Resubmissions
08-01-2025 18:40
250108-xbd17aykfw 808-01-2025 18:37
250108-w9j5esyjhs 708-01-2025 18:34
250108-w7sc1syjbv 708-01-2025 18:21
250108-wze3qaxqc1 808-01-2025 18:16
250108-wwrmcazpgj 808-01-2025 17:08
250108-vnxyqawpbx 708-01-2025 17:05
250108-vl8mfaynhq 708-01-2025 17:02
250108-vj3neawndw 708-01-2025 16:58
250108-vhaw1ayncm 6Analysis
-
max time kernel
141s -
max time network
141s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241211-en -
resource tags
-
submitted
08-01-2025 17:02
Errors
General
-
Target
https://malwarewatch.org
Malware Config
Signatures
-
A potential corporate email address has been identified in the URL: [email protected]
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 4 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of FindShellTrayWindow 60 IoCs
-
Suspicious use of SendNotifyMessage 51 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://malwarewatch.org1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ff8580d46f8,0x7ff8580d4708,0x7ff8580d47182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,7546564033505636419,2299785928761135461,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,7546564033505636419,2299785928761135461,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,7546564033505636419,2299785928761135461,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7546564033505636419,2299785928761135461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7546564033505636419,2299785928761135461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7546564033505636419,2299785928761135461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,7546564033505636419,2299785928761135461,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6016 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings2⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff644655460,0x7ff644655470,0x7ff6446554803⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,7546564033505636419,2299785928761135461,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6016 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7546564033505636419,2299785928761135461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7546564033505636419,2299785928761135461,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7546564033505636419,2299785928761135461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6432 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2104,7546564033505636419,2299785928761135461,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4248 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7546564033505636419,2299785928761135461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6412 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7546564033505636419,2299785928761135461,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,7546564033505636419,2299785928761135461,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6092 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7546564033505636419,2299785928761135461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2764 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,7546564033505636419,2299785928761135461,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6748 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7546564033505636419,2299785928761135461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7546564033505636419,2299785928761135461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7546564033505636419,2299785928761135461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6704 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,7546564033505636419,2299785928761135461,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6224 