228a2d3a0a1bb09f4b008fce1819801047495d7d628
SHA512: 2e7a7b0d571ba25cf5a298c0e4ccfb05cec12205b71c296e7e3cd33265367dc4c8035748f6f13095510f2f377fa012b6c47b28cd88b1092af497a961a812f518
-
Filesize: 14KB
MD5: 5d378dd85c69005b9d53fddf53d3b679
SHA1: 0e4fa453f1f1895398dd6679c7c911d5156048c9
SHA256: f58a21eced86f6434208da0994abaec74bcf14c90721478b4c9eeaca5b95830c
SHA512: 4b3b3b587bf0f84336672d78b6191539ba68046fc016d35fed052ef90ba36ef93904ffcadd2fd9192b26f29952f98dbbc72a5f90a789e5cb87758ef19d30fd20