Analysis
max time kernel: 550s
max time network: 533s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/03/2025, 12:14
Behavioral task: behavioral1
Sample: Kaspersky.exe
Resource: win10v2004-20250314-en
General
Target: Kaspersky.exe
Size: 93KB
MD5: 3060fc299e17c7783df72a4e5f031f39
SHA1: 2b1a867cf9dd435670d3c638974b4ad3c4a6ac87
SHA256: cc3766508cfe6674d7c5a3008353ad24aa7e50c576a77b31e26985bd7aee5aa0
SHA512: 490a2728a54d021e2834332b8a1cc37475486794a2eef27c974a587ede72e1ca4672e3d0f05c646c954f4f4760c12a13f9cd901b816436ca20690ad14f904aa2
SSDEEP: 1536:HV/r7EkrjaFIs7E5OxzJn8njEwzGi1dDjDzgS:HV7jau5OVVLi1drs
Malware Config
Signatures
Detected Nirsoft tools 3 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource | yara_rule
behavioral1/memory/1688-185-0x0000000000820000-0x0000000000896000-memory.dmp | Nirsoft
behavioral1/files/0x000b000000024053-196.dat | Nirsoft
behavioral1/files/0x0007000000024064-201.dat | Nirsoft
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
resource | yara_rule
behavioral1/memory/1688-185-0x0000000000820000-0x0000000000896000-memory.dmp | WebBrowserPassView
behavioral1/files/0x0007000000024064-201.dat | WebBrowserPassView
Disables Task Manager via registry modification
Modifies Windows Firewall 2 TTPs 3 IoCs
pid | Process
632 | netsh.exe
1464 | netsh.exe
2260 | netsh.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation | Kaspersky.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation | server.exe
Executes dropped EXE 6 IoCs
pid | Process
4624 | server.exe
1688 | tmp2AB0.tmp.exe
4268 | ProduKey.exe
5096 | WebBrowserPassView.exe
1824 | tmp575E.tmp.bat
2768 | tmp6F2A.tmp.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow | ioc
29 | 7.tcp.eu.ngrok.io
93 | 7.tcp.eu.ngrok.io
Drops file in System32 directory 11 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat | svchost.exe
Drops file in Program Files directory 2 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Explower.exe | server.exe
File opened for modification | C:\Program Files (x86)\Explower.exe | server.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ProduKey.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WebBrowserPassView.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp575E.tmp.bat
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | server.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp2AB0.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp6F2A.tmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kaspersky.exe
Checks SCSI registry key(s) 3 TTPs 36 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | PaintStudio.View.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | PaintStudio.View.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | PaintStudio.View.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | PaintStudio.View.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | PaintStudio.View.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | PaintStudio.View.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | PaintStudio.View.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | PaintStudio.View.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | PaintStudio.View.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | PaintStudio.View.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | PaintStudio.View.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | PaintStudio.View.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | PaintStudio.View.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | PaintStudio.View.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | PaintStudio.View.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | PaintStudio.View.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | PaintStudio.View.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | PaintStudio.View.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | PaintStudio.View.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | PaintStudio.View.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | PaintStudio.View.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | PaintStudio.View.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | PaintStudio.View.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | PaintStudio.View.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | PaintStudio.View.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | PaintStudio.View.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | PaintStudio.View.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | PaintStudio.View.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | PaintStudio.View.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | PaintStudio.View.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | PaintStudio.View.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | PaintStudio.View.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | PaintStudio.View.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | PaintStudio.View.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | PaintStudio.View.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | PaintStudio.View.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | msedge.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Modifies data under HKEY_USERS 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133877245708442462" | msedge.exe
Modifies registry class 18 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | PaintStudio.View.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheVersion = "1" | PaintStudio.View.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1" | PaintStudio.View.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:" | PaintStudio.View.exe
Key created | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache | PaintStudio.View.exe
Key created | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies | PaintStudio.View.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheVersion = "1" | PaintStudio.View.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1" | PaintStudio.View.exe
Key created | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content | PaintStudio.View.exe
Key created | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings | PaintStudio.View.exe
Key created | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache | PaintStudio.View.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix | PaintStudio.View.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheVersion = "1" | PaintStudio.View.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "51200" | PaintStudio.View.exe
Key created | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History | PaintStudio.View.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3218366390-1258052702-4267193707-1000\{2BBBADFD-ED37-4654-A06F-7C8F95FEE9C8} | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings\MuiCache | PaintStudio.View.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
2392 | PaintStudio.View.exe
1312 | vlc.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4624 | server.exe   (64 identical entries)
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
4624 | server.exe
1312 | vlc.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
pid | Process
4964 | msedge.exe   (5 identical entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4624 | server.exe
Token: 33 | 4624 | server.exe
Token: SeIncBasePriorityPrivilege | 4624 | server.exe
Token: 33 | 4624 | server.exe
Token: SeIncBasePriorityPrivilege | 4624 | server.exe
Token: 33 | 4624 | server.exe
Token: SeIncBasePriorityPrivilege | 4624 | server.exe
Token: 33 | 4624 | server.exe
Token: SeIncBasePriorityPrivilege | 4624 | server.exe
Token: SeDebugPrivilege | 2392 | PaintStudio.View.exe   (3 identical entries)
(the remaining 52 entries alternate "Token: 33" and "Token: SeIncBasePriorityPrivilege", all for 4624 server.exe)
Suspicious use of FindShellTrayWindow 28 IoCs
pid | Process
1312 | vlc.exe   (21 identical entries)
4624 | server.exe   (4 identical entries)
4964 | msedge.exe   (3 identical entries)
Suspicious use of SendNotifyMessage 20 IoCs
pid | Process
1312 | vlc.exe   (20 identical entries)
Suspicious use of SetWindowsHookEx 3 IoCs
pid | Process
3892 | mspaint.exe
2392 | PaintStudio.View.exe
1312 | vlc.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4628 wrote to memory of 4624 | 4628 | Kaspersky.exe | 89   (3 identical entries)
PID 4624 wrote to memory of 632 | 4624 | server.exe | 90   (3 identical entries)
PID 4624 wrote to memory of 2260 | 4624 | server.exe | 100   (3 identical entries)
PID 4624 wrote to memory of 1464 | 4624 | server.exe | 101   (3 identical entries)
PID 4624 wrote to memory of 1688 | 4624 | server.exe | 123   (3 identical entries)
PID 1688 wrote to memory of 4268 | 1688 | tmp2AB0.tmp.exe | 124   (3 identical entries)
PID 1688 wrote to memory of 5096 | 1688 | tmp2AB0.tmp.exe | 125   (3 identical entries)
PID 4624 wrote to memory of 1824 | 4624 | server.exe | 126   (3 identical entries)
PID 4624 wrote to memory of 2768 | 4624 | server.exe | 129   (3 identical entries)
PID 4624 wrote to memory of 4964 | 4624 | server.exe | 132   (2 identical entries)
PID 4964 wrote to memory of 3172 | 4964 | msedge.exe | 133   (2 identical entries)
PID 4964 wrote to memory of 2908 | 4964 | msedge.exe | 134   (2 identical entries)
PID 4964 wrote to memory of 2060 | 4964 | msedge.exe | 135   (31 identical entries)
Processes
(process tree; [n] is the nesting depth, followed by the image path, the command line, the matched behaviours and the PID)