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7546564033505636419,2299785928761135461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,7546564033505636419,2299785928761135461,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\b63c2592-99a9-4295-ae93-eaea12b26a22_MEMZ.zip.a22\[email protected]"C:\Users\Admin\AppData\Local\Temp\b63c2592-99a9-4295-ae93-eaea12b26a22_MEMZ.zip.a22\[email protected]"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\b63c2592-99a9-4295-ae93-eaea12b26a22_MEMZ.zip.a22\[email protected]"C:\Users\Admin\AppData\Local\Temp\b63c2592-99a9-4295-ae93-eaea12b26a22_MEMZ.zip.a22\[email protected]" /watchdog2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\b63c2592-99a9-4295-ae93-eaea12b26a22_MEMZ.zip.a22\[email protected]"C:\Users\Admin\AppData\Local\Temp\b63c2592-99a9-4295-ae93-eaea12b26a22_MEMZ.zip.a22\[email protected]" /watchdog2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\b63c2592-99a9-4295-ae93-eaea12b26a22_MEMZ.zip.a22\[email protected]"C:\Users\Admin\AppData\Local\Temp\b63c2592-99a9-4295-ae93-eaea12b26a22_MEMZ.zip.a22\[email protected]" /watchdog2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\b63c2592-99a9-4295-ae93-eaea12b26a22_MEMZ.zip.a22\[email protected]"C:\Users\Admin\AppData\Local\Temp\b63c2592-99a9-4295-ae93-eaea12b26a22_MEMZ.zip.a22\[email protected]" /watchdog2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\b63c2592-99a9-4295-ae93-eaea12b26a22_MEMZ.zip.a22\[email protected]"C:\Users\Admin\AppData\Local\Temp\b63c2592-99a9-4295-ae93-eaea12b26a22_MEMZ.zip.a22\[email protected]" /watchdog2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\b63c2592-99a9-4295-ae93-eaea12b26a22_MEMZ.zip.a22\[email protected]"C:\Users\Admin\AppData\Local\Temp\b63c2592-99a9-4295-ae93-eaea12b26a22_MEMZ.zip.a22\[email protected]" /main2⤵
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe" \note.txt3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=stanky+danky+maymays3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7ff8580d46f8,0x7ff8580d4708,0x7ff8580d47184⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+create+your+own+ransomware3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7ff8580d46f8,0x7ff8580d4708,0x7ff8580d47184⤵
-
-
-
-
C:\Windows\System32\oobe\UserOOBEBroker.exeC:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding1⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService1⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /61⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5e8978379b8b4dac705f196c82cddb401
SHA1873169c69e4aaa8c3e1da1c95f3fc6b005f63112
SHA25683528bc9af5e037e40f14bece26788301e4555a6164b31e6010d93d7d18f0afa
SHA5122d73194d03ea51d4154ee9556950dee1e666720c4b53fe671cf2e7647889d480c2941757d6b9b4c60a29a6799478450136f4847b0bec5d4b6aa630d9ca856308
-
Filesize
152B
MD5c8c74ab5c035388c9f8ca42d04225ed8
SHA11bb47394d88b472e3f163c39261a20b7a4aa3dc0
SHA256ea821d15371cdfef9f4c01c71fbe39f9db7bfd61e6a83e09b14886c5756cd9d9
SHA51288922af80d561b3cf10963160d245044554f9011e4aec4fd40c740b06e5e87e9bc16ed309e296f549d9244b6cc93f627d6dd010eb2d325b38cbb1d43d8b95157
-
Filesize
152B
MD55658ff31d231b00e0c37dc560602b600
SHA17372c6eb5d8425372172fde6f9aa7b601415024d
SHA256e5c7112d6fc42f3e052c399056d0da7345325e8f4690baf3a22c019874afdea1
SHA512c1b65e8be6e8964baa6bff259322db9f11951f9f1e0099ce3f8344fea36aeb6c19c5b40ee0d864f083a09db3cd47dbe76a1c0904be1cc290d5a1914194b413f9
-
Filesize
41KB
MD5ca9e4686e278b752e1dec522d6830b1f
SHA11129a37b84ee4708492f51323c90804bb0dfed64
SHA256b36086821f07e11041fc44b05d2cafe3fb756633e72b07da453c28bd4735ed26
SHA512600e5d6e1df68423976b1dcfa99e56cb8b8f5cd008d52482fefb086546256a9822025d75f5b286996b19ee1c7cd254f476abf4de0cf8c6205d9f7d5e49b80671
-
Filesize
215KB
MD5d79b35ccf8e6af6714eb612714349097
SHA1eb3ccc9ed29830df42f3fd129951cb8b791aaf98
SHA256c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365
SHA512f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a
-
Filesize
48B
MD582a3095d03f65d0875e7ac012d2fce32
SHA1608c646e0507d73980f62eea7f1e0c573d3ee2d3
SHA25635910b0c7d56bdbb6a82b2fe42c574cf401e6078738789099e91e606d575d85c
SHA512225b5977e691fe3c4e195be85929cb6ff5c6b1be22659134525e74fd0eb6a3250c3e09cee471ca719a594adcd7687f44cef3cc0e5827ba6b2a1c267e0a6834f4
-
Filesize
2KB
MD586968ca5154960db2fbeac791dcd8bc4
SHA137fc03b881e3a5a00e9dac180ea31a75564f0f27
SHA256089548fae8451b52d51b6153cdfd04a5e7fb7d052edec018059cb664479154bc
SHA512eefcac542978975e4ef47f0f174450a333f3a8b9495a24ff7b1c90973d9e8beba9644f43aa5d2fe90c5f237352927a0bab175856c8386c6ee8027f7235312bd3
-
Filesize
2KB
MD5f9ecd062e9bd4e812a37c7f99d4434c4
SHA14bc363ffb49aadae1c1d525b5790e03e99c5ae04
SHA2563315cd236bee97843648baa059f352caef43e3d0bfb886535c869f68fbcc20cd
SHA512b799e210d2c8f250f05a5544db3c3598b671bc1d5dcc1fb16d4dc8763de2bf416a85d77abd98f0d185c2bbeb45e5af94691c490dc05df8ddfe9bbe9c9923a5ee
-
Filesize
2KB
MD55325c188473102c1a2c07d052700d3ae
SHA1d225e89f92e580a62542f8626de57a44858d29ef
SHA256fe10b49b9f3a926385ec77fd8a5d231ce560a54237058a8092f621c1ce9a6610
SHA51243509f62c6429a4c0deb5eb30e287fa4dd0951a27b7ebdac45fb3ae2dfa5ea3a2b0155e84bd321f47b0da8cec10824a8e4fc02f332e977ccd58317869285c982
-
Filesize
70KB
MD5e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
Filesize
3KB
MD56d88c7c89603c9c306c3142e6e981848
SHA1122e1f2d50b6c526479ac6d4700002393f91bc03
SHA2562a6d9be4ccf7bdaf49db7edba24502419a2a6e859167b6a7ceaa003cbcff945a
SHA512b2cfb52ee2b86fedc4418cf4fa3d509131cd5259ed6a535f32572efa1d9500e5a12fa89b49d4c71a64e5c9c7035a0ee95116597413eea36bc7a057810e7f0faf
-
Filesize
59B
MD52800881c775077e1c4b6e06bf4676de4
SHA12873631068c8b3b9495638c865915be822442c8b
SHA256226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b
-
Filesize
7KB
MD570be2cd3878393dee8fe28875cb81b45
SHA1d1d19f31d309836b4f0f0314977b5889d1237fcb
SHA256d15fe186035e9f3ec59b1a745522fa6d386c0bf55f09a77684a9d08dd5c84af3
SHA51268fb5fb89a9792fa10f23afd862e1c9ae969b60b28dc1fc30df969b651847d7588a7350effb5407033749b315cd97a37e61cc40119230f84d732a03ed05fee0a
-
Filesize
5KB
MD5f85462c930e6b9b5d9304751485fc27c
SHA1c933249aee825731ebeae004f79f1a642770f70e
SHA256dfe13814d01c7c570d14e0deb243509de629a7500565c69e5c8cf15e596cce3c
SHA512e42434772b8e1801b2b4476b3b169784f0cf67d29b3b867853cac15eeca096d15c9f7907c31a89f0671f3ae977ec7547620ea0721e08f43c13fe26fe47c48599
-
Filesize
6KB
MD575006d42b92b98babbdda1e78b6446d1
SHA15df037a1c753773ff4ec635608d99c0a4b09f4e1
SHA256ebbdb4bd678d2b613a1a267948ec10d6b41c3f24cf01eefe0692a8d2a264a120
SHA51209b8a8726d82ef45dd84b66e81af3c45fd51bc4a954fbed03bb888dc713f59131ea61e2bf004f9ffd9f02c23ab3428d0677ae8dcb0430961918590085d5e5fe5
-
Filesize
7KB
MD5b0f3b955990f33551e3a38097adc2687
SHA196a2a903d306a8c517373d3fcee50508f88f6cfa
SHA256f29ed6b56e9bc41d88c282155759e7ea53c2d3de6a8b0302d694b91db40eaf5d
SHA512c8edc775b709b04374091463d104a321be4df543290be2d31b0fb820d4a0582882d6fa5598821c177a8d80a6de0c168f225f6475cfec446c252cb377cb038673
-
Filesize
24KB
MD555182d891d98ec9d988cec04bac8752d
SHA1e18a06e1498ff69c1c2697df7e195cf922a92e01
SHA25608dc082566b36f693f93e341a5eb4e93a95d5bfed35b952f5ddcf4a5d51e963d
SHA51235b9bf0c05da26bcebb4e259deca27c84e28521aff5a27af8205624581d1b0a7da6350ee7de0a2329c9cbc1d8cf205c1487638196232cbe794aaa91b0d86d0f7
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