[1] C:\Users\Admin\AppData\Local\Temp\Kaspersky.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Kaspersky.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4628

  [2] C:\Users\Admin\server.exe
      command line: "C:\Users\Admin\server.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      PID: 4624

    [3] C:\Windows\SysWOW64\netsh.exe
        command line: netsh firewall add allowedprogram "C:\Users\Admin\server.exe" "server.exe" ENABLE
        - Modifies Windows Firewall
        - Event Triggered Execution: Netsh Helper DLL
        - System Location Discovery: System Language Discovery
        PID: 632

    [3] C:\Windows\SysWOW64\netsh.exe
        command line: netsh firewall delete allowedprogram "C:\Users\Admin\server.exe"
        - Modifies Windows Firewall
        - Event Triggered Execution: Netsh Helper DLL
        - System Location Discovery: System Language Discovery
        PID: 2260

    [3] C:\Windows\SysWOW64\netsh.exe
        command line: netsh firewall add allowedprogram "C:\Users\Admin\server.exe" "server.exe" ENABLE
        - Modifies Windows Firewall
        - Event Triggered Execution: Netsh Helper DLL
        - System Location Discovery: System Language Discovery
        PID: 1464

    [3] C:\Users\Admin\AppData\Local\Temp\tmp2AB0.tmp.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\tmp2AB0.tmp.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 1688

      [4] C:\Users\Admin\AppData\Local\Temp\ProduKey.exe
          command line: C:\Users\Admin\AppData\Local\Temp\\ProduKey.exe /stext C:\Users\Admin\AppData\Local\Temp\pass5.txt
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 4268

      [4] C:\Users\Admin\AppData\Local\Temp\WebBrowserPassView.exe
          command line: C:\Users\Admin\AppData\Local\Temp\\WebBrowserPassView.exe /stext C:\Users\Admin\AppData\Local\Temp\pass6.txt
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 5096

    [3] C:\Users\Admin\AppData\Local\Temp\tmp575E.tmp.bat
        command line: "C:\Users\Admin\AppData\Local\Temp\tmp575E.tmp.bat"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID: 1824

    [3] C:\Users\Admin\AppData\Local\Temp\tmp6F2A.tmp.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\tmp6F2A.tmp.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID: 2768

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.roblox.com/
        - Checks processor information in registry
        - Enumerates system info in registry
        - Modifies data under HKEY_USERS
        - Modifies registry class
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        PID: 4964

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x2f0,0x7ff84577f208,0x7ff84577f214,0x7ff84577f220
          PID: 3172

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1916,i,14700210533194221925,14596344160102216506,262144 --variations-seed-version --mojo-platform-channel-handle=2260 /prefetch:3
          PID: 2908

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2132,i,14700210533194221925,14596344160102216506,262144 --variations-seed-version --mojo-platform-channel-handle=2128 /prefetch:2
          PID: 2060

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1808,i,14700210533194221925,14596344160102216506,262144 --variations-seed-version --mojo-platform-channel-handle=2468 /prefetch:8
          PID: 3628

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3540,i,14700210533194221925,14596344160102216506,262144 --variations-seed-version --mojo-platform-channel-handle=3584 /prefetch:1
          PID: 820

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3560,i,14700210533194221925,14596344160102216506,262144 --variations-seed-version --mojo-platform-channel-handle=3612 /prefetch:1
          PID: 4892

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4236,i,14700210533194221925,14596344160102216506,262144 --variations-seed-version --mojo-platform-channel-handle=4248 /prefetch:1
          PID: 1588

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4284,i,14700210533194221925,14596344160102216506,262144 --variations-seed-version --mojo-platform-channel-handle=4388 /prefetch:2
          PID: 2284

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5200,i,14700210533194221925,14596344160102216506,262144 --variations-seed-version --mojo-platform-channel-handle=5220 /prefetch:8
          PID: 5076
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=5364,i,14700210533194221925,14596344160102216506,262144 --variations-seed-version --mojo-platform-channel-handle=5384 /prefetch:14⤵PID:4556
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4596,i,14700210533194221925,14596344160102216506,262144 --variations-seed-version --mojo-platform-channel-handle=5396 /prefetch:84⤵PID:1468
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5332,i,14700210533194221925,14596344160102216506,262144 --variations-seed-version --mojo-platform-channel-handle=5240 /prefetch:84⤵PID:4580
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5320,i,14700210533194221925,14596344160102216506,262144 --variations-seed-version --mojo-platform-channel-handle=5260 /prefetch:84⤵PID:4660
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5984,i,14700210533194221925,14596344160102216506,262144 --variations-seed-version --mojo-platform-channel-handle=6012 /prefetch:84⤵PID:1636
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5984,i,14700210533194221925,14596344160102216506,262144 --variations-seed-version --mojo-platform-channel-handle=6012 /prefetch:84⤵PID:3652
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6252,i,14700210533194221925,14596344160102216506,262144 --variations-seed-version --mojo-platform-channel-handle=6240 /prefetch:84⤵PID:3620
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6456,i,14700210533194221925,14596344160102216506,262144 --variations-seed-version --mojo-platform-channel-handle=6136 /prefetch:84⤵PID:1952
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3680,i,14700210533194221925,14596344160102216506,262144 --variations-seed-version --mojo-platform-channel-handle=3624 /prefetch:84⤵PID:2444
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3660,i,14700210533194221925,14596344160102216506,262144 --variations-seed-version --mojo-platform-channel-handle=3836 /prefetch:84⤵PID:4536
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6540,i,14700210533194221925,14596344160102216506,262144 --variations-seed-version --mojo-platform-channel-handle=6568 /prefetch:84⤵PID:3212
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6544,i,14700210533194221925,14596344160102216506,262144 --variations-seed-version --mojo-platform-channel-handle=6560 /prefetch:84⤵PID:3332
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6744,i,14700210533194221925,14596344160102216506,262144 --variations-seed-version --mojo-platform-channel-handle=6868 /prefetch:84⤵PID:1952
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6504,i,14700210533194221925,14596344160102216506,262144 --variations-seed-version --mojo-platform-channel-handle=6892 /prefetch:84⤵PID:1032
-
-
-
-
C:\Windows\system32\mspaint.exe (depth 1)
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\CloseUnpublish.png" /ForceBootstrapPaint3D
- Suspicious use of SetWindowsHookEx
PID:3892

C:\Windows\System32\svchost.exe (depth 1)
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
- Drops file in System32 directory
PID:1148

C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe (depth 1)
"C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe"
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2392

C:\Program Files\VideoLAN\VLC\vlc.exe (depth 1)
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\RepairProtect.AAC"
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1312

C:\Windows\system32\AUDIODG.EXE (depth 1)
C:\Windows\system32\AUDIODG.EXE 0x4a0 0x3dc
PID:1424

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe (depth 1)
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
PID:3980

Network
MITRE ATT&CK Enterprise v15
Persistence
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)

Privilege Escalation
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)

Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)

Downloads
Filesize 280B
MD5 fed4ab68611c6ce720965bcb5dfbf546
SHA1 af33fc71721625645993be6fcba5c5852e210864
SHA256 c41acdf5d0a01d5e9720ef9f6d503099950791b6f975ba698ccd013c4defa8c4
SHA512 f9ab23b3b4052f7fda6c9a3e8cd68056f21da5d0fcf28061331900cac6f31ef081705804d9a9d4103ee7d9c9bdb6aa4237987b7e821d2d96cd52da24219e55ee

Filesize 280B
MD5 4013ebc7b496bf70ecf9f6824832d4ae
SHA1 cfdcdac5d8c939976c11525cf5e79c6a491c272a
SHA256 fb1a67bdc2761f1f9e72bbc41b6fc0bf89c068205ffd0689e4f7e2c34264b22a
SHA512 96822252f121fb358aa43d490bb5f5ce3a81c65c8de773c170f1d0e91da1e6beb83cb1fb9d4d656230344cd31c3dca51a6c421fda8e55598c364092232e0ad22

Filesize 280B
MD5 859a39c21e4a25af34dc40b9f9d91016
SHA1 6de65dff5bc13850f7c939a419fa55ff4e02ab69
SHA256 ff00cd39998c50fd99104b4735c7e2e53c9eb43e63961f0253e3dca51c4cf711
SHA512 457be17eacfa236ff2997ef75730c911f20b5ea477225f0c6dc89bd92ef526d901897b998aa0e20596b7db2338aa92e1b6f9a848c8dc5c2ef93d7261788672fc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 5KB
MD5 49eac5f2bf787c89a93bbd1803775829
SHA1 b62048fec966ef6d4253f2529e33b841e657e8da
SHA256 130c8b3cd59a31e096d540eb0d40ae1e6e8de654efba12f8949fb0efb264532a
SHA512 0830082b67c4295d716d66e116ad75c933cc96c77dea34c924d482a87f1899485d6e0f61522a1f724ab104325830dc7a91ba0f902b269cc91582df1adcf8d8a4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5f1cf7.TMP
Filesize 3KB
MD5 89de021a1572630fc4a7533759f5f24b
SHA1 723ffcbfc4f7fa9a843afc2739fd1a0e47cd14f3
SHA256 516cc326047e1f7512d392ccfc399c0414e9f67148c82bfefb06c8c91adf91ec
SHA512 795767304a3cf4e7437c83462771f3ef8458da492f709a8671a7e8a6e6e8ac464f46151aaf0dbe23534ebd17f9beb1de51e493937d896349f489f41ebb6320d1

Filesize 264KB
MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Filesize 69KB
MD5 164a788f50529fc93a6077e50675c617
SHA1 c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48
SHA256 b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17
SHA512 ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_0\content.js
Filesize 9KB
MD5 3d20584f7f6c8eac79e17cca4207fb79
SHA1 3c16dcc27ae52431c8cdd92fbaab0341524d3092
SHA256 0d40a5153cb66b5bde64906ca3ae750494098f68ad0b4d091256939eea243643
SHA512 315d1b4cc2e70c72d7eb7d51e0f304f6e64ac13ae301fd2e46d585243a6c936b2ad35a0964745d291ae9b317c316a29760b9b9782c88cc6a68599db531f87d59

Filesize 107KB
MD5 40e2018187b61af5be8caf035fb72882
SHA1 72a0b7bcb454b6b727bf90da35879b3e9a70621e
SHA256 b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5
SHA512 a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Filesize 2KB
MD5 d014a699fc06d3c4acf4dd1e67b7ac0d
SHA1 8d07f8654d5c93115a8f7c1f3b1629c52714202a
SHA256 f3d833ad1ebfda512f45c22c1f64164c07b75f3d842a83309e7139a19e04e399
SHA512 cfe5b654e5d5e07d1c0cddfb4255d66c4c56fd4d3cf53366b418db58bf6ff568749d2c0d99a9adaf4671ceac85642fa97a4a243c1718d83429bf372cbc7498ae

Filesize 14KB
MD5 00f7c800e6983e67c1c4f2795fcb8ab9
SHA1 d4a8dbf8546da73bc449cc6234110fd5a109c97a
SHA256 67d4f1ecebf4cbf7d5860083945f79dd1031276900a08ab34f8a639163aae5c4
SHA512 62a39a5e8d9b3cf47e4b16a86b52496aebf215ccf11cefb61f4c862d37bbe5653763b9116cd3b43be7a5b20b39917a307b070424ef039a2addb452c049ac4b4b

Filesize 36KB
MD5 888ee3bd6ae1d78d17dfabb2fd90ba0c
SHA1 c7ed808f9cf25cb88b82ef73ec9061ef931a914c
SHA256 1f84b3f3180b99d23056248dd3e75d35726b35f08dc1dae68f22086cb2f810fb
SHA512 5c28c252df7a4b10cd27200b134b03882dbba516cc7be55f6ebf13486621704b8e0410389a05a361e6d6b58277b9bfa6f77bf17ff6e5975e9d24bd6ae651010d

Filesize 4KB
MD5 6039af11d60f92d941a3d0de873f091a
SHA1 119b45b15df0196bd81fcc07dbb0f4c4ef8145ba
SHA256 95459a3760e921787d404a58011d0c51a963fb6b33c7ec08f52f0f2f4a60099c
SHA512 f300cf914eff1b21e92272a616c855aa563f2223b058bb1560caa529a6f10dde64cbd8f038c0fed0bb52416837b681983c2fc7471ccbd8fc4b70d6b3d54ae152

Filesize 36KB
MD5 adf1ae22beeb54fe61e0d748370881d8
SHA1 2641f92cc55ad03dc8fa6d325b310643259b250b
SHA256 ecd3240d0a5425cf54dc35266e63541675ae7ba1d5583deb7de1785c2ac42815
SHA512 e91e7baccbb43cf0752454c0358627d61a0ab3cbe91ed70c7f42e95a25e5d3dafbe86a92c07faede68bb47fb71c2a4c26d44ee2b3bf10a74272012863a4ce59e

Filesize 6KB
MD5 72e203dc5505f99afefa83b08ca68bf7
SHA1 adc8ef5ce3df7e1f2e13cdd7f179d22f8c016f75
SHA256 d90fb7a0883010b8c7bd938910afcf28c35fd90b024a2d858002e14318f2ad1b
SHA512 573c0b4ff0feab2821ce732f08535bbfbc70acd87a6be7a96a55a2bbdb0169fabd9980c1260bcaa0ee6afe126082d6da90bca3b47f23bf220812987b2a85a720

Filesize 7KB
MD5 099cb100785c597cee9ee8472ab5a72a
SHA1 4d7320b3ece76b06e206b5c07910220e9e33e267
SHA256 5f07326c1831c753b276acb05286c61e1220d1830eaa9073c1fab4b56eb42acb
SHA512 65426b4b7485b72fd2a8949f9b34cc14ecbd856f812475941f95f28c0cc2e06dffdc74d1129c3cebd7b73d07da0368a9185d9f5f8a61a390fe812b1a8814a998

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres
Filesize 2KB
MD5 7d2c208153c87fa807b4bd0d9573b3f5
SHA1 1188c404e2db45aaa627712f22500f523b0a5a6d
SHA256 bf5996be971e836b6b74f7b0e5f4c1953bf8febbc5be4a9963b4614fac8cfa29
SHA512 340fbc88852cc5134be3b455aa9d8ec9abefc66de85b767b34f87d1000673c0b560b7321e742ffb1f4114656a8d6cd24c5c68f0628fb6fa6e2ae1ca05c05c0c4

C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json
Filesize 238B
MD5 6f218a1e689d272e6c92876483a9d650
SHA1 0d8f453f469f205a710e21d7f33e36e4b144961a
SHA256 94aa29b0d86a04b73525cd9fe959a7ebebf953adfa7451f5c092a79b8192c21e
SHA512 5f18572bc1c72d3946d2a4436a43c53bc16d6a2b6e009ddb8e34dac613edfd55ccbd02b8beb0194c2a27d35c40edb0bec026461a3db73bea9a449c669b27319a

C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json
Filesize 2B
MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json
Filesize 238B
MD5 07ba8764214aeda112d0d21aad217c40
SHA1 e54ee9e842bfc5bdd2ae649361366b8d612cf794
SHA256 51e24a6427432b64c2794a22c78da35d54075eab2236195100d67c501d94baae
SHA512 5b065a4500f726365ce8db15d0aee4b7a15a4135f5c7b82f7a3ca97303056598026f604ca5362b2f36e47e32ab82e149d53f16948b72cd4be4f269241c363412

C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\cloudCommunitySettings.json
Filesize 2KB
MD5 f4e4a03ebd0ab3a953c56a300d61d223
SHA1 97a9acf22c3bdd6989d7c120c21077c4d5a9a80e
SHA256 52bfb22aa2d7b0ce083d312fb8fa8dcda3063207186f99fc259aebd9064cbedc
SHA512 12aa71eea45720a4d7d057da0b662635671e4cd165ad2e0d30a3d2a43950b47dd60c26c1bbbe049418f815850e571b8d93e4c8b8cbbd686abc3cf7926ba719c2

Filesize 1B
MD5 5058f1af8388633f609cadb75a75dc9d
SHA1 3a52ce780950d4d969792a2559cd519d7ee8c727
SHA256 cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA512 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Filesize 79KB
MD5 24ce2a2f94f0fe572973f5389bedaaeb
SHA1 0cb2e3a4e662a57264d588440b303054e5c17516
SHA256 33da091e5a972e184d0ad313398d7ee52afbcee5f5ba8af8f871ec9850a5a5ea
SHA512 e724cf8b66a0a890b63598a156ad743556a616702854687b3b8655622fd9df0878eca66f72397fb7f6a4d60d466f961e319fb68a76ab0c47f725ed94a8e22810

Filesize 343KB
MD5 e8151c3940b5fa3e788d4ba14e7a8dc0
SHA1 6e7ab63b1dfaaac4b4ec27684fa0e1ca5c2b1963
SHA256 7d005098e2d422ac97a3d0497f0c4238d9fdcbb4cf3fdc3264cd784e66485806
SHA512 5823460ca60d62e472ff11fd307c182c5d30114953e09cd182a7aab2b2331f88e9984ec3c95a42d4697d10be2b3dff953517066a018de635cf81630f3bf2d5a3

Filesize 10KB
MD5 78e47dda17341bed7be45dccfd89ac87
SHA1 1afde30e46997452d11e4a2adbbf35cce7a1404f
SHA256 67d161098be68cd24febc0c7b48f515f199dda72f20ae3bbb97fcf2542bb0550
SHA512 9574a66d3756540479dc955c4057144283e09cae11ce11ebce801053bb48e536e67dc823b91895a9e3ee8d3cb27c065d5e9030c39a26cbf3f201348385b418a5

Filesize 725B
MD5 3416b0d3d7a19e0eaf4972757b7c4a8f
SHA1 d79d2c24fef7991e5c2a5247dfedc01d6b92c060
SHA256 3df82f448f0fafb48f29e180edb3f5328e6915fe20f495f0f213a2cb4d20b1dc
SHA512 e33aa672a6796b7a7848665c114cebd4e2135739d8fd8f5e65235f0ca7d55362cb21331c435a3bb0af6ab1512c90219177157dd00ae8ab47cf536d65cba2ec56

Filesize 3KB
MD5 b9daf88205e7429feaceda806bd561d2
SHA1 1893c80e74cfea9914343c6e4213393804a92dd1
SHA256 efa03262d4c3f5a46ab526946b8c7450d37eff4b5f8d53b43468655eea8cc027
SHA512 649ba70698611bd66aa91e40aaa81327a60efc098c1705729f9eb316c18e9bcca6af2363b24f8ac4aea5d25f12303833aedaada6fd26f1eebb86711a4e9baaf1

C:\Users\Admin\AppData\Local\Temp\scoped_dir4964_1138383361\24b9f9ab-d439-4d2e-88c8-21360e0ce597.tmp
Filesize 152KB
MD5 dd9bf8448d3ddcfd067967f01e8bf6d7
SHA1 d7829475b2bd6a3baa8fabfaf39af57c6439b35e
SHA256 fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72
SHA512 65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Filesize 403KB
MD5 b8cb1a1d76fe3fd71ac5b5fc175b699d
SHA1 611589181cb1bb72a279e44116fa3ed7c1256ded
SHA256 6d0b37a62e1d2215e2fd8936d3d1d13cd1d620d7678c773e013e70ccf55a674d
SHA512 280d2dbb4702498e11879c1fbf62c6eac8a2c97c2cc520f310e658ee5162329e24ba23d752ba8f549c0ffc85d5c83781ea1c10788ad6546258f83ed9c3c2cc25

Filesize 100KB
MD5 6032ce8ceea46af873b78c1f323547da
SHA1 8c5bd4a70e0f21aeba41c07976ace2919b64fd80
SHA256 19dc8c66d04d1a1d781e59107e2a1db5fd6288761c9dfd0c6909e533e79d04e7
SHA512 3ada1663cb730f43b44e32ceade5d0b9cae20d1c20001691a1d226d99c82510e001581f67f5131d6c21e0e0cf98e5089c3d0f22a6a1e3347053ed73304ccc6fe

Filesize 29KB
MD5 9cc05ec9d58102696092dd1ab9103fc2
SHA1 d4019f352ea64504a357c6447c56f79e06602131
SHA256 2e05264acc620b4828ec23550351bdaa7cc429fb273ecc4450ea58f2b20b7f61
SHA512 a74f5ebbe8f154857af1408aabc2fab30240ff5dd892d5aa9b510c63d51cb8c67605ff6c34459d620c10bb9d13085ac34072235b7bea274605014f9f8a7dbe55

Filesize 5B
MD5 112317d572ce0538d2d1b20d7f32170e
SHA1 c7f3714c4806b907bcff7f79aa1d1c9373b77d1e
SHA256 fd9e9a8be71786826787d6eb9aa28371d09b0515ddf0c19b082fe7bac57a88a9
SHA512 265dbebc83c74dc97770e650580b0321144990d133403bab2bc1de4618cde63dfd4fedfa56b5e4e259b510585db0f7a59042c356356c56bea3ac861d4be5337f

Filesize 79B
MD5 742444c8fab587a36f40949311fa454c
SHA1 a2bc658dd04be9edbcb878611d899304e666cb03
SHA256 745d8a009da008f23415dab7b58a7f92996b63dba555be87eca0528acf8d4947
SHA512 37e5eb7f3a79eea2d17afc4b822d513285a2dab13c7a9c19a5014e359433f39df70cda5020cc1345860a37b59134ab043759519785b85db920f38aced7916f39

Filesize 821KB
MD5 8e98794eb5c87152fae8b20367a93809
SHA1 79cc6f1bdb412a3533f5de1850520b5742595ef6
SHA256 b4743be894a670d389921a8691915caceebbcdf63cd37ab1a127145abf594ca0
SHA512 0cf280a180a3a71924838a7bdc047b81dbe245930f0cabbbc8e412048d0bdc7abc3674a7a67523d4b06cc88f1da391256c383b9895d42d5acd6dd1568c220e08

Filesize 93KB
MD5 3060fc299e17c7783df72a4e5f031f39
SHA1 2b1a867cf9dd435670d3c638974b4ad3c4a6ac87
SHA256 cc3766508cfe6674d7c5a3008353ad24aa7e50c576a77b31e26985bd7aee5aa0
SHA512 490a2728a54d021e2834332b8a1cc37475486794a2eef27c974a587ede72e1ca4672e3d0f05c646c954f4f4760c12a13f9cd901b816436ca20690ad14f904aa2