1KB
MD59f3e28dd2c29f73a175111bb79552381
SHA1973f691f22c14e0fe1f19f141395ddf56fab4580
SHA2564e74061ca0f153240c851b5a476d8b607971e2d83a23848c2ad2e18b249ee83d
SHA5121ef60f2cbb39f6e178a097ce2d2b8c184effb8cfaff4e0f147239f87e4d040ee45d644bcce25ddb7e26df676e47f73d66d26319e3c6891981ae99bc6606acd38
-
Filesize
1KB
MD543c828bf2746321c3fb24426a5a6699e
SHA12c5127cc4b082d6f1bc09a24deee02f3596066af
SHA256f396a215c962fac4dd58e30dd0dd16f4f27b83ee60ee34607c3cadac2bd698af
SHA512a22ed82f665c74084dc862dce34c046deb17483817632b17047ffc80139752757f0ce55b5a5d5e314485caeae4b0687b9785249c9b49ce1a984e9f50225272ad
-
Filesize
1KB
MD5abffa16a5fd3be82f6c9c1a75642b350
SHA1a5376e7b8ea63057056c5905381437c5ab994d81
SHA256e59f57be4d9c5f8964835479752d0c9e8321be9dec79a5b803669d8efb04f1c0
SHA5129b764729d2d99766a6886ad6bf00535c1dbc998fcb940525b6bacddad7028a64090a6a72310fcd3c9ae247f0b96491fdc568c0df4cbdac7339cd309e1873b8fd
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
1KB
MD5e351f819fb66b1e30e3c1ddc155beec4
SHA1e35aec1e099d9d48971e545dfab55b314b47514b
SHA256569b49dda68e0817b8112d6d75a651cc1b3096db44a56b99fcc26536e131442f
SHA512c891735534d87b6b948c92439c8e611c7564bef9491b5030a9757def42f49bba3efbfb341fa0ab899e6ee3710c382967f786bf39d1c10333e25d54f90fc33aa3
-
Filesize
24KB
MD5671cfbd0275770e681ef4ede37140969
SHA1ac145dd046e86ab6aff6340664c509c4fd5f1746
SHA256dfafdb318c177ff96d9b85ed518f229398c3f5161f0ca48ff427516292b9d823
SHA512d76a8d3a91d1e5e84b35cfa815736c1d0bd7252381f4e540a8d7102385224167b995f698559c95fa18ed3a50e14a58fb0a96bcedb57d4770df50f98c6d331faf
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
11KB
MD54892a9eeb7c66800a7b35e3657f71ad9
SHA16b3be55ec5c6175eaba019effeb7c978e31fc601
SHA2564063578fcd8bb882a7cc9b141551037558c7ebf79724e2369437d60f27d71de3
SHA5127e716540837113cf6ba5edb4e69bbfaa5c8284b75f0c5133a734099601c69c5432e8eba9d60a2b469642cbe117cb56d545febc86131cd7e38677d8189f34cf29
-
Filesize
8KB
MD5c37b91c1aeb28eaf0bbf17517ebf53d2
SHA18074751aae339da34b1cd544b4d9548997ff0963
SHA256bae98672ddc1c57f31a514d1d8561e2ef36a15199412ccfdfa5ebfda25534b0a
SHA5124eeed826ada6d9f147a31e42f29aa59cd3b700ce4d925a831efba90646b7c145403c33b89d8830d8331b94e5db40fb1f60f36bf9b8c56aeca0b26a3b5ca9cedd
-
Filesize
10KB
MD59bc4d1094b2d229a5e69a818805c0b24
SHA1ac2308ef8c03682aac2f19f7c6d75a489c919353
SHA256bba3f56de4e67bbe3a4d6ea199f1cad60a6bb0688a20cca6550f828bf04f32a8
SHA512cf2a5328b5fba1f1424622ea4257a2d1f4fc036563c5ed414cac4776c7edc3d210991c8fa4fc8b12a72fa06bcf75e63d46e9ad50dcedda1491ca636aaa89450a
-
Filesize
3KB
MD5f20a0ba0544e3aad8e6cb3b78f2d5f3f
SHA11df9c25682f47b02f4ced601be55acb379d00308
SHA256b5f3729ee592df01938a59225e6a184ba401904c56ee4977f6c961d4f4447a55
SHA512618e2630a7ca5beb8e678a31006479cda88b5d449e40b42abc2ca58fdc5344db276d1b58f036b55eef48489aee824af60f47e622061b206aa87f8397945a593e
-
Filesize
3KB
MD532203dd712796ae959c03a68cf5b68a7
SHA1e06f0da4726a76a1d70c072d222e07c640605dd7
SHA256c1366c098ab6b1d851da4b4d212e827c9faffde3ee79e6e1f10d7252f2cbb9c2
SHA512d22f421445a6b911de45df006754988f556aba8640c60ac0f38bea5221622fd97f473bd541b52ba0fc5c37e8d70d94310581cc38fc17d1e99e8cd6ed575f2961
-
Filesize
8KB
MD569977a5d1c648976d47b69ea3aa8fcaa
SHA14630cc15000c0d3149350b9ecda6cfc8f402938a
SHA25661ca4d8dd992c763b47bebb9b5facb68a59ff0a594c2ff215aa4143b593ae9dc
SHA512ba0671c72cd4209fabe0ee241b71e95bd9d8e78d77a893c94f87de5735fd10ea8b389cf4c48462910042c312ddff2f527999cd2f845d0c19a8673dbceda369fd
-
Filesize
218B
MD5afa6955439b8d516721231029fb9ca1b
SHA1087a043cc123c0c0df2ffadcf8e71e3ac86bbae9
SHA2568e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270
SHA5125da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB